This chapter discusses important background elements of auditing.
Millions of individuals have had their financial futures negatively affected by corporate fraud and other malfeasance in the last 30 years. The management of a corporation bears the responsibility for creating the financial statements that many stockholders and creditors use to ascertain whether a firm should receive their investments or loanable funds. Regrettably, recent financial scandals have raised questions regarding whether corporations can be trusted to produce accurate financial statements, that is, financial statements that reflect the actual success of the firm in generating revenue. Auditors and audit firms have, since the early 1930s in the United States at least, served the function of investigators of the compliance of corporate management-prepared financial statements with financial accounting standards. Financial accounting standards are the rules adopted within each nation to spell out how corporate transactions are to be analyzed and recorded. Based on their investigation, auditors produce an opinion as to whether the recording of economic events or transactions that impact the financial statements adequately reflects the underlying economic reality facing the firm in compliance with the applicable reporting framework.
The importance of accurate auditing has been highlighted by recent events in the United States and abroad. In the United States, the WorldCom, Xerox, HealthSouth, Bristol Myers, Citibank, Kmart and NextCard, and Enron scandals in the recent past (and prior to that, Lincoln Savings and Loan, Penn Square, Sunbeam, Regina, ZZZZ Best, Crazy Eddie, Waste Management, Cendant, Livent, and Mattel) led to important changes in the auditing environment. Europe, too, had its equivalents of the Enron scandal, such as the frauds at Ahold, Parmalat, and Comroad; in Japan, it was the bank Resona; in Australia, it was the insurance company HIH. The failure of these companies and the inability of the auditors to recognize fraud and notify the public in their audit reports were the prime motivating forces that resulted in the significant regulatory changes we see today.
In the United States, for example, the key change in regulation is the Sarbanes-Oxley Act (SOX) of 2002. In Europe, the equivalent to SOX is the European Council Commission Directive 84/253/EEC (EU Eighth Company Law Directive), also referred to as the European Commission’s (EC) Eighth Directive on statutory audits, effective from 2006. Similar regulatory action was taken in Russia, Japan, China, and other countries. Scandal was not the only reason for changes in the auditing environment. The exponential growth of investing and raising capital in the global markets has also contributed to the changes in both the auditing environment and international accounting. The changes in the auditing environment affected three aspects of the auditing profession: the nature of the regulation of auditing practice, the nature of the standards that auditors must use in performing the audit, and the ethics of the profession. In this book, we focus on the two main sets of standards that govern audits in most of the globe. These are the PCAOB standards that govern public company audits in the United States and the International Standards for Auditing (ISA) set by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC). The three aspects of auditing previously mentioned are impacted by the standards set by the PCAOB and IAASB. We also discuss and describe the role of the American Institute of Certified Public Accountants (AICPA) of the United States in setting private company auditing standards. We believe this is important in helping to understand the complexity of the auditing environment given the importance of appreciating the demands of a changing business environment.
With respect to the international environment, two important sets of standards have emerged; one is in accounting and the other in auditing. These are the international accounting standards, known as the International Financial Reporting Standards (IFRS), developed by the International Accounting Standards Committee (IASC) and the auditing standards, known as ISA, developed by the IAASB. Many global multinational corporations that are headquartered outside the United States prepare their financial statements in accordance with international accounting standards and have them audited in accordance with international auditing standards. Auditing is a process of checking or evaluating whether the financial statements, for example, are prepared in accordance with a given set of criteria. For financial statements prepared in accordance with IFRS, therefore, an auditor checks whether IFRS was correctly applied to financial transactions accurately collected and summarized in the company’s financial statements. Just as financial data collection and financial statement preparation need to follow the rules of IFRS, the auditor must follow rules for auditing.
International standards on auditing (a major focus of this book) are promulgated by the IAASB. It follows a due process procedure in which research or other information suggestive of the need for new standards or for redrafting of old standards is analyzed. Once it has been decided that a new standard or revision of an old standard is required, then drafts of the proposed auditing standard are made available for public comment and discussion. Only after comments with respect to proposed standards are received and digested are final versions of the standards issued by the IAASB.
