Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how to overcome this problem, regardless of the entity’s size.
The Environment of Fraud
Darkness is the environment of wrongdoing.
No one sees us. Or so we think.
Fraud occurs in darkness.
In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man, murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring transforms Sméagol into a hideous creature–Gollum.
And what does this teach us? That which is alluring in the beginning can be destructive in the end.
Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.
What’s the solution? Transparency. It protects businesses, governments, and nonprofits.
But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.
It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.
But this segregation of duties is not always possible.
Lacking Segregation of Duties
Some people say there are three key duties that must always be separated under a good system of internal controls: (1) custody of assets, (2) record keeping or bookkeeping, and (3) authorization. I add a fourth: reconciliation. The normal recommendation for lack of segregation of duties is to separate these four accounting duties to different personnel. But many organizations are unable to do so, usually due to a limited number of employees.
Some small organizations believe they can’t overcome this problem. But is this true? I don’t think so.
Here are two easy steps to create greater transparency and safety when the separation of accounting duties is not possible.
1. Bank Account Transparency
First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.
Persons who might receive the bank statements first (before the bookkeeper) include the following:
A nonprofit board member
The mayor of a small city
The owner of a small business
The library director
A church leader
What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).
In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.
Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.
Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.
Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.
When you audit cash, see if these types of controls are in place.
Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.
2. Surprise Audits
Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such reviews can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.
Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.
The policy could be as simple as:
Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.
Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs.
Surprise Audit Ideas
Here are some surprise audit ideas:
Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
Agree all receipts to the deposit slip for three different time periods
Review all journal entries made in a two week period and request an explanation for each
Inspect two bank reconciliations for appropriateness
Review one monthly budget to actual report (look for unusual variances)
Request a report of all new vendors added in the last six months and review for appropriateness
The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.
I will say it again. Having multiple people involved reduces the threat of fraud.
Segregation of Duties Summary
In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.
Unpaid fees can impair your independence in attest engagements. This article explains changes in the Unpaid Fees interpretation in the AICPA Code of Conduct.
Peer review checklists ask if fees have been paid prior to issuance of attest reports. Why? A loan to an attest client can impair independence. The thought here is that the CPA may have a self-interest in the client; namely, the collection of unpaid fees. And this self-interest could potentially lead the CPA to assist the client by issuing inappropriate attest reports.
So, has there been a change in the unpaid fees section of the Code of Conduct? Yes.
The old rule of just looking back one year is no longer the sole consideration in determining your independence in regard to unpaid fees; current year fees, if significant, can also affect independence.
The bolded fonts and underlines below are added by the blogger.
Unpaid Fees Interpretation
The independence interpretation (1.230.010) in the Code of Conduct says:
Threats to the covered member’s compliance with the “Independence Rule” [1.200.001] are at an acceptable level if, when the current-year attest report is issued, unpaid fees are both clearly insignificant to the covered member and relate to professional services provided less than one year prior to the date of the current-year attest report.
Alternatively, threats would not be at an acceptable level if, when the current-year attest report is issued, unpaid fees are both significant to the covered member and relate to professional services provided more than one year prior to the issue date of the current-year attest report.
That guidance provides factors to consider in evaluating your independence.
Unpaid Fees Factors to Consider
Factors to consider (ET 1.230.010.02) when evaluating whether threats are at an acceptable level include the following:
a. The significance of the unpaid fees to the covered member
b. The length of time the fees have been due from the attest client
c. The attest client’s agreement to pay the unpaid fees
d. The covered member’s assessment of factors affecting the ability of the attest client to pay the fees
So, what should you do if a significant threat is present? Consider safeguards.
Unpaid Fees Safeguards
You may use safeguards (ET 1.230.010.04) to mitigate the independence threat:
a. Have an appropriate reviewer who has not provided attest or nonattest services to the attest client review the attest work performed before the current-year attest report is issued.
b. Obtain partial payment of the unpaid fees balance before the current year attest report is issued such that the remaining unpaid balance is insignificant to the covered member.
c. Obtain an agreement from the attest client to a payment schedule before the current-year attest report is issued.
d. Suspend further work on current attest engagements and not accept new engagements with this attest client.
