Auditing Principles SUMMARY

Auditing Principles 1- Introduction to Auditing & Assurance What is Auditing? y

y

1- Introduction to Auditing & Assurance The Audit Process / Phase

Accounting is concerned in dealing with financial transactions and events so as to produce information that is useful for decision making.

y

Engagement ± Evaluating the acceptance of a new

client ; assessing whether the client is likely to be ethical, assessing independence, and drafting up the audit agreement.

Auditing is concerned with verifying the credibility and reliability of the information produced by accounting.

y

Understanding the entity ±Understand both the industry and business environment, its policies,

and so on. Why the Need for Auditing? y

y

y

y

y

y

The corporation structure that is founded on the principles of stewardship. Managers are the stewards of the shareholders¶ resources, which is the absentee owner.

y

Assess risks and materiality  ± identify the areas that are most risky and thus, material. material. Conducting tests of controls. Develop audit plan ± details the scope and ti ming

of the audit. Involves selection of appropriate audit  procedures.

Asymmetric information and conflict of interest leads to the need for shareholders to protect themselves from managers¶ misconduct.

y

Gather evidence, conduct audit procedures.

y

Evaluation and completion of audit

y

Accounting standards prescribe proper guidelines for  managers to follow. Auditors verify that managers have been following the  proper guidelines. An independent audit lends credibility to the financial statements.

Issue the opinion report o Unqualified / clean opinion ±  auditor  offers reasonable assurance that there are no material misstatements, in accordance to the standards. The financial statements  present a true and fair view. o

The Three Fundamental Auditing Concepts y

y

Audit Risk  ± There is always a risk that an audit will fail to detect misstatements or fraud in the financial statements. Auditors seek to provide reasonable assurance, as opposed to absolute assurance. Only reasonable assurance can be provided due to constraints. Thus, auditors always use a risk-based approach to auditing. They identify the most risk-prone areas and then focus their investigation on those areas.

o

financial statements present a true and fair view. Disclaimer ± Auditor fails to offer an opinion because of material scope limitations. Adverse ±  Auditor¶s disagreement with the company¶s accounting policies are material, in such a way that the financial statements do not present a true and fair  view.

Materiality ±  An item is said to be material if it affects

the decision making process. Auditors focus on the material areas of the financial statements. What is considered material is up to the professional judgement of the auditor. In a small business, having 10 errors might be considered a material event, but in a huge  public company, it might be considered inmaterial. y

o

Qualified ±  auditor has a scope limitation or a disagreement, but generally the

Audit Evidence  ±  Auditing is all about collecting and analyzing evidence  ±  evidence that verifies financial records. Again, it is not possible to collect every single   bit of evidence. Auditors use the risk-based approach when auditing. Auditors investigate ending balances, transactions and internal controls.

Skills & knowledge required from that of an audit or: y

Accounting

skills

y

Auditing

y

Legal

y

Creativity in obtaining evidence

y

Strong,

skills

knowledge rigorous logic ± revise critical thinking please.

2- The Financial Statement Auditing Environment

2- The Financial Statement Auditing Environment

Auditors

Services offered by public accounting firms

International Auditing Standards

1. 2. 3. 4. 5.

have to operate within the boundary of relevant ccounting standards. Understanding the financial reporting environment is vital for an auditor.

y

y

IFAC - The International Federation of  Accountants aims to develop the accounting profession across a wide range of areas. IAASB - The International Auditing and Assurance Standards Board is a committee of the IF AC. It issues auditing standards and practices for auditors. However, these standards are more towards providing guidance rather than mandating the law. In A merica, the AICPA sets the auditing standards through SAS (Statement on Auditing Standards). They are mostly similar to ISA standards.

Ethical Issues faced by auditors y y y

y y

y

7. 8. 9. 10.

Price competition among public accounting firms Clients' opinion shopping Clients threatening to change auditors

Approved Auditing Standards in Malaysia y

6.

MIA - The Malaysian Institute of  Accountants is a committee member of the IF AC. Besides representing and regulating the accounting profession in Malaysia, it has the role of helping the IF AC to develop local auditing standards for the country. In Malaysia, the approved auditing standards are IFAC's ISA (International Standards on Auditing) that have been approved by MI A, and Malaysian Standards on Auditing (MSA) issued by the MIA. So far, no MSA has been issued by the MI A, but it has issued Recommended Practice Guidelines, which serve as guidelines rather than law.

11.

