Audit criteria are the standard that you evaluate the subject matter against. Without firm criteria, the auditee will likely resist your audit recommendations. I know I did when I was audited.
Auditees might fight you over every statement in the report
I was audited three times in a very short period because I was the controller of two new federal grants. The state auditor and the internal auditor audited me first. They were both pretty pleasant to work with, but then I had the displeasure of being audited by a federal grantor.
The federal auditor called me on Monday morning to tell me that he was flying in that day to see my records. JOY. Because I had experience as an auditor, I was confident that I had all the records in order. But I still didn’t appreciate the disruption or the idea of a “surprise audit.”
Still, I did as my mother taught me and acted as hostess. “Would you like recommendations on where to stay or eat?” “Do you need a ride from the airport?” “No!” he barked, “I’ll see you around 1:00.”
He showed up around 2:00 and, without explaining what he was there to do, he said he wanted to look at my files. I pointed him to the filing cabinet and for the next three days, he sifted through my files (scrambling most of them!), scrutinizing them for any little discrepancy.
Again, I was pretty confident that everything was fine, but he did write a few findings. I don’t remember what they were about, but they were obscure little issues that were not addressed in our contract or any federal standard or guideline. In other words, he audited without criteria!
The CFO and I worked for the next three months to debunk his findings, pointing out repeatedly that we could not be expected to read the federal government’s mind! Then, miraculously, the auditor’s boss called to say that he was withdrawing the report. We were victorious!
I assume that his other audit victims just rolled over and agreed with everything he said. But not us! I knew that auditors don’t have a leg to stand on without firm criteria, and I argued successfully against every sentence in the report.
And any auditee could do that to you if you work without criteria. To avoid that, you get auditees to buy into the criteria at the front end of the engagement.
(As an aside – be very careful when your audit client used to be an auditor themselves. They will know all of your tricks!)
What is audit criteria?
What I knew and this federal auditor obviously didn’t is that the definition of an audit is the evaluation of a subject matter against criteria. Without criteria, you don’t have an audit, you have a witch hunt. And we were having none of that!
The Yellow Book describes criteria this way:
8.17 Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations in the report. Suitable criteria are relevant, reliable, objective, and understandable and do not result in the omission of significant information, as applicable, within the context of the audit objectives. The relative importance of each of these characteristics to a particular engagement is a matter of professional judgment. In instances where laws, regulations, or policies prescribe the criteria to be used for the engagement, such criteria are presumed to be suitable in the absence of indications to the contrary.
6.25 Criteria: For inclusion in findings, criteria may include the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations in the report. In a financial audit, the applicable financial reporting framework, such as generally accepted accounting principles, represents one set of criteria.
Places to Get Criteria
The criteria may reveal themselves to you while gathering information, or you may have to dig a little bit. You should not be afraid to ask the auditee to suggest criteria. They know their organization and industry better than you and will be more likely to buy into the conclusions and findings if they help determine the criteria.
Here are a few places to look for criteria:
- Policies and procedures
- Internal control documentation
- Laws and regulations
- Industry data, measures, trends
- Literature (articles, studies, books)
- Purpose or goals prescribed by law or regulation or set by officials of the audited entity
- Technically developed standards or norms
- Expert opinions
- Prior periods’ performance
- Defined business practices
- Contract or grant terms
- Performance of other entities or sectors used as defined benchmarks
What happens if you don’t have audit criteria?
Well, you or the auditee have to make some.
A new internal audit shop with a Fortune 500 company realized they had no criteria to work with at all!
The team was responsible for auditing approximately 30 manufacturing plants across North and South America. On their initial audits, they determined that none of the manufacturing plants had policies or procedures in place, and consistency in practices was definitely lacking. Each plant had its own way of doing things and these ways were not documented.
So, this team had no criteria against which to audit, and that made their work very difficult and pretty silly. They argued with the plant managers who had done it their own way for a few decades. Who were these auditors to tell them to do it any differently?
After half a year of arguing with the plant managers, the auditors finally decided to visit each plant and write them up for not having any policies and procedures. Smart! The audit team gave the plants nine months to put policies and procedures in place before the audit team conducted a more thorough audit. By the end of the year, the auditors had criteria against which to audit.
Maybe they were following the advice of the IIA in the last sentence of this paragraph:
IPPF STANDARD 2210.A3
Adequate criteria are needed to evaluate controls. Internal auditors must evaluate the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.
Document the Criteria and Get the Client to Agree!
To make sure the project doesn’t suffer from bad criteria, you should take the following steps as early in the project as possible:
- Get the client to agree to the criteria. The client should agree to the criteria used for evaluation. Using criteria with which they don’t agree could result in the client rejecting the audit results. For instance, in auditing a foster care program, you may use the criteria for safe foster care homes outlined in the Foster Care Association of America’s latest publication. What would be unfortunate and make most, if not all, of the audit work invalid would be this statement by the client at the exit conference: “We think the Foster Care Association of America are a bunch of liberal idiots and we have never subscribed to their standards. They are nuts!” Yes, I admit, that happened to me! Whoops! Because the client didn’t agree to the criteria, I was left without authoritative support for my findings and conclusions!
- Document the criteria. It is always best to use written criteria that you can show the client and that they can sign off on. The AICPA prevents you from taking on engagements unless the criteria are agreed to, up front, in writing (commonly in the engagement letter).
Which criteria is relevant?
Which audit criteria are relevant to your audit? Here are three types of audits and some possible related criteria:

| Type of audit | Possible related criteria |
|---|---|
| financial audit | GAAP |
| compliance audit | laws, regulations, contract, grant agreement |
| performance audit | benchmarks, standards, goals |
Here are some example objectives and related criteria:
Objective: Is the plant complying with the corporate office’s purchasing guidelines?
Criteria: Purchasing guidelines issued by the corporate office.
Objective: Are foster care homes safe?
Criteria: Foster Care Association of America safety guidelines, regulations, city code
Objective: Is the projection of future highway expenditures for the state reasonable?
Criteria: Benchmarking data/other states, historic cost, budgeting guidelines issued by the Association of Highway Engineers
Objective: Are performance measures accurately reported?
Criteria: Performance measurement criteria discussed in The Performance Measurement Handbook by Harvard Professor Ling Lang.
(Note: I made up all of the sources of criteria! These examples are provided to give you an idea of what the criteria might look like. Don’t try to Google these!)
“Good Business Practice” Isn’t Criteria
When an audit report argues that “doing X is good business practice” or “prudence dictates that you do X”, I know that the auditor was auditing without criteria and instead expressing their own personal opinion.
That is what consultants do. Consultants help you out by telling you what they think could improve your situation. I love consulting. I love people listening to my opinion; it is fun and good for the old ego. BUT, consulting engagements do not fit into the audit standards framework. That is why the IIA separates out their audit standards from their consulting standards and why the GAO won’t even discuss consulting in the Yellow Book (Generally Accepted Government Auditing Standards).
In addition to being a criteria-less complaint, saying that someone is unaware of good business practice or that someone isn’t prudent is pretty insulting. Talk about starting an argument!