What is the nature of control evaluation?
I’ll answer that for you!
It is time to trim the roses. We just moved into a new house where the roses had not been pruned in years – maybe a decade. One absolutely beautiful light pink rose bush is right outside my office window and I started in on trimming it one afternoon thinking I’d make quick work of it. It was so entangled, bloated, and thorny that I thought about pulling out the electric hedge trimmer. But you aren’t supposed to use a hedge trimmer to prune roses; roses need to be pruned thoughtfully at the bud or at a fork in the branch.
So I started in with round one of trimming – and almost filled up an entire City of Austin trashcan with the thorny branches. Then I stepped back and saw that my pruning had left it misshapen and still full of dead limbs. Only after the second round did I realize that this bush was in actuality three bushes all planted closely together.
The next morning I went out and pruned a few more branches that I still felt were too long. I only have eight more rose bushes to go (!).
Evaluating internal controls are a lot like trimming the rose bush. Usually, you discover something you aren’t expecting. And you can’t approach them once and be done. As a matter of fact, I think controls have to be approached at least three times: once just to get a general understanding, next to evaluate controls related to the inherent risks you identified, and finally to test key controls.
The tweaked steps of conducting an audit
Over the years, I have refined the steps of conducting an audit for teaching purposes. I err on the side of summarizing concepts so that my students don’t get too bogged down in the minutia and keep their eyes on the big picture. But as I summarized I obscured the iterative nature of control work – so I am reversing that generalization and getting pretty granular here. This step-by-step process isn’t the only way to do it… obviously! But hang in with me and maybe you can get on board with some of it:
- Receive vague audit assignment
- Gain a general understanding of the audit subject and general control structure
- Choose relevant criteria to evaluate the subject matter against
- Break the audit subject into pieces
- Evaluate inherent risk for each of the pieces
- Refine objective and define sub-objectives
- Evaluate controls for each objective and sub-objective and determine key controls
- Design relevant tests – including substantive and control tests
- Allocate resources to the endeavor
- Formalize the audit program
- Perform substantive and control tests
- Write findings
- Conclude against objectives
- Finalize report
Yes, yes. There is a lot more to it and auditing isn’t linear – but it does illustrate the iterative nature of control work. Look how many times in that process I mentioned controls. Step #2, Step #7, Step #8, Step #11. Prune, evaluate, prune, evaluate – over and over and over.
Everyone who creates iterates
In early March, I attended SXSW Educational conference, where the buzz surrounded gamify-ing your content. In other words, if you want young folks to learn, you might consider turning your contents into a video game.
The game developers used the word ‘iterative’ like it was going out of style. They talked about their original design, the need to tweak, get user feedback, tweak again, get more user feedback, reevaluate, tweak, bla bla bla. They realized they were never going to completely perfect their game, but at some point they had to publish it.
Audits are also iterative and if you don’t watch out, control work can consume your entire audit budget. You can easily end up on bunny trails that have nothing to do with your audit objective.
Auditors call the pursuit of errant bunnies “scope creep” – auditees call it a witch-hunt. Those of you with lots of audit experience know that you can find something critical to say everywhere you look – easy pickin’s as they say. But we don’t want to spend all year victimizing the client for any old random thing that comes up… or do you?
Stay focused on a sexy but clear objective to save time
Let’s assume that you don’t want to stay on each audit forever, picking, picking, picking, picking until everyone cries for mercy – including your audit team. You want to answer a specific targeted objective that deals with a sexy, interesting, risky area. That means you don’t care about all controls – only the controls that relate to your objective and that deal directly with the inherent risks you identified.
Start broad but tread lightly at first to gain a general understanding of who is involved and whether the entity has a control consciousness. Then after you evaluate inherent risks, inquire and understand controls that mitigate that risk. Then test the controls that are non-negotiable, or key, to mitigating those inherent risks.
Approach each iteration gingerly and briefly. And put away the hedge trimmer! You simply are NOT going to get it all done at the first approach and I am sorry to report that it isn’t going to be fast and easy.
—–
Resides in Austin, Texas and can be reached at leita@yellowbook-cpe.com.
512-996-8588
Making Finance and Auditing Fun and Easy!