How to Classify a Finding in terms of The ECAR Model dimensions
Classification of findings should be made in an objective and a consistent manner.
The result of the classification should not depend on who has done it.
A good practice is to document audit finding classification principles and procedures.
Another good practice is to make the classification
at the same time as conclusions are drawn from the audit findings and recommendations are drawn from the conclusions;
doing these together should help make the recommendations clearer and have them address
the basic causes of the problems found.

It is common that an audit finding is associated with several general objectives
and with several elements of internal control.
However, if most findings are classified in most objective categories,
the ultimate benefit of findings classification can prove weak.
Thus, one should prefer a procedure where the smallest possible number of main general objectives
and of main elements of internal control is associated with a finding.

Examples of Findings Classification
Finding #1: "Logs of the accounting system have not been examined at all."
- General objective of internal control: "1 = Objectives and opportunities"; "3 = Right Information".
  Examining logs is a control against intruders,
  i.e. persons who have accessed the system although they are not authorized to do so.
  An intruder can collect confidential information, add, change or delete information,
  or even change the way the accounting system runs [1].
- Element of internal control: "C = Controls".
  Examination of logs is a control.

Finding #2: "The staff making [project progress and quality]
checks on the spot is not qualified."
- General objective of internal control: "1 = Objectives and opportunities".
  Poor quality of on-the-spot checks endangers achievement
  of the objectives of the projects.
- Element of internal control: "E = Control environment".
  Having unqualified employees perform critical tasks indicates a lack of commitment
  to the organization's objectives, which is a matter of control environment.

Finding #3: "Resources have been used deliberately for forbidden purposes."
- General objective of internal control: "2 = Compliance".
  The finding indicates that a violation of rules has taken place.
- Element of internal control: "E = Control environment".
  The control environment encompasses, among other things, ...
  personal integrity and values of employees.

Finding #4: "Audit trail from time recording system to
cost accounting system is obscure."
- General objective of internal control: "3 = Right Information".
  Cost accounting information cannot be relied on [for the present].
- Element of internal control: "A = Accounting systems".
  The quality of facts ("what happened") cannot be relied on until the audit trail is examined and
  fixed, if needed.

Finding #5: "Separation of duties in Payroll was not effective on January 13th,
but there was no reaction because of that control failure."
- General objective of internal control: "3 = Right Information".
  On a known day there was a higher risk than usual of
  inappropriate information being entered in payroll.
- Element of internal control: "R = Determination of Risks".
  An internal control risk was realized, as a key control was ineffective.
  It makes no sense to regard this as a control failure,
  because failures in an internal control system are inherent.
  Instead, the biggest failure was that of the accountable person:
  he/she did not identify, evaluate and determine the risk that was realized.
  Determination of the risk could have resulted in an ad hoc control being put in place.

Table of Classified Findings
Results of audit findings classification can be saved, e.g., on an MS Excel worksheet,
as illustrated in the picture below.

Picture 1: Classified findings.
OBJECTIVE = Code of general internal control objective;
ELEMENT = Code of internal control element;
FINDING = Audit finding;
FIND_ID = Identification code of audit finding (= audit identification code
+ running number).

[1] The finding can be associated with "Compliance", too,
if there is a requirement that accounting system logs must be examined [e.g.] twice a week.