How auditors use walkthroughs, inspection, observation, and reperformance to evaluate control design and operation.
Control testing is designed to answer two related questions: whether a control is suitably designed and whether it operated effectively during the period being tested. Walkthroughs, inspection, observation, and reperformance help the auditor move beyond management’s description of a process and obtain evidence about how controls actually work.
The AUD exam often asks which procedure provides the strongest evidence for a specific control objective. Inquiry alone is rarely enough. Stronger answers usually combine inquiry with evidence such as documents, system logs, observation, or auditor reperformance.
flowchart LR
A["Understand process"] --> B["Identify relevant control"]
B --> C["Walk through transaction"]
C --> D["Select operating-effectiveness test"]
D --> E["Inspect, observe, or reperform"]
E --> F["Evaluate exceptions and conclude"]
A walkthrough traces a transaction from initiation through recording in the accounting records. The auditor uses it to understand the process, confirm whether the documented process matches reality, identify relevant controls, and evaluate whether the control is designed to prevent or detect a misstatement.
| Walkthrough step | What the auditor learns |
|---|---|
| Select a transaction | Whether the selected item is representative of the process being understood |
| Trace initiation | How the transaction begins and who has authority |
| Follow approvals | Whether required review and authorization points exist |
| Inspect system or document evidence | Whether the control leaves evidence of performance |
| Trace recording | Whether the transaction reaches the subledger and general ledger properly |
| Ask process owners questions | Whether actual practice differs from the written policy |
A walkthrough may include inquiry, observation, inspection, and reperformance. It is often strong evidence about design and implementation. A single walkthrough usually does not prove that a control operated effectively throughout the period unless it is combined with broader testing or the control operates only once.
Inspection means examining evidence that a control was performed. For manual controls, the evidence may be signatures, initials, dates, review notes, reconciliation sign-offs, or exception reports. For automated controls, the evidence may be configuration settings, system logs, access reports, or workflow records.
Inspection is useful when the control leaves reliable evidence. It is weaker when the evidence can be backdated, altered, or generated without actual review.
| Control | Evidence inspected | Audit concern |
|---|---|---|
| Purchase approval | Approved purchase order or workflow approval | Was approval performed before the purchase? |
| Bank reconciliation review | Dated sign-off and resolved reconciling items | Was the review timely and meaningful? |
| Credit-limit control | System configuration and override logs | Were limits enforced and overrides authorized? |
| Journal-entry review | Review notes, preparer/reviewer IDs, and posting date | Did review occur before posting or close? |
The auditor should inspect enough items, selected from an appropriate population, to support the conclusion about operating effectiveness.
Observation means watching a control being performed. It is useful when the control does not leave strong documentary evidence, such as observing inventory count controls, cash-handling procedures, restricted-access processes, or segregation of duties.
Observation is limited because it shows performance only at the moment observed. Employees may also behave differently when they know the auditor is present. For period-wide operating effectiveness, observation usually needs to be supplemented with inspection, reperformance, or repeated testing.
Reperformance is the auditor’s independent execution of the control. It is often persuasive because the auditor does not merely inspect evidence that someone else performed a control; the auditor tests whether the control would produce the expected result.
Examples include:
Reperformance is especially useful for calculation controls, reconciliations, matching controls, and automated application controls. The auditor must use the same relevant inputs and period as the client control being tested.
The best procedure depends on the control type and objective.
| Control type | Common test approach | Why |
|---|---|---|
| Manual approval | Inspect approved documents and evaluate authority/timing | The control leaves documentary evidence |
| Review control | Inspect sign-off, review evidence, and follow-up of exceptions | The reviewer must do more than initial a schedule |
| Automated matching | Inspect configuration and reperform selected matches | Settings and logic determine whether the control works |
| Physical safeguard | Observe access restriction and inspect access logs | Both behavior and access evidence matter |
| Reconciliation | Inspect review evidence and reperform key reconciling items | Reperformance tests whether the reconciliation actually works |
For IT-dependent controls, the auditor also considers relevant IT general controls. If program changes or access controls are weak, the auditor may not be able to rely on the automated control without additional testing.
Do not treat a walkthrough as a full operating-effectiveness test for the entire period unless the facts support that conclusion. A walkthrough often supports understanding and design, but additional testing is usually needed for reliance.
Do not pick inquiry alone as the strongest test of control operation. Inquiry can explain what should happen; inspection, observation, and reperformance provide stronger evidence of what did happen.
Do not assume a signature proves a review was meaningful. The auditor may need to evaluate whether exceptions were identified, investigated, and resolved.