The first core set of international standards on auditing was completed and released in 1994. This has subsequently been regarded as work in progress and is being constantly refined and enhanced. Although various national adaptations of the ISA exist because nations adapt the ISA to mesh better with local laws and customs, we focus only on the standards as promulgated by the IAASB.
The purpose of this book is to focus purely on the changes in international auditing standards and the way these changes impinge on U.S. auditors in the performance of their auditing duties in the international arena. Internationally, the IAASB is the main auditing standards setting body. As such, it is equivalent to the AICPA’s ASB in the United States with respect to private company auditors or the PCAOB with respect to public company auditors. All three standards setting bodies use the due process procedure outlined above, although the PCAOB also must have the U.S. Securities and Exchange Commission approve the standards it adopts before they can have the force of law. Although all three auditing standard setting bodies work to set standards for the audits of financial statements and internal controls in their respective jurisdictions, they work independently of the financial accounting standards setting bodies.
In this book, we examine these key international auditing standards in detail and compare and contrast the requirements of IAASB standards with, predominantly, the PCAOB standards as well as the AICPA’s ASB standards where they are of particular interest. However, the convergence of the AICPA and IAASB standards has largely removed the need to compare AICPA and IAASB standards. These comparisons should provide U.S. auditors and managers of U.S. businesses with the skills needed to comprehend the differing requirements of auditing standards set by these different bodies. Accounting students will benefit from having a resource for understanding the differences between the standards, both as they move through the accounting curriculum and as they enter their professional careers. Researchers, of course, may be interested in having comparisons of audit practice in the United States versus other parts of the world available. Having a clear, concise guide to key differences between, predominantly, PCAOB and IAASB standards should ease the difficulties in making the comparison.
The research for this book was primarily obtained from three sources. First, we analyzed the relevant PCAOB standards and equivalent ISA and studied convergences and divergences with special emphasis on the divergences. Second, we obtained complementary information where possible from an AICPA website entitled “Substantive differences between the international standards on auditing and generally accepted auditing standards” (www.aicpa.org/FRS). Finally, to a lesser extent but equally important, we found useful information in a research project conducted by the Maastricht accounting, auditing, and information management research center entitled (EU project No Markt/2007/15/F lot 2) “Evaluation of the differences between international standards on auditing (ISA) and the standards of the US Public Company Accounting Oversight Board (PCAOB)” which was published five years ago. Discussions that are still relevant were assessed against our findings where possible and included in our discussions.
The history of auditing can be traced back to ancient China and Egypt going back to circa 3000 BC. The treatment of auditors was quite harsh in both countries because the auditors, in fact, served the Chinese emperors and the Egyptian pharaohs. It is reported that, in ancient Egypt, the Pharaoh used auditors to provide checks against fraud. For example, an auditor counted goods prior to their being stored. Another auditor then counted the goods stored. The Pharaoh’s supervisor was responsible for reconciling the two counts. If a material difference existed that could not be explained, both auditors were sacrificed to the gods as punishment.
The practice of modern day auditing, however, began when corporations started being set up after the industrial revolution. The divergence between owning the corporation and managing it had the potential to cause major problems for the owners should the managers take advantage of the owners’ lack of knowledge of the business’s actual operations. Thus, there was an intensified need for auditors to verify for the owners the management’s claims with regard to business progress. The profession realized that there was a need for auditing to have some standardized elements in order to better ensure that it was being done well. The first steps at providing such guidance to auditors were initiated in Scotland in 1853 with the formation of the Society of Accountants in Edinburgh. Initially, similar competing regulatory bodies cropped up all over the United Kingdom. However, it was realized that the only way these competing bodies could be effective was if they worked in conjunction with each other. These competing bodies subsequently consolidated in 1880 to form the Institute of Chartered Accountants of England and Wales (ICAEW). The advantage of having a single body to provide guidance to and regulation of auditors was recognized and resulted in the formation of similar bodies by other countries in the Western world.
