How to Use Audit Walkthroughs to Find Control Weaknesses

audit walkthrough

What is the purpose of audit walkthroughs? How do you document walkthroughs? Is it better to use checklists, flowcharts or summarize narratively? How often should walkthroughs be performed? Are they required? Will a walkthrough allow me to assess control risk at less than high?

In this post, I answer these questions about one of the most important risk assessment procedures: walkthroughs. I share techniques Iโ€™ve used for many years. They work for me, and they will work for you.

Letโ€™s dive in.

Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding of how a transaction makes its way through the accounting system and about related internal controls.

What are Audit Walkthroughs?

As we perform a walkthrough, we:

  • Make inquiries
  • Inspect documents
  • Make observations

By asking questions, inspecting documents, and making observations, we are evaluating the design and implementation of internal controls to see if there are weaknesses that would allow errors or fraud. Audit standards do not permit the use of inquiries alone. Observations and inspections must also occur.

Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. In other words, the auditor can’t default to high. Risk assessment procedures are required.

What is not an Audit Walkthrough?

Following a transaction through the accounting system–without reviewing controls–is not an audit walkthrough. We must examine controls to see if they have been implemented and to see if they are properly designed. 

Placing a copy of the operating and accounting system manual in the audit file is not a walkthrough. While manuals tell you what the client intends to do, they don’t tell you what is occurring. In other words, they don’t answer the implementation question.

Lastly, asking a client, “Is everything the same as last year?” is not a walkthrough. Auditors must do more than inquire. 

Internal Controls Documented in Prior Audits

In some situations, AU-C section 315 allows the auditor to rely on audit evidence obtained in prior periods. In those situations, the auditor is required to perform audit procedures (e.g., a walkthrough) to establish the continued relevance of the audit evidence obtained in prior periodsSo, we are checking to see if the controls are still designed appropriately and whether they were in use throughout the current year. Why? Well, if a control was in use in the prior year but was discontinued in the current year, the prior year understanding would shed no light on the current-year change.

Why Audit Walkthroughs?

Accountants are often more comfortable with numbers than processes. We like things that โ€œtie,โ€ โ€œfoot,โ€ or โ€œbalance.โ€ We may not enjoy probing accounting systems for risk. Itโ€™s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. Itโ€™s too complicated and too important. So thereโ€™s no getting around it. The walkthroughโ€”or something like itโ€”must be done. Why? We’re gaining an understanding of risks and responding to them. Weโ€™re developing our audit plan. Screw up the plan, and we screw up the audit.

What is the purpose of the walkthrough? Identification of riskโ€”specifically, the risk of material misstatement. Once we know the risks, we know where to audit and we link our risks to our plan.

Walkthroughs and Lower Control Risk Assessment

Usually, audit walkthroughs are not sufficient to support lower control risk assessments (those less than high). If the auditor assesses control risk at less than high, she is required to test the effectiveness of the control. Since audit walkthroughs are usually a test of one transaction, they typically don’t prove operating effectiveness.

Regarding computer controls, a walkthrough of one transaction might be sufficient to prove effectiveness if general computer controls are workingโ€”namely, change control. Why? Computer controls are usually consistent. 

An auditor can determine whether a control has been implemented with a test of one transaction. Effectiveness, on the other hand, normally requires a test of transactions. For example, a test of 40 transactions for appropriate purchase orders.

Audit Walkthrough Documentation

While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my favorite is a narrative mixed with screenshots.

So how do I do this?

I interview personnel. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes may require several interviews. 

Early on, I may not know how each personโ€™s work fits into the whole. It’s like gathering puzzle pieces. The interviews and information may feel random, even confusing. But, later, when you put the parts together, the picture speaks more clearly. Then, you’ll understand the accounting system and control environment.

My Audit Walkthrough Tools

I document the conversations using:

  • A Livescribe pen or Notability app on iPad
  • My iPhone camera

Taking Notes

Using a Livescribe pen, I write notes and record the conversations.

I begin the interview by saying, โ€œTell me what you do and how you do it. Treat me as if I know nothing. I want to hear all the details.โ€ (For sample transaction-level walkthrough questions, see my audit series titled The Why and How of Auditing.)

As I listen, I write notes. At the same time, my Livescribe pen records the audio. Later the conversation can be played from the pen. (For more information about Livescribe, see my article: Livescribe, Note Taking Magic (for CPAs). ) See the Livescribe pen on Amazon. Alternatively, use Notability with your iPad. (If you have an iPad, this is the cheaper and better option.)

