Staying on track on an audit is mighty tough! Especially when you are using tools created by someone else who isn’t on your audit. Keep this list of the steps of performing an audit handy so that you know where you are and what you need to do next.
The 14 Steps of Performing an Audit
- Receive vague audit assignment
- Gather information about audit subject
- Determine audit criteria
- Break the universe into pieces
- Identify inherent risks
- Refine audit objective and sub-objectives
- Identify controls and assess control risk
- Choose methodologies
- Budget each methodology
- Formalize the audit program
- Perform & document audit methodologies
- Draft findings
- Finalize report
Last time, we covered steps 1-3. Let’s work on 4-6 in this post.
Step 4: Break the Universe into Pieces
In order to approach an audit effectively, you must break down the audit universe into manageable chunks. Instead of saying that you will examine the whole earth, you will look at just the continent of Europe. Even more specifically, you will examine just Italy. Still more specifically, you will look at just one city in Italy – Florence.
But Florence is still too big of an audit subject. I can’t think of a way to audit Italy or Florence because the subject is too broad (but I would love it if someone would pay me to hang out there for a year trying). You can’t assess risk on Florence.
How about the cathedral or Duomo in Florence? Getting closer. How about verifying that the front pew of the Duomo in Florence is clean? Now you can work with that.
The audit objective, “Is the front pew of the Duomo clean?” makes me quite happy. Why? I can intuit a methodology (a technique for answering that question). I can think of a few ways to verify that the front pew of the Duomo is clean.
Now what is G.R.E.A.T. about the risk assessment SASs is that they divide the financial statement universe up into bite-sized chunks for you—the chunks are the elements of the financial statements and the related management assertions.
Other standard-setting bodies, such as the GAO (Yellow Book) and the Institute of Internal Auditors, don’t give us much help. We are left to our own devices. And believe me, some auditors are more than qualified to create some wacky devices!
So on a performance audit or a compliance audit, you must come up with your own way to divide the universe into bite-sized pieces. This can be one of the more challenging phases of the audit. Simple example: on a compliance engagement, the chunks of the audit universe might be the 30 compliance requirements for the grant. (In the next step of the inherent risk assessment, we’ll decide which three of the 30 chunks deserve our attention, because we can’t audit all 30!)
Step 5: Identify Inherent Risks
We seriously overuse the word “risk” in the audit profession, and it can get very confusing to distinguish between risks, but I am going to try.
I have heard inherent risk described as “risk in the absence of controls.” Not that helpful, right?
We should first look at the definition of inherent:
in·her·ent (ĭn-hîr′ənt, -hĕr′-)
Existing as an essential constituent or characteristic; intrinsic.
And the definition of risk:
risk (rĭsk)
1. The possibility of suffering harm or loss; danger.
2. A factor, thing, element, or course involving uncertain danger; a hazard: “the usual risks of the desert: rattlesnakes, the heat, and lack of water” (Frank Clancy).
Inherent risk is the risk that exists just because of the nature of the item. This is how the AICPA’s clarified auditing standard AU-C 200 explains inherent risk (remember, the AU-Cs apply only to financial audits… so you will have to analogize here):
.A42 Inherent risk is higher for some assertions and related classes of transactions, account balances, and disclosures than for others. For example, it may be higher for complex calculations or for accounts consisting of amounts derived from accounting estimates that are subject to significant estimation uncertainty. External circumstances giving rise to business risks may also influence inherent risk. For example, technological developments might make a particular product obsolete, thereby causing inventory to be more susceptible to overstatement. Factors in the entity and its environment that relate to several or all of the classes of transactions, account balances, or disclosures may also influence the inherent risk related to a specific assertion. Such factors may include, for example, a lack of sufficient working capital to continue operations or a declining industry characterized by a large number of business failures.
A great place to start when imagining inherent risk is to ask, “What could go wrong?” and then, “Do I care about what could go wrong?” If you are a nerd like me, you’ll want to get more detailed and methodical in your assessment. That is where the three facets of inherent risk come in.
As best as I can determine (and my perspective on inherent risk continues to evolve), inherent risk can be viewed from three perspectives:
- Generic risk
- Fraud risk
- “Flipside of criteria” risk
A local internal auditing and risk assessment guru, Dr. David Crawford, developed a master list of risks. It is kind of a sick list, but it’s true. A risk is anything that would result in:
- Loss of money
Would a contaminated river in a tourist town known for its tubing, rafting and swimming cause any of the above risks? Yep, it would cause all of them. Death and injury could occur to a young tuber, rafter, or swimmer. Shame could be brought upon the region for injuring scores of tourists. Obviously, tourists will make alternative travel arrangements when they find out the river is contaminated and the town will lose revenues.
These risks can be called generic risks: risks that apply every time an action is taken. Leaving the house and getting on the freeway puts drivers at risk for most of these! These risks are simply a part of life.
And then you have to consider fraud risk, which is the risk that someone will rip off the entity or mislead the entity in some significant way. Fraud is often defined as:
- A deception deliberately practiced in order to secure unfair or unlawful gain.
The Certified Fraud Examiners divide fraud into three main categories: corruption, asset misappropriation, and fraudulent statements. Fraud risk for the river in the tourist town might include collusion between the city employees responsible for water safety and the largest resort on the river. The owner of the resort might bribe city employees to overlook poor water quality during peak tourist season so that the resort can keep making money.
Want to delve deeper into fraud? Check out An Auditors Responsibility for Fraud self-study course.
What is the risk that the client will not meet the audit criteria? Or that they will not achieve what their activities are designed to achieve?
In our river example, the city is working to achieve economic prosperity through hospitality. A contaminated river will not help them with either.
Let’s switch the example: Let’s say you are evaluating whether all school children below the poverty level receive free lunch. On the flip side, a kid above poverty level could be enjoying free lunch or the kids below poverty level could either be paying for lunch or not getting lunch at all (Now I am really upset!).
Let’s say you are looking to determine whether bond disclosures are complete in the financial statements. The flip side of the “completeness” criteria is that the disclosures are NOT complete: the client left something out of the financial statements.
Imagine if several large bond issues were left out of the schedule and the bond-rating agency relied on that information to create the bond rating. And what if, after additional bonds were issued, the issuers and the bond-rating agency discover that the client had exceeded their debt limit, causing them to downgrade their credit rating and to call several series of bonds for immediate payment? Did I just take it too far? 🙂
Step 6: Refine the audit objective
Now it is time to refine that vague audit assignment so that you can work with it. The audit universe has, up until this point, been too broad, too universal. “Express an opinion on the financial statements?” “Verify compliance with grant requirements?” Those include an awful lot of information and detail that you are not going to be able to verify.
But now that you know where the risks are, you can narrow your focus.
For instance, for our financial statement audit you may decide that cash receipts deserve some attention. You might even state the objective in terms of the management assertions. For instance, “Are cash receipts complete?”
For more on what makes a good objective, see https://yellowbook-cpe.com/audit-objectives-run-the-show-on-a-performance-audit.html
Next time – three more steps!