OVER AND UNDER AUDITING2014 • Boston AGA Chapter • January 23, 2014 • Art Hayes • www.hayesways.com • firstname.lastname@example.org 1
Why would you change what you are already doing? • Doesn’t it seem that you are pretty successful? • Isn’t there risk in changing? Maybe it won’t work out as well as what you are doing now? • And what if you are not so sure you are doing the right thing—then won’t there be even greater reluctance to try something new and maybe screw up even more and even be detected?
So, before we start we need to see if we can answer two basic questions • 1. ________________________ • 2. ________________________
A word about the perspective… • The way we do our audits is inextricably tied into questions of ethics. • Re Ethics—can we just “hide” behind more work we have to do? • The ultimate test=how well did you utilize your resources and how good was the quality of the work product you gave to your client.
The basics • What do we have to do? • How do we know what we have to do? • What else is there that we do? • The “extras”? • is there any room for slack? • Do we have any time for side trips? • What is a side trip? • Is it a part of the mission? • Did we waste that time? Do it for nothing?
Our basic activities • Risk assessment procedures (performed in every engagement) include: • Inquiries of management and others within the entity • Analytical procedures • Observation and inspection
Top ten (or so?) over and under auditing dilemmas • And tools to address them • Finding the right balance between drive by audits and the never ending story • Hint: this does not mean less work 8
The double edged sword • Professional judgment • Is it truly subjective? • Is there an objective measure/test to what we do? • Peer review? • Media? • Snitches?
What is our real mission/purpose/vision? • To critique and report? • Our independent role • To improve their operations? • To strive for the betterment of the overall concerns of taxpayers? • To improve their ability to safeguard their assets and information?
What is the greatest under-auditing trap? • What is the greatest over-auditing trap? • How do you determine the answers for your entity? 11
True or False • 1. Relatively inexperienced auditors will more likely than not result in under auditing, at least as regards detecting fraud. • 2. Relatively seasoned auditors will more likely than not result in over auditing, since they will tend to do the same work they are accustomed to do, on automatic pilot. • 3. A way to control under auditing is to utilize auditee personnel to do some of the audit work. • 4. Independence issues are irrelevant to the issue of over and under auditing. • 5. There are many factors in an audit engagement that affect over and under auditing that are beyond the control of the auditors 13
TOP TEN OR SO DILEMMAS • Not enough staff. • Not enough time. • So much to look at. • So many standards. • The Easter egg hunt phenomenon. • We are not clairvoyant. • They could gang up on us. • They seem so nice. • The learning curve and predictability. • We don’t want to look stupid!! 14
TOP TEN OR SO POSSIBLE SOLUTIONS 1. KNOW YOUR ENTITY. Take the time to talk to people. Learn as much as you can about the industry, the operations and the challenges. The more you know, the better you can design your steps, the more guesswork you can avoid, and the better you can aim your efforts at where the risks are.
2. AUDIT TO RISK. After learning about your entity, critically revisit your audit program, particularly if you have a canned audit program. We must concentrate our limited hours in the areas of most importance. And let the other areas go.....
3. For CAFRS, understand opinion units. Use the right materiality levels for the right funds. Use work from one opinion whenever you can to support the work of a government-wide opinion unit. Don't duplicate effort just because they are different opinion units.
4. Use CAATS when you can rather than detailed testwork. For some types of analysis, CAATS can be much more effective than detailed testwork.
5. Don't shy away from using analytical procedures as your sole support if there are not significant risks and if there are solid relationships in the analyticals and the expectations can be explained and relied on.
6. Don't allow scope creep. We deal with legislative bodies and other oversight that would like us to look at everything. We have to be able to identify the additional effort required for each additional request and do our best to gently persuade the interested parties that it will have to wait or be part of a separate effort.
7. When scope creep does occur, we must remember to remove the procedures the next year. Too often, we let something into the audit program and we never get it out. By the time someone wonders why a certain step that doesn't support the opinion is in the audit program, it has already been completed. Or we look at the step and think it's a pretty good step and a worthwhile procedure, but forget that it is not necessary for the opinion.
