Common Mistakes When Preparing For An Audit

If customs walks in today, are you ready? Most aren’t and the penalties prove it. What triggers a customs audit ? 1. Random Selection Part of risk-based targeting systems to keep audits fair.  2. Red Flags Errors or inconsistencies in import declarations can raise alarms.  3. Industry Targeting   Customs focuses on industries with high fraud risks like electronics and pharma.  4. Prior Non-Compliance Past penalties or lack of response can trigger scrutiny.  5. **Related Party Transactions**   Intra-company deals face extra checks for pricing issues.  6. FTA Claims   Large claims for Free Trade Agreements may lead to reviews.  Common Mistakes That Trigger Penalties  - Misclassification  Customs uses data analytics to find errors. This can lead to a duty shortfall of up to three times.  - Undervaluation Transfer pricing reports can expose undervalued goods, resulting in fines and interest.  - FTA Misuse  Lack of origin support during claims can mean repayment of duties plus penalties.  - Poor Recordkeeping Random audits can catch missing documents, leading to fines.  - Misdeclared Dual-use Goods   These can lead to serious legal issues.  - Inconsistent Broker Instructions   Discrepancies can cause loss of benefits.  Preparation Best Practices - Assemble a Compliance Task Force    Include Trade Compliance, Finance, Logistics, and Legal teams.  - Review Historical Import Data Analyze reports from brokers and customs tools for the last 12 to 36 months.  - Validate HS Classifications  Cross-check with product specs and rulings.  - Review Valuation Methodology   Ensure all dutiable elements are included in declared values.  - Confirm Origin Documentation  Match each FTA claim with valid supplier declarations.  - Check Recordkeeping Protocol   Keep all documents accessible.  - Audit FTA Claims  Randomly select entries to trace back to source.  - Examine Related Party Transactions  Ensure customs values are based on fair market pricing.  - Spot Audit Broker Instructions  Pull recent declarations to check accuracy.  - Prepare a Compliance Report   Summarize risks and actions taken.  **Do's**  ✅ Designate a single point of contact for customs.   ✅ Be transparent but only provide requested information.   ✅ Keep an audit log of all communications.   ✅ Prepare an intro presentation outlining import processes.   ✅ Provide documents promptly and in order.  **Don'ts**  ❌ Don’t argue or blame other departments.   ❌ Don’t offer unsolicited documents.   ❌ Don’t allow unscheduled interviews with untrained staff.   ❌ Don’t say “we’ve always done it that way.”  **Post-Audit Actions**  Review findings with your broker or legal team.   Respond within the deadline to correct inaccuracies.   Implement corrective actions and document them.   Schedule a follow-up audit within six months.   Update SOPs and training based on findings.  

🛠️ Why So Many Auditors Struggle with Planning an Audit from Scratch 🛠️   Last week in the Internal Audit Collective, an impromptu discussion broke out around internal audit planning—and one theme came through loud and clear:   👉 Many experienced staff, seniors, and many managers struggle the most when tasked to plan an audit from scratch.   Why does this happen so often?   A few common reasons stood out: Many auditors rely too heavily on prebuilt risk matrices—especially those used in SOX—rather than building risk-based procedures from the ground up. Some processes are too immature for meaningful controls, making assurance audits a poor fit. Teams try to cover too much scope, resulting in bloated, unfocused audit programs. Planning often overlooks other reviews already performed by HSE, ESG, QA, or 2nd Line teams—causing duplication and stakeholder fatigue. And while Gen AI seems promising, generic prompts like “create an audit program for X” often generate vague results without business context. But maybe the biggest challenge?   Audit teams often don’t engage business leaders early or meaningfully enough to clarify expectations, align on outcomes, and secure subject matter input. And that’s more a leadership issue than a staff one.   So what can Internal Audit leaders do?   Too often, critical context captured by the Internal Audit leadership team doesn’t make its way to the audit project team—leading to misaligned scope, inefficient planning, and missed opportunities for insight.   To solve for this, leaders should proactively share the following with their audit teams before the planning phase begins: 1. The rationale for the audit. What triggered this audit? Is there a known business issue, an emerging risk, or a request from leadership? What early indicators or data trends pointed to the need for this review? 2. The link to enterprise risks. How does this audit tie back to the organization’s top risks? What role does the process play in managing or influencing those risks? 3. The Executive Sponsor’s perspective. What are their objectives for the audit? What insights are they hoping to gain or decisions they need to make based on the outcome? When audit teams are equipped with this context, they can scope more effectively, focus on business-relevant risks, and design audit procedures that truly align with stakeholder expectations.