ET 1.230.010.05 goes on to say:
Communication with those charged with governance regarding evaluation of the unpaid fees and safeguards applied is not a sufficient safeguard when applied alone; however, it may be considered a safeguard when supplemented by other safeguard(s).
If the safeguards are not sufficient, you are not independent.
So, how do we define unpaid fees?
Unpaid Fees Defined
Unpaid fees include billed and unbilled services.
If you provide a service whereby you expect payment, it’s a fee–whether you billed it or not. The issue is whether the client owes you for the service.
Not Applicable for Attest Clients in Bankruptcy
ET 1.230.010.06 says that this interpretation does not apply to attest clients in bankruptcy.
Oddly, the potential impairment of independence may assist you (the CPA) in collecting past-due accounts. If the client needs the current year attest report, and the CPA can’t provide it without payment, then the client may find a way to come up with the money for past fees.
Still Not Sure
If after doing the above, you’re still not sure whether your independence is impaired, consider contacting the AICPA to get their thoughts. You can email them at email@example.com.
Auditors often fail to capture and communicate internal control weaknesses, even though such communications are required by the audit standards.
But making our clients aware of control weaknesses can help them. How? It allows them to improve their accounting system. The result: prevention of future fraud and errors.
In this article, I’ll show you how to capture and communicate internal control deficiencies. By doing so, you’ll add value to your audit services and you’ll help your client protect their business.
At the end of the post, you’ll also see a video that summarizes this information.
A Common End-of-Audit Problem
You are concluding another audit, and it’s time to consider whether you will issue a letter communicating internal control deficiencies. A month ago you noticed some control issues in accounts payable, but presently you’re not sure how to describe them. You hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks you’re done. But you know that boiler-plate language will not clearly communicate the weakness or tell the client how to fix the problem. Now you’re kicking yourself for not taking more time to document the control weakness (back when you initially saw it).
Here’s a post to help you capture and document internal control issues as you audit.
Capture and Communicate Internal Control Deficiencies
Today, we’ll take a look at the following control weakness objectives:
How to discover them
How to capture them
How to communicate them
As we begin, let’s define three types of weaknesses:
Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.
Now let’s take a look at discovering, capturing, and communicating control weaknesses.
1. Discover Control Weaknesses
Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:
Planning – Risk assessment and walkthroughs
Fieldwork – Transaction-level work
Conclusion – Wrapping up
A. Planning Stage
You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).
Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).
Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”
I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:
The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.
Such a statement tells the client what the problem is, where it is, and the potential damage.
Fraud: A Cause of Misstatements
While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.
Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.
If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.
If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:
Theft that is material (material weakness)
Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
Theft of insignificant amounts (other deficiency)
My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.
Errors: Another Cause of Misstatements
While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:
Do the monthly financial statements ever contain errors?
Are invoices mistakenly omitted from the payable system?
Do employees forget to obtain purchase order numbers prior to buying goods?
Do bookkeepers fail to reconcile the bank statements on a timely basis?
B. Fieldwork Stage
While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.
When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.
C. Conclusion Stage
When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management.
Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.
Now let’s discuss how to capture control weaknesses.
2. Capture Internal Control Weaknesses
So, how do you capture the control deficiencies?
First, and most importantly, document internal control deficiencies as you see them.
Why should you document control weaknesses when you initially see them?
You may not be on the engagement when it concludes (because you are working elsewhere) or
You may not remember the issue (weeks later).
Second, create a standard form (if you don’t already have one) to capture control weaknesses.
Internal Control Capture Form
What should be in the internal control form? At a minimum include the following:
Check-mark boxes for:
Other control deficiency
Other issues (e.g., violations of laws or regulations)
Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
Description of the deficiency and the verbal or written communications to the client; also the client’s response
The cause of the condition
The potential effect of the condition
Recommendation to correct the issue
Person identifying the issue and the date of discovery
Whether the issue is a repeat from the prior year
An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
Reference to related documentation in the audit file
After capturing the weaknesses, it’s time to communicate them.
