A Perfect Audit
by Jennifer L. Shields, CPA, CGFM, Audit Partner
Posted on December 12, 2019
Is it possible? Does such a thing as a perfect audit exist? What defines a perfect audit for you? If I had to write a definition, based on many years of performing audits and talking with clients, I believe most would say a perfect audit is one with no findings.
Believe it or not, the goal of an audit is not to write findings. While this may be shocking to some, the goal of the audit is to assure the public that the financial statements of an entity are fairly stated, in accordance with the applicable reporting framework. Auditors do not audit every transaction, but rather sample various transactions in accordance with the audit plan.
If that is the purpose of an audit, then why do auditors write findings? The answer lies in the audit standards. As part of an audit, auditors are required to obtain an understanding of internal control in order to identify and assess the risks of material misstatement. The auditors are not required to give an opinion on the operating effectiveness of internal controls. However, during the process of understanding internal controls for a client, the auditors may discover that controls are not designed well or they may not be functioning as intended. When that happens, the auditor must evaluate the deficiency and determine whether to report a finding.
In governmental audits, the auditors are required to report audit findings in accordance with Government Auditing Standards (GAS). If the organization is also required to undergo a Single Audit, the auditor must also report findings related to Federal programs in accordance with Uniform Guidance.
Findings are reported in a format outlined by GAS and Uniform Guidance to identify the following elements:
- Criteria: The criteria identifies why the deficiency is a finding, usually stemming from a Federal rule or an accounting framework. An example would be generally accepted accounting principles or the Code of Federal Regulations. Think of this as the “who.”
- Condition: The condition of the finding explains what happened. For example, generally accepted accounting principles were not followed. Think of this as the “what.”
- Context: The context puts the condition in perspective. The who and the what have already been identified, the context provides additional understanding to assess just how bad the “what” might be.
- Cause: The cause is the underlying reason for the finding. This is often the most difficult to identify. It could be human error or intentional circumventing of the rules. It could be a lack of technical knowledge or loss of knowledge due to a new person in the position. It could also be the result of resistance to change or the notion that a particular process has always been handled a certain way.
- Effect: The effect is a known or possible outcome of the finding. For example, the entity could be subject to sanctions or the error could require the entity to make a correction.
- Recommendation: The recommendation is made by the auditors and describes what actions the entity should undertake to resolve the finding. In other words, suggestions for how to fix the problem.
- Views of Responsible Officials: This section is simply management’s response to the finding. For example, management agrees that there is a weakness in controls. Then, management will want to identify what changes will be made to strengthen the control environment. The changes management intends to make is the corrective action plan.
A finding does not necessarily mean that there has been an error. It could mean that although the auditors did not find errors in in the sample, the chance exists that an error could occur due to a noted weakness in the internal control environment. Conversely, the lack of an audit finding does not mean that there were no errors, as there could be errors that were not part of the audit sample.
A well written audit finding, combined with management’s response and related corrective action plan, can provide governing bodies and management with a reason for making changes. Changes should strengthen the control environment, as well as assure the public that resources are being used properly and management is doing their best to prevent fraud. You might conclude then that audit findings are neither good nor bad. They are merely information that should be used by management and those charged with governance to ensure their charged duties are being met.
In summary, only you can define what a perfect audit is for you. Perfect audits should not be defined solely as one in which there are no findings, because audit findings can be an extremely useful management tool. Speaking as an auditor, a perfect audit for me is one in which clients are prepared, available and willing to listen and improve their organizations as a result of the audit.