Clients will often ask why we complexify certain types of audit procedures. Why do we perform our testing procedures the way we do? One of the audit testing concepts we adhere to in our audits is the following: Performing “downstream” and “upstream” test procedures. Let me explain what these concepts are in the context of an easier audit area — Physical Access. The audit objective for physical access testing is easy to understand. We want to see that “right people/right access.” Confirming this is a little more involved.
Downstream Testing – For physical access testing, this involves obtaining a list of active key card holders, selecting a sample based on the tables noted with the AICPA Audit Sampling Guide, and determining with the assistance of the client and a review of documentation whether the active key card holders were 1) duly authorized and 2) whether their access is still authorized. Easy right? Yes, this audit procedure is easy. The next audit procedure (“upstream” testing) is slightly more difficult, but still it is not difficult.
Upstream Testing – This audit procedure requires that the activity log for the period being reviewed is obtained from the key card system. An unmatched query should be run against the list of active key card holders to determine which activity log entries do not match to a key card holder. Select a sample of these entries and work with the client to figure out if that access was appropriate at the time it occurred.
There are other aspects to physical access testing not covered in this blog post, such as: termination testing (e.g., employee, contractor, client, vendor), inspection of key card stock, accounting for assigned key cards, and last accessed date analytics. Suffice it to say that audit testing is multi-faceted and more complex than the simply stated objective of “right people/right access.”