3. Communicate Control Weaknesses
Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.
Provide a draft of any written communications to management before issuing your final letter. That way if something is incorrect (your client will let you know), you can make it right–before it’s too late. Additionally, discuss the control weakness with relevant personnel when you initially discover it. You don’t want to surprise the client with adverse communications in the written internal control letter.
Internal Control Video Summary
Here’s a video that summarizes the information above.
The main points in capturing and communicating internal control deficiencies are:
Capture control weaknesses as soon as you see them
Develop a form to document the control weaknesses
Communicate significant deficiencies and material weaknesses in writing
These communications can be somewhat challenging since you’re telling management they need to make improvements. So make sure all information is correct and let your senior personnel do the communicating.
How Do You Capture and Report Control Deficiencies?
Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.
This video provides an overview of the four opinions:
If there are no material misstatements, then you will issue an unmodified opinion. The unmodified opinion says the financial statements are presented fairly.
Example SAS 134 Unmodified Opinion
A sample unmodified audit opinion follows:
INDEPENDENT AUDITOR’S REPORT
We have audited the financial statements of [Entity Name], which comprise the balance sheets as of December 31, 2020 and 2019, and the related statements of income, changes in stockholders’ equity, and cash flows for the years then ended, and the related notes to the financial statements.
In our opinion, the accompanying financial statements present fairly, in all material respects, the financial position of [Entity Name] as of December 31, 2020 and 2019, and the results of its operations and its cash flows for the year then ended in accordance with accounting principles generally accepted in the United States of America.
Basis for Opinion
We conducted our audits in accordance with auditing standards generally accepted in the United States of America (GAAS). Our responsibilities under those standards are further described in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our report. We are required to be independent of [Entity Name] and to meet our other ethical responsibilities, in accordance with the relevant ethical requirements relating to our audit. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.
Responsibilities of Management for the Financial Statements
Management is responsible for the preparation and fair presentation of the financial statements in accordance with accounting principles generally accepted in the United States of America, and for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.
In preparing the financial statements, management is required to evaluate whether there are conditions or events, considered in the aggregate, that raise substantial doubt about [Entity Name]’s ability to continue as a going concern for one year after the date that the financial statements are available to be issued.
Auditor’s Responsibilities for the Audit of the Financial Statements
Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit conducted in accordance with GAAS will always detect a material misstatement when it exists. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control. Misstatements are considered material if there is a substantial likelihood that, individually or in the aggregate, they would influence the judgment made by a reasonable user based on the financial statements.
In performing an audit in accordance with GAAS, we:
Exercise professional judgment and maintain professional skepticism throughout the audit.
Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements.
Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of [Entity Name]’s internal control. Accordingly, no such opinion is expressed.
Evaluate the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluate the overall presentation of the financial statements.
Conclude whether, in our judgment, there are conditions or events, considered in the aggregate, that raise substantial doubt about [Entity Name]’s ability to continue as a going concern for a reasonable period of time.
We are required to communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit, significant audit findings, and certain internal control-related matters that we identified during the audit.
If material misstatements are present, then a modified audit opinion is necessary. Modifications can also occur when you are unable to obtain sufficient appropriate audit evidence; for instance, when a scope limitation is present.
AU-C 705 defines a modified opinion as (1) a qualified opinion, (2) an adverse opinion, or (3) a disclaimer of opinion.
Another key definition in AU-C 705 is that of pervasiveness. This term is used in the context of misstatements; so if material misstatements are present, you’ll want to know if they are pervasive. Two factors–material misstatements and pervasiveness–affect the type of opinion to be issued. Additionally, the ability or inability to obtain sufficient appropriate audit evidence affects the type of opinion to be issued. A misstatement (or possible misstatement) is pervasive if:
It’s not confined to specific accounts or items of the financial statement, or
If confined, the amount represents a substantial portion of the financial statements, or
If in relation to disclosures, the information is fundamental to the users’ understanding of the financial statements
For example, if material misstatements are present for inventory, receivables, and debt, they are pervasive. Or if, in another example, inventory makes up 60% of total assets and a material misstatement is present in that area, then it’s pervasive. Lastly, if key disclosures are not appropriately communicated or if they are omitted, then that is pervasive.
