Audit Procedures & Testing Framework: Standards-Based Approach [2026]
Published: March 17, 2026 | Category: Audit Procedures | Read Time: 20 minutes | Author: CORAA Team
Introduction
Audit procedures are the backbone of audit evidence.
A procedure tells auditors: "What will I do? How will I do it? What am I looking for? How will I document it?"
Per ISA 330 (The Auditor's Responses to Assessed Risks), procedures must be:
- Relevant to the identified risk
- Sufficient to obtain audit evidence
- Well-documented in the audit file
This pillar guide provides a comprehensive framework for designing, executing, and documenting audit procedures aligned with Indian standards (ISA, SQM1, Ind AS, ICAI guidance).
Part 1: Audit Procedure Fundamentals
What is an Audit Procedure?
An audit procedure is a step-by-step description of:
- What the auditor will test
- Why it matters (what risk does it address?)
- How it will be performed
- What constitutes acceptable evidence
- How results will be documented
Anatomy of a Well-Documented Procedure
Procedure #5: Revenue Cutoff Testing
OBJECTIVE:
Ensure revenue transactions are recorded in the correct period (addressing cutoff risk).
SCOPE:
Sample 50 revenue transactions from final week of audit period (Dec 25-31).
PROCEDURE:
1. Select transactions from Dec 25-31 GL revenue entries
2. Obtain supporting invoice (goods dispatch date, invoice date)
3. Verify invoice date matches GL entry date
4. Trace to goods dispatch or service delivery date
5. Confirm transaction recorded in correct period
EVIDENCE:
Invoice copy; shipping document; GL entry screenshot
CONCLUSION:
All sampled transactions recorded in correct period. No cutoff errors identified.
Part 2: Audit Procedure Categories
Category 1: Analytical Procedures
What: Compare data to expectations; investigate variations
When: Risk identification; preliminary understanding; substantive testing
Example:
- Expense ratio analysis (2024 expense/revenue vs. 2023)
- If 2024 ratio 15% higher, investigate cause
Documentation:
- Data analyzed
- Expected vs. actual values
- Variation threshold
- Investigation conclusions
Category 2: Substantive Procedures (Tests of Details)
What: Examine individual transactions; test account balances
When: High-risk accounts or transactions
Example:
- Sample revenue transactions; trace to underlying contracts
- Sample AP payments; verify supporting invoices
Documentation:
- Population size
- Sample size and selection method
- Items tested and results
- Exception handling
Category 3: Tests of Controls
What: Verify controls are operating effectively
When: Relying on controls for audit conclusion
Example:
- Sample invoices >₹50L; verify CFO approval present
- Sample payments; verify segregation of duties
Documentation:
- Control objective
- Procedure performed
- Exception handling (what if approval is missing?)
- Conclusion (control effective/ineffective)
Category 4: Observation Procedures
What: Observe management or client action
When: Physical count; client process observation
Example:
- Observe fixed asset physical count
- Observe inventory count
- Observe bank reconciliation
Documentation:
- Date and time of observation
- What was observed
- Exceptions or issues noted
- Conclusion
Category 5: Inquiry Procedures
What: Ask management or client staff
When: Gaining understanding; clarifying complex areas
Example:
- Inquire about accounting policy changes
- Inquire about related parties
- Inquire about pending litigation
Documentation:
- Who was inquired
- Question asked
- Response received
- Corroborating evidence sought (did you verify the response independently?)
Part 3: Risk-Based Audit Procedure Design
Step 1: Identify Significant Risks
Per ISA 315 (Identifying and Assessing Risks):
Significant risks = risks requiring special audit attention
Examples:
- Revenue recognition (high misstatement risk; complex judgment)
- Lease accounting (Ind AS 116; often missed)
- Related parties (independence concern; disclosure risk)
- Contingencies (Ind AS 37; often underestimated)
- Fraud (intentional misstatement risk)
Step 2: Design Procedures Responsive to Risk
For each significant risk, design procedure addressing it:
Risk: Revenue from complex contracts under-recognized (multiple performance obligations)
Procedure:
- Identify revenue contracts >₹50L
- Obtain contract; review terms
- Verify management's performance obligation assessment
- Verify revenue recognition timing (when each performance obligation satisfied)
- Recalculate revenue for sample contracts
- Verify disclosure of revenue by performance obligation
Step 3: Document Procedure Design
Procedure Documentation Should Include:
- Procedure # (for cross-reference)
- Procedure name
- Risk addressed (link to risk assessment)
- Procedure objective
- Scope (population, sample size, selection method)
- Steps (what, how)
- Evidence (what documentation supports conclusion)
- Expected results (what would be acceptable?)
- Conclusion (did procedure provide sufficient evidence?)
Part 4: Audit Procedures for Key Risk Areas
Procedure Framework: Revenue Testing (Ind AS 115)
Risk: Revenue overstated; performance obligations misclassified; disclosures incomplete
Procedure Design:
Step 1: Understanding Control Environment
- Obtain revenue recognition policy
- Verify alignment with Ind AS 115
- Inquire about complex contracts
Step 2: Assess Revenue Risks
- Identify high-risk revenue streams (new products, complex terms)
- Identify significant contracts (>₹50L or significant % of revenue)
- Document risk assessment
Step 3: Design Substantive Procedures
- Test revenue transactions (sampling or 100%)
- Verify performance obligations (when satisfied?)
