Having a “to-do” hangover from this year’s external audit report? Here’s what you can do to minimize those recommendations next year, while making yourself and your boss look good.

They are finally gone! With the audited financial statements finally issued – at least for most companies with a calendar (Dec. 31) year end – the 2016 external audit (where the CPA firm certifies the reasonableness of the financial statements of your company) has come to an end. Hopefully many of you can now return to your regular 60-hour work week of just getting the things that matter done rather than worrying about the corporate politics or ramifications of the external audit (alright, maybe not having to worry as much). Some of you are now facing the reality of having to deal with the commitments you made to get the auditors off your back as you address those “helpful” audit report comments left behind (and reported to the audit committee or executive management). Let’s reflect on the lessons learned and hopefully “minimize the pain” of next year’s external audit.

Know the type of auditor you are dealing with and their scope

Yes, there are different types of auditors, each having their own scope of what the audit will entail. Generally, financial auditors (the type we are talking about here) provide reasonable (not absolute) assurance about whether the financial statements are generally free from material misstatement and whether the statements are presented in accordance with generally accepted accounting and audit-related standards.

This type of audit generally focuses on the role that information systems play in recording, maintaining and reporting on financial information.
This is the reason auditors focus more on the application security that is used to enforce segregation of duties for the processing of financial transactions than on cybersecurity – even though the latter may cause greater operational risk to the organization and headaches (job security challenges) to you.

Do a self-assessment and identify your “challenges”

This doesn’t need to be too formal, and I appreciate that you may not have the time to do it fully. Walking through the checklists (or audit programs) that auditors use can help tip you off as to what to expect, any potential gaps, and the “excuses” you may need to come up with prior to the audit. Sometimes an outside facilitator (whether from another department or an outside consultant) can provide a fresh or honest perspective. This helps you and your team “kick the tires” on any false assumptions that may rear their ugly head when the auditors visit. The idea here is not necessarily to fix everything but to understand where you might be exposed and to decide (prioritize) what you want to fix, if anything.

Choose your Sarbanes-Oxley (SOX) controls wisely

Perhaps no area causes as much audit pain to information technology and information security functions as having to specify and test controls related to SOX. Adding to the pain is the confusion as to what is and isn’t required. In a nutshell (and I am oversimplifying this), you need to declare the controls that you have in place to mitigate the risk that the financial statements are materially misleading to those who use them.

Despite “vendor claims” or “viewpoints from inexperienced auditors,” there is no set list of controls that must be implemented. Rather, you need to identify the risk, identify the control(s) that you implemented to mitigate the risk, and test to see that those controls function as intended. More is not necessarily better – the quality of a control in mitigating the risk is far more crucial than the quantity.

But here’s how some of you are getting into trouble.
You try to get “brownie points” with the corporate staff by declaring as many controls as you can (and being proud that you have so many controls). But if you declare a control as critical, you need to test the control. If the test reveals that the control doesn’t work as intended, no matter how immaterial the failure (remember, it was you who said it was a critical control), you need to remedy the control (and fill out lots of paperwork). You then try to backtrack, saying that not all the controls identified were critical, which results in a catch-22. By admitting the controls are not critical, you lead your manager to question your ability to lead and deliver services efficiently, because you implemented controls that are not needed, resulting in inefficiencies – not a good thing to be known for in today’s business climate.

Use policies as a contract and identify missing “understandings”

The more expectations are defined (for our purposes, documented), the fewer audit issues you will have. The reason is that most technology and information security functions excel at implementing agreed-upon requirements. These requirements are generally documented through policy. The problem arises when expectations are not communicated, agreed to and thereby documented. In these situations, the external auditor may impose their own expectations, resulting in comments requiring that their expectations be implemented, whether reasonable or not. So, resolve your issues within your function and with other departments before the audit, or the external auditor will resolve them for you.

Document your rationale for accepting risks and try to get approval for your decision

There is usually more than one control that can be used to mitigate a risk. Sometimes, a decision not to mitigate the risk and to accept the consequences makes business sense.
In these situations, document the rationale for accepting the risk or implementing an alternative risk strategy and get it approved – hopefully by an IT steering or risk management committee. External auditors are less likely to challenge something that has been approved by a committee than a strategy implemented by an individual.

Bottom line

Good planning will help you master the audit process and avoid some of the most common audit problems. It makes you look good and reduces the headaches for your boss. As that well-known “management guru from the 1700s” (Ben Franklin) said, “an ounce of prevention is worth a pound of cure.”