I find that most interviewees talk too fastโ€”at least faster than I can write. As Iโ€™m writing about the last thing they’ve said, they are moving to the next, and I fall behind. So I write simple phrases in my Livescribe notebook (or Notability app) such as:

  • Add vendor
  • Charlie opens mail
  • P.O. issued by Purchasing
  • Checks signed by the computer

Later, as Iโ€™m typing the walkthrough narrative, I touch the letter “A” in โ€œAdd vendorโ€ with the tip of my pen (I’m doing so in my Livescribe notes). This action causes the pen to play the audio for that part of the conversation. Likewise, touching โ€œCโ€ with the tip of my pen–in โ€œChecks signed by the computerโ€–causes the pen to play that part of the discussion. Since the audio syncs with my notes, I can hear any part of the discussion by touching a letter with my pen. (The same is true of Notability.)

walkthrough of accounting process

Taking Pictures

In addition to writing notes in my Livescribe notebook, I take pictures with my iPhone. Of what? Here are examples (from a payables interview):

  • Invoice with approverโ€™s initials  
  • Screenshot of an invoice entry  
  • If several people are processing invoices, I take a group picture of them at their desks
  • A signed check 
  • The bank reconciliation 

So my inputs into the walkthrough document are as follows:

  • Livescribe or Notability notes and audio
  • Photos of documents and persons 

 Audit Walkthrough Summary

I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:

  • Narrative
  • Pictures
  • Control identification
  • Control weakness identification

Why identify control deficiencies in the walkthrough? So I can link them to my risk assessment summary. The system’s weaknesses tell me where risks exist.

Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So, at the top of the transaction cycle description, I name the persons I interviewed and the date of the conversation. For example:

Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2025. 

Look Beyond the Normal Client Procedures

It’s easy for clients to tell you about normal procedures, but they may not think about unusual situations such as the absence of an employee or how errors are corrected.

Always ask who performs control procedures when a key person is out. Why? If someone canโ€”even though they donโ€™t normallyโ€”perform key controls, you need to know. Why? Such a situation can lead to fraud. For example, if a person does not normally issue checks but can, and that person also reconciles the bank statement, he might issue fraudulent checks. He knows the theft will not be detected through normal controls–in this case, the bank reconciliation.

Always look beyond accounting policies and routine procedures to see what can happen. I often have clients say to me, โ€œJohn is the only one who approves the purchase orders,โ€ for example. But I know this is not true because purchases would cease to occur when John is out. So I ask, โ€œWho issues purchase orders when John is on vacation?โ€

Additionally, ask how errors are corrected. When things go wrong (and they sometimes do), you want to know how they are made right.

internal control weakness

Identification of Controls and Control Weaknesses

As you write your narrative of the accounting system and controls, highlight both controls and control weaknesses.

I note appropriate controls as follows: 

Control: Additions of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.

I note control weaknesses as follows:

Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account. 

Response to Risk of Material Misstatement

The control weakness created by Johnny Mannโ€™s duties increases the risk of theft. My response? I establish audit procedures in my audit program to address the risk such as:

  • Review one monthโ€™s cleared checks for appropriate payees. 

How do you know what audit procedures to perform in response to the risk? Ask, โ€œWhat can go wrong?โ€ and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate.

Communication of Internal Control Weaknesses

Though this article focuses on planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.

The words Control Weakness (as shown above) makes it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies so I can track the disposition of each one. Each weakness is a:

  1. Material weakness
  2. Significant deficiency, or
  3. Other weakness 

I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers). 

See my article about classifying control weaknesses.

Audit Walkthrough Frequency

How often are walkthroughs required?

Answer: Once per year, if this is how you corroborate your understanding of the cycle. While walkthroughs are not specifically required in the audit standards, you do need to verify your understanding of the accounting system and related controls. And I know of no better way.

walkthrough frequency

AICPA Guidance on Walkthrough Frequency

TIS Section 8200.12, as issued by the AICPA, states the following:

auditors might perform a walkthrough of significant accounting cycles every year

If we’ve documented walkthroughs in prior years, then we need to do so again in the current year to prove the continuing relevance of the audit documentation. 

The Value of Walkthroughs

Walkthroughs tell us where risks are so we can plan our engagements to detect material misstatements.

Additionally, they allow us to add value to our audits. Clients want more than just an opinion. They desire to keep assets safe and to maintain accurate records. Well written management letters that highlight control weaknesses allow you to do just that. Time to start walking.

Risk Assessment Book

See my book on Amazon: Audit Risk Assessment Made Easy.

Audit Walkthrough Video

Hereโ€™s a video that explains walkthroughs. Itโ€™s an explanation of chapter 7 from my Audit Risk Assessment Made Easy book.