Setting the proper objective is critical to delivering a quality, value-add audit. It must be strongly linked to the goals and objectives of the entity being audited; drive the risk identification and assessment; and be a foundation for the audit workplan and conduct of the audit. And ultimately, it is the statement upon which the audit concludes. Yet too many audits have poor objectives.
I have performed analysis in support of, and reviewed, thousands of audits during my 30+ years of internal audit. I always start by looking closely at the audit objective. From an analysis perspective, I want to know the data and the analytics that will identify and assess risk; and the controls that mitigate the risks (so I can test them). I get this from the audit objective. I cannot determine the data, the analytics, or controls when the audit objective is stated as, “To improve the operations of Accounts Payable” or even “To verify the controls over Accounts Payable”. Further, I challenge the team lead to tell me how they are going to conclude (i.e., Yes or No) on these so-called audit objectives.
I came to realize that people were confusing “the objective of the audit” and “the audit objective”. The objective of the audit may be to improve accounts payable operations, but this is not the audit objective. The goals and objectives of accounts payable are not ‘to improve the process’, so this cannot be the audit objective.
The objective should consider the business objective: to pay approved invoices accurately, in a timely manner, and to the correct vendors. Thus, a better objective would be, “The accounts payable process controls are adequate and effective in paying approved invoices accurately, in a timely manner, and to the correct vendor.”
A more appropriate audit objective would be “The accounts payable process supports the timely and accurate payment of approved invoices”. Now this is something I can conclude on (e.g., Yes. The controls are adequate and effective… or No. The controls are not adequate and effective…). In addition, I have a better idea of how analytics can be used to support the audit.
- Timeliness – examine the payment terms, invoice date, and payment date, and identify late/early payments.
- Accurate – compare goods ordered (price and quantity) with goods receipt and invoice amount; run outlier analysis on vendor-amount combinations; and test for duplicate payments.
- Correct vendor – compare invoices to orders; run invoice sequencing tests; run fictitious vendor tests; check vendor master change logs; etc.
- Approved – check the approver ID against approval authority.
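One way to run three of the tests listed above across the full invoice population and conclude Yes or No on each sub-objective, as an added example (not the author's code). The invoice records, approval limits, early-payment threshold and tolerance values are constructed assumptions standing in for criteria agreed with the client.

```python
from collections import defaultdict, namedtuple
from datetime import date, timedelta

# Constructed sample data; field names and values are illustrative assumptions.
Invoice = namedtuple("Invoice", "id vendor inv_no amount inv_date terms_days paid approver")
INVOICES = [
    Invoice(1, "V100", "INV-0041", 1200.00, date(2024, 3, 1), 30, date(2024, 3, 28), "A1"),
    Invoice(2, "V100", "inv 0041", 1200.00, date(2024, 3, 1), 30, date(2024, 4, 15), "A1"),
    Invoice(3, "V200", "7781", 9800.00, date(2024, 3, 5), 45, date(2024, 3, 7), "A2"),
    Invoice(4, "V300", "A-19", 450.00, date(2024, 3, 10), 30, date(2024, 4, 5), None),
]
APPROVAL_LIMITS = {"A1": 5000.00, "A2": 5000.00}  # constructed authority table
# Assumed criteria (agreed before testing): maximum exception rate per sub-objective.
CRITERIA = {"timely": 0.02, "accurate": 0.0, "approved": 0.0}
EARLY_DAYS = 10  # assumed: paid more than 10 days before the due date is "early"

def timeliness_exceptions(invoices):
    out = {}
    for inv in invoices:
        due = inv.inv_date + timedelta(days=inv.terms_days)
        if inv.paid > due:
            out[inv.id] = "late"
        elif (due - inv.paid).days > EARLY_DAYS:
            out[inv.id] = "early"
    return out

def duplicate_exceptions(invoices):
    groups = defaultdict(list)
    for inv in invoices:
        # Normalise the invoice number so 'INV-0041' and 'inv 0041' collide.
        number = "".join(c for c in inv.inv_no.upper() if c.isalnum())
        groups[(inv.vendor, number, inv.amount)].append(inv.id)
    return {i: "duplicate" for ids in groups.values() for i in ids[1:]}

def approval_exceptions(invoices):
    out = {}
    for inv in invoices:
        limit = APPROVAL_LIMITS.get(inv.approver)
        if limit is None:
            out[inv.id] = "no valid approver"
        elif inv.amount > limit:
            out[inv.id] = "over approver limit"
    return out

def conclude(invoices):
    tests = {"timely": timeliness_exceptions, "accurate": duplicate_exceptions,
             "approved": approval_exceptions}
    results = {}
    for name, test in tests.items():
        exc = test(invoices)
        rate = len(exc) / len(invoices)
        results[name] = {"exceptions": exc, "rate": rate, "met": rate <= CRITERIA[name]}
    return results
```

Each sub-objective returns its exception list, the exception rate over 100% of transactions, and a met/not-met conclusion against the agreed tolerance.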
My first takeaway is to ensure that you have properly and adequately defined the audit objective; and that it is something that you can conclude on.
My next comment would be on the audit workplan. Too often I have seen examples of where the audit workplan did not address all the objectives of the audit. For example, if you have “The accounts payable process supports the timely and accurate payment of approved invoices” as the objective, then your workplan should have steps to assess the timeliness, accuracy, and approval of invoices. I reviewed an audit workplan to assist the team with data analysis and noticed that a sub-objective was “to ensure that the roles and responsibilities of the employees was understood”. Not something you can conclude on, and I won’t comment on the ‘to ensure’ part except to say this is not an audit objective. I did not see anything in the workplan that would allow them to conclude the employees understood their roles and responsibilities and told them they would need to add something. At the reporting phase, the next time I looked at the audit, I looked at the audit steps (workplan) and saw that they had added a step “Review job descriptions.” However, the report did not conclude on the sub-objective; their reason, “we didn’t have enough information to make a conclusion”. At least they were honest. After that, I started asking team leads more pointed questions. For example, “If you review the job descriptions, can you conclude on whether or not employees understood their roles and responsibilities?”
The audit steps must not only be present but also include the necessary criteria. I reviewed an audit that was looking at the service levels provided by an outside firm. One of the audit steps, linked to ‘timeliness’, was to calculate the length of time from service request to completion. I did not see any criteria related to timeliness so I asked, “What will you conclude if it takes five days?” “What if it takes ten days?” In another audit, they were reviewing personal records to determine the accuracy of the data and planned to test ten fields against source data. My question was “What will you say if two fields have an error?” “What if only one field was in error and the error was not significant?” “How do you determine the significance (impact) of inaccurate data?” One of the fields being examined was employee name (which was stored in three fields – last, first and initials). If the initials were not entered, was this an error and did it mean the record was flagged by the audit as being inaccurate?
Back to our accounts payable audit with sub-objectives related to approved, timely, accurate and correct vendor. What will you conclude if 15 invoices were not approved; or 2% of invoices were paid late? Do your criteria provide clear definitions of acceptable and unacceptable and has the client agreed to the criteria? For an audit of external laboratory testing, the audit initially had an objective related to timeliness of results but did not have a criterion for timeliness. This was corrected, and the criterion stipulated that timely meant that lab results had to be provided within ten days; however, the client was willing to accept up to 30 days and had told the external firm this. The discrepancy was not addressed during the planning phase and resulted in major problems at the reporting phase.
My second takeaway is to ensure that you have steps in the audit workplan that address all the audit objectives and sub-objectives; that these steps are supported by defined and accepted criteria; can be executed; and, when executed, will allow you to conclude on the sub-objective.
Moving on to the conduct phase. Too often auditors are satisfied with finding only the symptoms of process weaknesses, not the actual causes of those symptoms. The result is that their recommendations fall short of assisting management to improve controls and reduce future risk. Something I see often, particularly in compliance audits, is:
- Objective: To ensure compliance with “A”
- Criteria: Must do “A”
- Condition: Not doing “A”
- Recommendation: Do “A”
If we take accounts payable as an example, these types of audits often look like this:
- Objective: Verify that we are not paying the same invoice twice
- Criterion: Invoices should not be paid twice
- Condition: Invoices are being paid twice
- Impact: Based on the sample of 100 invoices, we estimate that there are $20K in duplicate payments.
- Recommendation: Recover duplicate payments
The compliance audit (Do “A”) probably won’t result in any change to operations. The A/P audit may recover the expense and cash, but it will not provide lasting value to the manager of accounts payable. The audit should look beyond the mere existence of duplicate payments – to ‘why’ they are occurring. And the process should also be looking at more than a sample of invoices.
First, I would like to point out how the audit objective contributed to this problem. I hope that you are not doing an accounts payable audit to simply find duplicate invoices and recover funds. As it stands, the recommendations should address the root cause of the risks to the achievement of the objective and are therefore limited to duplicate payments.
Secondly, given the audit objective, the auditor should develop appropriate criteria and design a program that has the necessary steps to allow the auditor to deliver on the objective. It should have steps to look at whether invoices were approved, paid in a timely manner (not early and not late), accurately (right amount and not twice), and to the correct vendors (not incorrect or fictitious vendors). The steps should also maximize the use of data analytics to review 100% of the transactions.
My next comments relate to the recommendations. Recommendations should be linked to the audit objective and address the root cause. Sounds simple, but I have seen recommendations like “Do A” which do not address the root cause. And I have seen recommendations that were made which were not part of the audit objective and were not supported by any criteria.
Take time at the beginning of the audit to consider the audit objective. Ensure that the audit objective will identify the root causes of the risks in the various business processes. Ensure that you have the proper criteria and audit steps to allow you to deliver on the audit objective.
Ensure that your analysis allows you to identify the financial impact of the symptoms found so that you will be able to gain support for the recommended process changes. Maximize the use of analytics to improve the efficiency, effectiveness and scope of the audit and provide a quantified, defensible financial impact statement. And repeat the ‘why’ question to get to the root cause of the symptoms to eliminate future risks.
Ensure that your recommendations are implementable, cost-effective, address the root cause, and identify the appropriate position that can act on them.