Internationally, the spur to the growth and development of audit standards arose as a result of several well publicized fraud cases where it was felt that the auditors, in their role as watchdogs, had not performed their tasks adequately. The British Companies Acts, passed in the latter half of the 19th century, attempted to set standards and provide guidelines to auditors. In the United States, the first auditing standards were issued in 1917. The first major development in international accounting and auditing was the formation of the IFAC on October 7, 1977, in Munich, Germany, at the 11th World Congress of Accountants Conference. Specifically, IFAC was established to strengthen the worldwide accounting profession in the public interest by:
(For further information, please visit the IFAC website at IFAC.org.)
The formation of the IFAC was the first major attempt at global international standards. The IFAC is currently a global organization that works with 155 member accounting boards in 118 countries. As of January 2014, the IFAC claims that 126 nations around the world have adopted IAASB standards to some degree (IAASB, 2014). The IFAC’s objective in creating these standards is to protect the public interest by encouraging high quality practices among the world’s accountants.
The ISA have come a long way since the start of their development in 1994. They started as guidelines under the harmonization process of IFAC and its member bodies, one of which is the AICPA. The IFAC itself has been charged with the responsibility to enhance and expand the worldwide use of auditing standards with the objective of improving the quality and uniformity of international practice (Roussey 1999). The IFAC’s responsibilities include:
The importance of international auditing standards at the present moment cannot be overstated. Roussey notes that there has been growing acceptance of ISA by:
A significant number of countries around the world have taken substantial steps to harmonize their auditing standards with the ISA. Among these countries are the Netherlands, the United Kingdom, the European Commission through the Fédération des Experts Comptables Européens, as well as Canada and South Africa. Some nations adopt the ISA word-for-word; others adapt the ISA to their own preferences based on local considerations.
In the United States, there are two sets of auditing standards, as already noted. The AICPA’s auditing standards are used in audits of companies whose stocks are not traded above a certain market capitalization level on any U.S. stock exchange or are not traded at all on any stock exchange. (Market capitalization refers to an estimation of the value of a business that is obtained by multiplying the number of shares issued by the current price of a share.) AICPA auditing standards, like those of the IAASB, are often considered to encourage greater reliance on the auditor’s professional judgment and skepticism than do the PCAOB standards. We also note that one of the big differences between accounting standards in the United States versus the international arena is the idea of rules-based versus principles-based standards. Rules-based accounting is basically a list of detailed rules that must be followed when preparing financial statements. Many accountants favor the prospect of using rules-based standards because, in the absence of rules, they could be brought to court if their judgments of the financial statements are incorrect. When there are strict rules that need to be followed, the possibility of lawsuits is diminished. Having a set of rules can also increase accuracy and reduce the ambiguity that can trigger aggressive reporting decisions by management. Principles-based accounting is a simple set of key objectives to ensure good reporting. The fundamental premise is that its broad guidelines can be practical for a variety of circumstances. However, lack of guidelines may result in unreliable and inconsistent information.
Both the IAASB and the AICPA have moved towards the harmonization of their respective sets of standards. For example, the AICPA’s ASB has established a number of action plans to implement key initiatives as set forth in its report Horizons for the Auditing Standards Board. These include establishing a standing subcommittee of the ASB on international auditing standards, promoting opportunities for joint projects, and initiating an effort for reporting on the credibility of information. Importantly, IFAC states that the AICPA’s ASB has chosen to use the IAASB’s ISA as the basis for its own standards with the aim of having minimal if any differences between AICPA Statements on Auditing Standards (SASs) and the requirements of the IAASB’s ISA. We note that there is now convergence, as noted by the IAASB in its publication, Implementation of the Clarified International Standards on Auditing (IAASB 2014).
The PCAOB came into existence with the passage of the SOX of 2002 by the Congress of the United States. It was set up with the responsibility of setting auditing standards—subject to SEC review—for publicly owned companies. PCAOB audits are required to cover both a company’s internal controls over financial reporting and its financial statements. While all auditing standards claim to rely on auditor professional judgment, the PCAOB standards impose more detailed guidelines with respect to how audits of financial statements are supposed to be undertaken. Unlike the AICPA’s ASB, the PCAOB does not overtly seek to harmonize its standards with those of the IAASB.
