What story does your audit file tell?


As I'm reviewing audit files I like to feel as if I'm reading a thriller, or at least a mystery story.

The introduction sets the scene, including the characters and their world. They we start to see the stakes - what is at risk? What do the characters want? What dangers are there that the heroes have to overcome?

Once the hero (which is you - the auditor) - identifies these things, then they set about solving the mystery. How will they approach it best to make sure that they aren't sidetracked onto irrelevant issues that aren't really that critical to the plot? How do they stay focussed, and lead their trusty side-kicks safely through to a satisfactory outcome so that they survive to live the (even more exciting) sequel?

The brave adventurers set out on their great quest. What do they do when the unexpected plot twists come up? Do they stay alert or are they lulled into boredom on the long journey, or tricked by some evil mastermind into missing some hidden piece of the puzzle? Are they intimidated by the giants and trolls to back down and take an easier path that leads to a dead end? Can they see through their quest to the end?

Okay so it's not always quite that exciting doing an audit. But nevertheless all audits follow a clear story that encompasses many of standard tropes of a good story. And most importantly the reader of an audit file should be able to discern a clear story arc. I would describe this as follows:

  1. Understand the setting (entity and environment) and what our mission entails. 
  2. Understand the key characters and stakeholders how they relate to the entity and to each other.
  3. Understand who will be reading our story (or at least the final chapter - our audit report) and then decide what level of detail we need to look at to meet their information needs (materiality).
  4. Look at and become familiar with the data we are called to report on (financial statements with supporting trial balance) - look at specific risks that present out of that data.
  5. Understand what the entity does to manage its own risks, and assess whether/how much we can rely on this.
  6. Work out what the risks are that our mission could fail - the inherent risks that exist regardless of controls that they may have, the risk that the controls in place may not detect material errors, and clearly describe our assessment of these so we can design tests appropriate to these identified risks, to make sure as far as possible that our work will be water-tight (reducing audit risk to an acceptable level)
  7. Consider the ways we could meet this goal by choosing the combination of approaches that is most efficient - based on assessed risks and materiality. How much we will rely on the client's own controls, how much we will rely on analytical review, and how much we will have to cover by testing transactions by sampling (our Risk Analysis, Strategy and Plan)?
  8. Do the work we have decided to do, making sure we focus on our plan and don't get side tracked - UNLESS something pops out that we didn't know about - the dreaded plot-twist. Then we go back to our planning and reassess to see what we need to change and how this impacts other parts of the job.  
  9. We do what we decided, then we review what we found out about the big issues we identified in our planning. We summarise the whole job on one page (Audit Summary Information) - what we identified as the big issues (medium, high and significant risks and key issues), any changes we had to make along the way, and anything else that is really important (errors we found or indications of fraud for instance).
  10. Decide if our work is sufficient to meet our goals.
  11. Pull together a report that encompasses all the important findings above.

Many audit files contain lots of good work, but don't necessarily hold together the story arc that makes a good audit file. Often the story is in the auditors head, but they haven't recorded it that well. The story is either cluttered with too much detail or missing some important detail on which the whole plot hangs. 

So when you are completing your next audit file, sit back and imagine you are reading a story. Does it contain all the elements above, or are there holes in the plot? Is it as big as War and Peace but not nearly so interesting? Is there a clear story running through the whole file, so that someone else could read it and feel like they were right there with you on your adventure?

Have more questions? Submit a request

Subscribe to our mailing list

We have a regular newsletter which includes the latest updates in the audit and assurance space as well as on to our latest work.

Click here to view previous newsletters, enter your email bellow to subscribe.