3 Auditing Mistakes No Agency Can Afford
By: Kimberly Holston, Senior Manager; Elizabeth Lainhart, Supervisor; and Eric Peters, Supervisor
It happens every year. An audit cycle comes to an end, and the agency is faced with audit findings that they did not expect. More importantly, they cannot seem to figure out the underlying cause or how to address it. Having conducted hundreds of audits for the federal government, we have seen how avoiding these three common audit mistakes can mean the difference between an audit finding or a “clean” audit report. Regardless of where your agency is in its business cycle, it is never the wrong time to address these three common pitfalls to ensure you are continuing with your audit success.
1. Tone at the Top Doesn’t Support Effective Internal Controls
Where there is no vision, the people perish. The tone at the top refers to leadership’s attitude and behaviors regarding the organization’s values, philosophy, and operating style. A tone at the top that exemplifies ethical behavior and an emphasis on constant improvement will encourage buy-in to the vision set forth by the organization’s leadership. Conversely, without a strong tone at the top to support an internal control system, employees may lose confidence in the sustainability of the organization or credibility of the leadership.
It is important that each level of leadership subscribes to the overall success of the agency’s mission and pursuit of a strong control environment. If leadership does not emphasize the importance of adhering to and establishing strong internal controls, their employees might not see them as important either. This laissez-faire attitude could result in employees not following established policies and procedures or not correcting known control deficiencies in a timely manner. To establish and exemplify a strong tone at the top, agencies should consider the following:
Developing corrective action plans with clear accountability, timelines, and progress tracking. Employees at different levels throughout the organization will embrace the tone at the top if they are included by name or title in the organization’s remediation plans. This will cause employees to be more engaged, as they are aware that they will be held accountable by the organization’s leadership.
Implementing frequent communication with employees regarding organizational policies and ethics. Most organizations require that employees complete annual ethics training; however, incorporating more frequent discussions about the organization’s stance on ethical behavior and the consequences of noncompliance is a strong deterrent to most bad actors.
Encouraging individuals throughout the organization to lead by example. It is essential to get buy-in from mid-level managers. This can be done through seeking their feedback and involving them in decision-making, where appropriate. Since mid-level managers have more one-on-one interaction with their direct reports, getting their support on leadership’s initiatives and values will increase the likelihood of buy-in at all levels.
2. Processes that are Undocumented or Not Communicated
A process is only as good as it is performed. To ensure a process is being implemented consistently and as intended, it is imperative that the process is thoroughly documented and communicated to the process owners. Too often we, as auditors, are given a Standard Operating Procedure (SOP) document that is ten years old, only to find out during testing that the actual process has changed significantly since the time that SOP was written. We typically discover that some process changes were purposeful, but not documented, while others were not intended or approved by management, but became habits over time.
Whether the change in procedures was purposeful or not, SOPs that don’t align with current processes can lead to key processes being done inconsistently or incorrectly, without proper controls in place. In addition, following procedures that differ from the approved SOPs is a common reason for an audit finding.
Another concern is continuity. If the process has not been documented and the process owner leaves the agency, their replacement may not have the information to perform that procedure as designed.
Avoid this costly audit mistake by remembering these two tips:
Properly document your processes. Document processes clearly and thoroughly, with multiple levels of input and review prior to finalization. Establish a periodic review schedule for the current SOPs to ensure any approved changes that occur are captured and to identify any additional areas that need to be revised. The frequency of this review schedule may change from agency to agency, but often we see agencies reviewing and modifying their SOPs annually or biennially.
Communicate and train the process owners. Maintain the updated copy of the SOP in an accessible place for the process owners, such as the agency’s intranet. It is not enough for someone to read an SOP once when they onboard into that position. This should be a document that they (and the person after them) can refer to as needed and have been properly trained on.
3. Insufficient Supporting Documentation
Documentation is the proof of processes. One of the most common mistakes we see during audits is not maintaining sufficient documentation to support balances or control activities. From an auditor’s perspective, this is one of the most common and impactful mistakes an agency can make because it shows a clear lack of controls. If an agency doesn’t have support to show that a transaction was valid, an approval was received, or that a reconciliation was conducted, we as auditors can’t be certain the key control was performed or the information was recorded accurately. We often find that lack of documentation is due to a haphazard process for document retention (for example, approvals are done via email and a copy of that email is not maintained in a location accessible to anyone other than the sender and receiver), or a lack of a robust document repository system.
A lack of supporting documentation that is pervasive throughout the agency has many implications that could result in the following situations:
A finding in the agency’s audit report. Most of the time, if an agency is not able to provide adequate documentation to support a balance or internal control, it will result in a finding in the audit report. For example, many agencies have seen that not retaining supporting documentation could result in a disclaimer of opinion during their financial statement audit, or multiple material weaknesses over multiple audit years.
Increased Risk of Material Misstatement or Fraud. If there is no documentation, did it really happen? Lack of documentation increases the risk of material misstatement and/or fraud, which may lead to additional audit procedures conducted by the auditing firm.
To ensure that an agency can produce the supporting documentation requested by the auditors and individuals throughout the organization, an agency should ensure it has the following:
Current document retention policy. Agencies should have a clear record retention policy that describes the proper method and time period for retaining key documentation, such as approvals, invoices, and reconciliations. This policy should be communicated throughout the agency.
Robust document repository system. The ideal document repository is electronic, easy to use, and readily accessible by individuals with a need to know. This can be part of an agency’s existing systems (such as an accounting system or procurement system) or it can be a standalone system or shared drive. The important thing is that the documentation is well organized and complete.
Documentation checklist. For items that have a large amount of supporting documentation (such as contract and procurement files), developing a documentation checklist for the person preparing the file to use can be helpful in ensuring all required documentation is retained in accordance with the agency’s document retention policy.
With improvement in mind, the entire organization can be involved in implementing and effectively operating controls, thereby reducing audit findings.