What is audit criteria?
Audit criteria is the standard that you evaluate the subject matter against. Without firm criteria, the auditee will likely resist your audit recommendations. I know I did when I was audited.
Auditees might fight you over every statement in the report
I was audited three times in a very short period because I was the controller of two new federal grants. The state auditor and the internal auditor audited me first. They were both pretty pleasant to work with, but then I had the displeasure of being audited by a federal grantor.
The federal auditor called me on Monday morning to tell me that he was flying in that day to see my records. JOY. Because I had experience as an auditor, I was confident that I had all the records in order. But I still didn’t appreciate the disruption or the idea of a “surprise audit.”
Still, I did as my mother taught me and acted as hostess. “Would you like recommendations on where to stay or eat?” “Do you need a ride from the airport?” “No!” he barked, “I’ll see you around 1:00.”
He showed up around 2:00 and, without explaining what he was there to do, he said he wanted to look at my files. I pointed him to the filing cabinet and for the next three days, he sifted through my files (scrambling most of them!) and scrutinizing them for any little discrepancy.
Again, I was pretty confident that everything was fine, but he did write a few findings. I don’t remember what they were about, but they were obscure little issues that were not addressed in our contract or any federal standard or guideline. In other words, he audited without criteria!
The CFO and I worked for the next three months to debunk his findings, pointing out repeatedly that we could not be expected to read the federal government’s mind! Then, miraculously, the auditor’s boss called to say that he was withdrawing the report. We were victorious!
I assume that his other audit victims just rolled over and agreed with everything he said. But not us! I knew that auditors don’t have a leg to stand on without firm criteria, and I argued successfully against every sentence in the report.
And any auditee could do that to you if you work without criteria. To avoid that, you get auditees to buy into the criteria at the front end of the engagement.
(As an aside – be very careful when your audit client used to be an auditor themselves. They will know all of your tricks!)
What is audit criteria?
What I knew and this federal auditor obviously didn’t is that the definition of an audit is the evaluation of a subject matter against criteria. Without criteria, you don’t have an audit, you have a witch hunt. And we were having none of that!
The Yellow Book describes criteria this way:
8.17 Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations in the report. Suitable criteria are relevant, reliable, objective, and understandable and do not result in the omission of significant information, as applicable, within the context of the audit objectives. The relative importance of each of these characteristics to a particular engagement is a matter of professional judgment. In instances where laws, regulations, or policies prescribe the criteria to be used for the engagement, such criteria are presumed to be suitable in the absence of indications to the contrary.
6.25 Criteria: For inclusion in findings, criteria may include the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations in the report. In a financial audit, the applicable financial reporting framework, such as generally accepted accounting principles, represents one set of criteria.
Places to Get Criteria
The criteria may reveal themselves to you while gathering information, or you may have to dig a little bit. You should not be afraid to ask the auditee to suggest criteria. They know their organization and industry better than you and will be more likely to buy into the conclusions and findings if they help determine the criteria.
Here are a few places to look for criteria:
- Policies and procedures
- Internal control documentation
- Laws and regulations
- Industry data, measures, trends
- Literature (articles, studies, books)
- Purpose or goals prescribed by law or regulation or set by officials of the audited entity
- Technically developed standards or norms
- Expert opinions
- Prior periods’ performance
- Defined business practices
- Contract or grant terms
- Performance of other entities or sectors used as defined benchmarks
What happens if you don’t have audit criteria?
Well, you or the auditee have to make some.
A new internal audit shop with a Fortune 500 company realized they had no criteria to work with at all!
The team was responsible for auditing approximately 30 manufacturing plants across North and South America. On their initial audits, they determined that none of the manufacturing plants had policies or procedures in place, and consistency in practices was definitely lacking. Each plant had its own way of doing things and these ways were not documented.
So, this team had no criteria against which to audit, and that made their work very difficult and pretty silly. They argued with the plant managers who had done it their own way for a few decades. Who were these auditors to tell them to do it any differently?
After half-a-year of arguing with the plant managers, the auditors finally decided to visit each plant and write them up for not having any policies and procedures. Smart! The audit team gave the plants nine months to put policies and procedures in place before the audit team conducted a more thorough audit. By the end of the year, the auditors had criteria against which to audit... Continue reading here.
Senior Auditor at California State University, Office of the Chancellor
5 年Story of my life! But not for long, thankfully!