CHAPTER 1 AN OVERVIEW OF AUDITING

1.1. Introduction

There is now more information available than ever before, both to businesses and about businesses.
Corporations maintain large databases that provide detailed information on suppliers and customers. Various
credit agencies collect information on individuals and sell this information to financial institutions. The
websites of publicly listed companies provide a wealth of information, including annual reports containing
financial statements, to investors and potential investors. In all of these situations, there is a need for the
information to be reliable, credible, relevant, and timely. Auditing and assurance services can ensure that
information meets these criteria.

Reliable information is necessary if managers, investors, creditors, and regulatory agencies are to make
informed decisions about resource allocation. Auditing and assurance services play an important role in this
process.

Auditing and audited financial statements are important to both private and public enterprise. By the audit
function, the users of the financial statements have reasonable assurance that the financial statements do not
contain material misstatements or omissions.

1.2. Definition and Nature of Auditing

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about
economic actions and events to ascertain the degree of correspondence between these assertions and established
criteria, and communicating the results to interested users.

Auditing should be done by a competent, independent person. The auditor must be qualified to understand the
criteria used and must be competent to know the types and amount of evidence to accumulate to reach the
proper conclusion after examining the evidence. The auditor must also have an independent mental attitude. The
competence of those performing the audit is of little value if they are biased in the accumulation and evaluation
of evidence.
Auditors strive to maintain a high level of independence to keep the confidence of users relying on their reports.
Auditors reporting on company financial statements are often called independent auditors. Even though such
auditors are paid fees by the company, they are normally sufficiently independent to conduct audits that can be
relied on by users. Even internal auditors – those employed by the companies they audit—usually report

1
directly to top management and the board of directors, keeping the auditors independent of the operating units
they audit.

Components of Auditing Definition

An audit is a systematic approach. The audit follows a structured, documented plan (audit plan). In the process
of the audit, accounting records are analyzed by the auditors using a variety of generally accepted techniques.
The audit must be planned and structured in such a way that those carrying out the audit can fully examine and
analyze all important evidence.

An audit is conducted objectively. An audit is an independent, objective and expert examination and evaluation
of evidence. Auditors are fair and do not allow prejudice or bias to override their objectivity. They maintain an
impartial attitude.

The auditor obtains and evaluates evidence. The auditor assesses the reliability and sufficiency of the
information contained in the underlying accounting records and other source data by:
studying and evaluating accounting systems and internal controls on which he wishes to rely and testing
those internal controls to determine the nature, extent and timing of other auditing procedures; and
carrying out such other tests, inquiries and other verification procedures of accounting transactions and
account balances, as he considers appropriate in the particular circumstances.

Evidence is any information used by the auditor to determine whether the information being audited is stated in
accordance with the established criteria. Evidence takes many different forms, including:
• Electronic and documentary data about transactions
• Written and electronic communication with outsiders
• Observations by the auditor
• Oral testimony of the auditee (client)
The evidence obtained and evaluated by the auditor concerns assertions about economic actions and events.
The basis of evidence – gathering objectives, what the evidence must prove, are the assertions of management.
Assertions are representations by management, explicit or otherwise, that are embodied in the financial
statements.

One assertion of management about economic actions is that all the assets reported on the balance sheet actually
exist at the balance sheet date. The assets are real, not fictitious. This is the existence assertion. Furthermore,

2
management asserts that the company owns all these assets. They do not belong to anyone else. This is the
rights and obligations assertion.

The auditor ascertains the degree of correspondence between assertions and established criteria. The audit
program tests most assertions by examining the physical evidence of documents, confirmation, inquiry, and
observation. The auditor examines the evidence for the assertion presentation and disclosure to determine if the
accounts are described in accordance with the applicable financial reporting framework, such as IFRS, local
standards or regulations and laws.

The goal, or objective, of the audit is communicating the results to interested users. The audit is conducted
with the aim of expressing an informed and credible opinion in a written report. If the item audited is the
financial statements, the auditors must state that in their opinion the statements “give a true and fair view” or
“present fairly, in all material respects’’ the financial position of the company. The purpose of the independent
expert opinion is to lend credibility to the financial statements. The communication of the auditor’s opinion is
called attestation, or the attest function. In an audit this attestation is called the “audit report”.

1.3. Accounting vs. Auditing

Many financial statement users and the general public confuse auditing with accounting. The confusion results
because most auditing is usually concerned with accounting information, and many auditors have considerable
expertise in accounting matters. The confusion is increased by giving the title “certified public accountant” to
many individuals who perform audits.