8. Cut the extra compliance steps that have no chance of being material noncompliance. Too many rules are tested that are good to know, but don't support the opinion. If we find a few payments that weren't made within the prompt payment act parameters, will it really affect our opinion or our report?
9. Limit your attributes to only the substantive questions that support the opinion and only the key internal controls (if relying on internal control.) Don't make a big laundry list to review for every single transaction.
10. Be cautious with your sampling. Reconcile, reconcile, reconcile. People sometimes ask for listings of the main types of receivables and test away without considering what percent of the total receivable total they have. You could be missing a larger than comfortable percent of the total.
11. Understanding the overall balance is also important from the overauditing standpoint. Always make sure you know how much you need to be testing overall and understand what population you are talking about before you develop your steps and sampling plan.
12.commemorate/communicate/coordinate/consolidate • From this day forward, keep track of over and under-under auditing tendencies and communicate this to staff • Make it a part of audit huddles • Develop a central data base
The top nine things that prevent auditors from finding problems/fraud, per a staff survey • lack of time • lack of documentation at the auditee • not knowing what the real procedures are at the agency • lack of knowledge about such problems/fraud • lack of knowledge and understanding of information technology issues • so many auditing procedures to do • isolation of the auditors on site • fear of crying wolf • fear of making the auditee mad
Possible solutions to these obstacles*. • Look at the current “required” audit steps and determine if they are really “required” and eliminate (or do every other year) if possible. • Having more auditors with medical expertise and mental health training • Rotate auditors as well ask keep some on the audit with knowledge of ways to “beat the system” • * from my staff survey
Things that assist me in finding problems • CAATS • OK, I’ll admit it. I like to find the big issues (I don’t find them very often, and they are not necessarily fraud)—but I get a real charge out of finding stuff! I think the thing I rely on most is a skepticism where I pretty much assume that anything unusual I see is a problem until I can assure myself that it is not.
True, this goes against the “American Way,” in which we assume innocence until we prove guilt. However, if it walks like a duck, quacks like a duck, and swims like a duck, I’m going to assume it’s a duck until someone can be pretty convincing that its not a duck!
Conversations with staff around the office. I believe that interdisciplinary thought groups would allow the exchange of ideas, experiences, and problems and bring to light potential issues. E-mail is a wonderful and efficient tool for communicating knowledge, but it does not replace conversation as a “trigger” for recollections and experiences that may have fallen out of mind. There have been several occasions in my life where a comment or event did not seem significant at the time, but later became a critical issue with the development of more information
Provide more training that directly relates to types of problems/fraud we might encounter on an audit with focus on the mechanics of schemes and how those schemes can be detected • When the existing audit programs are revamped for new procedures under new standards, make sure that managers and in-charges understand that more time may be needed to complete the audit, and remind them that we are here to perform quality audits, not to establish bragging rights by trying to finish the audit in less time than the previous auditors
Emphasize to auditors that it’s OK to ask as many questions as they want, and they should continue asking questions until they are satisfied with and completely understand the answers; the auditee’s attitude does not control the amount of questions • Explain the roles of each section in our office and what each section does, and emphasize that every section must be on the lookout for problems/fraud when performing work; the auditors in each section should be made aware of what to do if fraud is found and should understand the process of handling a fraud allegation and who performs the various tasks related to handling the allegation; the auditors should also understand that fraud investigations may require the assistance of auditors from various areas of our office and are not just handled by Investigations
Emphasize that it’s better to make a big deal of an issue that could indicate fraud and find that it’s not fraud, rather than pass over the issue and find out later that fraud was occurring
Asking questions about things that look odd • Giving careful thought to answers that the auditee gives me to make sure the answers are plausible and make sense • Asking for documentation whenever possible to verify auditee statements • Gaining an understanding of the procedures that may apply to the area I’m looking at (purchasing, contracts, etc) so that I can determine if anything appears out of place
Asking other auditors for their opinion on issues that look strange (the other auditor might notice something I overlooked or might be able to share experience or expertise with the issue in question) • If the auditee gives a statement that involves the activities or participation of other individuals, following up with those individuals to verify the auditee’s statements (for example, if Bob says that Fred told him about something, ask Fred if he really did) • Asking the auditee where his or her information came from
Encouragement from my superiors and co-workers • Training classes • Experience on the audit. The more years that I am on a particular audit, the more likely I am to uncover some irregularity • Conscientious, talented auditors to work with me • Guidance from managers • Knowledgeable internal auditors at the auditee
Improving auditor skepticism through cognitive dissonance theory • Is objectivity a myth?38 • How much do we struggle to not have an open mind (by holding onto our assumptions/biases/beliefs) when we profess to have an open mind? • As professionals, we are expected to employ critical thinking in analyzing information/evidence • This includes weighing conflicting information from various sources • But are we to be totally objective? • The scientific method is designed to prove that a hypothesis is true?? • What is the main role of attorneys?