The first standard issued by the PCAOB was the so-called Auditing Standard (AS) 1. This auditing standard adopted all then existing AICPA ASB standards as its own. These AICPA ASB standards, which were then dubbed “interim standards” for public company audits, retain the status of standards public company auditors should follow until the PCAOB replaces them with its own standards. We will frequently refer to these interim standards as standards “under the aegis of the PCAOB,” or use similar wording. Since the effective date of the PCAOB’s AS 1, April 16, 2003, the PCAOB has adopted an additional 17 standards, gradually replacing many, but not all, of the original interim standards. Most recently, in 2014, the PCAOB issued AS 18 dealing with related parties and significant unusual transactions. Since April 16, 2003, the AICPA has remained as the setter of auditing standards for privately owned companies in the United States. It has revised many of its earlier standards and engaged in a rewrite of these standards and has clarified their presentation. We refer to these standards occasionally but only to highlight more important points regarding the PCAOB standards and the ISA that are the focus of this book. However, please also note that the PCAOB is currently proposing a framework for reorganizing the existing interim (AU) and PCAOB issued standards (AS) into a single integrated numbering system based on subject matter. Hence, the numbers we cite may not be the final numbers and may be revised depending on the final decision (PCAOB release 2013-13 of March 26, 2013).
In the next section, we discuss what auditing is, the objectives of an audit, and the key components of auditing from the perspective of international standards on auditing. The different types of audit and auditors, the principles governing an audit, the limitations of an audit, and the risks faced by auditors are then examined. The generally accepted model of an audit is reviewed. Thus this section provides a broad description of what an audit is, the different types of audits, the requirements for becoming a certified or chartered accountant, and an overview of the auditing process to help you understand the more detailed information in the chapters that follow. In other words, it provides you with a framework for understanding the rest of the book. In presenting this framework for understanding auditing, we refer heavily to the ISA to more simply illustrate the interplay between auditing standards and what an auditor does than would be achievable by reference to both the ISA and the PCAOB standards. However, later in the book, we also compare PCAOB standards with ISA.
Interestingly, there is no actual definition of what constitutes an audit in the ISA. The closest we come as authors to finding a definition of standards is in ISA 200. ISA 200 states that an auditor should conduct an audit sufficiently to enable him/her to express an opinion whether the financial statements present a true and fair view or present fairly, in all material respects, the financial health of a company in accordance with an identified financial reporting framework. Hayes et al. (2005) point out that while the great majority of audit work today is financial auditing, that is, checking the fundamental accuracy of a firm’s financial statements, operational auditing and compliance auditing are also very important. However, this definition does not cover these important types of auditing. Operational auditing involves examining the operational efficiency and effectiveness of an organization, while compliance auditing involves examining a firm’s compliance with other, nonfinancial rules, regulations, and laws. These two forms of audit, though, are not of concern here.
If we go back a century, Dicksee (1900), in Auditing: A Practical Manual for Auditors, states that the objective of an audit is threefold, namely:
The detection of fraud, according to Dicksee, was the most important part of the auditor’s duties. As Hayes et al. note, however, gradually the auditor’s duties began to change, with fraud detection becoming less and less of a priority. What was the reason for this development away from fraud? Several reasons have been given for this phenomenon, but the most important reasons according to Hayes et al. are:
By the late 1950s, fraud detection became merely a responsibility and not a primary objective of auditing. Commencing in the late 1970s and continuing through the 1980s, however, the public, which was dissatisfied with this interpretation, imposed pressure on the auditing profession to take a more aggressive stance towards fraud detection. This resulted in the appointment of several commissions including the Cohen Commission (1978), the Treadway Commission (1987), and the Dingell Committee (1987) in the United States. Similar pressure internationally resulted in the Davison and Benson Committees in the United Kingdom. In the United States, due to the pressures imposed by the findings of the committees referred to earlier, the ASB implemented the Statement on Auditing Standards (SAS) No. 99 Consideration of Fraud in a Financial Statement Audit effective from October 2002. It is now under the aegis of the PCAOB, AU 316 under the same name, Consideration of fraud in a financial statement audit. Under AU 316 auditors have to implement very extensive procedures to detect fraud. AU 316 describes a process in which the auditor (1) has to gather information needed to identify risks of material misstatement as a result of fraud, (2) assesses these risks after taking into account evaluation of the entity’s programs and controls, and (3) has to respond to the results. Under SAS 99 auditors will have to gather and consider much more information to assess fraud risks than in the past.
