An audit program is a simple but powerful document. Audit programs can:
- link the audit objective to the methodologies to the underlying evidence gathered
- summarize the evidence gathered and results of methodologies performed
- set forth a systematic plan for each phase of the audit work
- document when methodologies were completed and reviewed
- allow supervisors to assign, control, and evaluate the progress of the audit work
- allow reviewers to compare what was performed with what was planned
- train inexperienced audit staff on the steps involved in the audit & reduce the amount of direct supervision
- familiarize subsequent auditors with the work performed
- identify who performed the methodologies and who reviewed the working papers
- categorize the type of evidence gathered (physical, documentary, or testimonial)
Wow, that is a lot for one document to do! I think of the audit program as the hub of a wheel and all of the other audit documents as the spokes because the audit program can link the objectives to the audit methodologies, the evidence gathered, the results of the methodologies, the findings, and even to the audit conclusion. It is the first place I go when I review a set of working papers to get a sense of what the audit was about.
Here is an example of what one looks like: audit of fixed assets audit program I am not saying I am in love with this one… it is just a format example! The website AuditNet has over 3000 audit programs for you to peruse. But I don’t recommend that you use someone else’s audit program, if you can help it…
Create your audit program from scratch
I was hanging out with an eight-year-old recently and she and I decided we needed a snack—some popcorn. So we went into the kitchen and she watched as I got a big pot out from under the stove and added oil and kernels. She gave me a funny look and said “What are you doing?” When I told her I was popping popcorn, she gasped, “IN A POT!!??!!”
After she tasted the results—I use real butter and Orville Redenbacher popcorn—she was a convert. Come to find out she was had only ever eaten quickie popcorn from a microwave. She didn’t even know that it would work on the stove top.
So, my question to you is “What are you doing?” Are you standing by the microwave screaming for it to finish and then eating the mediocre results or are you creating a fresh, risk-based audit program? The difference is palatable.
Auditors complain to me all of the time that they spend most of their days checking off forms and filling in blanks on templates created by someone else. Auditing is NOT checking off boxes. The greatest thing about auditing is that we get to use our brains and create something from nothing. We don’t have to eat that junk food out of the microwave if we just make a tiny bit more effort.
So How Do You Create a Fresh, Customized Audit Program?
1. Start Out with a Good Question
First, you start out by having a very clear audit objective (for more on that see past newsletters). Ideally, this audit objective is phrased as a question. For instance, “Are children receiving free lunch eligible as defined by federal grant terms?” “Is the hospital guarding its surgical equipment from theft?” “Is that Orville Redenbacher popcorn?”
2. Brainstorm How to Answer the Question
Your next step is to sit down and think about a variety of ways that you could get to the answer to that question.
I suggest that you do this with others. Fellow auditors and the client may come up with some excellent ideas on steps that you can take to answer that question.
3. Consider Bang
After coming up with a list of possible audit steps—assess each step to determine two things:
- What kind of evidence is it going to yield?
- How many resources is it going to consume?
You want to perform the steps that give you the most bang for your buck. Bang comes from gathering strong evidence at the lowest possible cost. We talked about how to judge whether a methodology has bang in our last post.
4. Add Reminders
And to save yourself a headache when it is time to write the report, make sure that your audit programs remind you to gather evidence to support every element of your findings.
Most audit programs get us plenty of condition and criteria evidence, but fail to gather any juicy effect statements or even to dig in to find the root cause. Add steps to your program—yes, literally add steps to your program!—that say “For any audit issues/findings, gather evidence to support the effect.” “For any audit issues/findings, find out and gather evidence on the cause of the issue.”
I’ve seen auditors unable to complete their report when they get back to the office because they had failed to gather the cause and effect during fieldwork.
Progress with the steps of an audit
Where are we in the steps? We just finished step #10.
The 14 Steps of Performing an Audit
- Receive vague audit assignment
- Gather information about audit subject
- Determine audit criteria
- Break the universe into pieces
- Identify inherent risks
- Refine audit objective and sub-objectives
- Identify controls and assess control risk
- Choose methodologies
- Budget each methodology
- Formalize the audit program
- Perform & document audit methodologies
- Draft findings
- Finalize report
But I feel I would be remiss if I failed to tell you about audit plans. So let’s talk a little about those for a minute, because you might be required to document one at this point in the audit process.
Depending on which audit standards you follow, you might call an audit program and audit plan or an audit strategy. The IIA, the GAO, and the AICPA are not in alignment regarding this terminology, at all!
But in my mind, the audit program and the audit plan are different. An audit plan is a memo that includes a discussion of risk and how the auditor responded to that risk. Audit programs generally do not describe risks.
Here is what the GAO says about an audit plan in the performance auditing standards:
8.33 Auditors must prepare a written audit plan for each audit. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit.
8.34 The form and content of the written audit plan may vary among audits and may include an audit strategy, audit program, project plan, audit planning paper, or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and the auditors’ basis for those decisions.
8.35 A written audit plan provides an opportunity for audit organization management to supervise audit planning and to determine whether
a. the proposed audit objectives are likely to result in a useful report;
b. the audit plan adequately addresses relevant risks;
c. the proposed audit scope and methodology are adequate to address the audit objectives;
d. available evidence is likely to be sufficient and appropriate for purposes of the audit; and
e. sufficient staff, supervisors, and specialists with adequate collective professional competence and other resources are available to conduct the audit and to meet expected time frames for completing the work.
Don’t you just love 8.35a? Before you go perform all of the methodologies you have described in your audit program and audit plan, take a few deep breaths. Imagine what your resulting audit report is going to say and ask yourself if anyone is going to care. And if the answer is no, stop right now and change course.
Don’t beat yourself up over it if you have somehow gone down a boring and uninteresting path; at least you caught it before you spent any more time on it or published a boring report. Bravo. That is why, now, at the end of planning, the GAO councils you to stop, write things down, consider the outcome, and have your leadership buy into your plan. This is the last chance to course correct before you enter the fieldwork phase.
Next time, documenting audit fieldwork!