Testing & Audit Exceptions
BY ISAAC CLARKE (PARTNER | CPA, CISA, CISSP) ON JANUARY 23, 2019
If you are reading this article, chances are that your auditor has told you that you have an audit exception or, even worse, multiple “audit exceptions.” Hearing that phrase strikes fear and panic into the hearts of many. While some of those reactions may be justified, I have found that many suffer more than necessary because they are not familiar with the vocabulary used in these discussions, do not really know what an exception is, or do not understand the audit process.This article will briefly summarize the purpose and process of an audit, define what audit exceptions are, and clarify what to look for when discussing the results of an audit.
Realizing that there are many types of audits, I will use SOC 1 or SOC 2 audits as the basis for this discussion. While other audits may be assessing different things and may have different types of exceptions, the basic principles and process described here can be applied across broad range of audits.
What is the purpose of SOC Audit?
System and Organization Control (SOC) audits are designed to provide an independent and objective assessment of a service organization to users of the services or system that the service organization provides. There are three things an auditor of the service organization is trying to determine:
- Is the service organization’s description of its system and services accurate or presented fairly?
- Are the controls described by the service organization suitably designed to achieve the related control objectives or criteria?
- Did the controls described by the service organization operate effectively during the period covered by the assessment to achieve the related control objectives or criteria?
An auditor must gather sufficient evidence to evaluate and answer these questions with reasonable assurance to support the unqualified or qualified opinion to be written in the audit report. The process of gathering evidence is called auditing and will include a number of different activities.
For example, auditors may gather information by inquiring of appropriate personnel (management, supervisors, and staff); inspect documents and records; observe activities and operations being performed; and tests of controls. All of these activities used to gather and evaluate evidence are often referred to as audit procedures or audit tests.
What are Audit Exceptions? A Definition
Audit exceptions are simply deviations from the expected result from testing one or more control activities. Each control in a service organization’s description must be tested by an auditor to validate that the description is accurate and that controls are suitably designed and operating effectively to achieve the related control objectives or criteria. An auditor may use one or more tests to evaluate each control. As with any test, there are expected outcomes or responses.
Consider the following example that you might see in a SOC audit:
- Control Objective: Controls provide reasonable assurance that statement processing is appropriately scheduled and that deviations in processing are identified and resolved.
- Control Activity: Statement batch totals are used in order to identify and resolve deviations in processing.
- Testing Performed: Inspected a sample of batches used to process statements and noted that batch control totals were used to help maintain the integrity of the statements processed.
Using this example, if an auditor performed this test and found that one or more of the batches selected for testing did not use batch control totals, as expected and indicated in the service organization’s description, the auditor would note a deviation. These deviations go by many names: audit exceptions, test exceptions, control exceptions, deficiencies, findings, misstatements, and so on.
The Cause & Nature Audit Exceptions
- The identified exceptions are within the expected rate of deviation and are acceptable.
- Additional testing of the control or of other controls is necessary to reach a conclusion about whether the controls related to the control objectives or criteria stated in management’s description of their system or services operated effectively throughout the specified period.
- The testing that has been performed provides appropriate basis for concluding that the control did not operate effectively throughout the specified period.
What to Look for When Discussing Audit Exceptions in SOC Audit Results
Auditors have their own vernacular that may cause confusion and worries. I like to compare audits to taking a trip to the doctor’s office:
Imagine after suffering with an illness for a few days, you finally go in and see a doctor. The doctor visits with you, inspects you by doing a few checks personally, and may even orders a few tests (i.e., blood work) before coming back to share the prognosis at the conclusion of your visit. The doctor sits down in front of you and stoically shares that you are suffering from nasopharyngitis or acute coryza. You don’t necessarily know what that is, but it sounds horrible—much more serious than you had thought. In the moments after hearing the initial prognosis, your heart rate starts to pick up, you begin to sweat (if you weren’t already), and mind begins to race. Seeing your reaction, doctor quickly clarifies, “That means you’ve got a cold. You need to get some rest, stay hydrated, and take some pain medication.”
That’s kind of what it’s like when you are visiting with your auditors after an audit. You know there were a few exceptions, but you’re not sure what it means or just how bad is. Well, not all audit exceptions are created equal.
Types of Audit Exceptions
Audit exceptions can be intentional or unintentional, qualitative or quantitative, and include omissions. Auditors are required to make sure a service organization’s description is accurate and to include all design and operating deficiencies in the report—they no longer have discretion in determining whether or not to include exceptions.
There are three basic types of exceptions when it comes to SOC audits:
- Misstatements: a misstatement is used to refer to an error or omission in the description of the service organization’s system or services.
- Deficiency in the Design of a Control: a design deficiency is used when a control necessary to achieve the control objective or criteria is missing or an existing control is not properly designed, even if the control operates as designed, to achieve the control objective or criteria.
- Deficiency in the Operating Effectiveness of a Control: an operating deficiency is used when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
As your instinct would suggest, an exception is not a good thing. However, having an exception does not necessarily mean that a control fails, nor does a control failure mean that an objective or criteria is not met.
It is actually quite common for a SOC report to have some exceptions. Some user entities and auditors reading an audit report actually like to see one or two exceptions in a report because it gives them some comfort that the auditor is doing a thorough job.
Review Audit Exceptions for Errors
It is important for you to review any audit exceptions. Auditors may mistakenly believe an error has occured because they:
- misunderstood the documentation provided;
- did not ask the right question; or
- did not ask the right person.
Spending a little time with your auditors to understand the exceptions and confirming them internally can pay big dividends. In some cases, you will be able to find and provide the “missing” evidence to your auditors can clear the exceptions. In other cases, you may be able to identify another control activity that your organization performs that mitigates the risk. Often, the risk raised by an audit exception is mitigated by other controls within the environment.
Stay Diligent When Reviewing Audit Exceptions
Try not to get bogged down in the weeds when discussing audit results with your auditors. If there are control exceptions, ask them:
- Does the exception constitute a control failure?
- If there is a control failure, was it a design or operating deficiency?
- Do any of the deficiencies that impact, in their opinion, the organization’s ability to meet their control objectives or criteria specified for the audit?
- Do they feel that the exceptions or deficiencies, individually or collectively, could result in a qualified opinion on the audit?
These questions will allow you to understand just how bad the exceptions are. You don’t really need to worry about a variance that will be noted in the report, but is not considered a control failure. If a control has an exception, knowing if it is a design or operating deficiency will help you understand what type and level of corrective action is needed.
Qualified vs Unqualified Opinions
Another important pair of terms to keep straight when discussing audit results are ‘qualified’ and ‘unqualified.’ Unlike how most uses of these terms has ‘qualified’ as a positive term and ‘unqualified’ as a negative, auditors use them differently.
For example, I am qualified for a job. However, we auditors like to be different. So, your ultimate goal in audit is to get an unqualified or clean opinion. A qualified opinion is not good in that it means that there is at least one control objective or criteria that the auditor believes the organization was not able to achieve.
No matter how serious or not serious the exceptions may be, remember to always ask your auditor what they might recommend that you do to correct the exception(s) going forward.
Hopefully this blog helped you better understand the purpose and process of an audit, what audit exceptions are, and clarified what to look for when discussing the results of an audit