I wish someone had shown me this pyramid on Day 1 of my IT audit career. Would've saved me 6 months of confusion. When I started, I jumped straight to controls. Access reviews. Change management. Backup testing. I was checking boxes. But I had no idea WHY those controls mattered. No one told me to start at the top of the pyramid. The Business. What does this company actually do? How do they make money? What goals are they chasing? Without understanding that, every control I tested felt random. Then one day, my manager asked me: "Chinmay, why this IT Application is in scope for our audit?" I froze. Because I was testing controls in isolation. I never connected controls to IT apps and IT apps to the business process. Great auditors don't start at the bottom of the pyramid. They start at the top. You can't test what you don't understand. This framework changed everything for me. Understand the business → What goals drive this company? Map the core processes → What processes support those goals? Identify the applications → What systems enable those processes? Evaluate IT risks → What can go wrong in those systems? Test the controls → What mitigates those risks? Top to bottom. Always. If you're confused about where to start, save this infographic. Print it. Keep it at your desk. Because the biggest mistake I made wasn't bad testing. It was testing without context. Learn IT audit the way it's actually done. Because clarity is the difference between doing audit and understanding it. Tag someone who needs to see this framework. #itaudit #audit #risk #compliance #internalaudit #cisa #isaca

The Mistake Many IT Auditors Make When Starting Out If you’re just stepping into IT Audit, you might be making the mistake of focusing too much on controls and forgetting to understand the business. 📍Here’s what I mean: Many new IT Auditors get obsessed with checklists, control frameworks (ISO 27001, NIST, COBIT, etc.), and compliance requirements. While these are important, they only tell half the story. 📍The reality? - You can’t audit what you don’t understand. - A system is only as critical as the business process it supports. - Controls make sense only in the context of the risks they mitigate. 📍A Practical Example: I once worked with a junior IT Auditor who flagged a missing user access review as a major issue. But when we took a step back and examined the business impact, we realized: ✅ The system was a test environment, not production. ✅ No sensitive data was involved. ✅ The control failure had minimal risk exposure to the business. Instead of raising unnecessary red flags, a better approach would have been: 📍Understand the business process first – What is the system used for? Who depends on it? 📍Identify real risks – What happens if this control fails? Does it affect financials, data privacy, or operations? 📍 Align with business impact – Not every missing control is a catastrophe. Prioritize based on real risk exposure. My Advice to New IT Auditors: - Spend time learning how the business operates, not just control frameworks. - Ask stakeholders why a system exists before jumping into its controls. - Remember, your job is not just to find issues—it’s to help the business stay secure while operating efficiently. Have you ever made this mistake or seen others do it? Let’s discuss in the comments. 👇 #ITAudit #GRC #CyberSecurity #RiskManagement

Over the last 2 months, I’ve talked to 16 CEOs & CFOs of 7-figure brands selling on Shopify, and an alarming number have received sales tax notices from the states. Here are the top 3 mistakes they made that you want to avoid: 1/ Turning on sales tax calculation in states, collecting sales tax from customers, and never registering with those states. Collected sales tax liability that's not remitted is illegal and could mean future large penalties for your business. 2/ Triggering nexus in states and not registering to collect and remit sales tax in those states. Not complying with state economic or physical nexus laws is risky for businesses. Audit look-back periods can be 3-4 years, with some states looking back as far as 7-8 years or longer. 3/ Not setting up tax exemptions for specific products. Since sales tax rules vary by state, your product may be taxable in some states but exempt in others. Regularly review and update your account’s settings to match the state laws. These mistakes add unnecessary stress and risk to the business today and at exit… Don't wait until you're drowning in notices. 

Some companies invest months preparing for ISO certification… only to fail on audit day. The reason? Not bad people. Not poor effort. It’s fragile processes. Here’s where organisations usually break down: 1. No document control – Policies and SOPs live in shared drives and emails. Wrong versions get used. 2. No proof of compliance – Training records, approvals, and acknowledgements can’t be traced. 3. Missed deadlines – CAPA actions and supplier certifications expire without follow-up. 4. Manual handling – Complaints and safety reports stuck in Excel or email threads. 5. Inconsistent processes – Departments run differently, nothing aligns. When the auditor asks for evidence, the cracks show. And that’s where failure happens.