The current position of the IAASB with respect to fraud detection is described in ISA 240. According to the ISA 240, fraud is defined as “sophisticated and carefully organized schemes designed to conceal acts such as forgery, deliberate failure to record transactions and intentional misrepresentations being made to the auditor.” The responsibility for the prevention and detection of fraud and error rests primarily with management and those charged with governance under ISA 240. The PCAOB has now taken the requirements of SAS 99 under its aegis, and it is now the PCAOB’s AU 316 entitled Consideration of fraud in a financial statement audit.
An audit, as discussed in ISA 200, is an independent and expert examination involving evaluation of evidence in order to ascertain whether the financial statements present a true and fair view of the underlying economic reality of the client firm. It is, in effect, a systematic approach that employs a structured, well documented plan for analyzing accounting records, using a variety of methodologies to acquire relevant evidence, to find out the relationship between the financial statements and the underlying economic reality of the firm. An audit is expected to be conducted without prejudice or bias. A term commonly used is that it must be conducted objectively, meaning that auditors are required to be impartial when evaluating evidence. The auditor is expected to collect sufficient evidence to determine whether the financial statements present a true and fair view of the underlying economic reality of the firm and evaluate that evidence without bias (referred to as reliability). The auditor has to ensure sufficiency and reliability by critically evaluating the internal controls to determine what type of tests should be done (referred to as nature of testing), the level of tests (extent), and when each test should be conducted (timing).
Auditors are also required to evaluate what is referred to as assertions of management. Assertions are assumptions about economic actions and events made by management. These assertions, either explicitly or implicitly, are embodied in the financial statements. An example of an assertion is that all assets reported on the balance sheet actually exist and are not fictitious. Furthermore, the company actually owns these assets, and they do not belong to anybody else. The assumption that assets on the balance sheet are real is referred to as the existence assertion. The assumption that the assets reported in the balance sheet are actually owned by the company and do not belong to anybody else is referred to as the rights and obligations assertion. The auditor is required to examine these assertions. The auditor is required to test these assertions by inquiring and physically observing (on a test or sampling basis) whether the assets exist and checking documentation to ensure that a transaction has occurred and physical ownership exists. By testing or sampling basis, we mean that not every transaction is checked to see if it occurred, but rather a sufficient number of, preferably randomly selected, transactions are checked. Based on this testing basis, the auditor is allowed to draw a reasonable conclusion about the account balances affected by that kind of transaction. In the case of assets such as accounts receivable, the auditor has to send confirmation of balances notices to customers (debtors) of the entity being audited. The customers are asked to respond with respect to the correctness of the balance shown on the balance notice. The auditor’s comparison of these two numbers (the number on the client’s books and the number that the client provides to the auditor) is referred to as ascertaining the degree of correspondence between assertions and criteria.
The auditor also has to check whether, in reporting the assets (and liabilities), local standards, regulations, and laws are observed.
The ultimate goal of an audit is to communicate the results to parties referred to as interested users. The auditor has to express an informed opinion in a written report. The communication of the auditor’s opinion is called attestation. In layman’s terms, it is referred to as the auditor’s report. The auditors must state whether they believe that the financial statements give a true and fair view or present fairly in all material respects the financial position of the company. If, as in PCAOB audits, the auditor is giving an opinion on the effectiveness of the client’s internal control over financial reporting, the auditor will state whether or not material weaknesses exist in the internal control system. Please note that the auditor is not providing an opinion about the internal control system that includes all controls. The auditor is focused on the key internal controls specific to financial reporting. The auditor’s report may lend credibility to the financial statements if the auditor states he/she believes the statements present a true and fair view. On the other hand, if the auditor has sufficient reason to doubt that is true, the credibility of the financial statement is reduced.
In this book, we almost solely focus on financial statement audits. There are, though, several types of audits. We describe each of these in the following paragraphs.
