Auditing can get complicated, especially when you are using audit tools developed by someone else. Sometimes you get so hung up on checking all the boxes and filling in all the blanks that you lose sight of the big picture.
Here is how to do an audit in 14 steps so that you know where you are at all times. Yes, I am leaving some details out. And yes, you are right, auditing isn’t usually linear; you usually have to double back on some steps and perform some of them simultaneously.
But, what this list does is keep you focused on the big hunks so you know where you are always – and so that you don’t get lost for days, maybe even weeks, processing audit paperwork!
The 14 Steps of Performing an Audit
1. Receive vague audit assignment
2. Gather information about audit subject
3. Determine audit criteria
4. Break the universe into pieces
5. Identify inherent risks
6. Refine audit objective and sub-objectives
7. Identify controls and assess control risk
8. Choose methodologies
9. Budget each methodology
10. Formalize the audit program
11. Perform & document audit methodologies
12. Conclude
13. Draft findings
14. Finalize report
Let’s talk about the first three steps in how to conduct an audit here and leave the rest for future posts. If you want to delve deeper into these steps right now, check out these courses: https://yellowbook-cpe.com/topics/essential-skills
1. Receive vague audit assignment
Go audit cash entity wide! Audit Scotland; you have two weeks. Determine if the state is protecting children placed in its care. Yes, auditors have started their audits with these vague assignments. As a matter of fact, most audits begin with vague objectives, but some are more vague than others.
An audit is defined as the evaluation of a subject matter against given criteria. Either component (subject matter or criteria) or both can be fuzzy.
Some auditors have it easier than others because their subject matter and criteria are well defined.
Financial auditors are blessed because their subject matter is well defined. (At least the whole universe isn’t under examination – only the financial statements of the entire universe!) The audit subject is the financial statements, and the criteria are generally accepted accounting principles (GAAP).
But the financial auditor still has plenty of work to do to narrow the focus of his audit. The financial statements have many components, and the auditor will not be able to look at all of them. An initial vague audit assignment for a financial audit might sound like, “Express an opinion on the financial statements of the entity.”
You could argue that compliance auditors also have it pretty easy. But a compliance auditor’s job is tougher when the compliance requirements (or criteria) are lengthy, vague, and require a lot of interpretation. An initial vague audit assignment for a compliance audit may sound something like, “Determine whether the entity is in compliance with state regulations and laws.” And state regulations might consume three volumes of text!
The most complex audit type of all is a performance audit. Because the initial vague assignment may not have any criteria built into it, the auditor has to diligently hone the objective before being able to begin fieldwork. For instance, a city auditor may receive the assignment, “Determine whether cell phone usage is proper.” Or a legislative auditor may be asked to “Audit the effectiveness of the foster care program.” Eww – these are scary because the criteria are fuzzy. The terms “proper” and “effective” give me the shivers because they border on a consulting project and are hard to conclude against.
Some audit organizations prefer their auditors to narrow the audit objectives of their assignments. In other audit organizations, audit managers plan much of the engagements and narrow the audit objectives before handing over assignments to the auditors. There is no right way to approach it.
Before deciding which areas deserve attention, the auditor needs to learn more about the client’s operations and systems, and Step 2 does just that.
2. Gather information about audit subject
The AICPA’s auditing standards are quite specific about the phase of gathering information. They include a laundry list of all the questions you should seek to answer about audit subjects before conducting a meaningful risk assessment.
AU-C 315.12 requires that you gain an understanding of the following areas:
- Relevant industry, regulatory, and other external factors, including the applicable financial reporting framework.
- The nature of the entity, including
  i. its operations;
  ii. its ownership and governance structures;
  iii. the types of investments that the entity is making and plans to make, including investments in entities formed to accomplish specific objectives; and
  iv. the way that the entity is structured and how it is financed, to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.
- The entity’s selection and application of accounting policies, including the reasons for changes thereto. The auditor should evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.
- The entity’s objectives and strategies and those related business risks that may result in risks of material misstatement.
- The measurement and review of the entity’s financial performance.
For an auditor, this is actually a very risky part of the audit. This is like the research phase for a PhD dissertation. We have all met someone who is close to getting their PhD but can’t quite complete it because she is still researching the topic! Many audits can drag on and on in a similar fashion.
This is one of the common motivations behind auditors using Same as Last Year (SALY) procedures. With SALY, there is no research phase and no danger of sucking up precious audit hours in planning. Using this method, however, causes you to waste precious time in the fieldwork phase because you will end up performing unnecessary procedures that are not customized for the audit at hand. SALY won’t tell you what the most effective and quickest procedure is!
After gathering information, many auditors have the tendency to feel a bit overwhelmed. They have almost too much information with which to work. Now what?
Have no fear! Step 4 takes the chaos – the disorder and disorientation of having too much information – and concretizes it. The risk assessment phase is a structure that you can use
3. Determine audit criteria
During the information-gathering phase, you usually begin to determine your audit criteria. Audit criteria are the benchmarks against which you evaluate the audit subject. An audit without firm criteria is also known as a witch-hunt!
The criteria for a financial audit are very straightforward: they are GAAP (Generally Accepted Accounting Principles). Financial auditors are to express an opinion on whether the financial statements comply with the criteria (the benchmarks), that is, with GAAP.
Performance auditors, who, let’s say, are looking at the safety of foster homes, have to uncover the criteria as part of their engagement. It isn’t handed to them on a silver platter (or a federally sponsored website, as the case may be).
So how does the performance auditor lock down the definition of “safe”? Is it that 90% of the foster children are safe? Is that the criterion against which the auditor will measure the subject?
These questions open up a whole can of worms, and it is VERY important that the auditor and the client agree on the definition of “safe” before proceeding with the audit. Otherwise, the auditor may report at the end of the engagement, “You have failed because only 72% of your children are safe.” Then the client might say something like, “Hold on, we define safety differently than you do, and from our calculations, 97% of our children are safe.”
The Single Audit (the audit of federal grant funds) has three main subject matters – the financial statements, internal controls, and the grant program – and three sets of criteria – GAAP, the Green Book, and the twelve federal compliance requirements laid out in the compliance supplement, respectively.