YOUR AUDIT PLAN ISN´T A CHRISTMAS WISH LIST ´Tis the season – leaves start to fall, spreadsheets start to fill: it’s planning time in many internal audit departments. It´s our moment of truth for next year´s annual plan. Risks are ranked, spreadsheets polished, the right people have been asked to provide input, your audit committee slides are an eye-watering dashboard your peers couldn´t be more jealous about. The entire process screams “objectivity and independence” … and yet, some “projects” magically land on the list for reasons that have little to do with risk. Not deliberately. Maybe, at least little, unconsciously. Because in the autumn rush - deadlines everywhere, inboxes exploding, year-end parties around the corner, the team gets irritable - it’s tempting to let context and convenience guide our choices. And suddenly: ❌ We pick projects we want to do because they look fun. ❌ We avoid audits that feel “too messy.” ❌ We please management with “easy wins.” ❌ We can´t unthink our missing miles to the next status. ❌ We plan trips where - oh look! family weddings happen to take place. See the problem? These aren’t risk-based decisions. They’re, at least to a certain extent, unconscious biases shaping the plan while we’re too busy to notice. And that’s super dangerous: it quietly shifts the plan from an objective roadmap into a patchwork of preferences, politics, and shortcuts. ▶️ The biggest risks? Doing stuff that´s unimportant (to put it more politically correctly: inefficiencies). Omitting real risks. ▶️ The consequences: Adding no value, losing credibility. Because if our plan isn’t anchored in risk, we might as well start rolling dice or ordering a new crystal ball for Christmas. Audit planning should resist the noise of context. It’s not about what’s easiest or nicest. It’s about what matters most. So as you finalize your plan, take a breath and ask yourself: ✴️ Am I being guided by risk… or by bias hiding in plain sight? ✴️ Am I intrinsically motivated to do the right things in my job, or do I care for acclaim, easy solutions, and my mileage account? ✴️ Am I as objective and independent as I pretend to be? ✴️ Am I the one who should make all those decisions on my own? Cold, hard questions… but unavoidable questions, if we still want to be able to look in the probing eyes of our audit committee members when we explain our “risk-based approach”. Repeat with me: audit plans are not a Christmas wish list, and the AC chairman isn´t Santa Claus. Stay professionally sceptical – of your own decisions. Happy planning season! #riskmanagement #auditplan #integrity #independence

Everyone tells you to plan, but are you over planning? Sometimes, over-planning can actually kill an audit. 😲 I remember one time preparing for what was supposed to be our most interesting audit ever. Our checklist had checklists. It seemed perfect— until we hit the field. Things started falling apart fast: 1️⃣ Unexpected client changes threw our well-crafted schedule into chaos. 2️⃣ Team members got bogged down in minor details, 3️⃣ We missed opportunities for real-time adjustments because we were too focused on sticking to “The Plan.” By the time we wrapped up, what should have been an insightful audit turned into a bureaucratic nightmare. Over-planning led us straight into inefficiency and frustration. So how can we plan better? P - Prioritize key objectives L - Limit unnecessary details A - Act on actionable items swiftly N - Navigate challenges with flexibility ---------------------------------- Hi there, I'm Rob. I teach people (especially auditors) how to ask better questions. ----------------------------------

Poor audit preparation will cost you dearly. I’ve seen companies delay reporting for months. The reason? Basic documents weren’t ready. Boards waited and auditors kept following up. Eventually stakeholders lost trust. Audit preparation is a reflection of discipline, and how you prepare signals to stakeholders whether management can be trusted with bigger decisions. This is what poor audit preparation really costs: 1. Reputation ➞ regulators and banks lose confidence. 2. Decisions ➞ delayed board approvals, slow growth. 3. Morale ➞ burnt-out finance teams, more mistakes. 4. Insights ➞ tick box approach, less innovation. 5. Time ➞ missed deadlines, endless follow-ups. 6. Trust ➞ strained stakeholder relationships. 7. Money ➞ higher audit fees, cost overruns. And here’s how you can avoid this: • Spread the workload across the year. • Confirm deadlines upfront with auditors. • Assign one clear owner for each audit item. • Have a clear reporting and compliance plan. • Gather your records promptly after year end. • Lock reporting timelines into Board calendars. • Ask your auditors where the blind spots really are. What would you add to this list to improve an audit? Remember, better preparation = time + cost savings. ------- ➕ Follow Jonathan Maharaj FCPA for finance‑leadership clarity. 🔄 Share this insight with a decision‑maker. 📰 Get deeper breakdowns in Financial Freedom, my free newsletter: https://lnkd.in/gYHdNYzj 📆 Ready to work together? Book your Clarity Session: https://lnkd.in/gyiqCWV2

Seven common risk assessment mistakes include: 1. Assessing all assertions for the risk of material misstatement (often one, two or three assertions are relevant, but not all) 2. Not documenting why inherent risk is assessed as it is (we should document why inherent risk is low, moderate, or high—use inherent risk factors such as complexity or subjectivity) 3. Using a basic response when we’ve documented risk at high (high risk needs a more rigorous response) 4. Documenting that a significant risk is present but all inherent risk is assessed at low or moderate (a significant risk, by definition, is one with extremely high inherent risk) 5. Assessing inherent risk at the same level (e.g., moderate) for every assertion in every class of transactions (this means the auditor is not really thinking about risk) 6. Having no significant risks (this is seldom true; there’s almost always one or two significant risks) 7. Not documenting linkage (higher risk merits linkage to extended procedures and those should be defined) #CPAHallTalk, #riskassessment