Audit techniques: how auditors actually gather assurance

A handful of core techniques does almost all the work in a compliance audit: document review, interview, observation, walkthrough, sampling, and re-performance. Knowing when to use each, how to do each well, and how they corroborate one another is most of the craft. This guide takes each in turn, with concrete techniques and examples.

The technique ladder — from weakest to strongest evidence

The techniques aren't interchangeable. They sit on a ladder of evidential strength, and a good auditor climbs it deliberately — using cheap techniques to find leads and expensive ones to confirm the leads that matter.
Technique       | Answers                                                 | Evidence strength | Cost
Document review | What is the org supposed to do?                         | Low–medium        | Low
Interview       | Do the people understand and describe it consistently?  | Low–medium        | Low
Observation     | What actually happens?                                  | Medium            | Medium
Walkthrough     | Does the control operate end-to-end on a real case?     | High              | Medium
Sampling        | Does it operate consistently across the population?     | High              | Medium–high
Re-performance  | Does the control actually produce the claimed result?   | Highest           | High
The skill is matching technique to the risk of the unit (see risk-based auditing): low-risk units may stop at document review plus a confirmatory interview; high-risk units earn walkthroughs, sampling, and re-performance.

Document review — establish the claim, not the proof

Reading policies, procedures, records, logs, registers, and contracts is where most audits start. Document review establishes what the organisation says it does and whether the required artefacts exist at all.

How to do it well:
  1. Request documents before the fieldwork, against the criteria you're auditing, so you arrive already knowing the claimed design.
  2. Read for currency and approval — is this the live version, dated, approved by the right role? An unapproved draft policy is a finding in itself.
  3. Read for internal consistency — does the retention policy match the privacy notice match the actual system settings?
  4. Note what's missing, not just what's there. The absent procedure is often the finding.

Interview — test understanding and surface discrepancies

Interviews test whether the people doing the work understand it and describe it the way the documents do. Done well, they're the fastest way to find the threads worth pulling.
  1. Interview the people who do the work, not only the manager who wrote the procedure. The gap between the two is informative.
  2. Ask open questions: "walk me through what happens when a data-subject access request arrives" reveals far more than "do you handle access requests within a month?" (to which the answer is always yes).
  3. Ask the same thing of two people and listen for divergence. Two staff describing the same control differently is a lead.
  4. Don't lead. A question that contains its own answer gets you the answer you fed in, not the truth.
Leading / closed

"You do review access rights quarterly and remove leavers promptly, correct?" — a closed, leading question. The auditee says "yes," you write "control confirmed," and you've learned nothing.

Open / anchored

"Tell me about the last time you reviewed access rights — when was it, who did it, what did you find, and what happened to the leavers you identified?" — open, specific, and anchored to a real event you can then ask to see evidence of.

Observation and walkthrough — watch the control operate

Observation is watching work happen in real time — a screen-share of the actual system, a person performing the actual task. Walkthrough goes further: you follow one real case from start to finish through the whole process, watching each control operate in context.

The walkthrough is the single most revealing technique in auditing, because it exposes the seams between policy, system, and human behaviour that no single document or interview shows.
A data-subject access request walkthrough

Instead of asking whether DSARs are handled in time, the auditor picks one real request from the log and follows it:

  1. How did it arrive — monitored channel, or a personal inbox nobody watches?
  2. Was identity verified, and how?
  3. Who was tasked, and was the one-month clock started and tracked?
  4. How were all systems holding the person's data actually located — from the record of processing, or from memory?
  5. What was disclosed, what was redacted, and on what basis?
  6. Was the response sent within the deadline, and is there proof?

This one trace tests the record of processing, the deadline tracking, the redaction judgement, and the identity control — four obligations — in a way a document check never could. Walkthroughs earn their cost on every high-risk unit.

Sampling — reason about the population

You rarely test a whole population; you test a sample and reason about the whole. The following principles keep sampling honest:
  1. Size follows risk. Sample more where a missed failure matters more. A handful may suffice for a low-risk control; a high-risk, high-volume control needs enough that one undetected failure would be unlikely (see risk-based auditing).
  2. Selection avoids bias. Don't let the auditee hand you the sample, and don't only test tidy recent records. Mix random selection with deliberate edge cases: the oldest records, the highest-value ones, the ones around a system change, the exceptions.
  3. Project carefully. If you sample 20 and find 2 failures, that's a ~10% failure rate to investigate, not "2 minor issues." Errors in a sample imply errors in the population.
  4. Follow the thread when you find a failure. One failure often means widen the sample, not just log the one.
Biased sample

"I asked the team for five examples of completed access reviews and they all looked fine." — auditee-selected, all recent, all clean by construction. Proves only that five good examples exist.

Risk-weighted sample

"From the full list of 240 leavers this year I randomly selected 15, plus the 5 highest-privilege leavers and the 5 around the June system migration. Of 25, four retained active accounts past their exit date." — unbiased, risk-weighted, and it found the problem.

Re-performance — the strongest evidence

Re-performance means the auditor redoes the control and checks it produces the claimed result: recalculate the figure, re-run the access query, attempt the thing the control is supposed to prevent (in a safe, authorised way). It is the strongest evidence available because it depends on no one's word — but it's the most effort, so reserve it for high-risk controls where certainty is worth the cost.
Re-performing an access-revocation control

The procedure says leaver accounts are disabled within 24 hours. Rather than trust the ticket log, the auditor takes the HR list of last week's five leavers and queries the live directory directly. Two accounts are still enabled. That is not a documentation discrepancy to discuss — it is re-performed, first-hand proof of a control failure, and it is essentially unarguable.
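Putting the risk-weighted sample and the re-performance check together, as an added example that is not from the original guide: the script below selects a sample from a constructed HR leaver list (a random core plus the highest-privilege leavers and those around an assumed June migration date), then re-performs the 24-hour revocation check against a constructed directory snapshot and reports a rate rather than a bare count. The leaver records, the directory contents, and the migration date are all constructed sample data, not from any real system.

```python
import random
from datetime import date, datetime, timedelta

# Constructed HR leaver export (uid, exit date, privilege tier 0-3); sample data only.
LEAVERS = [
    {"uid": "u01", "exit": date(2024, 2, 14), "priv": 0},
    {"uid": "u02", "exit": date(2024, 3, 3), "priv": 3},
    {"uid": "u03", "exit": date(2024, 4, 22), "priv": 1},
    {"uid": "u04", "exit": date(2024, 6, 10), "priv": 0},
    {"uid": "u05", "exit": date(2024, 6, 13), "priv": 2},
    {"uid": "u06", "exit": date(2024, 6, 16), "priv": 0},
    {"uid": "u07", "exit": date(2024, 8, 1), "priv": 3},
    {"uid": "u08", "exit": date(2024, 9, 9), "priv": 1},
]
# Constructed snapshot of the live directory, uid -> account still enabled; sample data only.
DIRECTORY = {"u01": False, "u02": True, "u03": False, "u04": False,
             "u05": True, "u06": False, "u07": False, "u08": False}
MIGRATION = date(2024, 6, 12)  # assumed date of the system migration mentioned in the text


def select_sample(leavers, n_random, n_privileged, migration, window_days, seed=0):
    """Risk-weighted selection: a random core plus the highest-privilege leavers
    and those whose exit fell within window_days of the migration."""
    rng = random.Random(seed)  # seeded so the selection can be reproduced in the workpapers
    chosen = rng.sample(leavers, n_random)
    chosen += sorted(leavers, key=lambda rec: rec["priv"], reverse=True)[:n_privileged]
    chosen += [rec for rec in leavers if abs((rec["exit"] - migration).days) <= window_days]
    seen, sample = set(), []
    for rec in chosen:  # deduplicate, keeping the first occurrence
        if rec["uid"] not in seen:
            seen.add(rec["uid"])
            sample.append(rec)
    return sample


def reperform_revocation(sample, directory, as_of_iso, sla_hours=24):
    """Re-perform the control: an account still enabled after exit + SLA fails, whatever the ticket log says."""
    as_of = datetime.fromisoformat(as_of_iso)
    failures = []
    for rec in sample:
        deadline = datetime.combine(rec["exit"], datetime.min.time()) + timedelta(hours=sla_hours)
        if directory.get(rec["uid"], False) and as_of > deadline:
            failures.append(rec["uid"])
    return failures


def project_failure_rate(failures, sample):
    """Report the sample failure rate to project onto the population, not a bare count."""
    return len(failures) / len(sample) if sample else 0.0
```

Against a real estate the DIRECTORY dict would be replaced by a live directory query; the selection logic and the check itself stay the same.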

Corroboration — no single technique is enough

The techniques are strongest in combination, climbing the ladder for the controls that matter. A control is well-evidenced when it is:

Any one alone leaves a gap a good auditor — and a good assessor — will probe. The conclusion you can defend is the one where two or more independent techniques point the same way. That principle of sufficiency is the subject of the next guide: evidence fundamentals.

Related guides

This guide explains the method. To apply it across a whole regulation — every obligation scored and traceable — see the audit checklists, each with a free Regulatory Compliance Matrix you can review before buying.