Financial audit Operational audit Compliance audit Forensic audit Internal control assessment   ± In Malaysia, auditors are only required (in a financial statement audit btw) to assess whether the entity¶s Statement on Internal Control is in line with the actual system, unlike auditors in the U S where they must evaluate the system¶s effectiveness (under  S -Oxley) Attestation / financial forecasts - Auditors help to provide assurance on the preparation, supporting evidence and   presentation of these financial forecasts. They however do not assure that the financial projections will be realised. Risk assessment - assessing risk management system of  the entity as well as IT computer systems. Tax services Management advisory services Compilation services  ± merely compiling data provided by client into financial statements. No assurance provided. While not illegal in a sense to compile and audit the same client, the auditor might be perceived to be less ind ependent and less objective. Normally occurs for small private companies. Bookkeeping ± normally the accounting firm that does the  bookkeeping won¶t be allowed to do the auditing.

Generally Accepted Auditing Standards ( GAAS), developed  by AICPA. y

General Standards o

o

o

Auditor's Responsibility for the financial statements y

Auditors

are not responsible for the content of the financial statements. They merely express an opinion. Because of the risk-based approach, the opinion is not  perfect. It is management that are primarily responsible for the financial statements. If an auditors detect fraud or errors, they should report it to management. It should be noted that they are not primarily responsible for detecting fraud. Auditors are also not primarily responsible for detecting non-compliance of the client with laws and regulations (for example, environmental laws).

Non-compliance with laws and regulations ± What should the auditor do?

y

Standards of Field Work  o

o

o

y

y

y

y

Consider if it affects the financial stmt disclosures. Inform top management, even if the auditor believes that the non-compliance was intentional. ISA 250 ± If the non-compliance has a material effect on the financial statements and management refuses to take remedies, the auditor should issue a qualified or  adverse opinion. Section 174(8) of the Companies Act 1965 ± non compliance of any Acts should be reported to the CCM and the SC (if it¶s a public company).

Auditor

must plan the audit well and supervise assistants Auditor must understand the entity¶s environment Auditor must obtain sufficient evidence

Standards of Reporting o

o y

Auditor must have technical training and  proficiency. Auditor must maintain independence ±  without bias, obligation to management, 3 rd  parties and the public. Auditor must use due professional care in  preparing the report ± critical review,  professionalism on par with other auditors &  professional skepticism.

o

o

Auditor

must state in the report whether or not the records follow GAAP. Auditor must identify circumstances in which GAAP has not been followed with consistency Auditor must state that disclosures are inadequate, if that is the case with the financial statements. Auditor must either express or do not express an opinion. If an opinion cannot be expressed, reasons must be given. Auditors must state the scope and work done under the audit.

3 ± Risk Assessment & Materiality Introduction

3 ± Risk Assessment & Materiality How to use the audit risk model

After

accepting the engagement and understanding the entity¶s environment, the auditor¶s next step is to assess the level of risk, in which he/she identifies the areas that are considered material.

1.

The Audit Risk Model AAR

= IR x CR x DR  2.

Acceptable

audit risk = inherent risk x control risk x detection

risk. AAR  = The risk that the auditor will issue an unqualified opinion when material misstatements actually exist in the financial statements. AAR is also known as engagement risk.

3.

Assessing audit risk 

4.

Planned audit risk  y

y

The degree to which stakeholders are relying on the financial statements Level of materiality 5.

Achieved y y y

or actual audit risk 

Prudent acceptance of clients Understanding the entity¶s environment Designing an appropriate audit plan and procedures to cover the material areas of the client.

IR  = All other things being equal, the risk that an assertion will contain material misstatement due to the very nature of the  business or assertion itself. For example, a business that carries inventory prone to obsoletion is prone to inventory being overstated. Assessing inherent risk  y

y y y

Complexity of the assertion as to whether it is an estimate or a concrete assertion. For example, accounts receivable might contain more inherent risk than cash because bad debts is a matter of estimation. The very nature of the business itself. Past history or ethical issues concerning the client Risk awareness of client.

CR  = The risk that the internal controls of the entity will fail to detect and correct material misstatements. DR  = The risk that the auditor will fail to detect material misstatements through his/her audit procedures.