- Verify transaction amounts (contract vs. GL)
- Test revenue cutoff (correct period)
- Verify disclosures (Ind AS 115 Schedule 1)
Step 4: Execute and Document
- Obtain sample of revenue contracts
- Perform detailed testing
- Document exceptions
- Propose adjustments if necessary
Step 5: Conclude
- Revenue fairly stated?
- Performance obligations correctly classified?
- Disclosures complete and accurate?
Procedure Framework: Lease Testing (Ind AS 116)
Risk: Embedded leases missed; ROU calculations incorrect; disclosures incomplete
Procedure Design:
Step 1: Lease Identification
- Scan all contracts for lease indicators
- Classify leases vs. services
- Document classification rationale
Step 2: ROU Asset & Liability Calculation
- Extract lease terms (lease payments, term, discount rate)
- Recalculate ROU asset and liability
- Verify GL recording
Step 3: Disclosure Verification
- Extract all identified leases
- Verify disclosure in Schedule 4
- Check payment schedule completeness
Step 4: Exception Handling
- Finance vs. operating classification: verify
- Discount rate appropriateness: verify
- ROU calculation: recalculate
Step 5: Conclude
- All leases identified and classified?
- ROU amounts calculated correctly?
- Disclosures complete and accurate?
Procedure Framework: Related Party Testing (Ind AS 24)
Risk: RPs missed; RP transactions under-tested; disclosures incomplete
Procedure Design:
Step 1: RP Identification
- Obtain RP identification questionnaire from management
- Cross-check against board minutes
- Verify no associates/joint ventures missed
- Identify key management personnel
Step 2: RP Relationship Assessment
- Document nature of each RP relationship
- Verify arm's length assessment (if applicable)
- Document independence considerations
Step 3: RP Transaction Testing
- Identify all RP transactions
- Test on lower thresholds (not same as third-party)
- Verify pricing appropriateness
- Test disclosure completeness
Step 4: Disclosure Verification
- Extract all RPs and transactions
- Verify disclosure per Ind AS 24
- Check completeness
Step 5: Conclude
- All RPs identified?
- RP transactions appropriately tested?
- Disclosures complete and accurate?
Part 5: Procedure Documentation Standards
What to Document
In Audit Workpapers:
-
Procedure Description
- Title and objective
- Risk addressed
- Scope (population, sample)
-
Performance
- Date performed
- Auditor name
- Procedure steps executed
-
Evidence
- Documentation obtained
- Testing results
- Exceptions found
-
Conclusions
- Results documented
- Adjustments proposed (if any)
- Sign-off by preparer and reviewer
Documentation Best Practices
1. Reference Other Workpapers
- "Per W/P #1.2, revenue contracts identified" (linking procedures)
2. Cross-Reference to Risk Assessment
- "Procedure addresses Revenue Recognition Risk (Risk #3, ISA 315)"
3. Document Exceptions Clearly
- "Exception: Revenue transaction dated Dec 31, but delivery occurred Jan 2" (clear description of finding)
4. Explain Conclusions
- "Tested 50 revenue transactions; 1 cutoff error identified; proposed adjustment ₹12L; management agreed" (clear disposition)
NFRA Compliance in Documentation
NFRA expects workpapers to show:
✓ Procedure was designed (responds to identified risk)
✓ Procedure was performed (auditor completed all steps)
✓ Procedure was supervised (reviewed by manager/partner)
✓ Conclusion documented (fair/not fair? no exceptions? exceptions resolved?)
Part 6: Procedure Execution Standards
Quality Control During Procedure Execution
1. Supervision
- Manager reviews procedures as they're performed
- Exceptions escalated immediately (not waiting for year-end)
- Training provided if staff unclear on procedures
2. Documentation
- Auditor documents what they did, when, and what they found
- Real-time documentation (not filled in later)
- Clear, concise language
3. Exception Handling
- Exceptions investigated immediately
- Management consulted for explanations
- Adjustments agreed before year-end (not last-minute surprises)
4. Consultation
- Complex areas escalated to senior auditor/partner
- Technical accounting questions consulted with firm specialists
- RP or fraud indicators escalated to engagement partner
Procedure Execution Checklist
- Procedure steps completed
- Evidence obtained and attached
- Exceptions documented
- Supervisor reviewed
- Adjustments approved by management
- Conclusions documented
Part 7: ISA/SQM1/Ind AS Integration
How Audit Procedures Connect to Standards
ISA 330: Designing & Implementing Audit Procedures
- Procedures must be responsive to assessed risks
- Procedures must be appropriate for risk level
SQM1: Quality Management
- Procedures must be performed per firm quality standards
- Procedures must be supervised and reviewed
- Documentation must support SQM1 quality objectives
Ind AS Standards:
- Revenue (Ind AS 115): Procedures test performance obligations, transaction amounts, disclosures
- Leases (Ind AS 116): Procedures test lease identification, ROU calculation, disclosures
- Contingencies (Ind AS 37): Procedures test probability, estimation, disclosure
ICAI Guidance:
- ICAI AI Use Cases: NLP for contract analysis, continuous control testing, data analysis
- EQCM Requirements: Procedures must be reviewed by independent quality control partner
Example: Integrated Procedure Design
Risk: Revenue under-recognized; Ind AS 115 non-compliance
ISA 330 Response: Design procedures responsive to revenue recognition risk
SQM1 Response: Procedures designed and executed per firm quality standards; supervised; reviewed by quality control partner
Ind AS 115 Response: Procedures specifically address performance obligations (when satisfied), transaction amounts, disclosure completeness
ICAI Response: Consider AI use case (NLP for contract analysis, data analytics for anomaly detection)
Part 8: NFRA Defensibility
What NFRA Expects to See
When NFRA reviews audit procedures:
1. Risk Assessment Documented
- What risks did auditor identify?
