Defining Suitable Criteria in an Audit Engagement


When an audit is to be performed, the questions that the auditor and auditee have are:

What are suitable criteria?

Identifying Suitable Criteria

Every audit is an evaluation of subject matter against criteria. The establishment of suitable criteria is key to the success of the audit. Without having the criteria defined, the focus of procedures performed may be lost and the intended outcome of the audit may not be achieved. Suitable criteria are needed in order to allow for a reasonable measurement or evaluation of the subject matter by the auditor as determined within the context of professional judgement. This applies to any type of audit, such as:

In order to be suitable, the criteria must be:

Audit Criteria

What are Audit Criteria?

Audit criteria are policies, procedures, or requirements used as a reference against which audit evidence is compared. Criteria are found in many forms. We sometimes have questions from clients asking “What criteria are used in a financial report audit?” or “What are internal audit criteria?” The audit criteria listed below may be used for all different audit types discussed in this article. Some audit criteria examples are:

It must be determined which criteria are to be used for an engagement, as not all may be necessary, relevant, or reliable in terms of achieving the stated objectives of the audit and addressing the needs of the intended recipients of the audit results. In order to have a successful audit, the criteria must be agreed to by the relevant parties prior to the start of the engagement. In most cases, these parties are the party being audited and the auditors. In some cases, third parties also agree to the criteria. These criteria are typically outlined in an audit engagement letter.


Financial Statement Audits

For financial statement audits of public companies, the criteria audited against are the Generally Accepted Accounting Principles (GAAP), a common set of accounting principles, standards, and procedures issued by the Financial Accounting Standards Board (FASB). Private companies may opt to follow GAAP as well. GAAP can be considered the established criteria against which the audit is performed. The auditors follow the Generally Accepted Auditing Standards (GAAS) when performing the audit. GAAS are the minimum standards the auditors follow when performing their financial statement audit procedures.

Internal Audits

For internal audits, the internal audit team of the company must work with the division or group being audited to define the criteria against which their procedures will be performed. The Institute of Internal Auditors has stated in IPPF standard 2210.A3:

“Adequate criteria are needed to evaluate controls. Internal auditors must evaluate the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.”

An internal audit cannot be conducted if management has not established suitable criteria for its operations in the area under review.


Attestation Engagements

Attestation engagements are founded on the concept that a “party other than the service auditor makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria.” (SSAE No. 18). The responsible party or engaging party, not the service auditor, is responsible for selecting the criteria, and the engaging party is responsible for asserting that the criteria are suitable. The responsible party is normally the engaging party, the one against whom the audit procedures are performed.

Focus on SOC Engagements

As stated in SSAE 18, for SOC 1, SOC 2, and SOC 3 engagements, the service auditor should assess whether management has used suitable criteria in:

  1. Preparing its description of the service organization’s system
  2. Evaluating whether controls were suitably designed to achieve the control objectives stated in the description
  3. Evaluating whether controls operated effectively throughout the specified period to achieve the control objectives stated in the description of the service organization’s system, in the case of a type 2 report.

This assessment ties back to the components of suitable criteria detailed earlier in this article. The assessment includes appropriateness of the classes of transaction processed; the automated and manual systems and controls used; the information used to perform the procedures including electronic, hardcopy, primary, or secondary information; and any services performed by subservice organizations.

Since the responsible party is providing the assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria, it represents in Section II of the SOC report that:


Why are Suitable Criteria Essential to the Successful Performance of an Attest Engagement?

The key to a successful attest engagement is that the user entities and their auditors need access to the criteria upon which the engagement was performed in order to understand the basis for the “service organization’s assertion about the fair presentation of management’s description of the service organization’s system, the suitability of the design of controls that address control objectives stated in the description of the system and, in the case of a type 2 report, the operating effectiveness of such controls.” (taken from SSAE 18). In other words, the criteria must be available to the user entities and their auditors. Without this, the recipients of the report cannot determine if it meets their needs. This information is found within the report with the description of controls provided by the service organization.

Conclusion

In conclusion, the establishment of suitable criteria for the audit to be performed is key to a successful outcome. The criteria must be relevant to the objective of the audit and recipients of the audit results, agreed upon by the parties to the engagement, and able to be audited against.

If you have any additional questions regarding suitable audit criteria, or would like to enlist the services of Linford & Co for your upcoming audit engagement, please contact us.


Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1 and SOC 2 audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.
