The best anti-fraud, security and ethics policies won't help your company if nobody follows them. An audit compliance test looks at how well your policies and procedures work in practice. If the test shows your staff doesn't follow the rules, the auditor will have to apply more intensive audit testing procedures.
An audit compliance test looks at whether your company follows its own policies and rules. This is a separate process from compliance audits that look at whether the company is in compliance with government regulations and requirements.
Auditors do a great deal more than just check the math in your financial records. A thorough audit also looks at your company's internal controls and evaluates whether they're working:
- How do you protect yourself from losses due to mismanagement, error, employee theft and fraud?
- Are your employees acting in compliance with the regulations and laws that affect your company?
- Is your financial information accurate and reliable? Even if the numbers all add up, is it possible someone could have falsified them?
For example, if one person has the authority to approve a purchase, write the check and record the transaction, there's nothing to stop them from paying themselves for a non-existent purchase. Internal controls such as having someone else review the transaction reduce the risk of fraud.
Just because you put internal controls in place for your staff doesn't mean they work.
- Your controls may not be as well-designed as you think. That leaves you with serious vulnerabilities.
- Paperwork and double-checking other people's paperwork are tedious activities, which makes it tempting to skip the work.
- It's easier and more comfortable to put your faith in people than in policies. Everyone knows Fred's honest, so why worry about how much stuff he's ordering lately?
Audits exist to catch problems like these. Audit testing procedures spot risks and gaps, evaluate how efficient your policies are and produce recommendations for fixing any problems.
The audit compliance test looks at how well your organization complies with its own rules. If you have policies in place for preventing embezzlement or ensuring accurate record-keeping, how consistently do you and your team follow through on them?
There are several independent compliance testing and audit procedures an auditor can use to measure compliance:
- Ask questions. How do you check employee time cards? Is anyone who could alter data in a position to do it with no oversight? Even if the answers sound good, more audit testing procedures will be necessary.
- Look around. Just looking to see who has access to where, what the risk-management procedures are and where security cameras are placed can tell the auditor a lot.
- Examine the records. Suppose purchases over $5,000 require your written authorization. The auditor goes through the purchase records and sees if the documents are actually there. If every visitor has to log in at the front desk, the auditor looks at the log-in files to confirm this.
- Re-performance. The auditor performs various operations and sees if automatic control systems track them or detect errors.
- Apply a walk-through test. The auditor walks through a complete transaction, seeing if everything works the way it's supposed to.
- Use computer-aided audit tools. These go through and analyze very large amounts of data.
If the audit compliance test shows you're walking the walk, that's good news. The rest of the audit will be a lot simpler because the auditor can have confidence your documentation and records are reliable.
If the auditor discovers your team doesn't follow procedure, or that your internal controls fall short of best practices, you'll need to up your game. The solution may be added layers of review, more documentation or better training so your staff complies with the controls you already have.