Preparing for external audit

Don’t let inadequate planning jeopardize the success of your audit

Looking forward to your next audit?  We don’t come across many people who are…

An audit can be a very stressful experience.  If you don’t know what to expect, your team may spend a lot of time scrambling around to find evidence that either doesn’t exist or is difficult to retrieve.

But as we all know Proper Planning Prevents Poor Performance (If you’re thinking there’s one P missing, that’s because I went for the polite version).  This definitely applies to preparing for your external audit – it can make a huge difference to the way the audit progresses and the final outcome.

It helps if you understand why the auditors are putting you through this.

What are the objectives of an external audit?

There are different types of audit, but the most common external audit is the annual financial statements audit, conducted by an independent auditor to ensure that the company’s financial reports present a true and fair view of its financial performance (as in the income statement) and its financial position (as in the balance sheet).

To this end, the auditor must obtain reasonable assurance that the financial statements don’t contain material misstatements, whether due to error or fraud.  They do this by selectively testing financial records – i.e. by gathering and evaluating evidence to see if it supports the figures and disclosures that are reported in the statements.

Obviously, the company’s IT systems play a crucial part in the accuracy of the financial reporting.  These systems need robust controls to make sure that transactions are recorded and reported properly.  The controls should aim to prevent users performing unauthorized activities, whether accidental or deliberate, that can affect the validity of the figures.

Auditors assess how effectively the controls prevent and mitigate the risk of material misstatement.  The findings can have repercussions on the way the rest of the audit is conducted.

If they judge the controls to be effective and they have confidence that the information in the system is reliable, this may reduce the level of substantive audit evidence that they need to gather.  But if they find the controls to be inadequate there is a greater risk of inaccuracies, so they will need to obtain much more extensive and detailed audit evidence, thereby increasing the amount of audit effort needed, and the cost of the audit.

Note that the objective of this audit is NOT to audit your security, nor to detect or prevent fraud; that is the responsibility of the company’s management.  But auditors will look for reasonable assurance that the financial statements are not materially misstated as a result of fraud.  If they suspect that fraud could be occurring, this will affect the nature and extent of the audit processes and the evaluation of controls.

What are the major risks?

Your auditors will assess your specific risks depending on many factors that affect your company, such as its size and structure, geographical locations, the industries that it operates in and the regulatory environment, but listed below are some general risks that they will look out for across the board. We’ll discuss these risks and the controls that you need to manage them in more detail in our next posts.

  • Improper role design or provisioning
  • Privileged user access, particularly:
    • IT users provisioned with access to sensitive business applications
    • End users provisioned with access to IT applications
  • Users who have the ability to carry out end-to-end functions
  • Change management – are all changes properly authorized and tested?
  • Lack of policies and procedures.
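As an added illustration (not code from the original post) of how the access risks in this list can be checked before the auditors arrive, the script below runs three checks over a constructed role-provisioning export: IT users with access to a business application, end users with access to an IT application, and users holding both halves of an end-to-end function. The application names, function names and conflict pairs are assumptions chosen for the example.

```python
# Added example, not from the original post: segregation-of-duties and
# privileged-access checks over a constructed role-provisioning export.
# Application names, function names and conflict pairs are assumptions.

from collections import defaultdict

# Constructed sample export: (user, department, application, function granted)
PROVISIONING = [
    ("alice", "Finance", "ERP", "create_vendor"),
    ("alice", "Finance", "ERP", "approve_payment"),   # end-to-end conflict
    ("bob",   "IT",      "ERP", "post_journal"),      # IT user in business app
    ("bob",   "IT",      "AD",  "admin"),
    ("carol", "Sales",   "AD",  "admin"),             # end user in IT app
    ("dave",  "Finance", "ERP", "create_vendor"),
    ("dave",  "Finance", "ERP", "view_reports"),      # no conflict
]

BUSINESS_APPS = {"ERP"}   # applications that feed the financial statements
IT_APPS = {"AD"}          # infrastructure / IT administration applications
# Pairs of functions that together let one person run a process end to end.
SOD_CONFLICTS = {frozenset({"create_vendor", "approve_payment"}),
                 frozenset({"post_journal", "approve_journal"})}

def find_findings(rows):
    """Return a sorted list of (user, finding) tuples for the three listed risks."""
    funcs = defaultdict(set)   # user -> all functions granted across applications
    findings = set()
    for user, department, app, func in rows:
        funcs[user].add(func)
        if department == "IT" and app in BUSINESS_APPS:
            findings.add((user, f"IT user has access to business application {app}"))
        if department != "IT" and app in IT_APPS:
            findings.add((user, f"end user has access to IT application {app}"))
    # Conflicts are evaluated across applications, not per application,
    # because an end-to-end chain may span more than one system.
    for user, granted in funcs.items():
        for pair in SOD_CONFLICTS:
            if pair <= granted:
                findings.add((user, "end-to-end conflict: " + " + ".join(sorted(pair))))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in find_findings(PROVISIONING):
        print(f"{user}: {finding}")
```

Each finding is the kind of item an auditor would expect to see either remediated or covered by a documented compensating control.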

Top Tips for a successful audit:

Determine the scope and focus of this year’s audit

Your audit may differ from year to year.  Changes in your business operations, regulations, and the economic environment will affect what risks the auditors decide to focus on, so they may look at areas which haven’t arisen in previous audits.

They’ll also look for evidence that any issues identified in earlier audits have been satisfactorily addressed.  As time goes by and auditors gain confidence in the higher level controls, they may dig deeper into the system to identify more complex risks.

To ascertain the scope of the audit and which areas the auditors intend to focus on, hold a planning meeting involving relevant parties from IT, the business, internal audit and the external auditor.

This gives you the opportunity to review the information requested and discuss any changes.  It helps you to be prepared to evidence and defend your controls.

Conduct your own security audit

This will identify vulnerabilities so that you can fix or mitigate them before the auditors arrive.

Make sure your policies, procedures and evidence are up to scratch

You need clear policies and procedures that describe exactly how you manage the key risks and the controls that you have in place. Keep documentary evidence to prove that you are enforcing them.

These documents can provide the auditor with a roadmap for testing the controls and reduce the risk of the auditor surprising you with unexpected requests.

Don’t use words such as ‘all,’ ‘any,’ ‘every,’ and ‘never.’

Even the most rigorous controls can’t guarantee that unauthorized events will never occur, but if you use such terms, some auditors will make you prove it!  It only takes one error to blow your claims apart.  Instead use words such as ‘reasonable’, e.g. ‘we provide reasonable assurance that…’

Avoid evidence fraud

If documentary evidence is missing, DO NOT be tempted to falsify it, as this will be seen as evidence fraud.  It will cast doubt on all the evidence that you have produced and lead to a failed audit.  Missing documents will result in document deficiencies being noted, but this is much less damaging than creating evidence after the fact.

Your control framework needs to be adaptable

As your business grows you need to change or extend your controls to accommodate acquisitions, structural changes and new IT systems, as well as regulatory changes.

Use tools to help

Implementing controls and monitoring risk can be very complex and time-consuming, so look for tools to help you do it efficiently and effectively.

In the next post we’ll discuss access management risks and related controls

In the meantime, you can find out more about our audit reporting tools here