First of all, the auditor should decide what is the audit risks level that he/she can tolerate. A normal level of  acceptable risk is 5%. Factors in deciding the level or  audit risk includes reliance of external users on the financial statements, the likelihood that the client will go bankrupt, and management integrity / ethi cal issues. The next step is to then determine the level of inherent risk. Auditors cannot change inherent risk, but merely consider it. Factors include the client¶s environment, results of previous audits, the presence of related  parties, etc. At this point, some auditors may assess fraud risk as well, which is generally distinguished from IR, CR, and DR. The next step is to then determine the control risk. If  internal controls are effective, the control risk will be set at a low level, vice-versa. If the auditor sets control risk at a low level (meaning IC is considered to effective), the auditor must perform tests of control to  justify that expectation first. Determine DR level using the formula above. If the DR  level is high, it means that the auditor can tolerate the risk of failing to detect material misstatements, since inherent risk may be low and/or control risk is low. If  DR level is low, it means that the auditor cannot tolerate failing to detect material misstatements, and must compensate by conducting more extensive substantive procedures.

Relationship between audit risk and materiality

There is an inverse relationship between audit risk and materiality. If materiality increases, it means that the auditor  must be more careful in simply issuing an unqualified opinion. Audit risk is reduced.

Materiality An

item is considered material if its non-disclosure could affect the decisions of the users of financial statements. When designing the audit plan, the auditor should establish an acceptable materiality level, so as to detect quantitatively material misstatements. This will allow for a better audit plan, as well as provide a basis for comparison when actual audit  procedures are carried out.

4- Audit Evidence and Audit Procedures Introduction

Financial statements represent management assertions. Thus, audit evidence is collected through audit procedures to express an opinion on the financial statements. Auditors generally divide the financial statements into account  balances, business processes or transaction cycles.

Management Assertions / Financial Statement assertions are divided into 3 categories:

Transactions y

y

y y

Transactions have indeed occurred, are valid and authorised, pertaining to the entity. All transactions have been recorded (complete recording) All transaction values are accurate. Transactions have been properly classified.

Account balances y

y

y

y

The assets, liabilities and equities indeed exist in reality. The assets are owned by the entity, and the liabilities are the obligations of the entity. All assets, liabilities and equities have been recorded (complete) The assets, liabilities and equities are accurately and  properly valuated.

Presentation & disclosure y

y y y

Disclosed events have indeed occurred and pertain to the entity. All required disclosures have been disclosed. Information is properly disclosed and explained. Information that is disclosed is accurately valuated.

General Categories of  Management Assertions

1. 2. 3. 4. 5. 6.

Validity / Occurrence Completeness Accuracy / valuation Classification Rights / obligations Authorization

7. Cut-off  . Additional

note: Business risk is the risk that the client will fail to achieve its objectives regarding efficiency and effectiveness of its business operations.

4- Audit Evidence and Audit Procedures Concepts of Audit Evidence ± good to know y

y

y

y

Nature of audit evidence ±includes accounting records (journal entries, source documents, ledgers), work  sheets that support valuations and calculations, confirmations /checks with third parties, interviews, analyst reports, interviews, minutes of meetings, internal control procedures, inspection, observation, recalculations, past audit evidence, and so on. Appropriateness / quality Relevance ± Collected evidence must relate to o the tested assertion. Reliability ± Independence, internal control o effectiveness, direct observation or inspection, documentary as opposed to oral evidence, and original documents.

4 - Audit Evidence and Audit Procedures Types of tests

1.

Tests of controls ± has 2 purposes. Tests of controls are done to initially support control risk assessment levels. They are also conducted again if the auditor is relying on internal controls, or if he decides that substantive evidence is not sufficient.

2.

Substantive procedures ± Procedures taken to detect material misstatements in management assertions either in transaction related assertions, account balance assertions or disclosure assertions. Considered to be the most detailed and assuring tests.

3.

Dual-purpose tests   ± The auditor performs both tests of  controls and substantive procedures on a single item.

4.

Analytical procedures ± a comparison between financial statement data and expectations formed by the auditor. It can also involve the use of industry data or previous historical data. Formal Definition - valuation of financial information made by a study of plausible relationships among both financial and nonfinancial data¶. The Auditing Standards Board through its SAS has mandated the use of  analytical procedures. Actually, analytical procedures are generally categorized as a form of substantive procedures as well. It is considered to be more efficient than tests of  details. Analytical procedures are also conducted at the  beginning stage of an audit to get a feel. They help to assess going concern as well.

Sufficiency / quantity ±  higher risk and low quality of  evidence requires more evidence to be collected. Auditor relies on persuasive (reasonable) o rather than conclusive (absolute) evidence. Evaluation ± thorough and unbiased.