Now, let’s look at the three modified opinions.
1. Qualified Opinion
Suppose your audit reveals inventories are materially misstated, the client does not record your proposed audit adjustment, and there are no other material misstatements. If this is your situation (a material misstatement exists that is not pervasive), then audit standards allow for the issuance of a qualified opinion.
Here is sample qualified opinion language (this is not the full opinion):
We have audited the financial statements of ABC Company, which comprise the balance sheets as of December 31, 20X1 and 20X0, and the related statements of income, changes in stockholders’ equity, and cash flows for the years then ended, and the related notes to the financial statements.
In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion section of our report, the accompanying financial statements present fairly, in all material respects, the financial position of ABC Company as of December 31, 20X1 and 20X0, and the results of its operations and its cash flows for the years then ended in accordance with accounting principles generally accepted in the United States of America.
Basis for Qualified Opinion
The Company has property with impaired value. The impairment occurred in 20X9. Accounting principles generally accepted in the United States of America require that impaired assets be written down to their fair market value. The Company continues to reflect the property at cost. If the property was stated at fair value upon impairment, total assets and stockholder’s equity would have been reduced by $X,XXX,XXX as of December 31, 20X1 and 20X0, respectively.
2. Adverse Opinion
Now let’s suppose that you are auditing a consolidated entity, and your client is not willing to include a material subsidiary which, if included, would have a pervasive impact on the statements.
Here is sample adverse opinion language (this is not the full opinion):
We have audited the consolidated financial statements of ABC Company and its subsidiaries, which comprise the consolidated balance sheet as of December 31, 20X1, and the related consolidated statements of income, changes in stockholders’ equity, and cash flows for the year then ended, and the related notes to the financial statements.
In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion section of our report, the accompanying consolidated financial statements do not present fairly the financial position of ABC Company and its subsidiaries as of December 31, 20X1, or the results of their operations or their cash flows for the year then ended in accordance with accounting principles generally accepted in the United States of America.
Basis for Adverse Opinion
As described in Note X, The Golfing Company has not consolidated the financial statements of its subsidiary Easy-Go Company that it acquired during 20X1. This investment is accounted for on a cost basis by The Golfing Company. Under accounting principles generally accepted in the United States of America, the subsidiary should have been consolidated. Had Easy-Go Company been consolidated, many elements in the accompanying consolidated financial statements would have been materially affected. The effects on the consolidated financial statements of the failure to consolidate have not been determined.
3. Disclaimer of Opinion
Finally, let’s suppose you are performing an audit in which insufficient audit information is provided with regard to receivables and inventories (both of which are material) and that the misstatements have a pervasive impact on the financial statements as a whole.
Here is sample disclaimer of opinion language (this is not the full opinion):
Disclaimer of Opinion
We were engaged to audit the financial statements of ABC Company, which comprise the balance sheet as of December 31, 20X1, and the related statements of income, changes in stockholders’ equity, and cash flows for the year then ended, and the related notes to the financial statements.
We do not express an opinion on the accompanying financial statements of ABC Company. Because of the significance of the matters described in the Basis for Disclaimer of Opinion section of our report, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion on these financial statements.
Basis for Disclaimer of Opinion
The Company’s accounting system was hacked during the year by an unknown party, resulting in a series of changes in accounting entries. Additionally, the Company was unable to restore the accounting system. As a result of these matters, we were unable to determine the adjustments that were necessary to correct the balance sheet, statement of income, changes in stockholder’s equity, and cash flow statement as of and for the year ended December 31, 20X1.
Effective Date of SAS 134
The new SAS 134 opinions are required for periods ending on or after December 15, 2021.
Resolving Conflict with Clients
If, as described above, you have a client that is unwilling to post a material audit adjustment, consider creating a draft of the opinion and providing it to them. This is not a threat, just a way to clearly communicate the effect of not posting the adjustment.
