Auditing Theory
Week 1:
An audit is a systematic process of objectively obtaining and evaluating evidence regarding
assertions (controledoelstellingen – completeness and existence of occurrence for example)
about economic actions and events to consider the degree of correspondence between these
assertions and established criteria, and communicating the results to interested users.
The degree of correspondence means that you don’t give 100% assurance, but you give enough
assurance to make sure that the company is doing good work.
The criteria are for example that you have to follow IFRS.
The interested users are the stakeholders.
The function of auditing is to lend credibility (reasonable assurance) to the (financial) statements.
Audits could also apply to operations or compliance. The assurance an accountant gives is around
95%. There is a mistake in an assurance report when the mistake is higher than 1%, but its mostly
between 1% - 5%.
Assurance framework:
- Three parties: the auditor, the auditee, and the public.
- Assurance object: for example financial statements (jaarrekening).
- Suitable criteria.
- Sufficient appropriate evidence.
- Written assurance report: because words can be twisted and a written report is certain and
easier to understand. The opinion of the auditor must be written in the conclusion.
Different theories describe the demand for the audit function:
- Agency theory (information asymmetry): the agency theory explores the relationship
between principals (owners) and agents (managers or employees) in a business. It focuses
on the potential conflicts that arise when agents, hired to act on behalf of principals, pursue
their own interests rather than aligning fully with the goals of the principals. To mitigate
this, principals may implement incentives, monitoring mechanisms, or contracts to ensure
agents act in the best interest of the business.
- Theory of inspired confidence (Limperg): this theory explains the role and responsibility
of auditors. According to Limperg, the public relies on auditors to provide confidence in
financial statements. The theory asserts that auditors must live up to expectations of users
(such as shareholders) by providing an honest and reliable opinion on the company’s
financial condition. If the auditor fails to meet these expectations, public confidence in the
financial reporting process may be damaged. The theory emphasizes the balance between
public trust and the auditor’s professional responsibility.
- Policeman theory (fraud): we can’t give 100% assurance, so we don’t really know if
someone has performed fraud. You want to see it as an auditor, but you can’t see
everything as an auditor. The theory suggests that auditors are primarily responsible for
detecting and preventing fraud within a company, acting like a “policeman” to ensure no
illegal activities occur. This theory places the burden of identifying fraud directly on
auditors. However, this view has been largely criticized and replaced by modern auditing
standards, which emphasize that the auditor’s role is to assess the accuracy of financial
statements, not specifically to uncover fraud, though they should remain alert to any
potential signs of it.
- Insurance theory: this theory suggests that auditors serve as a form of insurance for
stakeholders by providing assurance that financial statements are accurate and reliable. If
auditors fail in their duties and material misstatements are later discovered, stakeholders,
such as investors or creditors, may seek legal recourse against the auditors, treating them
as though they were “insured” against losses resulting from inaccurate financial reporting.
This theory reflects the idea that auditors bear some responsibility for protecting
stakeholders from financial harm caused by errors or fraud.
Laws and legislation (ISAs) = all laws and regulations are more and more the same between
countries.
Wta -> NBA -> NV COS = Dutch GAAS = ISA.
1
, - IAASB: Internation Auditing and Assurance Standards Board. It is the standard setter of
ISAs, ISAEs and other standards. It is supported by IFAC.
- International Standards on Auditing: international standards ensure the same audit
globally. Harmonization of standards for auditing financial statements.
The following scope of services addressed by the IAASB are known:
Assurance engagements = assurance is given when performing these engagements. These exist
of:
- Audit and review of historical financial information: these can be financial statements or
other financial reports.
- Other assurance engagements: this are assurance engagements that differ from audit or
review engagements or historical financial information. Examples include sustainability
reports, emissions reports, reviews of prospectuses, direct attestation, engagements of
service organizations etc…
2 types of assurance can be given when performing these engagements:
- Audit engagements with 95% assurance. This provides a reasonable level of assurance. It is
phrased positively, for example it often states: “Based on our work, we conclude that it
provides a true and fair view of reality and complies with all laws and regulations”.