Audit Documentation y

y

y

y

Purpose of documentation ± support for the audit opinion and to systematically conduct the audit  process. Audit documentation records how the audit was   performed, what evidence was collected, and the conclusions. Audit firms usually keep permanent files and current files. Permanent files include corporate charter, chart of accounts, internal control policies, and so on. Current files include current financial statements, trial balance, working papers, and so on. Audit documents are required to be retained for 7 years after the audit h as been completed.

THE AUDIT BUCKET

Substantive tests ???

Audit

procedures serve to assess risk of material misstatement, internal control effectiveness, and collect substantive evidence

Analytical procedures

Types of audit procedures:

Tests of controls 1. 2. 3. 4.

Inspect documents Examination ± physically examine assets Observation ± personal observation of procedures Inquiry ± oral or written info obtained by asking the client. 5. Confirmation ± oral or written information by asking a 3rd party. 6. Scanning 7. Recomputation ± Recompute amounts and compare to client¶s. 8. Re-performance ± Reperform procedures and compare to client¶s. 9. Analytical procedures ± explained on the right side. 10. Vouching ± tracing a transaction to its relevant document evidence.

Risk assessment

Audit Strategy: 1. 2.

Reliance strategy ± relying on internal c ontrols Substantive strategy ± relying on substantive audit procedures.

5- Audit Planning & Documentation Planning for an audit: y y

Required by ISA 300.

5- Audit Planning & Documentation Audit Documentation (working papers) y

Good planning is necessary to perform an effective audit, saves costs, and avoid misunderstanding with the client.

The process y

Client acceptance Be wary of accepting clients with ethical issues or  o with bankrupt potential. o Be wary of accepting clients that are in high ri sk  o

o

y

Establishing the terms of engagement ±  Serves to reduce the expectation gap between the o o

o

o

o

y

auditor and client. The terms of engagement prescribes the type, scope and timing of the engagement. The main contents include the objectives of the audit, the auditor¶s responsibilities, management responsibilities, and limitations. The engagement letter is a contract. It can also contain arrangements on the use of specialists and other value-added services, and lastly, the audit fee. It should also contain other agreements like the use of an expert.

Understanding the e ntity o

o

o

y

areas ± insurance, for example. The auditor must be capable of accepting an engagement. Consultation with the former auditor of a client is mandated by MIA by-laws.

With globalization and technological advances,  business has become extremely complex. Auditors must understand the entity in order to assess risks and areas of material concern, and thus develop an appropriate audit plan to address those concerns. Tour the offices, initial interviews, company articles of incorporation, organization chart, management philosophy, remuneration methods. Assess business risk ± helps in assessing potential areas of material misstatements.

Preliminary analytical procedures   ± compare financial data using industry information, historical data and auditor¶s expectations.

Purpose: To plan and conduct the audit in a systematic way, to prove that the audit was properly conducted in accordance with GAAS, and also acts as a written record of all audit evidence that will help the auditor in forming the audit opinion.

y

Audit

y

Audit

y

y

documentation is the property of the auditor. Clients have no right to those documents unless required by court. documentation must be protected ± because it would contain confidential and trade-related information. Permanent documentation ± generally includes general   business information about the client and historical audit documentation. Current documentation ± audit programme, working trial balance, adjusting and reclassification entries, and supporting schedules

6 ± Internal Control & Assessment of Control Risk  Definition of internal control - Internal control is broadly

defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations;  b) Reliability of financial reporting; and c) Compliance with laws and regulations.  Note: Internal control can help to decrease the expectation gap. good internal control system means higher assurance on the   part of the auditor. The internal control can affect the overall audit strategy. A

COSO defines internal control as having five components:

1.

Control Environment -sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.

2.

 Risk

3.

 I nformation

and Communication-systems or processes that support the identification, capture, and exchange of  information in a form and time frame that enable  people to carry out their responsibilities

4.

Control Activities - the policies and procedures that help ensure management directives are carried out.

5.

 M onitoring -processes

Assessment  - the identification and analysis of  relevant risks to the achievement of objectives, forming a basis for  how the risks should be managed

used to assess the quality of  internal control performance over time.

Audit Risk Model y

AR = IR x CR x DR 

Assessment of internal control risk 

1.

If internal control is set at a low risk level, the auditor  must conduct tests of controls to satisfy himself that controls are indeed reliable. 2. In contrast, tests of controls are rarely performed on controls that are assessed to be weak. 3. Once internal controls are tested, we obtain what is called achieved level of control risk. This value is  plugged in to the audit risk model. 4. Internal control can be assessed through observation, interviews, questionnaire, reviewing internal control methods and flowcharts, and so on.

