When an audit is to be performed, the first questions the auditor and the auditee should ask are:
- What is the objective of the audit?
- What is to be achieved?
- What is the need of the users of the output of the audit?
Identifying Suitable Criteria
Every audit is an evaluation of subject matter against criteria. Establishing suitable criteria is key to the success of the audit. Without defined criteria, the procedures performed may lose focus and the intended outcome of the audit may not be achieved. Suitable criteria are needed so that the auditor, exercising professional judgement, can reasonably measure or evaluate the subject matter. This applies to any type of audit, such as:
- Financial statement audits
- Audits conducted over internal operations (an internal audit)
- Attestation engagements (examination, review, and agreed-upon procedures)
In order to be suitable, the criteria must be:
- Relevant to the subject matter
- Measurable (qualitative or quantitative)
- Complete (relevant factors are not omitted in relation to the audit objectives)
What are Audit Criteria?
Audit criteria are policies, procedures, or requirements used as a reference against which audit evidence is compared. Criteria are found in many forms. We sometimes have questions from clients asking “What criteria are used in a financial report audit?” or “What are internal audit criteria?” The audit criteria listed below may be used for all different audit types discussed in this article. Some audit criteria examples are:
- Policies and procedures
- Established internal controls
- Historical activity
- Laws and regulations
- Agreements with external parties such as manufacturers and suppliers
- Agreements with customers and clients
- Industry best practices
- Industry published standards
- Expert opinion
It must be determined which criteria are to be used for an engagement, as not all of them may be necessary, relevant, or reliable for achieving the stated objectives of the audit and addressing the needs of the intended recipients of the audit results. For an audit to succeed, the criteria must be agreed to by the relevant parties before the engagement starts. In most cases these are the party being audited and the auditors; in some cases third parties also agree to the criteria. The agreed criteria are typically outlined in the audit engagement letter.
Financial Statement Audits
The criteria for financial statement audits of public companies are the Generally Accepted Accounting Principles (GAAP), a common set of accounting principles, standards, and procedures issued by the Financial Accounting Standards Board (FASB). Private companies may opt to follow GAAP as well. GAAP can be considered the established criteria against which the audit is performed. The auditors follow the Generally Accepted Auditing Standards (GAAS) when performing the audit; GAAS are the minimum standards auditors must follow when performing their financial statement audit procedures.
For internal audits, the company's internal audit team must work with the division or group being audited to define the criteria against which procedures will be performed. The Institute of Internal Auditors states in IPPF Standard 2210.A3:
“Adequate criteria are needed to evaluate controls. Internal auditors must evaluate the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.”
An internal audit cannot be conducted if management has not established suitable criteria for the area under review.
Attestation engagements are founded on the concept that a “party other than the service auditor makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria” (SSAE No. 18). The responsible party or engaging party, not the service auditor, selects the criteria, and the engaging party is responsible for asserting that the criteria are suitable. The responsible party is normally the engaging party, that is, the party on which the audit procedures are performed.
Focus on SOC Engagements
In a SOC engagement, the responsible party (the service organization) is responsible for:
- Preparing its description of the service organization’s system
- Evaluating whether controls were suitably designed to achieve the control objectives stated in the description
- Evaluating whether controls operated effectively throughout the specified period to achieve the control objectives stated in the description of the service organization’s system, in the case of a type 2 report.
This assessment ties back to the components of suitable criteria detailed earlier in this article. It covers the appropriateness of the classes of transactions processed; the automated and manual systems and controls used; the information used to perform the procedures, whether electronic, hardcopy, primary, or secondary; and any services performed by subservice organizations.
Since the responsible party provides the assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria, it represents in Section II of the SOC report that:
- The description of services covered by the report is a representative description;
- The controls stated in the description of services provided in the report were designed and implemented for the period under review in accordance with the description criteria; and
- The controls stated in the description operated effectively for the period under review, in the case of a type 2 report.
Why are Suitable Criteria Essential to the Successful Performance of an Attest Engagement?
“The key to a successful attest engagement is that the user entities and their auditors need access to the criteria upon which the engagement was performed in order to understand the basis for the ‘service organization’s assertion about the fair presentation of management’s description of the service organization’s system, the suitability of the design of controls that address control objectives stated in the description of the system and, in the case of a type 2 report, the operating effectiveness of such controls.’” (SSAE No. 18). In other words, the criteria must be available to the user entities and their auditors. Without this, the recipients of the report cannot determine whether it meets their needs. This information is found within the report, in the description of controls provided by the service organization.
In conclusion, establishing suitable criteria for the audit to be performed is key to a successful outcome. The criteria must be relevant to the objective of the audit and to the recipients of the audit results, agreed upon by the parties to the engagement, and capable of being audited against.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has worked in public accounting at Ernst & Young and in industry, focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1 and SOC 2 audits. Lois’ goal is to work collaboratively with her clients to deliver a valuable and accurate product that meets the needs of her clients and their customers, all while adhering to professional standards.