Accounting is the recording, classifying, and summarizing of economic events in a logical manner for the
purpose of providing financial information for decision making. To provide relevant information, accountants
must have a thorough understanding of the principles and rules that provide the basis for preparing the
accounting information. In addition, accountants must develop a system to make sure that the entity’s economic
events are properly recorded on a timely basis and at a reasonable cost.

When auditing accounting data, auditors focus on determining whether recorded information properly reflects
the economic events that occurred during the accounting period. Because U.S. or international accounting
standards provide the criteria for evaluating whether the accounting information is properly recorded, auditors
must thoroughly understand those accounting standards.

3
In addition to understanding accounting, the auditor must possess expertise in the accumulation and
interpretation of audit evidence. It is this expertise that distinguishes auditors from accountants. Determining the
proper audit procedures, deciding the number and types of items to test, and evaluating the results are unique to
the auditor.

1.4. Type of Audit and Auditors

1.4.1. Types of Audits

Audits are typically classified into three types: audits of financial statements, operational audits, and
compliance audits.

■ Audits of Financial Statements

Audits of financial statements examine financial statements to determine if they give a true and fair view or
fairly present the financial statements in conformity with specified criteria. The criteria may be International
Financial Reporting Standards (IFRS), generally accepted accounting principles (GAAP).
Figure 1 – 1 An Overview of the Financial Statement Audit Process

■ Operational Audits

4
An operational audit is a study of a specific unit of an organization for the purpose of measuring its
performance. Operational audits review all or part of the organization’s operating procedures to evaluate
effectiveness and efficiency of the operation. Effectiveness is a measure of whether an organization achieves its
goals and objectives. Efficiency shows how well an organization uses its resources to achieve its goals.
Operational reviews may not be limited to accounting. They may include the evaluation of organizational
structure, marketing, production methods, computer operations or whatever area the organization feels
evaluation is needed. Recommendations are normally made to management for improving operations.

The operations of the receiving department of a manufacturing company, for example, may be evaluated in
terms of its effectiveness. Performance is also judged in terms of efficiency on how well it uses the resources
available to the department. Because the criteria for effectiveness and efficiency are not as clearly established as
accepted accounting principles and laws, an operational audit tends to require more subjective judgment than
audits of financial statements or compliance audits.

An operational audit involves a systematic review of an organization’s activities, or a part of them, in relation to
the efficient and effective use of resources. The purpose of an operational audit is to assess performance,
identify areas for improvement, and develop recommendations.

Sometimes this type of audit is referred to as a performance audit or management audit. Operational audits are
generally more difficult to conduct than financial statement audits or compliance audits because it can be very
difficult to identify objective, measurable criteria that can be used to assess effectiveness and efficiency.

Operational auditing has increased in importance in recent years, and it is likely that this trend will continue.
With entities restructuring and downsizing, many aspects of the entity’s operations are being evaluated. In the
private sector, an operational audit could be performed to assess the efficiency and effectiveness of the entity’s
use of IT resources.

■ Compliance Audits

A compliance audit is a review of an organization’s procedures to determine whether the organization is

following specific procedures, rules or regulations set out by some higher authority. A compliance audit
measures the compliance of an entity with established criteria. The performance of a compliance audit is
dependent upon the existence of verifiable data and of recognized criteria or standards, such as established laws
and regulations, or an organization’s policies and procedures. Accounting personnel, for example, may be
evaluated to determine if they are following the procedures prescribed by the company controller. Other

5
personnel may be evaluated to determine if they follow policies and procedures established by management.
Results of compliance audits are generally reported to management within the organizational unit being audited.

Compliance audits are usually associated with government auditors – for example, the tax authority, the
government internal auditing arm, or audit of a bank by banking regulators. An example of a compliance audit
is an audit of a bank to determine if they comply with capital reserve requirements. Another example would be
an audit of taxpayers to see if they comply with national tax law, for example, the audit of an income tax return
by an auditor of then government tax agency such as the Internal Revenue Service (IRS) in the USA.

Compliance audits are quite common in not – for – profit organizations funded at least in part by government.
Many government entities and non-profit organizations that receive financial assistance from the federal
government must arrange for compliance audits. Such audits are designed to determine whether the financial
assistance is spent in accordance with applicable laws and regulations.