The purpose of financial statement audits is to examine the financial statements of companies to ensure that they present a true and fair view. The auditor also determines whether the accounts are in conformity with GAAP if the audit is conducted in the United States and IFRS if the audit is conducted in Europe and other Western countries. ISA and the PCAOB auditing standards were developed to guide auditors in the conduct of financial statement audits, including audit effort related to the client firm’s internal controls over financial reporting. In some respects, ISA audits of financial statements are similar to U.S. audits of financial statements. There is, however, a major difference related to internal controls. As discussed in a later chapter, the PCAOB requires an audit of internal controls. The objective is to express an opinion as to whether a company’s internal controls over financial reporting are effective. If the report indicates weaknesses, then the audit of the financial statements has to take this into account with respect to substantive testing, and so on. There is no equivalent for ISA; in general, that means there is no requirement for an auditor to render an opinion on the client’s internal controls. However, the ISAs do specify some auditor responsibilities related to internal control over financial reporting. This is a major difference and will be discussed in a later chapter.
The purpose of an operational audit is to study one specific operation or subdivision of a company and to make a report on the performance of the operation or subdivision that was audited. The operation under study can be any aspect of the client company, including, but not limited to, marketing management, production methods, and information technology (IT). In particular, the auditor is expected to examine the objectives of the company and then evaluate how effective the relevant procedures are in helping attain those objectives. The auditor is expected to critically audit the procedures in place in terms of efficiency and effectiveness to carry out relevant operations under study. The audit report generally comprises recommendations to management on areas of improvement with respect to the operations that were studied.
The purpose of a compliance audit is to study whether the company under audit has adopted the rules and procedures set out by top management. The purpose of a compliance audit is to critically examine if the company is complying with the procedures it is expected to follow based on the prevalent laws. In general, compliance audits are conducted by government auditors and internal auditors. The audit report comprises comments on deficiencies in compliance procedures and is sent to the manager of the division being audited.
Operational and compliance audits are internal reports. To the best of our knowledge they are not provided to investors in any way under either PCAOB or ISA rules.
There are two basic types of auditors: internal auditors and independent external auditors, whose work is our focus.
The purpose of internal auditors is to investigate the effectiveness of the operations of the company and report to company management. The paramount responsibility of an internal auditor is the critical review of the efficiency of internal controls. The main tasks of internal auditors are operational audits, financial audits, and compliance audits. It is generally accepted that the external auditor should, as part of their duties, review the work of the internal auditor, especially in those areas where a perceived lack of adequate control could, potentially, jeopardize the quality of financial information generated by the company’s accounting systems.
The internal auditor can hopefully act as if they are independent of the board of directors and the heads of departments for whom they conduct the audit. The majority of internal auditors of public companies report to the audit committee or, alternatively, to the Chief Financial Officer (CFO). However, this is easier said than done; it is accepted that total independence is not possible because, in effect, the internal auditors are employees of the company and do work for the company. One advantage (among others) of having internal auditors is that they could provide direct assistance to the external auditor during the course of the audit. It is required that external auditors assess the competence of internal auditors by reviewing their educational backgrounds and experience. External auditors are also required to assess the potential objectivity of the internal auditor. For example, if the status of the internal auditor on the organizational chart is relatively low, then their objectivity could be questioned because they might not be able to protect themselves from the managers their reports criticize.
The primary function of the external auditor is to perform an effective and independent audit and provide what in technical terms is referred to as an attest function. We are solely interested here in the work of the external auditors. The attest function requires that the external auditor deliver an opinion as to whether the company’s financial statements and management assertions provide, in the United Kingdom for example, what is called a true and fair view of the state of the company’s affairs. In the United States, the opinion states whether the financial statements present fairly the company’s financial affairs. Depending on the country, independent auditors are certified by a professional organization or by a government agency.
The background discussed in the preceding paragraphs regarding internal versus external auditors applies to the United States and internationally.
The final result of an audit is the expression of an opinion. Internationally, this is governed by the company laws of each country. In most cases, the law of each country applies to the country as a whole. However, in the United States and Canada, individual states and provinces, respectively, have authority over regulating the attest function.
