Design procedures, evidence sources, nature, timing, extent, and audit program documentation.
Procedure design is the bridge between risk assessment and evidence. A procedure should state what will be done, to what population or item, for what period, using what evidence source, and which risk, assertion, or criterion it addresses.
The practical task is to write procedures that are specific enough to perform and strong enough to answer the risk. Vague procedures create weak evidence even when the general idea is correct.
This lesson focuses on how to:
A procedure should be specific enough that another practitioner could perform it. It should also explain why the work is being done.
| Component | Question | Weak wording |
|---|---|---|
| Action | What will be done? | “Check revenue.” |
| Evidence source | What document, system, person, or external source will be used? | “Look at support.” |
| Population | Which items or period are covered? | “Some invoices.” |
| Assertion or criterion | What risk does the procedure address? | No link to occurrence, completeness, valuation, compliance, or other criterion. |
| Extent | How many items or what scope? | No sample size, threshold, or selection basis. |
| Timing | When is the work performed? | No period-end or interim consideration. |
| Expected output | What evidence or conclusion should result? | No explanation of what would support or contradict the risk. |
A stronger sentence might say: “Select recorded revenue transactions for the two weeks before and after year end and agree each item to the customer order, delivery evidence, invoice, and subsequent collection to test occurrence and cut-off.” That wording identifies the action, population, evidence, timing, and purpose.
Procedure design changes with risk. Higher risk usually requires more persuasive evidence, more precise timing, or broader extent.
| Dimension | Meaning | Risk response |
|---|---|---|
| Nature | Type and quality of procedure and evidence source. | Higher risk usually needs more persuasive evidence, such as external confirmation or reperformance. |
| Timing | When the procedure is performed. | Higher period-end risk may require work closer to or after year end. |
| Extent | Quantity, coverage, or depth of work. | Higher risk may require larger samples, lower thresholds, or broader coverage. |
Nature, timing, and extent should not be generic labels. The answer should state what changes. For example, if collection risk is high, confirming more receivables near year end may be stronger than relying only on interim analytical procedures.
Evidence source affects procedure strength. The practitioner should consider independence, objectivity, directness, relevance, and reliability of the system or process that produced the evidence.
| Evidence source | Reliability consideration |
|---|---|
| External confirmation | Often persuasive when received directly by the practitioner. |
| Third-party document | Stronger than internally generated evidence if authentic and relevant. |
| System report | Depends on IT controls, report parameters, and data completeness. |
| Management inquiry | Useful for understanding but usually weak alone. |
| Observation | Shows a process at a point in time but not necessarily throughout the period. |
| Reperformance | Persuasive for recalculation or control operation when population selection is appropriate. |
| Analytical procedure | Useful when relationships are predictable and data is reliable. |
Inquiry is rarely enough for a high-risk conclusion. It should usually be corroborated with inspection, confirmation, recalculation, reperformance, observation, or data testing.
| Risk or assertion | Weak procedure | Stronger procedure |
|---|---|---|
| Revenue occurrence | Review sales. | Select recorded sales near year end and agree to customer order, delivery or service evidence, invoice, and subsequent collection. |
| Payables completeness | Inspect invoices. | Search subsequent payments and unmatched receiving reports after year end for unrecorded liabilities. |
| Inventory valuation | Discuss inventory with management. | Inspect ageing reports, compare cost to subsequent sales or replacement cost, and evaluate write-down assumptions. |
| Control operation | Ask whether review was performed. | Inspect evidence of review for selected periods, verify reviewer competence, and follow up exceptions. |
| Compliance with grant terms | Read grant agreement. | Map each key term to evidence, inspect supporting records, and test exceptions against the reporting period. |
| System access risk | Ask IT about access. | Obtain user access listing, compare to HR records, inspect approvals, and test removal of terminated users. |
The stronger procedures use evidence that directly responds to the risk. They also define the population and action clearly enough to document in a work plan.
An audit program or assurance work plan should show the logic between risk and procedure. The work paper should not be a checklist detached from the case facts.
| Work plan field | Why it matters |
|---|---|
| Risk or objective | Shows why the procedure is being performed. |
| Assertion or criterion | Links the procedure to what could go wrong. |
| Procedure wording | Gives clear instructions for the work. |
| Population and extent | Defines coverage and selection basis. |
| Timing | Shows whether interim, year-end, or subsequent work is needed. |
| Evidence source | Identifies the records, reports, confirmations, or observations to use. |
| Conclusion field | Forces the practitioner to evaluate results instead of only signing off. |
If a procedure is changed during the engagement, the work plan should explain the reason. A change may be caused by control failures, new risks, unreliable reports, client delays, or unexpected exceptions.
Procedure design happens before evidence is obtained. Evidence evaluation happens after the work is performed.
| Stage | Practitioner question |
|---|---|
| Design | Will this procedure obtain evidence that responds to the risk? |
| Performance | Was the procedure performed as planned and documented? |
| Evaluation | Is the evidence sufficient and appropriate, and what does it mean? |
| Response | Is more work, correction, communication, or report modification needed? |
This distinction matters in case writing. If the problem is a weak proposed procedure, redesign it. If the problem is an exception found during testing, evaluate the evidence and state the next action.
| Step | Question | Output |
|---|---|---|
| 1. Risk | What risk, assertion, or criterion needs evidence? | Procedure objective. |
| 2. Evidence source | Which source would be persuasive and available? | Evidence source. |
| 3. Nature | What action should the practitioner perform? | Procedure action. |
| 4. Timing and extent | When and how much work is needed? | Timing and coverage. |
| 5. Documentation | How should the procedure appear in the audit program or work plan? | Clear procedure wording. |
Use this framework when asked to design, critique, improve, or document a procedure.
| Pitfall | Correction |
|---|---|
| Writing vague procedures. | Specify action, evidence source, population, timing, extent, and assertion or criterion. |
| Choosing a procedure that does not answer the risk. | Link every procedure to the risk it addresses. |
| Treating inquiry as enough for high-risk areas. | Corroborate with inspection, confirmation, reperformance, or independent evidence. |
| Ignoring report reliability. | Test system reports and IT controls when reports are used as evidence. |
| Confusing design with evaluation. | Design procedures first; evaluate sufficiency and appropriateness after evidence is obtained. |