Illustration 1.2 summarizes the three types of audit.

Audits of financial statements Operational audits Compliance audits

Examine financial statements, A study of a specific unit A review of an organization’s procedures
determine if they give a true and of an organization for the and financial records performed to determine
fair view or fairly present the purpose of measuring its whether the organization is following
financial position, results, and performance. specific procedures, rules or regulations set
cash flows. out by some higher authority.

Each of these types of audit has a specialist auditor, namely the independent auditor, internal auditor, and
governmental auditor. The independent auditor is mainly concerned with financial statement audits, the internal
auditor concentrates on operational audits, and the governmental auditor is most likely to determine compliance.

1.4.2. Type of Auditors

There are a number of different types of auditors; however, they can be classified under four headings: external
auditors, internal auditors, government auditors, and forensic auditors. One important requirement of each
type of auditor is independence, in some manner, from the entity being audited.

6
External Auditors

External auditors are often referred to as independent auditors or public accountants. Such auditors are called
“external” because they are not employed by the entity being audited. External auditors audit financial
statements for publicly traded and private companies, partnerships, municipalities, individuals, and other types
of entities. They may also conduct compliance, operational, and forensic audits for such entities. An external
auditor may practice as a sole proprietor or as a member of a public accounting firm.

Professional standards require that external auditors maintain their objectivity and independence when
providing auditing or other attest services for clients

Internal Auditors

Internal auditors are auditors employed by individual companies, partnerships, government agencies,
individuals, and other entities are called internal auditors. In major corporations, internal audit staffs may be
very large, and the director of internal auditing (sometimes called the chief audit executive, or CAE) is usually a
major job title within the entity.

The Institute of Internal Auditors (IIA) defines internal auditing as “an independent, objective assurance and
consulting activity designed to add value and improve an organization’s operations” with a view to “help an
organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and governance processes.” Internal auditing reviews the
reliability and integrity of information, compliance with policies and regulations, the safeguarding of assets, the
economical and efficient use of resources, and established operational goals and objectives. Internal audits
encompass financial activities and operations including systems, production, engineering, marketing, and
human resources.

The IIA has developed a set of standards that should be followed by internal auditors and has established a
certification program. An individual meeting the certification requirements set up by the IIA, which include
passing a uniform written examination, can become a certified internal auditor (CIA). Many internal auditors
are also CAs or CGAs.

Like external auditors, internal auditors must be objective and independent. To help ensure the objectivity and
independence of internal auditors, the IIA suggests that the director of internal auditing report directly to either
the board of directors or the audit committee of the board or have free access to the board. If the internal
7
auditors report to the chief financial officer or a similar financial officer within the organization, a conflict of
interest may arise. Internal auditors may not be objective and independent when evaluating certain
organizational functions if they are direct subordinates of the same individuals whose stewardship they are
reporting on.

Internal auditors can be involved in all types of audits. They may conduct compliance, operational, and forensic
audits within their organizations; they may assist the external auditors with the annual financial statement audit.
Internal auditors may also be involved in assurance and consulting engagements for their entities.

Government Auditors

Government auditors are employed by federal, regional, and local agencies. At the federal level is the Office of
the Auditor General.

Forensic Auditors

Forensic auditors are employed by corporations, government agencies, public accounting firms, and consulting
and investigative services firms. They are trained in detecting, investigating, and deterring fraud and white –
collar crime. Some examples of situations where forensic auditors have been involved include

 analyzing financial transactions involving unauthorized transfers of cash between companies

 reconstructing incomplete accounting records to settle an insurance claim over inventory valuation
 proving money – laundering activities by reconstructing cash transactions
 embezzlement investigation and documentation, and negotiation of insurance settlements

1.5. Economic Demand for Auditing

To illustrate the need for auditing, consider the decision of a bank officer in making a loan to a business. This
decision will be based on such factors as previous financial relationships with the business and the financial
condition of the business as reflected by its financial statements. If the bank makes the loan, it will charge a rate
of interest determined primarily by three factors:

1. Risk – free interest rate. This is approximately the rate the bank could earn by investing in U.S. treasury
notes for the same length of time as the business loan.

8
2. Business risk for the customer. This risk reflects the possibility that the business will not be able to repay
its loan because of economic or business conditions, such as a recession, poor management decisions, or
unexpected competition in the industry.

3. Information risk. Information risk reflects the possibility that the information upon which the business risk
decision was made was inaccurate. A likely cause of the information risk is the possibility of inaccurate
financial statements.