In the international arena, auditors are expected to follow ISA 200, which emphasizes that auditors conform to the Code of Ethics for Professional Accountants issued by IFAC. The ethical principles, as in the United States, relate to the auditor’s independence, integrity, objectivity, professional competence, due care, confidentiality, professional behavior, and technical standards. What are the standards or guiding characteristics in the United States? In the United States, the auditor is expected to conduct the audit in accordance with the auditing standards promulgated by the PCAOB for publicly owned companies and the AICPA’s ASB for privately owned companies. Internationally, ISA 200 requires that the auditor conduct the audit in accordance with the ISA. The ASB standards and the ISA have strong similarities. In both cases, the auditor is required to plan and perform the audit with an attitude of professional skepticism. Professional skepticism implies that the auditor should not take the honesty of the client for granted; rather, the auditor should recognize that under certain circumstances, the financial statements could be materially misstated. (Professional skepticism is defined in the PCAOB’s AU 230, Due professional care in the performance of work, as an attitude that includes a questioning mind and a critical assessment of audit evidence. The ISA defines professional skepticism as an essential attitude that enhances the auditor’s ability to identify and respond to conditions that may indicate possible misstatement. So essentially, in both definitions, the key tenet is the adoption of an attitude enabling critical assessment of evidence. Hence, there is little difference in this respect.)
Both the ASB standards and the ISA give a lot of leeway to the auditor’s professional judgment. The PCAOB standards, however, are more likely to require check-the-box types of procedures. That is, the PCAOB provides less leeway for individual auditor professional judgment than do the ASB standards or the ISA. Just as with the ASB standards and the ISA, however, the PCAOB standards also require that the auditor plan and perform the audit with an attitude of professional skepticism.
As Hayes et al. (2005) note, there are certain inherent limitations in an audit that affect the auditor’s ability to detect material misstatements. These limitations result from such factors as the use of testing or sampling, the inherent limitations of any accounting and internal control system, and the fact that most evidence is persuasive rather than conclusive. Furthermore, the process of obtaining evidence to form an opinion is a matter of judgment. Judgment is required to determine the nature and extent of audit evidence and to draw conclusions based on the audit evidence gathered. Because of these factors, an audit is no guarantee that the financial statements are free of material misstatement. In the United States, the auditor’s opinion states that the audit provides ‘reasonable assurance’, not complete assurance, that the statements are free of material misstatement.
ISA audit reports state the same. For both, it goes without saying that collusion by clients is a limitation because collusion enables the colluding parties to overcome internal controls.
Whereas a company may face a plethora of business-related risks, management is primarily responsible for understanding and mitigating the effects of these risks. The auditor’s primary concern relates to risks associated with the financial statements. The most important risk (frequently referred to as type 1 risk) is the risk of giving an erroneously clean, that is a “good” or “unqualified”, opinion in circumstances that do not deserve it. The newest revision of ISA 200 requires the auditors to adequately plan and perform their audit to reduce type 1 risk to the lowest acceptable level possible. Type 2 risk is the risk that the auditor will erroneously give a bad or qualified or adverse opinion to financial statements that deserve a good or unqualified opinion. A key problem with a type 1 opinion is that investors may be more likely to invest in shares of a company that has received the erroneous good opinion. When the truth about the company comes out, and the investors realize that the company’s value may be less than they had thought, the stock price may drop and investor wealth may decline. If, though, the auditors gave the client firm an erroneous qualified or bad opinion, investors may sell off their holdings of the firm’s shares, with the result that the stock price will drop when, had the auditor given a correct opinion, the stock price would not have fallen. Thus shareholder wealth would be diminished for a wrong reason.
We have now discussed the objectives of the audits, the qualifications of auditors, the types of audits, and the types of opinions. It is important now to describe briefly the audit process model. The audit ends with an opinion (good or bad). However, many things must happen before the opinion can be given. We discuss the audit process next.
The phases of the audit according to international auditing standards are:
We discuss each of these stages in turn.
Client acceptance is covered in ISA 210 under Terms of audit engagements. For recurring audits, ISA 210 paragraph 13 says that the auditor should assess whether the circumstances that exist at that time require the terms of the engagement to be changed. Also, paragraph 13 states that the auditor should consider whether the client needs to be reminded of the terms of the audit engagement.
