Learning from Common Mistakes
Even experienced auditors make testing errors that lead to rework, missed findings, or regulatory issues. Here are the seven most common mistakes and how to avoid them.
Mistake 1: Testing the Wrong Attribute
The Problem: Auditors test what's easy to see rather than what actually matters for control effectiveness.
Example: For an approval control, testing whether a signature exists rather than whether the approver had authority and reviewed supporting information.
The Fix: Map each test procedure to specific control objectives and financial statement assertions. Ask: "What would need to be true for this control to fail?"
Mistake 2: Inadequate Sample Sizes
The Problem: Using samples too small to provide reasonable assurance, or not adjusting for control frequency and risk.
The Fix: Use established sampling guidance (AICPA, IIA) appropriate for:
- Control frequency (daily, weekly, monthly)
- Risk level of the process
- Prior testing results
- Tolerable deviation rate
Mistake 3: Insufficient Documentation
The Problem: Workpapers don't support the conclusion. Auditors know what they tested but didn't write it down clearly.
The Fix: Document for an uninvolved reviewer. Include:
- Specific procedures performed
- Population and sample selection method
- Actual results with evidence references
- Exception analysis
- Clear conclusion tied to results
Mistake 4: Not Understanding the Control
The Problem: Testing a control without understanding how it actually operates leads to irrelevant procedures.
The Fix: Before testing:
- Interview control owners
- Walk through the control end-to-end
- Review control documentation
- Understand compensating controls
Mistake 5: Ignoring IT Dependencies
The Problem: Manual controls often depend on IT controls (system reports, access controls, automated calculations) that aren't tested.
The Fix: For each manual control, identify:
- System reports used as inputs
- Automated calculations relied upon
- Access controls protecting data integrity
- Change management over relevant systems
Ensure dependent IT controls are in scope and tested.
Mistake 6: Improper Exception Evaluation
The Problem: Treating all exceptions the same, whether one deviation in 40 samples or 10 in 25.
The Fix: For each exception:
- Determine root cause
- Assess whether compensating controls exist
- Evaluate impact on control objective
- Consider whether additional testing is needed
- Conclude appropriately on control effectiveness
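To show why one deviation in 40 and 10 in 25 cannot be evaluated the same way, the following added example (not part of the original article) computes an exact one-sided binomial upper limit on the deviation rate and compares it with a tolerable deviation rate. The 90% confidence level, the 10% tolerable rate, and the function names are assumptions chosen for illustration; use the parameters from your own sampling guidance.

```python
from math import comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(deviations, sample_size, confidence=0.90):
    """Exact one-sided upper bound on the population deviation rate.

    Finds the largest rate p at which seeing this few deviations (or fewer)
    still has probability >= 1 - confidence.
    """
    if sample_size <= 0 or not 0 <= deviations <= sample_size:
        raise ValueError("need 0 <= deviations <= sample_size and sample_size > 0")
    if deviations == sample_size:
        return 1.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection; the CDF decreases as p grows
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_exceptions(deviations, sample_size, tolerable_rate=0.10, confidence=0.90):
    """Compare the upper deviation limit with the tolerable deviation rate."""
    limit = upper_deviation_limit(deviations, sample_size, confidence)
    return {
        "observed_rate": deviations / sample_size,
        "upper_limit": limit,
        "within_tolerable_rate": limit <= tolerable_rate,
    }


if __name__ == "__main__":
    # Constructed inputs: the two cases named in Mistake 6.
    for dev, n in [(1, 40), (10, 25)]:
        r = evaluate_exceptions(dev, n)
        print(f"{dev}/{n}: observed {r['observed_rate']:.1%}, "
              f"upper limit {r['upper_limit']:.1%}, "
              f"within tolerable rate: {r['within_tolerable_rate']}")
```

The statistical result only sizes the exception rate; root cause and compensating controls from the list above still determine the conclusion.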
Mistake 7: Testing at the Wrong Time
The Problem: Testing too early misses the period, while testing too late creates time pressure and rework.
The Fix: Plan testing windows that:
- Cover the full period (interim + rollforward)
- Allow time for exception investigation
- Enable remediation testing if needed
- Meet reporting deadlines
Building a Quality Program
Prevent these mistakes through:
- Training on common pitfalls
- Templates that prompt complete documentation
- Review processes that catch errors early
- Quality metrics to identify patterns
Continuous improvement in testing quality pays dividends in reduced rework and stronger audit opinions.