Last week, I walked us through an example finding and showed how to support the finding with evidence. This week, I want to talk more about how you get there.
As you will see, in order to reduce the hassle of documenting audit findings, it is best to start thinking about the elements very early in the audit process.
Start with the risk assessment when documenting audit findings
One of the biggest time-wasters on an audit is doubling back after you have finished the audit trying to find evidence to support what you want to say in your finding. Instead, PLAN on supporting the finding from the get-go!
I integrate the elements of a finding into my risk assessment. That way, when the risk assessment is done, the finding is pretty well-written.
Most audit teams follow these steps in conducting a risk assessment:
- Breaking the subject matter into small enough pieces to run through a risk assessment (those may be smaller pieces of the subject, steps of the process, or compliance items)
- Assessing inherent risk on those pieces
- Refining the audit objective to address those inherent risks
- Assessing control risks relevant to the audit objective
- Designing fact-based and control-based tests to address the inherent and control risks identified.
Do you see the elements of a finding in there?
In order to assess inherent risk, auditors ask “What could go wrong?” and “So what?”
The condition statement of a finding answers the question, “What could go wrong?” and the effect statement of a finding answers the question, “So what?”
So far our risk assessment has tackled 2 elements; only 3 to go!
The audit objective naturally includes the audit criteria and that criteria is the same criteria you can use in your audit finding.
3 tackled; only 2 more elements to go.
And the GAO councils us in Yellow Book section 8.117 that the cause of an audit finding is an internal control weakness. So you have uncovered the cause when you do your control risk assessment.
Sweet! We have covered the condition, effect, cause and criteria. Only the recommendation element is left.
Now crafting a recommendation is super easy because the recommendation resolves (or mirrors) the condition and the cause.
Stick a fork in that finding; it is D.O.N.E!
Write it out and sit with it
Now that you have completed the risk assessment, draft the finding. Now sit with it for a few days and ask yourself if you would be proud to report this to the client.
Put yourselves in the client’s shoes and think about whether you would be interested in this finding.
If not, go back and rejigger the risk assessment. If that yields nothing, you may want to halt this particular audit project entirely.
Design your tests to support the elements
Once you are finished with the risk assessment and you feel that your resulting finding will interest the client, it is time to design your testing.
In general, you will perform a test of fact to support your condition and effect statements, and tests of controls to support your cause statement.
Then when you perform those tests, you should find the support you need for the finding. This of course assumes you were on the right track with your risk assessment!
Now take those testing results and create the finding you envisioned, and voilà, you are most of the way there.
Before the report is issued…
What? That sounds too perfect?
Yes, you are right. That process I just described is a little too pat and simple. That isn’t how most audits turn out; audits are more fluid than that.
Often, as you gather information and perform testing, new risks crop up. Sometimes the project goes completely off the rails due to scope creep, client issues, or audit leadership.
Therefore, the team needs to make double sure that it is documenting audit findings before the report is issued.
This means that somewhere in the audit documentation review process, someone ties every statement in the audit report back to the supporting evidence.
Auditors call this ‘cross-referencing’ and it is a tedious task. But you want to make sure before you publish the report that every statement you make in the finding is something you can stand firmly and confidently behind.
For more on how to design tests, please enjoy this short self-study video.
Yellowbook-CPE.com is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: