You’re a diligent auditor. You do your research and read the latest industry guidelines. You work hard to understand the risks of a company and how they can affect your findings, but there are still times when something will slip through the cracks. When this happens, you need to know what happened to correct it for next time. Here are some common reasons auditors miss key audit risks:
If you’ve read fraud case studies, you’ll know there was always a point when a critical audit risk was missed; catching it could have changed everything and even prevented the fraud. So how do auditors miss key risks?
Loss of independence
The auditor-client relationship is often intimate, with auditors acting as part of the client’s team. Auditors are sometimes sourced from within the client’s organization, making them true insiders in their role as external auditors. They also have unique access to a wealth of information about the client and its business that no one else can get. These factors can lead to loss of independence or audit committee bias when auditors become too close to their clients or too close to other members of their audit committees.
The potential for this type of bias comes with normal human nature: we’re more likely to trust people who are familiar to us and who share our values and beliefs than those who don’t. It only takes one overzealous employee at a client company, or even just an auditor who doesn’t take responsibility for his decisions, to create problems later on down the line.
Inadequate risk detection tools
An auditor will miss key audit risks if they are unable to detect the threats that matter or if they are unable to assess those risks properly. For example, imagine your client is a small business. You might expect to ignore the risk of petty cash theft because your client is so small and the variance is immaterial, but this would be risky! It’s possible that lots of people could walk off with their tips every night without anyone noticing. In this situation, it would be necessary for auditors to check whether any employees have access to the cash register area without being observed by management or customers. However, it’s not just about detecting fraud; auditors also need to communicate what they’ve found to people who can do something about it.
Inadequate substantive tests
Auditors who do not test controls to their full potential are likely to miss key audit risks because they have not tested them against their own experience or knowledge. For example, an auditor may understand how a company’s internal control system is supposed to work but not necessarily how it actually works in practice. If this is the case, then it’s likely that there will be certain weaknesses within that system that could lead to material misstatements of financial statements if not properly identified by the auditor.
Auditors might skip some testing procedures because they simply don’t have enough time before their deadline, choosing instead to focus on the tests deemed more critical at that moment. This is a ticking time bomb.
Over-reliance on manual controls
Manual controls—paperwork, checklists, and other procedures that an organization uses to ensure they’re doing things right—are often used as the primary mechanism for mitigating risk in audits. But this approach has a big problem: manual controls can be bypassed or misused. For example, auditors may rely too heavily on manual processes to ensure that employees are following proper procedures when they sign out company equipment at night; however, if someone intentionally signs out a piece of equipment from their desk without following the correct procedure, it won’t matter how nicely you’ve documented your policy on signing out pieces of equipment or who signs them out unless you have video surveillance.
Manual processes can also be overlooked entirely by employees who aren’t trained in all of your policies and procedures. Once again, unless those policies and practices are well embedded, nothing is stopping an employee from forgetting about one during their workday!
Failure to apply the appropriate level of professional scepticism
If you’re like most auditors, you might wonder why some of your colleagues miss key audit risks. It could be that they don’t know what to look for or how to apply the appropriate level of professional scepticism needed.
If you find yourself making excuses for a colleague who missed an audit risk, consider whether this individual has been trained in methods that can help them identify red flags and warning signs that indicate there may be material issues with a client’s financial statements.
As external auditors, we focus on compliance. We are not necessarily focused on looking for fraud. While this might make sense at first glance, it can leave significant gaps in internal controls reviews, avenues that fraudsters exploit.
Let’s look at an example: You have an employee incentive program that rewards employees based on meeting monthly sales targets. The amount each employee gets depends on how well they perform relative to other employees as measured by benchmark metrics like cost per sale or customer acquisition costs (CAC). You also measure whether these metrics are within historical ranges so that there aren’t any unusual spikes that might indicate potential problems with your financial reporting system or the process itself. You satisfy yourself that the test is adequate. What you have overlooked is whether the sales target has been achieved ethically: is there undue pressure on the sales team to deliver performance, and does this affect the way they book sales orders?
Auditors are human, like everybody else.
Auditors are human, just like you and me. They make mistakes. They get tired or distracted. Some of them are just bad at their jobs. Or maybe they’re working long hours and need a mental break. Who can blame them? The point is that people make mistakes all the time for several reasons.
Some people might argue that if auditors aren’t making mistakes, then it means either: a) there’s something fundamentally wrong with their audit process, or b) no one ever makes mistakes. It doesn’t matter whether or not someone has made a mistake as long as they learn from it and do better next time.
We know auditors are human, but let’s look at how the profession has evolved in recent years to understand the factors at play better.
Since the 1930s, accountants have been trained to focus on financial information and maintain a narrow set of skills. As accounting firms have scaled up over time, they’ve adopted processes that standardize workflows and limit human error. This makes sense—it’s easy to have one standard approach across hundreds of employees who perform similar tasks with similar methods daily. But by doing so, we’ve restricted our ability to see beyond what we’re taught in our training and encouraged blind spots around certain areas of risk management.
With this process-oriented perspective comes an inherent lack of curiosity about why things happen as they do, which leads us down a dangerous path: We become desensitized to warning signs that something is wrong because we don’t want them disrupting our process flow or preventing us from meeting deadlines.
Auditors are “trained” to not see certain things.
Auditors are trained to ignore certain things. They’re also taught not to ask certain questions or look for certain things.
Auditors are taught that if they don’t find something, it doesn’t exist. The most common example of this is the assumption that humans do everything an organization does and that every action can therefore be easily traced back to the particular person who did it. For example, suppose you have data on your computer but someone else has access to your computer as well. There’s no way you could know which one was responsible for something going wrong because both people had equal access to the data, and therefore both would be equally culpable, or so goes the thinking behind this framework. It sounds reasonable enough until you realize that it assumes everyone operates under identical circumstances, when in fact some workers have more access than others due to necessity.
How Auditproo prevents auditors from missing key audit risks
Auditproo is used by auditors to make sure they don’t miss important audit risks. Auditproo allows auditors to track progress and stay organized during audits, provides a checklist of required activities, tracks all issues found during reviews and audits, sends alerts when issues need attention, and much more.
The Dashboard allows auditors to track progress and stay organized during audits. It automatically updates as new information becomes available so you don’t need to constantly check in with management or other teams to see what’s going on with your projects or clients.
When auditors have missed a critical risk, it is because they were unaware of it, did not understand it, or did not know how to identify it. The good news is that with training and practice, and the right auditing tools such as auditproo.com, we can learn how to see all types of risks in our day-to-day work and make better decisions.