Summary Advanced Auditing
Chapter 1 Assurance and Auditing
Information risks that investors face when making decision based on financial report are:
- Information is biased
- Information may be irrelevant
- Information may be inaccurate
- Information may be though to be sensitive
- Information may be complex so difficult to understand
The role of an auditor is to reduces these risks for people who use the information. Virtually any
information provided by one party to another can be subject to an audit if the recipient of the
information is concerned about its objectivity, relevance, or reliability. There are four general reasons
explaining the nature of demand for auditing.
1. Audit helps keep management honest and motivated
2. An audit provides assurance over the quality of the FS in an efficient and effective manner.
3. Reliable financial reports reduce a firm cost of capital.
4. Auditors provide a reasonable level of assurance that information received by capital
providers s reliable, while maintaining that they do not guarantee that the FS are accurate.
Managers are subject to two forces that might lead to misstating the FS for their own benefit:
- Incentives, which refers to motivational forces, e.g. bonuses.
There are two situations where incentives and information asymmetry combine to create
potentially dysfunctional trust. Namely;
o Adverse selection: when a buyer of products/services cannot distinguish between
good and bad alternatives.
o Moral hazard: refers in FR to situation where owners do not have enough reliable
and trustworthy information to evaluate whether management is doing a good job or
not.
These inappropriate behaviors are referred to as shrinking. The cost of this
behavior are agency costs. Accurate and trustworthy info could reduce these
costs.
- Ethical principles, which influence the willingness of individuals to take part in inappropriate
activities that can arise as a result of information asymmetry. [See p. 10 for philosophical
perspectives]
Assurance services Independent professional services that improve the quality of information,
or its context, for decision makers.
International An assurance engagement in which a practitioner aims to obtain sufficient
Framework on appropriate evidence in order to express a conclusion designed to enhance
Assurance the degree of confidence of the intended users other than the responsible
Engagements party about the outcome of the measurement or evaluation of an underlying
subject matter against criteria.
,International Standards make the distinction between,
1. Direct reporting engagement; the practitioner measures and evaluates information directly.
2. An attest engagement; the process of providing assurance about the reliability of specific
information provided by one part to another. An attester is simply adding his/her opinion
about the reliability of the information and a written assertion made by accountable party.
Accounting The process by which information about activity or enterprise is
identified, recorded, classified, aggregated, and reported.
Financial accounting The specific process of identifying, recording, classifying, aggregating
and reporting the info that is required for external purposes that has
historically been called GAAP.
Auditing The process of providing assurance about the reliability of the info
contained in a FR prepared by management in accordance with GAAP.
Assurance Pursuant to an accountability relationship between two or more parties, a
engagement written communication is issued expressing a conclusion concerning a
subject matter for which the accountable party is responsible.
An auditor should only undertake an assurance engagement when three conditions are met:
1. He/she has adequate knowledge of the context in which assurance is to be given
2. The subject matter of the assurance can be examined with an objective evaluation process
3. The assurance provider must be independent and objective in regards to the info and its
context.
Examples: environmental audit, software audit, royalty audits etc.
In an attest engagement, a public accountant is engaged to issue a written communication that express
a conclusion about the reliability of a written assertion mad by one party o another. To offer such
services, the accountant meets four basic conditions:
1. There must be an assertion being made by one party, the accuracy of which is of interest to
another party. This assertion may be quantitative or qualitive in nature.
2. There must exist agree-upon and objective criteria that can be utilized to assess the accuracy
of the assertion.
3. The assertion must be amenable to verification by an independent party.
4. The accountant should prepare a written conclusion about the accuracy of the assertions.
,Chapter 2 Managing Risk
An auditor overall objective is to determine if the FS is in line with the GAAP principles. To come to
this conclusion, the auditor must obtain evidence to support the conclusion that FS is reported
appropriately. An audit has four broad objectives according to GAAP:
1. To ensure that FS are presented in accordance with GAAP.
2. To deter and detect material fraudulent FR carried out by an organization’s management.
3. To evaluate the likelihood that the organization will continue as a going concern.
4. To report the conclusion from those evaluation to interested stakeholders.
For integrated audit, the four objective above, plus:
5. Evaluate and report to stakeholders about the effectiveness of the IC over the process by
which FR are generated (only for trading of securities in the U.S)
Risk A threat to an organization that reduces the likelihood that the organization will
achieve one or more of its objectives.
Information The risk that information used in decision making is inaccurate or insufficient.
risk (mostly relevant to an auditor)
ERM Formal process designed to identify potential events that may affect the entity, to
manage risks to be within its risks appetite, and to improve reasonable assurance
regarding the achievement of entity objectives.
Effective risk under the ERM principle recognizes that:
- Risks affect organization in various ways
- Risks are interrelated
- Risk can only be managed though intervention by management or other stakeholders.
The COSO view of ERM:
1. Risk management can be applied on different levels: entity, division, unit, or subsidiary.
2. The sources of the risks are: strategic, operations, reporting and compliance with laws and
regulations.
3. The components of the ERM approach are:
a. Internal environment: the firm’s general philosophy and approach to RM.
b. Objective setting: the set of firm’s objectives to be supported through RM.
c. Event identification: The circumstances and events that represent potential risk that
are relevant to the firm’s objectives
d. Risk assessment: The identification and evaluation of potential risk that emanate
from the identified events.
e. Risk response: the firm’s basis plan for avoiding, accepting, reducing, or sharing
risks.
f. Control activities: Specific activities undertaken by an organization to reduce the
likelihood or significance of risk.
g. Information and communication; determine the effectiveness of RM.
h. Monitoring: continuous evaluation of RM to assure the effectiveness over time.
Compliance and regulatory reporting risk are to the interest of the auditor, e.g. CSR is an example.
However, auditors are most interested in the risk management activities that directly impact the FS,
e.g. ICOFR.
, ICOFR Subset of controls that help ensure accurate and reliable processing, sorting and
reporting of info relating to transaction, account and FS aggregations.
Internal control Integrated framework focuses on the five components of IC over FR that are a subset
of the eight components of the ERM framework, namely control environment, risk assessment,
control activities, information and communication, and monitoring. [p. 37]
The hierarchy for controlling risk, may ICOFR embedded in different levels:
1. First level, control environment. The CE is the necessary condition for effective IC over FR
in the long term, which reflects the managements’ attitude.
2. Second level, internal business processes. These controls encompass the activities designed
to assure that transactions occurring in a business process are properly recorded, classified,
and maintained.
What can we do with risk?
- Risk assessment: identification, measurement, prioritization
- Risk management: accept, avoid, share, or reduce
- Risk monitoring: process level, activity level, or entity level
External audit is valuable because it is designed to provide an objective check on the reliability and
fairness of financial information. [Table 2.1 p. 41 gives the relationship between the risk management
and audit] Remember: risk management process is iterative and continuous!
GAAS audit Obtain reasonable assurance about whether the FS as a whole are free from
material misstatement, whether due to fraud or error, thereby enabling the auditor
to express an opinion on whether the FS are prepared, in material respects, in
accordance with an applicable FR framework.
Integrated Two phases, a) examination of the effectiveness of ICOFR, and b) examination of
audit the FS (i.e. the same as GAAP audit)
Quality control standard require that firms have procedures in place to monitor and maintain
independence, manage professional personnel, review client relationship, and support and monitor
engagement quality.
