What is a confirmation exception, and why is it important to investigate a confirmation exception?
If you are reading this article, chances are that your auditor has told you that you have an audit exception or, even worse, multiple “audit exceptions.” Hearing that phrase strikes fear and panic into the hearts of many. While some of those reactions may be justified, I have found that many people suffer more than necessary because they are not familiar with the vocabulary used in these discussions, do not really know what an exception is, or do not understand the audit process. This article will briefly summarize the purpose and process of an audit, define what audit exceptions are, and clarify what to look for when discussing the results of an audit.
Realizing that there are many types of audits, I will use SOC 1 and SOC 2 audits as the basis for this discussion. While other audits may assess different things and may have different types of exceptions, the basic principles and process described here can be applied across a broad range of audits.

What is the purpose of a SOC Audit?

System and Organization Control (SOC) audits are designed to provide an independent and objective assessment of a service organization to users of the services or system that the service organization provides. There are three things an auditor of the service organization is trying to determine:
An auditor must gather sufficient evidence to evaluate and answer these questions with reasonable assurance to support the unqualified or qualified opinion to be written in the audit report. The process of gathering evidence is called auditing and will include a number of different activities. For example, auditors may gather information by inquiring of appropriate personnel (management, supervisors, and staff), inspecting documents and records, observing activities and operations being performed, and testing controls. All of these activities used to gather and evaluate evidence are often referred to as audit procedures or audit tests.

What are Audit Exceptions? A Definition

Audit exceptions are simply deviations from the expected result of testing one or more control activities. Each control in a service organization’s description must be tested by an auditor to validate that the description is accurate and that controls are suitably designed and operating effectively to achieve the related control objectives or criteria. An auditor may use one or more tests to evaluate each control. As with any test, there are expected outcomes or responses. Consider the following example that you might see in a SOC audit:
Using this example, if an auditor performed this test and found that one or more of the batches selected for testing did not use batch control totals, as expected and indicated in the service organization’s description, the auditor would note a deviation. These deviations go by many names: audit exceptions, test exceptions, control exceptions, deficiencies, findings, misstatements, and so on.

The Cause & Nature of Audit Exceptions

An auditor must investigate the nature and cause of any audit exceptions identified to determine whether:
What to Look for When Discussing Audit Exceptions in SOC Audit Results

Auditors have their own vernacular that may cause confusion and worry. I like to compare audits to taking a trip to the doctor’s office: Imagine that after suffering with an illness for a few days, you finally go in and see a doctor. The doctor visits with you, inspects you by doing a few checks personally, and may even order a few tests (i.e., blood work) before coming back to share the diagnosis at the conclusion of your visit. The doctor sits down in front of you and stoically shares that you are suffering from nasopharyngitis or acute coryza. You don’t necessarily know what that is, but it sounds horrible—much more serious than you had thought. In the moments after hearing the initial diagnosis, your heart rate starts to pick up, you begin to sweat (if you weren’t already), and your mind begins to race. Seeing your reaction, the doctor quickly clarifies, “That means you’ve got a cold. You need to get some rest, stay hydrated, and take some pain medication.” That’s kind of what it’s like when you are visiting with your auditors after an audit. You know there were a few exceptions, but you’re not sure what that means or just how bad it is. Well, not all audit exceptions are created equal.

Types of Audit Exceptions

Audit exceptions can be intentional or unintentional, qualitative or quantitative, and include omissions. Auditors are required to make sure a service organization’s description is accurate and to include all design and operating deficiencies in the report—they no longer have discretion in determining whether or not to include exceptions. There are three basic types of exceptions when it comes to SOC audits:
As your instinct would suggest, an exception is not a good thing. However, having an exception does not necessarily mean that a control fails, nor does a control failure mean that an objective or criterion is not met. It is actually quite common for a SOC report to have some exceptions. Some user entities and auditors reading an audit report actually like to see one or two exceptions in a report because it gives them some comfort that the auditor is doing a thorough job.

Review Audit Exceptions for Errors

It is important for you to review any audit exceptions. Auditors may mistakenly believe an error has occurred because they:
Spending a little time with your auditors to understand the exceptions and confirming them internally can pay big dividends. In some cases, you will be able to find and provide the “missing” evidence to your auditors, who can then clear the exceptions. In other cases, you may be able to identify another control activity that your organization performs that mitigates the risk. Often, the risk raised by an audit exception is mitigated by other controls within the environment.

Stay Diligent When Reviewing Audit Exceptions

Try not to get bogged down in the weeds when discussing audit results with your auditors. If there are control exceptions, ask them:
These questions will allow you to understand just how bad the exceptions are. You don’t really need to worry about a variance that will be noted in the report but is not considered a control failure. If a control has an exception, knowing whether it is a design or operating deficiency will help you understand what type and level of corrective action is needed.

Qualified vs. Unqualified Opinions

Another important pair of terms to keep straight when discussing audit results is ‘qualified’ and ‘unqualified.’ In most everyday uses, ‘qualified’ is the positive term (for example, I am qualified for a job) and ‘unqualified’ the negative. Auditors, however, use them the other way around. So, your ultimate goal in an audit is to get an unqualified, or clean, opinion. A qualified opinion is not good in that it means there is at least one control objective or criterion that the auditor believes the organization was not able to achieve. No matter how serious or not serious the exceptions may be, remember to always ask your auditor what they recommend you do to correct the exception(s) going forward.

Conclusion

Hopefully this blog helped you better understand the purpose and process of an audit, what audit exceptions are, and clarified what to look for when discussing the results of an audit. If you have questions about SOC 1 or SOC 2 audits, please contact us to request a consultation. You can also learn more by reading our blogs specifically on SOC 1 and SOC 2 audits.

Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003, where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities.
He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.
What is a confirmation exception?

The term "Confirmation by Exception" or "CBE" means that the Confirming Parties agree that one party deems that all requests at a location are confirmed by the other party (the CBE party) without response communication from that party.

What should an auditor do if a confirmation response is not received?

When the auditor has not received replies to positive confirmation requests, he or she should apply alternative procedures to the nonresponses to obtain the evidence necessary to reduce audit risk to an acceptably low level.

Why do confirmations not typically provide reliable evidence about the completeness assertion?

The confirmation of customers' accounts receivable rarely provides reliable evidence about the completeness assertion because customers may not be inclined to report understatement errors in their accounts.

What can auditors do to improve the effectiveness of confirmation requests?

Setting confirmation response deadlines and asking clients to hand sign confirmation requests where feasible can also be helpful. To expedite confirmation responses, auditors can ask clients to make phone calls to intended recipients to alert them that confirmations will be coming.