A compliance audit can be one of the most straightforward audits out there OR it can drive an auditor absolutely nuts. Since an audit is defined as the evaluation of a subject matter against criteria, an auditor’s level of sanity hinges on how clear the criteria are.
The GAO gives us a long list of what qualifies as criteria inside the 2018 Yellow Book:
8.124 Criteria: To develop findings, criteria may include the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated.
Notice that the list starts with auditor favorites – laws, regulations, contracts and grant agreements. What nice foundations to base your compliance audit on, right?
The client can’t exactly argue with these criteria, otherwise they would break the law or a contract. Notice that the types of criteria get less and less convincing and mandatory as you move to the end of the list.
A compliance audit needs super-specific criteria
But even those seemingly solid criteria at the beginning of the list can be troublesome. When the law, regulation, contract or grant agreement is vague – and that happens quite a bit – the auditor is left having to make personal interpretations, and these personal interpretations may not jibe with the client’s interpretation, and voilà! Crazy Town!
Reasonable and necessary?
One of my customers was responsible for auditing charity bingo operations. The state regulated the charitable bingo operations and taxed their profits to support other state programs.
Profit in the state regulations was defined as sales proceeds less … wait for it… ‘reasonable and necessary’ business expenses. Anyone see a problem here?
What is reasonable and necessary to one person is frivolous and wasteful to another. I have this sort of discussion with my husband all the time. “Hon,” I plead, “is it really necessary to buy yet another power saw? You already have three.”
These auditors were duking it out with the operators over small and large expenditures. One auditor found that a bingo operator was expensing a BBQ party for customers and staff after every game. Since the auditor loved BBQ, he rearranged his schedule so he could enjoy the festivities.
Years later, another auditor wrote a scathing finding questioning the parties and asked the operator to pay more tax. The operator was stunned at the inconsistency between auditors and fought hard against the finding because they reasoned that the party was a reasonable and necessary marketing expense.
So, which auditor is right? Well, both are, because the criteria (“reasonable and necessary”) are vague.
What is an auditor to do with vague criteria?
First of all, the auditor should see if they can get the auditee to agree to more specific criteria BEFORE they begin the audit. You know the auditee is not going to agree to more specific criteria after you have already written them up!
Another solution is to ask regulators, lawmakers, grantors and contract authors to tighten up the criteria. A contract is obviously easier to change than a law.
Another option is to not audit that particular subject matter at all. Many auditors have a choice in what they audit and what they don’t audit. Instead of going around and around with the client, the auditor could point out the flaw in the criteria, suggest a way to resolve it, report the situation to the oversight body, and move on to another pressing risk.
Or maybe, if the whole audit team is really bothered by the auditee’s interpretation, the auditor can work with some sort of proxy subject matter and criteria that would motivate the auditee to change their behavior. For instance, these auditors could have mildly shamed the bingo hall operators by publishing a report of all operators that contrasts the gross revenues to the revenues that are taxable. Bingo halls that exhibited a suspiciously small amount of profits might be questioned by the oversight body.
But what will happen most often is the auditor will have to become a little more flexible. The auditor will have to accept that the auditee’s interpretation is different but valid. Maybe they do need four power saws, excuse me, a BBQ party after every game!
So if a compliance audit is causing you to argue with the client, pause and reconsider your audit criteria.
For more on how to stay sane on a compliance audit, check out this short video course entitled: How to Tackle a Challenging Audit Objective.