- Review engagements with approximately between 60% and 70% assurance. These provide
limited level of assurance. It is phrased negatively, for example it often states: “Nothing has
come to our attention that suggests the client does not comply with…”. In this type of
engagement, less work is required than in an audit engagement.
Non-assurance engagements no assurance is given when performing these engagements. These
exist of:
- Agreed-upon procedures: here, no assurance is given. These include compilation
engagements or a report of factual findings. Such a report can only be given to the client,
as others might derive assurance from it, which is not the intention.
- Other engagements: for example giving advice on a certain topic. This is only advice and
can’t come out to the public. Often advisory engagements, where no assurance is provided.
There are high expectations from the society that (could) lead to expectation gaps. There could be
a broader scope than historical financial information. The public has unreasonable expectations of
what an auditor can do, for example the public expects the auditor to find frauds. Sometimes the
standards are also not clear for auditors.
Risk assessment:
The organization for which the auditor controls, has a business process. Such a business process
leads to registration of transactions. At the end of the year the financial statements need to be
made up (balance sheet + income statement).
2
, While doing your business process, you have to cope with inherent risk + business risk. This all
leads to (financial) reporting risks, which all leads to accounts assertions -> control risk. It is the
responsibility of the auditor to have enough controls and to perform enough control activities to
reduce the control risk. After that, as an auditor, you look at the detection risk. After that you have
an remaining audit risk, which is the 1% - 5% possibility we spoke about earlier -> materiality.
Audit risk model:
Audit risk = the risk that you issue an incorrect opinion, also known as engagement risk. These
are errors undetected by the auditor. The formula for audit risk is:
Audit risk (AR) = Inherent risk (IR) * Internal control risk (ICR) * Detection risk (DR).
- Inherent risk (IR) = also known as business risk. Errors likely to occur in client’s financial
statements. This risk is always present, and no one has control over it. For example, Shell
has many oil platforms that they will eventually have to dismantle in the future because
there will be no more oil in that area. They must already account for certain costs on the
balance sheet now for expenses they will incur in the future.
Another example is with Ahold. Albert Heijn has a large amount of inventory. An inherent
risk with this inventory is that it could expire, which would make the inventory valuation
incorrect. It's an inherent risk because Ahold has little control over it. Its prescribed in the
ISA315.
- Internal control risk (ICR) = this relates to internal controls (interne beheersing). It
consists of errors that bypass controls and errors not detected by controls. The client has
influence over this, but you as an auditor do not. Control risk refers to how the client
addresses inherent risk. Has the client implemented safeguards in the process to prevent
the risk from materializing?
An example at Ahold is that they perform periodic inventory checks to assess the condition
of the stock. Additionally, the client could use FIFO (First In, First Out) to prevent old
products from remaining on the shelves.
Good internal controls lead to a low control risk, while poor internal controls result in a high
control risk. This directly impacts audit risk, because if the control risk is high, the audit risk
is also high.
- Detection risk (DR) = this relates to substantive procedures. Errors caught by the auditor.
Here, the auditor does have influence. You first assess the inherent risk and control risk,
which ultimately determines how much substantive work you will need to do, and therefore,
how low you can set the detection risk.
If the inherent risk and control risk are high, your detection risk must be very low to prevent
issuing an incorrect opinion. You achieve this by performing more substantive procedures as
an auditor.
You document this per financial statement item in your working papers. This will help you determine
the necessary substantive procedures to be performed.
For the control risk and detection risk, control testing and substantive procedures are necessary to
determine them. If these controls are not very good, you have to do extra tests and a lot of
substantive procedures.
Substantive procedures (and control testing) = we look at the design, the existence, and the
operation.
- Design: you talk to the client, and during the conversation, you learn that they have an
authorization process for sales invoices. So, you understand the design of the control.
- Existence: next, you want to confirm that this design is actually in place, meaning you want
to document its existence.
3