It is assumed that, unless an untoward incident has occurred (e.g., finding that the client engages in fraud), the status quo is maintained and the related risk associated with the client is the same as it was the previous year. With respect to new clients, the auditor is required to determine the business risk by investigating the background, financial statements, and the nature and type of the industry of the client.
Planning is covered in ISA 300. It is required that the audit firm plan the work such that the audit is both timely and efficient. The plan is contingent on the nature of the industry and the business environment of the client. The auditor should develop a plan after studying the business environment of the client, the types of control (including an understanding of the entire control environment and control procedures), and the client’s accounting system. The auditor is required to conduct analytical procedures to test the control procedures. The results of the analytical procedures help to determine overall riskiness of the client because the ratio analyses involved, including analyses of how specific ratios changed from one year to the next, help direct the auditor’s attention to potential problem areas. With this and other information in hand, the auditor is then required to set materiality levels based on assessed risk. For example, the combination of risk and materiality assessment might dictate where the auditor allocates work time. So if materiality is high but risk is low, the auditor may do less work. Similarly, if materiality is low but risk is high, the auditor may do more work. The auditor is then required to prepare a plan (also referred to as an audit program) outlining the nature, type, and extent of audit procedures that are required overall and for each account type to gather evidence.
ISA 300 emphasizes the importance of evaluating the client’s internal control structure in the planning stage. The auditor is required to assess if: (1) the client’s internal control structure is adequate to generate reliable data and (2) the client’s internal control is adequate to safeguard assets. The evidence subsequently required to be tested is contingent on these results. If the tests reveal weak internal controls, then auditors are required to obtain relatively more evidence because there is a greater likelihood that problems in financial reporting will not be caught and corrected by the internal control system and, therefore, the problems will be included in the financial statements themselves. Guidance for this is provided in ISA 315. ISA 315 also covers the computer information systems environment, a very important factor given the computerization of the business environment.
ISA Sections 500 and 501 provide guidance on types of tests and evidence required. These sections require that the audit be performed and the report prepared with due professional care by persons who have adequate training, experience, and competence in auditing. The auditor is required to act with due professional care. This means that the auditor acts independently and adheres to international ethics by keeping the results confidential. Due professional care also means that the auditor should perform the audit diligently, obtain sufficient evidence before arriving at an opinion, maintain a complete set of working papers, and prepare an audit report that is appropriate to the state of the client’s affairs.
Tests of controls are tests designed to obtain reasonable assurance that the financial system controls are in place and are effective. This is discussed in the PCAOB’s Auditing Standard No. 5, entitled An audit of internal control over financial reporting that is integrated with an audit of financial statements. The auditor is required to test controls for the purpose of reducing risk and then, based on the results, determine the extent of substantive tests. (The purpose of substantive tests is to obtain evidence of the completeness, accuracy, and validity of the data provided by the accounting system.) Analytical procedures (discussed in detail in ISA 520) are used to identify significant discrepancies between the results the auditor expected to find and the actual results. Based on this, further substantive tests are determined. If the analytical procedures do not indicate significant discrepancies, then the substantive tests can be reduced.
This is discussed in ISA 550, 560, 570 and 580. The auditor is required to first assess the following:
The auditor must perform final audit procedures before the audit report can be written. These are described in ISA Sections 600 and 620. As described in these sections, the auditor is required to obtain legal letters and identify subsequent events that could potentially adversely or favorably affect the company. The auditor should then report to the board of directors and obtain a management representation letter. Guidance relating to obtaining the representation letter is provided in ISA 580.
This chapter introduced the reader to the role of the auditor in the validation of financial statements prepared by corporate management. In doing so, we focused on international standards when describing the audit process. The chapter began by describing the different sources of auditing standards used by an auditor, depending on whether they are auditing organizations based in the United States and which have their stocks sold on U.S. exchanges or whether they are auditing organizations whose clients are headquartered in countries that have adopted international auditing standards. It then described the different types of audits and, based on the international auditing standards, led the reader through the audit process. This information provides a quick guide to the role that different standard-setting bodies play in the public audit, depending on the location of the client firm. The topics in this chapter are explored in more depth as we go into further discussion of auditing and a comparison of the differences between ISA and PCAOB auditing standards.