Before doing anything, allow the client to fully explain their position. A modified opinion may not be necessary once you understand the facts. But if, after the discussion, you are still convinced there is a material misstatement, a modified opinion may be necessary.
In some cases, you may want to consider withdrawing from the engagement. Consult with your legal counsel before doing so.
Audit Opinion Research
Deciding on the opinion is often the most important decision you will make in an audit. So, do your research, and, if needed, consult with others to gain assurance about your decisions. AU-C 705: Modifications to the Opinion in the Independent Auditor’s Report provides several sample opinions; so refer to those as you create any modified opinions including qualified, adverse, or disclaimer. See AU-C 700: Forming an Opinion and Reporting on Financial Statements for information about unmodified opinions.
Seven deadly audit sins can destroy you. These audit mistakes kill your profits and effectiveness.
You just completed an audit project, and you have another significant write-down. Last year’s audit hours came in well over budget, and—at the time—you thought, This will not happen again. But here it is, and it’s driving you insane.
Insanity: doing the same thing year after year but expecting different results.
Are you ready for better results?
Here are seven deadly (audit) sins that cause our engagements to fail.
1. We don’t plan
Rolling over the prior year file does not qualify as planning. Using canned audit programs is not planning.
What do I mean? We don’t know what has changed. Why? Because we have not performed real risk assessment such as current year walkthroughs. We have not (really) thought about current year risks of material misstatement.
Each year, audits have new wrinkles.
Are there any fraud rumors? Has the CFO left without explanation? Have cash balances decreased while profits increased? Does the client have a new accounting program or new staff? Can you still obtain the reports you need? Are there any new audit or accounting standards?
Anticipate issues and be ready for them with a real audit plan.
2. SALY lives
Elvis may not be in the house, but SALY is.
Performing the same audit steps is wasteful. Just because we needed the procedure ten years ago does not mean we need it today. Kill SALY. (No, I don’t mean your staff member; SALY stands for Same As Last Year).
I find that audit files are like closets. We allow old thoughts (clothes) to accumulate without purging. It’s high time for a Goodwill visit. After all, this audit mistake has been with you too long. So ask yourself: Are all of the prior audit procedures relevant to this year’s engagement?
Will better planning require us to think more in the early phases of the engagement? Yes. Is this hard work? Yes. Will it result in less overall effort? Yes.
Sometimes the SALY issue occurs because of weak staff.
3. We use weak staff
Staffing your engagement is the primary key to project success. Excellent staff makes a challenging engagement pan out well. Poor staff causes your engagement time to balloon–lots of motion, but few results. Maybe you have smart people, but they need training. Consider AuditSense.
Another audit mistake is weak partner involvement.
4. We don’t monitor
Partners must keep an eye on the project. And I don’t mean just asking, “How’s it going?” Look in the audit file. See what is going on. In-charges will usually tell you what you want to hear. They hope to save the job on the final play, but a Hail Mary often results in a lost game.
As Ronald Reagan once said: Trust but verify.
Engagement partners need to lead and monitor. They also need to provide the right technology tools.
5. We use outdated technology
Are you paperless? Using portable scanners and monitors? Are your auditors well versed in Adobe Acrobat? Are you electronically linking your trial balances to Excel documents? Do you use project management software (e.g., Basecamp)? How about conferencing software (e.g., Zoom)? Do you have secure remote access to audit files? Do you store files securely in the cloud (e.g., Box)? Are you using data mining software such as Idea? Do you send electronic confirmations?
Do your staff members fear you so much that they don’t give you the bad news?
6. Staff (intentionally) hide problems
Remind your staff that bad news communicated early is always welcome.
Early communication of bad news should be encouraged and rewarded (yes, rewarded, assuming the employee did not cause the problem).
Sometimes leaders unwittingly cause their staff to hide problems. In the past, we may have gone ballistic on them–now they fear the same.
And here’s one last audit mistake: no post-engagement review.
7. No post-engagement review
Once our audit is complete, we should honestly assess the project. Then make a list of inefficiencies or failures for future reference.
If you are a partner, consider a fifteen-minute meeting with staff to go over the list.