All auditors need to know how to document audit findings because audit findings are one of the two key deliverables of an audit project (the other is the conclusion against the audit objective, if you were wondering ☺).
Here is a statement that performance auditors following GAGAS must include in their audit report:
GAGAS 2018 9.03. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
Notice the long sentence says that audit findings must be backed up with evidence.
Now let me show you another quote from GAGAS:
GAGAS 2018 8.133 Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report.
Notice that evidence must be documented!
We don’t make things up out of thin air
Evidence is a hallmark of the auditing profession. Unlike other professions, we have to back up everything we say with facts.
I love that about us! We aren’t like those guys on cable news that say anything they want to excite the viewer. Audit reports are not that salacious, but that is not to say they can’t be interesting.
Facts are interesting
Consider the difference between these three statements:
- Statement #1: State oversight is lacking
- Statement #2: The elderly are dying as the result of the state’s disregard for safety
- Statement #3: The Department of Elder Care visited 1.7% of state-run nursing homes over the past five years to verify compliance with state and local safety regulations.
Statement #1 is so vague I have no idea what is going on. And I am going to have a hard time tying that to audit evidence as the word ‘lacking’ is a bit judgmental and hard to prove using either physical or documentary evidence.
Statement #2 is salacious and also hard to prove because elderly folks do die from other causes and pointing to the state’s ‘disregard for safety’ as the primary cause is going to be tricky, probably impossible.
Statement #3 is our auditor happy spot. We said something interesting and the reader will appropriately be appalled! We identified who is responsible and we gave the reader context (years, percentages). But most importantly we can tie that to evidence!
What evidence? Well, I could ask the Department for a list of all state run nursing homes and then ask the Department for a log of where they have visited the homes and performed a safety check. I can also tie some of the visits from the log to documentation of these visits and interview a few inspectors. So tidy and convincing.
What goes in a finding?
If you are following GAGAS or IIA standards, a finding contains five elements:
- The condition
- The effect
- The cause
- The criteria
- Two recommendations – one that resolves the condition and one that resolves the cause
For more on the meaning of these elements, please see this short video.
And each of these elements needs to be supported by audit documentation.
An example of how to document audit findings
Let’s say we are using statement #3 above as our cause statement. We have already decided how we will prove that.
Let’s say our condition statement is that 30% of nursing homes do not contain fire suppression equipment that is up to current code. How do we prove this? We do a statistical sample of all state-run homes and ask the administrators of the homes to email us documentation proving the purchase of the compliant fire suppression equipment. We could also visit a few homes to verify these documents.
The effect could be anecdotal such as, “After a fire broke out in The Hills nursing home in Marble County, three residents were injured when fire suppression equipment did not work.” For this, we would collect a police report and put it into our audit documentation.
The criteria is state or local code regarding fire suppression equipment. For this, we would include the appropriate exerpt from the state or local code in our audit documentation.
And then the first and second recommendation are already backed up with evidence because they tie directly to (and mirror) the evidence in the condition and the cause.
I recommend that you use the SPPRC format to describe your tests in detail.
Next time, we will continue our discussion of how to document audit findings.
Yellowbook-CPE.com is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: