As I'm reviewing audit files I like to feel as if I'm reading a thriller, or at least a mystery story.
The introduction sets the scene, including the characters and their world. Then we start to see the stakes - what is at risk? What do the characters want? What dangers are there that our heroes have to overcome?
Once the hero (which is you - the auditor) - identifies these things, then they set about solving the mystery. How will they approach it best to make sure that they aren't side-tracked onto irrelevant issues that aren't really that critical to the plot? How do they stay focussed, and lead their trusty side-kicks safely through to a satisfactory outcome so that they survive to live the (even more exciting) sequel?
The brave adventurers set out on their great quest. What do they do when unexpected plot twists come up? Do they stay alert or are they lulled into boredom on the long journey, or tricked by some evil mastermind into missing some hidden piece of the puzzle? Are they intimidated by their fierce enemies to back down and take an easier path that leads to a dead end? Can they see through their quest to the end?
Okay, so it's not always quite that exciting doing an audit. But nevertheless, all audits follow a clear story that encompasses many of the standard tropes of a good story. And most importantly the reader of an audit file should be able to discern a clear story arc. I would describe this as follows:
1. What is the setting (entity and environment)?
2. What does our mission entail (scope and legislative requirements)?
3. Who are the key characters and stakeholders and how do they relate to the entity and to each other (risk, related parties, fraud)?
4. Who will be reading our story - or at least the final chapter - our audit report (user needs)?
5. What details can we skim over and what do we need to include so we don’t miss anything important (materiality)?
6. What are the key points we need to focus on where things could go badly wrong (documentation-specific risks including how the entity deals with its own risks)?
7. What the risks are that our mission could fail (reducing audit risk to an acceptable level)?
8. How can we meet this goal by choosing the combination of approaches that is most efficient - based on assessed risks and materiality?
9. How much we will rely on the client's own controls, how much we will rely on analytical review, and how much we will have to cover by testing transactions by sampling (our Risk Analysis, Strategy and Plan)?
10. How do we make sure we focus on our plan and don't get sidetracked - UNLESS something pops out that we didn't know about - the dreaded plot twist (revisiting planning)?
11. What have we found out about the big issues we identified in our planning (summarise the whole job on - The Audit Summary Information page - what we identified as the big issues -medium, high and significant risks and key issues - any changes we had to make along the way, and anything else that is really important - errors we found or indications of fraud for instance)?
12. Is our work is sufficient to meet our goals?
13. Pull together a report that encompasses all the important findings above.
Many audit files contain lots of good work, but don't necessarily hold together the story arc that makes a good audit file. Often the story is in the auditor's head, but they haven't recorded it that well. The story is either cluttered with too much detail or missing some important detail on which the whole plot hangs.
So when you are completing your next audit file, sit back and imagine you are reading a story. Does it contain all the elements above, or are there holes in the plot? Is it as big as Lord of the Rings but not nearly so interesting? Is there a clear story running through the whole file, so that someone else could read it and feel like they were right there with you on your adventure?