Two main perspectives: • What we tell ourselves to justify what we do..staying off the slippery slopes • Our possible predispositions to whether we think a person or an organization is trustworthy • And how those notions may affect our evaluation of what they say or do • What others tell us to justify what they have done or not done • And whether we buy off on it • If this sounds familiar, it is what we tell friends/family when they have been hurt • It wasn’t your fault/they were jerks/you are better off without him/her/that job • And the basis of cognitive reframing therapy
What are the two primary types of mistakes we can make in evaluating information? • False positives • False negatives • Which is worse?
Purpose of this session • To assist you in recognizing the traps we all can fall into when we are evaluating information and evidence
When our brains are made up, it is very hard to change them • Cognitive dissonance—a state of tension created whenever a person holds two cognitions (ideas, attitudes, beliefs, opinions) which are psychologically inconsistent. Leon Festinger • Smoking is not a good thing, it can kill me; I smoke two packs a day
It produces mental discomfort From minor pangs to deep anguish We don’t rest easy until we find a way to reduce it Quit smoking Convince yourself smoking isn’t so bad Or it is worth the risk because it helps me relax, or prevents me from gaining weight (another health risk) 43 43
Three primary applications to auditing and accountability • Auditors and the need to remain objective in skeptically analyzing audit evidence • Management and those charged with governance who need to remain objective and vigilant to indicators of possible fraud, waste or abuse through designing, establishing and monitoring effective internal controls • All of us as human beings who can trip down that ol’ slippery slope
Auditor responsibilities per SAS 99 • Paragraph 14: when responses to inquiries of management, those charged with governance, or others are inconsistent or otherwise unsatisfactory (for example, vague or implausible), the auditor should further investigate the inconsistencies or unsatisfactory responses.
Paragraph 14: maintain the proper questioning mind throughout the audit • Paragraph 15: the questioning mind should include setting aside any prior belief that management is honest and has integrity and consider the risk of management override of controls
Paragraph 15: • Consider known external and internal factors that might: 1.create incentives/pressures to commit fraud, 2. provide opportunities for fraud to be perpetrated and 3. indicate a culture or environment that enables rationalization for committing fraud
Paragraph 16: professional skepticism should lead auditors to continually be alert for information or other conditions that could indicate that MMDF may have occurred
Paragraph 16: professional skepticism should lead auditors to thoroughly probe the issues, require additional evidence as necessary, consult with other team members and, if appropriate, experts in the firm, rather than rationalize or dismiss the information or other conditions indicating that a MMDF may have occurred.
Requirements of SAS 109 • Paragraph 19: the auditor should plan and perform the audit with an attitude of professional skepticism, which should be exercised throughout the audit engagement • Auditors should be rigorous in following up on indications of MMDF or error • Auditors should be alert for information or other conditions indicating a MMDF/E may have occurred.