Auditors, I suggest you keep your job title on the down-low when meeting someone new at a party. Why? Because just as soon as you reveal you are an auditor, your new acquaintance will get very quiet. Shortly thereafter, your not-yet (and likely will-never-be) friend will leave to get a drink and never come back.
But you know what? Being a professional auditor can be very rewarding. Very. We get to work with a wide range of folks, no two audits are ever the same, and working directly with the executive team is thrilling. That new acquaintance simply doesn’t know what he is missing.
What is the job of an auditor, anyway?
If anyone at a party would listen, I would be proud to share that auditors have an important role to play because, unfortunately, government leaders can’t trust program managers when they say, “Everything here is fine. Don’t worry about us!”
But government leaders and citizens do worry and want assurance from someone they can trust that everything is going well. The auditor is that professional whom the leaders and the citizens can trust.
One definition of auditor is: An independent professional who reports on whether a subject matter meets agreed upon criteria.
Yes, that may sound very dry, but hang in here for a few more minutes before you get your drink refreshed. This definition has several important components: independence, subject matter, audit criteria and audit deliverables, and each is worth looking at in detail because they are pretty interesting. Let’s look at each of those components in turn.
Auditors must be independent of their clients and the subject matter they are auditing.
If you think about it, auditors are often the only professionals involved in an organization or in a program who can comfortably speak the truth because they are, hopefully, shielded from the backlash that can come from telling the truth because they are independent.
But who are these clients?
The Government Accountability Office (GAO), the federal audit organization that writes the governmental auditing standards (a.k.a. the Yellow Book) has a very broad definition of client. The GAO says, “A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest.” And they define public interest as, “the collective well-being of the community and entities the auditors serve.”
Did you know auditors had such a noble job?
CPAs are held to the same standard. They are certified “public” accountants after all. They have a primary responsibility to the public and a secondary responsibility to their audit client.
Clients in the government realm include management of the auditee, governing bodies, oversight bodies, special interest groups, other citizens, and the people who actually benefit from the government’s services.
The recipients of governmental funds aren’t likely to uncover their own risks or highlight their own weaknesses because they could lose their funding. And the oversight bodies might be so far removed from the program that they don’t have a sense of what is really happening.
Here is a quote from the GAO’s Yellow Book about auditor independence:
GAGAS 2018 3.22 Auditors and audit organizations maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties.
So you see that auditors can make quite a difference to an organization and to the community. The GAO’s Yellow Book says that auditors are “essential to the nation’s governing process”! Wow, that is quite a responsibility!
At the end of an audit engagement, auditors report on whether a subject matter meets a certain criteria.
All auditors struggle to keep their audits limited in size and scope. Unfortunately, it is easy for anyone seeking the truth to go off-track and then end up creating monstrous projects that are hard to reign in and report on. So auditors have to be disciplined and stay focused on what is most important!
In response to this struggle, most audit standards require that auditors develop a finite objective and scope for each engagement. Imbedded in the audit objective are the audit subject and the criteria the auditor will use to evaluate the audit subject.
The GAO has this to say about the audit objective and scope in the Yellow Book:
GAGAS 8.08 The objectives are what the audit is intended to accomplish. They identify the audit subject matter and performance aspects to be included, and may also include the potential findings and reporting elements that the auditors expect to develop. Audit objectives can be thought of as questions about the program that the auditors seek to answer based on evidence obtained and assessed against criteria.
GAGAS 8.09 Scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.
The objective and scope define what the project is, as well as what it is not. Objectives are assessed against agreed upon criteria, which are benchmarks established by law, governing organizations, or company policies and procedures.
To satisfy the audit objective, auditors will gather and document audit evidence. The techniques that auditors use to gather evidence are called audit methodologies. Here is a quote from the Yellow Book about methodologies:
GAGAS 8.06 Auditors should design the methodology to obtain reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions in relation to the audit objectives and to reduce audit risk to an acceptable level.
All three of these elements – the objective, scope, and methodology – describe what auditors seek to accomplish on the audit. The GAO requires that auditors both document these three defining elements in their working papers and disclose them in the audit report to readers. By clearly defining the objective, scope, and methodology the auditor both maintains their focus and lets users of the audit know what they did and did not do.
Auditors create three deliverables from an audit project:
- The answer to the audit objective – called either an audit conclusion or an audit opinion
- Findings – issues that the auditor would like to see addressed or corrected by the client
- Working papers – documentation of the evidence the auditor gathered to support the conclusions and the findings.
If you are following the GAO’s audit standards for performance audits, you must put this promise – word for word – in your audit report. Notice that this mandatory paragraph mentions objectives, conclusions, findings, and evidence.
GAGAS 9.03 We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
In this way, auditors distinguish themselves from other professionals who say they report the truth but do not always back it up with evidence (dare I mention journalists?). Every sentence of an auditor’s report is backed up with evidence – often layers and layers of evidence that are written down and reviewed multiple times by other auditors before the audit report is issued.
Auditors following the Institute of Internal Auditors & the GAO standards do more than just conclude on whether the subject matter meets a given criteria; they also write audit findings when they find something that needs to be corrected, such as an internal control weakness, non-compliance, fraud, and/or abuse.
An audit finding sheds light on risks and also makes suggestions on what should be done to mitigate those risks.
Do auditors only focus on what is wrong? Generally, we do because we have to focus our limited resources on risks, negative events, and the issues that need fixing instead of highlighting and proving the good that occurs in an organization. In that way, auditors are like journalists.
Audit findings answer the questions that naturally arise when someone is told that something is wrong:
- What is the current state of affairs? (condition)
- What should be the current state of affairs? (criteria)
- What has caused the current state of affairs? (cause)
- Why is the current state of affairs undesirable? (effect)
- What should be done to correct the current state of affairs? (recommendation)
Now that we have a little better idea of what auditors are about (thanks for holding off on that refill!) we should tweak our definition of an auditor. We now have a better answer to the question, “What is the job of an auditor?”
We began with this definition: An independent professional who evaluates a subject matter against agreed upon criteria.
Please allow me to enhance it a bit based on what we just read: An auditor is an independent professional who concludes whether a subject matter meets an agreed upon criteria by gathering evidence through performing custom-designed audit methodologies. As they seek this conclusion, auditors will also alert you to things they see that need correcting. Aren’t you glad I didn’t start with that? Now you can go get that drink!