- Why are these risks significant?
- What could go wrong?
2. Procedures Responsive to Risks
- For each risk, is there a procedure?
- Does procedure address the risk?
- Are procedures sufficient in scope?
3. Evidence Collected
- Did auditor obtain supporting evidence?
- Is evidence relevant to risk?
- Is evidence sufficient to support conclusion?
4. Exceptions Investigated
- Were exceptions identified?
- Were exceptions investigated?
- Were adjustments agreed with management?
5. Conclusions Documented
- Did auditor conclude fairly stated?
- Is conclusion supported by evidence?
- Are adjustments necessary?
Sample NFRA Questions
Q1: Revenue Recognition
NFRA: "Revenue increased 25% from prior year. What procedures did you perform to verify it's fairly stated?"
Your evidence: Risk assessment (identified revenue recognition risk); procedures designed (50 revenue contracts tested, performance obligations verified, ₹X cutoff test performed); exceptions identified (2 cutoff errors, adjusted); conclusion documented (revenue fairly stated after adjustments).
Q2: Lease Accounting
NFRA: "What procedures were performed to identify embedded leases?"
Your evidence: Procedure description (contract language screening per NLP indicators); contracts tested (45 supply/service contracts scanned); leases identified (3 embedded leases found); ROU calculation tested (all 3 recalculated); conclusion (all leases identified, ROU amounts correct).
Audit Procedure Checklist by Cycle
| Cycle | Key Procedures |
|---|---|
| Revenue | Contract review, performance obligation assessment, cutoff testing, disclosure verification |
| Purchases | Completeness test (unmatched invoices), pricing verification, cutoff testing, disclosure verification |
| Cash | Bank reconciliation, unusual items, reconciling items investigation |
| Leases | Lease identification (embedded), ROU calculation, disclosure verification |
| RP | RP identification, RP transaction testing, disclosure verification |
| Contingencies | Litigation inquiry, probability assessment, disclosure verification |
| Fixed Assets | Completeness, valuation, depreciation, disclosure |
Key Takeaways
-
Every procedure must address a specific risk. No procedure should be generic; each should respond to an identified risk.
-
Procedures must be documented in the workpapers. What was done, by whom, when, what was found—all documented.
-
Procedures must be supervised and reviewed. Quality control during execution, not just at year-end.
-
Exceptions must be investigated and resolved. Not swept under the rug; investigated and adjusted if necessary.
-
Documentation must support audit conclusions. If auditor concludes "fairly stated," evidence must support that conclusion.
-
Procedures must comply with ISA/SQM1/Ind AS. Design procedures per standards; execute per quality standards; document per documentation standards.
-
NFRA defensibility depends on procedure quality. Strong procedures = defensible audit; weak procedures = NFRA findings.
Related Blog Posts
- AI in Audit Procedures: Complete Framework for Indian CA Firms
- Audit Quality Management: SQM1, EQCM & Compliance Framework
- 100% Ledger Testing: From Sampling to Comprehensive Coverage
- Continuous Audit with AI: Real-Time Monitoring & Control Testing
- Lease Accounting Audit (Ind AS 116): Testing & Verification Procedures
- Related Party Transaction Procedures: AI + Manual Verification
About CORAA
CORAA helps Indian audit firms design, execute, and document audit procedures aligned with ISA, SQM1, and Ind AS standards. From procedure templates to quality control workflows, strengthen audit evidence, improve NFRA defensibility, and ensure standards compliance.
Learn more: Visit our website
Sources
- ISA 200: Overall Objectives of the Independent Auditor
- ISA 315: Identifying and Assessing Risks of Material Misstatement
- ISA 330: The Auditor's Responses to Assessed Risks
- ISA 500: Audit Evidence
- SQM1: Service Quality Management (ICAI)
- Ind AS 115: Revenue from Contracts with Customers
- Ind AS 116: Leases
Get weekly audit insights
Practical guides on audit automation, SQM1 compliance, and Ind AS procedures — delivered to 2,000+ CA professionals every Friday.
No spam. Unsubscribe any time.
Topics