6 - Internal Control & Assessment of Control Risk  ISA requires auditor to inform management whenever material weaknesses are found in internal controls. This is often done through a management letter.

6 - Fraud (ISA 240)

6 - Analytical procedures

Fraud ± An intentional act by employees or management to gain an unfair or illegal advantage by deceiving and cheating.

Definition - Evaluation of financial information made by a study of plausible relationships among both financial and nonfinancial data.

There are 2 types of fraud ± misappropriation of assets and fraudulent financial reporting. Error ± Unintentional mistake.

Types of analytical procedures: y

Preliminary analytical procedures ±  helps the auditor 

to understand the client¶s environment and design the audit procedures (mandatory). Management has the primary responsibility for detecting and  preventing fraud, through a strong internal control environment.

y

Substantive analytical procedures ±  used to obtain

substantive evidence about particular assertions y

Auditor¶s responsibility for fraud y

y

y

y

y

y

Detection of fraud is not the auditor¶s primary responsibility. Instead, he only obtains reasonable assurance that the financial statements are free from material misstatements that may result from errors or fraud. However, ISA 240 does require the auditor to maintain an attitude of professional skepticism that misstatements may occur due to fraud. Controls may be overridden by management. The auditor has to maintain an ongoing frame of mind that fraud is possible, even when past history of the client is clean. discussion with the engagement team might be necessary to assess whether and where fraud may have taken place. A

The auditor has to inquire of management whether they know of any fraud cases. Fraud risk factors ± Wh en the auditor is assessing internal controls, he should also assess whether risks for fraud exist. If the auditor is aware that fraud might exists, substantive testing have to be modified to account for that possibility.

Communication of fraud to management y

y

When the auditor discovers fraud or the possiblity of fraud, it should be communicated as soon as possible to the appropriate level of management or governance. Always

consider legal implications when deciding whether  or not to report fraud. If fraud is discovered in a publicly listed company, the SC requires it to be reported.

Final analytical procedures ±  overall review of 

financial statements (mandatory). Preliminary and final analytical procedures are mandated by auditing standards.

7 ± Auditing The Revenue Process Introduction Auditors

generally divide a firm into several transaction cycles to trace an activity to the final financial standards. We must understand revenue recognition, the revenue process, assessment of risk and finally conducting audit tests. Revenue Definition y y

y

Revenue ± Income from ordinary course of business. Gross inflow of economic benefits, in which these inflows result in increased equity (excluding equity contributions from shareholders). Revenue should be measured at fair value.

Revenue Recognition y

y

Revenue is only recognized when: It is probable that future economic benefits o will flow to the entity (when the earnings  process is These benefits can be measured reliably. o Revenue must be realised and earned.

Overview of the revenue process y y y

Sale

of goods / services Receipt of cash Return of goods

7 ± Auditing The Purchase Process Introduction

7 ± Audi i Introduction

the Inventory Cycle

7 ± Auditing the Cash & Investments Cycle Introduction

Subst ti l ti l ures are useless due t t e residual nature of cash. However, internal controls are very i or tant.

Investments

Most of the ti e, the auditor will just use a substantive strategy to audit invest ents. If a large por tfolio of  invest ents are involved however, the auditor might rely on internal controls;  because substantive testing would then be very inneff icient.

9 ± Auditing Long Term Debt, Shareholders¶ Equity and Income Statement Accounts Introduction y

Understand the entity

y

Assess

y

Conduct tests of controls

y

Develop audit plan

y

risks ± AAR = IR x CR x DR 

Conduct substantive audit procedures  procedures and substantive audit tests.

±

analytical

Substantive

audit procedures are mostly used instead of tests of  controls to audit t his cycle. Useful components in the long term debt cycle y

Bond

y

Creditors ± can be contacted to confirm

y

Board

y

Loan

y

Due dates of bond notes or notes payable -

y

y

notes , notes payable and l ease contracts of directors ± must authorize transactions

amortization schedule ± useful for identifying interest expense. Off-balance sheet activities ± capitalization or noncapitalization of lease payables. Cash disbursement journal ± to check on interest payments.

Useful components in the equities c ycle y

Share

y

Registrar and transfer agent; or company secretary

y

Dividends account

y

certificates and their details

Cash disbursement journal ± to check whether dividends amount is correct.