Auditors evaluate not only the existence of internal controls but also their consistent implementation, documentation, and effectiveness in practice. Written policies, timely approvals, and thorough corrective action plans are essential to demonstrating operational readiness and control reliability during audits.
Key Insights
- Auditors require internal controls to be documented, approved, implemented, and followed; undocumented or inconsistently applied controls are treated as ineffective, regardless of intent or design.
- Audit procedures focus on verifying execution through supporting documentation such as reconciliations, time and effort records, procurement files, and subrecipient monitoring evidence; if documentation is missing, the control is considered nonexistent.
- Corrective action plans must be prompt, specific, implemented in full, and supported by evidence; vague or late CAPs, or those lacking documentation, often lead to repeat findings and raise concerns about governance and accountability.
This lesson is a preview from our Grants Management Certificate Program. Enroll in a course for detailed lessons, live instructor support, and project-based training.
One of the most common disconnects auditors see begins with a simple exchange. Organizations say, “We have controls.” Auditors respond, “Show us.”
Documented internal controls are not optional — they are a core audit requirement. Policies must be written. Auditors expect key grant functions to be governed by written policies and procedures. If a process exists only in someone’s head, it does not exist for audit purposes.
Written policies demonstrate consistency, institutional knowledge, and continuity despite staff turnover. Practices that are not documented cannot be tested, validated, or relied upon.
Policies must also be formally approved. Approval matters. Auditors look for evidence that policies were adopted by the appropriate leadership, authority, or governing body and were in effect during the audit period. Draft policies or undated procedures are frequent audit findings.
But having a policy is not enough — it must be implemented. Auditors will test whether staff follow the policy, whether approvals, reviews, and reconciliations actually occur, and whether systems reflect policy requirements. A policy that is not operationalized is treated the same as having no policy at all.
This is where many audit findings occur. Auditors compare what the policy says, what documentation shows, and what staff actually do. When practice does not match policy, auditors document a control failure — even if the policy itself is well written.
From an audit perspective, strong internal controls are written, approved, implemented, followed, and documented. If any one of these elements is missing, the control is considered ineffective.
After reviewing written policies, auditors immediately ask the next question: “Show us the evidence.” Auditors do not rely on intent. They rely on documentation proving that controls were executed.
Reconciliations. Auditors expect to see regular reconciliations, evidence that they were completed on time, and review by someone independent of the preparer. Missing reconciliations — or reconciliations without review signatures — are common control deficiencies.
Approval signatures. Approvals must be documented, dated, and completed by authorized personnel. Auditors test whether approvals occurred before transactions — not after the fact. Undated or retroactive approvals weaken control effectiveness.
Procurement documentation. Auditors look for solicitation records, cost or price analyses, vendor selection documentation, and contract files containing required clauses. A compliant procurement process that is poorly documented is treated as noncompliant.
Time and effort records. Documentation must reflect actual work performed, align with payroll charges, and be reviewed and approved. Auditors frequently trace labor charges back to certified time records to validate allowability and allocability.
Subrecipient monitoring files. Auditors expect complete files that include risk assessments (both pre- and post-award), monitoring plans, site visits, reports, desk reviews, follow-up actions, corrective actions, and relevant communication. Missing monitoring evidence is one of the most common findings for pass-through entities.
From an auditor’s perspective, if it is not documented, it did not happen. Strong internal controls are proven through consistent execution, timely and contemporaneous documentation, and clear audit trails.
Evidence alone, however, is not enough. Auditors also evaluate effectiveness. They are not just asking, “Do you have controls?” They are asking, “Do those controls actually work in practice?”
Testing controls means verifying that controls were performed as designed, operated consistently throughout the audit period, and prevented or detected errors and noncompliance. A beautifully written policy that is inconsistently applied is not an effective control.
Auditors commonly test controls by selecting samples of transactions, tracing transactions from initiation to final approval, reviewing documentation for completeness and authorization, and interviewing staff to confirm understanding and execution. If staff describe a process differently than what documentation reflects, that signals a breakdown.
This is where “in practice, not just on paper” becomes critical. Auditors compare what the policy says, what staff say they do, and what documentation actually shows. Any misalignment among these three increases the risk of a control deficiency.
Common control testing failures include approvals occurring after transactions, undocumented reviews, controls skipped during high-volume periods, incompatible duties performed by one person, or controls that exist but are not applied consistently. These issues often result in findings — even when fraud did not occur.
Effective internal controls are properly designed, consistently executed, adequately documented, and periodically tested. From an audit perspective, controls that are not tested are assumed to be unreliable.
When an exception is identified, auditors do not expect perfection — they expect readiness.
If an auditor identifies an exception, they expect the organization to acknowledge it promptly, explain what happened, demonstrate awareness of the issue, and show that corrective steps are underway or completed. Silence, confusion, or defensiveness raises immediate red flags.
Auditors understand that procedures are sometimes bypassed. What they want to know is why the deviation occurred, whether it was authorized, whether it was isolated or systemic, and what corrective actions were taken. Unexplained deviations are often treated as control failures.
Late financial or performance reports trigger scrutiny. Auditors expect entities to explain the cause of delays, how internal controls identified the issue, and how timelines are being corrected. Repeated delays without documented explanations frequently result in findings.
If documentation is missing, auditors expect a clear explanation, evidence that the issue was identified internally, and steps taken to prevent recurrence. Saying “we’re still looking for it” without a timeline is not sufficient.
Auditors also review prior audit findings. They expect entities to recognize past weaknesses, explain corrective actions taken, and demonstrate whether controls are now functioning effectively. Failure to address prior issues often escalates findings into repeat deficiencies.
Audit readiness is not about having no issues. It is about being able to explain issues clearly, quickly, and confidently — with documentation to support the explanation. Organizations that can do this signal strong governance, even when exceptions occur.
One of the most heavily scrutinized areas in any audit is the Corrective Action Plan (CAP).
Auditors evaluate not just whether a CAP exists, but how well it was designed, executed, and sustained.
Timeliness. Corrective action plans should be initiated promptly after an issue is identified. Delays signal weak governance, lack of ownership, or underestimation of risk. A late CAP often raises more concern than the original finding.
Specificity. Vague language is a red flag. CAPs should clearly state what went wrong, what will change, who is responsible, and when completion will occur. Statements such as “staff will be reminded” or “procedures will be reviewed” are not sufficient.
Evidence. Auditors expect documentation demonstrating that corrective actions occurred — controls were updated or redesigned, training was conducted, and systems or workflows were modified. Promises without evidence do not close findings.
Full implementation. Partial implementation is treated as non-implementation. Auditors test whether new controls are operational, whether staff follow the updated process, and whether the issue no longer occurs. If the problem persists, the finding becomes a repeat finding.
Follow-up documentation. Auditors and pass-through entities revisit prior CAPs. They expect proof of implementation, monitoring, and sustainability. Inadequate documentation during follow-up often results in escalation.
Corrective action plans are not paperwork exercises. They are evidence that organizations are learning, adapting, and strengthening internal controls. Strong CAPs demonstrate accountability and are one of the fastest ways to rebuild auditor confidence.