Auditing has no effect on either the risk-free interest rate or business risk, but it can have a significant effect on
information risk. If the bank officer is satisfied that there is minimal information risk because a borrower’s
financial statements are audited, the bank’s risk is substantially reduced and the overall interest rate to the
borrower can be reduced. The reduction of information risk can have a significant effect on the borrower’s
ability to obtain capital at a reasonable cost. For example, assume a large company has total interest-bearing
debt of approximately $10 billion. If the interest rate on that debt is reduced by only 1 percent, the annual
savings in interest is $100 million.

As society becomes more complex, decision makers are more likely to receive unreliable information. There are
several reasons for this: remoteness of information, biases and motives of the provider, voluminous data, and
the existence of complex exchange transactions.

Remoteness of Information In a global economy, it is nearly impossible for a decision maker to have much
firsthand knowledge about the organization with which they do business. Information provided by others must
be relied upon. When information is obtained from others, the likelihood of it being intentionally or
unintentionally misstated increases.

Biases and Motives of the Provider

If information is provided by someone whose goals are inconsistent with those of the decision maker, the
information may be biased in favor of the provider. The reason can be honest optimism about future events or
an intentional emphasis designed to influence users. In either case, the result is a misstatement of information.
For example, when a borrower provides financial statements to a lender, there is considerable likelihood that the
borrower will bias the statements to increase the chance of obtaining a loan. The misstatement could be
incorrect dollar amounts or inadequate or incomplete disclosures of information.

9
Voluminous Data

As organizations become larger, so does the volume of their exchange transactions. This increases the
likelihood that improperly recorded information is included in the records – perhaps buried in a large amount of
other information. For example, if a large government agency overpays a vendor’s invoice by $2,000, it is
unlikely to be uncovered unless the agency has instituted reasonably complex procedures to find this type of
misstatement. If many minor misstatements remain undiscovered, the combined total can be significant.

Complex Exchange Transactions

In the past few decades, exchange transactions between organizations have become increasingly complex and
therefore more difficult to record properly. For example, the correct accounting treatment of the acquisition of
one entity by another poses relatively difficult accounting problems. Other examples include properly
combining and disclosing the results of operations of subsidiaries in different industries and properly disclosing
derivative financial instruments.

After comparing costs and benefits, business managers and financial statement users may conclude that the best
way to deal with information risk is simply to have it remain reasonably high. A small company may find it less
expensive to pay higher interest costs than to increase the costs of reducing information risk.

For larger businesses, it is usually practical to incur costs to reduce information risk. There are three main ways
to do so.

User Verifies Information

The user may go to the business premises to examine records and obtain information about the reliability of the
statements. Normally, this is impractical because of cost. In addition, it is economically inefficient for all users
to verify the information individually. Nevertheless, some users perform their own verification. For example,
the IRS does considerable verification of business and individual tax returns to determine whether the tax
returns filed reflect the actual tax due the federal government. Similarly, if a business intends to purchase

10
another business, it is common for the purchaser to use a special audit team to independently verify and
evaluate key information of the prospective business.

User Shares Information Risk with Management

There is considerable legal precedent indicating that management is responsible for providing reliable
information to users. If users rely on inaccurate financial statements and as a result incur a financial loss, they
may have a basis for a lawsuit against management. A difficulty with sharing information risk with
management is that users may not be able to collect on losses. If a company is unable to repay a loan because of
bankruptcy, it is unlikely that management will have sufficient funds to repay users.

Audited Financial Statements Are Provided

The most common way for users to obtain reliable information is to have an independent audit. Typically,
management of a private company or the audit committee for a public company engages the auditor to provide
assurances to users that the financial statements are reliable.

External users such as stockholders and lenders who rely on those financial statements to make business
decisions look to the auditor’s report as an indication of the statements’ reliability. Decision makers can then
use the audited information on the assumption that it is reasonably complete, accurate, and unbiased. They
value the auditor’s assurance because of the auditor’s independence from the client and knowledge of financial
statement reporting matters. Figure 1 – 3 illustrates the relationships among the auditor, client, and financial
statement users.

Figure 1 – 3 Relationships among the Auditor, Client, and Financial Statement Users

Auditor
Auditor issues report
relied upon by users to
Client or audit committee reduce information risk
hires auditor

Provides capital
External Users

Client Client provides financial

statements to users

11