I noted that some audit firms focus on checking supporting documents and others focus on accounting processes, control procedures, internal control environment, enterprise culture, … Which one is right?
Either method may be used, depending on the audit strategy chosen by the engagement auditor. Auditing standards allow auditors to choose whether to trust an enterprise's control systems or not after considering the feasibility and available resources.
If auditors choose to trust the enterprise's control systems, they should implement procedures to understand, evaluate and test the enterprise's internal control procedures. If the test results are successful, the audit risk will be reduced (because the control risk is assessed at a lower level), so procedures for checking supporting documents are not the focus. However, if the test results are unsuccessful, auditors will have wasted effort and time and will have to go back to a strategy that focuses on detailed document checking.
Conversely, if auditors choose not to trust the internal control system of the enterprise, they will have to perform many detailed inspection procedures on documents to reduce the audit risk to an acceptably low level.
However, for enterprises with too many transactions, a strategy of detailed document inspection will not be feasible because of limited resources and time. In this case, only the strategy of choosing to trust the company's control system can yield sufficient and appropriate evidence for the auditor's opinion.
Depending on the specific audit circumstances and the available resources, the auditor will select an optimal audit strategy that both meets the audit objectives and is efficient in effort, time, and cost.