Audit & Statutory Audit | 22 March 2026

How to conduct an audit: 6-phase method and tools for 2026

Conducting an audit requires mastering scoping, evidence collection, internal control evaluation and report writing. Here is the complete method.

Samuel HAYOT

Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.

Updated April 2026 - Knowing how to conduct an audit is not about applying a checklist. It means running a structured process for evaluating a situation (accounts, processes, compliance) against a reference framework, with documented evidence and actionable conclusions. Audits that fail — producing useless reports or mobilising teams for nothing — almost always go wrong at the scoping phase.

The 5 types of audit and their specific method

Before conducting an audit, you need to identify which type you are performing. The method varies accordingly.

1. Statutory audit (commissariat aux comptes) is governed by the NEP professional practice standards published by the H2A. It targets certification of annual financial statements. Its method is standardised, with mandatory planning, internal control evaluation and defined substantive procedures.

2. Contractual audit (contribution audit, due diligence) is commissioned by the company or a third party. The method is defined in the engagement letter; it follows the main audit phases but with a negotiated scope and deliverables.

3. Internal audit evaluates internal control and governance systems. It follows the IFACI (French Institute of Audit and Internal Control) standards. Its methodology includes annual planning based on a risk map.

4. Operational audit examines business processes (procurement, sales, logistics, IT systems). It is not subject to a legal standard but follows general audit principles: objective, scope, risks, evidence, conclusions.

5. Compliance audit verifies adherence to a reference framework (GDPR, ISO, internal standard, contract). Its method is based on the gap between the current state and the target framework.

Phase 1 — Scoping the engagement

Scoping is the most underestimated phase. Yet it determines whether the audit will produce value or noise.

The engagement letter formalises six elements: the audit objective, the covered scope (entities, periods, processes), the evaluation criteria (IFRS, French GAAP, internal benchmarks), the expected deliverables (report, executive summary, action plan), the timetable and the resources mobilised. It is signed by both parties before work begins.

Entity familiarisation completes the scoping: sector, business model, legal structure, inherent risk map, history of previous anomalies. An auditor who starts without this knowledge produces a generic report with no real added value.

Phase 2 — Familiarisation and risk identification

Familiarisation is not a formality. It determines the quality of everything that follows.

In practice, it combines three approaches:

  • Document review: financial statements, internal procedures, previous reports, management dashboards
  • Stakeholder interviews: CEO, CFO, operational managers, legal department. The goal is to understand how the business actually works, not how procedures say it should work
  • Preliminary analytical review: comparison of key ratios (margin, liquidity, stock turnover) with prior periods and sector benchmarks

This phase produces an identification of significant risks, meaning the areas where a material anomaly is probable or possible. These risks drive the work plan for the next phase.

Phase 3 — Internal control evaluation

Internal control evaluation answers a simple question: do the company's processes genuinely protect against the identified risks?

The method has three steps:

Process mapping: description of information and authorisation flows for each significant process (purchase-to-pay, order-to-cash, payroll, treasury). We document who does what, who approves, who records.

Identification of strengths and weaknesses: strengths are effective controls (dual approval, automated reconciliation, segregated IT access). Weaknesses are areas where an expected control is absent or defective.

Walk-through tests: we trace a transaction from start to finish to verify that the described process is the one actually applied. A walk-through of 5 to 10 transactions per key process is generally sufficient to validate or invalidate the description.

Phase 4 — Substantive procedures

Substantive procedures provide direct evidence that figures are correct (or not). They fall into two categories.

Analytical procedures compare figures against external or historical benchmarks. For example: if revenue increases 20% in a quarter but gross margin stays flat, that is a signal of a potential anomaly requiring investigation. Stock turnover ratios, debtor days and creditor days are among the most revealing.

Detail tests involve verifying the reality of specific transactions against source documents. Sampling is the standard technique: select a subset of transactions (15 to 50 items depending on materiality), request the corresponding supporting documents, verify the economic reality, correct accounting treatment and appropriate authorisation. External confirmations (bank confirmations, debtor confirmations) supplement internal evidence.

Phase 5 — Synthesis and conclusion

The synthesis phase is where the auditor transforms raw observations into professional judgement.

The materiality threshold is the amount below which an anomaly is not considered material. It is generally set between 0.5% and 2% of total assets or revenue. This threshold is calculated at the planning stage and drives validation decisions: time is invested on accounts that could exceed this threshold.

Anomaly classification distinguishes material errors (which exceed the materiality threshold and influence the final report), immaterial errors (recorded in the working papers but without impact on the conclusion) and internal control weaknesses (which do not necessarily affect the accounts but expose the company to future risk).

Working papers must enable a third-party auditor to reconstruct the reasoning behind each conclusion. This is the foundation of the auditor's professional liability.

Phase 6 — Audit report

The report is the final deliverable of the engagement. Its format varies by audit type.

For a statutory audit, conclusions are formalised in a certification report with four options: unqualified opinion, qualified opinion, adverse opinion, and disclaimer of opinion. Each qualification or adverse opinion must be specifically justified.

For a contractual or operational audit, the report includes an executive summary, description of findings, associated risk assessment (critical/major/moderate/minor), prioritised recommendations with an owner and implementation horizon, and a formalised action plan.

Recommendations are where an audit delivers its real value. They must be specific, actionable, prioritised and measurable. A recommendation such as "improve internal control" has no value. A recommendation such as "implement electronic dual approval for bank transfers above EUR 10,000, owner: CFO, deadline: 30 days" is actionable.

Audit tools in 2026

CAATs (Computer Assisted Audit Techniques) allow analysis of an entire population of transactions rather than a sample. IDEA, ACL and the native tools of Power BI and Python can detect duplicates, out-of-range transactions, payments outside normal business hours, or missing invoice number sequences.
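As an illustration of the four full-population tests named above, here is a short Python sketch. It is an added example, not code from a specific audit tool; the journal rows, the `INV-` numbering scheme, the 08:00 to 19:00 business hours and the EUR 50,000 limit are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample journal: (invoice no., supplier, amount in EUR, payment timestamp).
LEDGER = [
    ("INV-1001", "ACME", 1200.00, "2026-01-12 10:15"),
    ("INV-1002", "BOLT", 310.50, "2026-01-12 14:40"),
    ("INV-1003", "ACME", 1200.00, "2026-01-12 16:05"),   # same supplier, amount, day
    ("INV-1005", "CORE", 98000.00, "2026-01-13 09:30"),  # INV-1004 is missing
    ("INV-1006", "BOLT", 450.00, "2026-01-17 23:50"),    # Saturday, late evening
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def duplicates(rows):
    """Invoices sharing supplier, amount and payment date (possible double payment)."""
    groups = defaultdict(list)
    for inv, supplier, amount, ts in rows:
        groups[(supplier, amount, parse(ts).date())].append(inv)
    return [invs for invs in groups.values() if len(invs) > 1]

def sequence_gaps(rows):
    """Invoice numbers absent between the lowest and highest number seen."""
    seen = {int(inv.split("-")[1]) for inv, *_ in rows}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def off_hours(rows, start=8, end=19):
    """Payments at weekends or outside start..end (assumed business hours)."""
    flagged = []
    for inv, _, _, ts in rows:
        t = parse(ts)
        if t.weekday() >= 5 or not (start <= t.hour < end):
            flagged.append(inv)
    return flagged

def out_of_range(rows, limit=50_000):
    """Amounts that are non-positive or above an assumed approval limit."""
    return [inv for inv, _, amount, _ in rows if amount <= 0 or amount > limit]

if __name__ == "__main__":
    for test in (duplicates, sequence_gaps, off_hours, out_of_range):
        print(f"{test.__name__}: {test(LEDGER)}")
```

Each flagged item is a lead for a detail test against source documents, not a finding in itself.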

AI-based anomaly detection is becoming widespread in audit firms. These tools analyse accounting journals in bulk (FEC format) and flag statistically atypical entries. They do not replace auditor judgement but significantly reduce the time spent searching for anomalies.

Hayot Expertise Advice: the quality of an audit is measured less by the volume of the working paper file than by the relevance of the findings and the report's capacity to generate concrete decisions. An audit that produces 5 well-argued critical recommendations is infinitely more valuable than a 200-page report without clear prioritisation.

Conclusion

In 2026, conducting an audit effectively requires mastering six distinct phases: rigorous scoping, thorough familiarisation, internal control evaluation, targeted substantive procedures, documented synthesis, and actionable reporting. The quality of each phase conditions the value of the next. A poorly scoped audit produces a generic report; a report without prioritisation generates no decisions; an engagement without working papers exposes the auditor to significant professional liability.

(Official sources: H2A NEP 200, France Num / CNIL for GDPR evaluation, Bpifrance Creation on management dashboards)

Frequently asked questions

How long does a business audit take?

Variable depending on size and complexity: 3 to 5 days for a targeted audit (GDPR compliance, procurement process), 15 to 90 days for an annual statutory audit of an SME, several months for a large company acquisition audit. Duration also depends on the quality of available documentation.

What is the difference between internal audit and external audit?

Internal audit is performed by company employees to improve processes (IFACI standards). External audit is conducted by an independent third party (statutory auditor, specialist firm) to certify or validate, with an assurance of independence that third parties recognise.

Which documents should be prepared before an audit?

Bank statements, invoices and accounting records, current contracts, depreciation schedules, documented internal processes and procedures, tax and payroll returns for the past 3 financial years, governance organisation chart. Well-organised documentation significantly reduces the duration and cost of the engagement.

How do you choose the right auditor for your company?

Verify registration with the H2A for statutory audit, request sector references, ensure independence from other already-performed engagements, and compare engagement letters on scope and method. The size of the audit firm should be consistent with the size of the company being audited.

Article written by Samuel HAYOT

Chartered Accountant, registered with the Institute of Chartered Accountants.
