Being at a store witnessing an inventory count, would you ask the client leading the exercise which items to count or ask about their preference of items that should be counted?
If your answer to either of these two options is affirmative, you certainly don’t know what your approach as an auditor needs to be before you even think of planning an assurance or advisory engagement. Because both of these are obviously incorrect!
But even if you know that these are incorrect or, even better, you understand that this question can’t be or is flawed by design, you’re in for a rude awakening, because at some point we might subscribe to such an approach unknowingly.
An obvious, easy-to-understand example that we might find ourselves guilty of at some point in our auditing career is relying on client inquiries and using these to plan / design audit procedures, so that the approach is ‘guided’, or more appropriately misguided, from the outset, or, worse, drawing inferences based on those inquiries!
Wouldn’t you agree then that apart from this obvious idiocy there would be other more subtle wrongs that we use to make up our audit approach?
Indeed, that’s true. Follies make up the average internal auditor’s approach, and in this blog piece that’s what I’m about to unravel, along with how these should be avoided / rectified. So, let’s begin with some real-life audit approach foolery.
| The Follies | Analyses |
| --- | --- |
| While planning a review of an area, the auditor asks the client for specific information that could satisfy the underlying engagement objectives. | The auditor narrows down the scope of the audit from the outset, which might eventually lead to non-accomplishment of the objectives of the review because the specific information alone wasn’t enough or was outright irrelevant, risking time and effort. The auditor also believes that the objectives assessed at the outset won’t evolve during the course of the engagement. |
| The auditor breaking down the precise scope to the client. | The auditor keeping no flexibility to widen the scope if objectives remain unmet with the originally conceived scope. |
| The auditor seeks specific data, records, and information that have the potential to yield findings. | The auditor runs a detection risk and an exposure miscalculation by limiting records to the client’s choice. The auditor might end up identifying problems that are materially insignificant, miscalculating the overall exposure because the total population was not observed, or identifying no problems at all because the record that had anomalies or issues wasn’t provided by the client. |
| The auditor asks the client to identify specific periods that could have anomalies. | The auditor is fixated on prior knowledge of period-specific issues and takes a myopic approach towards data to avoid comprehensive reviews. As a result, periods that could have even greater problems are ignored, taking the sampling bias to a whole new level when the client is asked to provide data to its liking. |
| The auditor asks the client for multiple data sets with different headers for the same area and period under review. | Instead of acquiring access to client applications and testing controls over them in terms of access and data processing, the auditor makes multiple requests for data sets when these could be queried directly by the auditor. The risks of data being invalid (not fit for use) and incorrect are built into the audit approach. |
| The auditor asks the client about a record pertaining to a specific activity / event. | The auditor is ruling out the possibility of numerous other records also relating to the specific activity / events under review. Though the client is not given a choice per se, it will be up to the client to select which records to identify with the activity / events. |
| The client seeking the purpose of a specific record the auditor requested and the auditor specifying the purpose. | When in fact asking for the reasons behind the records requested might mean blocking access to these fair and square, the auditor divulging the purpose would ensure the record is already skewed to the purpose given and might not be useful for identifying other relationships and patterns that could be more useful in fulfilling that purpose or other purposes that could arise. |
| The auditor relying solely on inquiries to obtain an understanding of the system and the process. | Relying on client inquiries while ignoring system documentation when it exists, or not testing a few transactions first-hand, would leave an understanding that will not just be deficient, but also aligned with the acts of those executing the process rather than the established guidelines. |
| The auditor asks the client to pick transaction(s) for the auditor to perform a walkthrough on. | Instead of selecting transaction(s), the auditor relies on the selection made by the client, which might not be representative of the actual state of the process and / or might not be aligned with the system and process requirements laid out by documented guidelines. |
| The auditor asks the client for a particular data set, when in fact the whole population could be easily examined. | The client systems and the auditors’ tools allow for the whole population to be examined efficiently and effectively, eliminating the need for sampling and the inherent judgements involved in it. However, the auditor relies on sampling because of a hard-wired approach. Alternatively, the testing could begin with an analytical review of the whole population that helps to identify patterns and relationships that could be given special focus in detailed testing. |
Add to this list the auditor’s lack of reconciliation of the data figures (numbers and values) across the various datasets obtained, which renders the data / reports unreliable.
There could certainly be many more; I am no authority in identifying all these!
So, what’s so obviously wrong with all these approaches that they only qualify to be mentioned as foolery? Let me break it down for you in case you didn’t!
All these approaches are replete with incompleteness and inaccuracy! And yes, completeness and accuracy are exactly the hallmarks auditors strive for in all sorts of engagements, assurance and advisory. In order to fulfill assurance or advisory engagements, internal auditors always need to seek out information, data and records that are complete and accurate, since the contrary will undermine the engagement objectives, and the assurance or advisory provided will not just be subpar but outright invalid for the purpose for which it was planned and executed.
The result would not just be a poorly planned and executed engagement, but an internal audit function that would first not be relied upon, then be ignored into irrelevance, and finally be disbanded.
The internal auditors need to understand that they have to put their own house in order before marketing their abilities to add value and help improve their potential clients’ systems, processes and operations. The first and foremost in this regard is the completeness and accuracy of their own audit approach before seeking out the same traits in the client’s records.
You can’t test the client’s information, data and records for completeness and accuracy unless the audit approach and planning through which these have been obtained are themselves complete and accurate, because the completeness of data obtained through such follies would be limited to the client’s account, and its accuracy will be 100% from the client’s perspective.
Completeness and Accuracy are the assertions internal auditors need to self-test in their approach and planning before testing the same in the client’s information, data and records.
Once on the floor for a stock count, it’s us, the internal auditors, who have to decide what to see, what mix of inventory to examine, and what extent to cover both in numbers and values, irrespective of what the client’s preferences in this regard might be. Because, apart from testifying to our competence, these assertions also ensure our objectivity and independence are firmly in place!