Don’t rest on your laurels! Audits don’t reveal whether your internal controls are foolproof or that you’re free of errors. Overreliance on audit results can lead to greater vulnerability.
If your organization completed an audit with no findings — no recommendations, no adjustments, and a clean opinion — you may be under the impression that it is impervious to fraud and that you’re running a tight, error-free ship.
Not so fast.
An auditor’s good opinion is a remarkable accomplishment, to be sure, but it doesn’t mean everything is perfect or that no errors exist. The opinion principally indicates that your financial statements don’t contain any significant misstatements and that those who rely on them to make decisions can be confident that they are reasonably accurate.
Audits offer big-picture insights and often reveal opportunities for increasing efficiencies and improving operations, but they aren’t airtight — so don’t rest on your laurels. The fight against fraud calls for constant vigilance, and becoming a little too comfortable or over-reliant on audit results can lead to greater vulnerability.
Bridge the audit expectation gap
When leaders realize that a clean audit opinion is not a judgment of the effectiveness of their organization’s internal controls, they often become frustrated and wonder what an audit’s purpose truly is, if not to assure them of the unassailability of their processes and procedures.
Understanding what an audit provides (and what it doesn’t) helps to balance expectations with reality and keep you from letting down your guard in the never-ending battle against fraud. In most cases, an external audit is required by a regulator or third party. The auditor obtains financial data from the auditee that depicts the organization’s financial performance during the year, and its financial position at yearend.
The audit is an exercise in sampling and materiality — meaning the auditors don’t look at everything. In fact, they don’t even come close! It is just not practical for auditors to review every transaction throughout the year. Instead, auditors primarily look into the bigger, riskier, and more significant stuff to get a general but dependable assessment of exposure.
Ultimately, auditors give an opinion to those regulators or third parties to assure them that they can trust the financial information they see and that any errors behind the scenes wouldn’t otherwise influence their decisions.
Audits aren’t your best defense against fraud and error
Audits are not designed to test controls, nor to catch fraud or detect every error; that’s largely up to your organization’s management and governing body. In fact, only about 4 percent of known frauds are discovered by an external audit. Whistleblowing and internal tipoffs are, in fact, the most common way fraud is uncovered.
It’s all about internal controls
Continuously evaluating and strengthening your internal controls is critical to effectively protecting your organization. If you want to prevent fraud and errors, create a culture of accountability and spend some time reviewing your internal controls. Make sure there are management reviews in place and that there is a second set of eyes looking over each transaction and process.
Many entities have had the same processes in place for several years. With changes in software systems and turnover in positions, it’s always important to review the structure in place and ensure controls are modified where necessary.
How we can help
CLA has assisted higher education institutions and state and local governmental entities in developing internal procedures and controls that go well beyond the scope of an audit. We can consult, train, and perform analyses to help detect and prevent fraud in areas that would likely not be in the purview of your external auditor.