Definition: To audit means to go through the process of examining and verifying a company's financial records and supporting documents. While a business might go through an audit for any number of reasons, such as wanting to attract investors, get a loan, or sell the business, for many business people the word "audit" is welded to the words "income tax". An income tax audit is an inspection and verification of a company's records and supporting documents conducted by a CRA (Canada Revenue Agency) auditor. The CRA doesn't just conduct income tax audits, however; they perform audits of any CRA accounts, including auditing GST returns and claims for rebates. According to the CRA's Guide For Canadian Small Businesses, an audit usually takes one to two weeks, and involves "an examination of your ledgers, journals, bank accounts, sales invoices, purchase vouchers, and expense accounts." They go on to point out that the audit process may involve touring your business premises, and seeking information and assistance from your employees
Types of Audit
There are many types of audits; Internal Audit Services determines which kind to undertake based on a formal risk assessment process. The following provides examples of some of the audits that could be undertaken:

Operational Audits
Provide an objective evaluation of an area, department or functional operation. The process assesses the adequacy and effectiveness of controls designed to manage risks and ensure objectives are met.

Financial Audits
A historically oriented, independent evaluation performed for the purpose of attesting to the fairness, accuracy, and reliability of financial data. The University’s external auditors, the Office of the Auditor General of Alberta, perform this type of review annually. Internal audit will also conduct audits that focus on a financial system's controls to ensure that financial controls are adequate and effective.

Information Systems Audits
There are many types of information systems audits that focus on the controls that govern the development, operation, maintenance, and security of application systems in a particular environment. This type of audit might involve reviewing a data center, an operating system, a security software tool, or processes and procedures (such as the procedure for controlling production program changes), etc. Internal Audit Services may also review the development of a new application system.

Compliance Audits
These audits address the specific department’s adherence to laws and regulations, policies and procedures, federal and provincial requirements, and restrictions imposed on endowments and grants, etc.

Follow-up Audits
These are audits conducted after an internal or external audit report has been issued. They are designed to evaluate corrective action that has been taken on the audit issues reported in the original report.

Consulting Services
The types of consulting work that are undertaken by audit include facilitation services for control self-assessment; control framework development for new programs; and advice regarding applications controls for systems under development.
Audit Process
Audit Selection
Audit projects are selected based on a formal risk-based planning process linked to the University’s enterprise-wide risk management process. The Board Audit Committee approves the projects. The process is designed to ensure audit resources are allocated to areas where a review would benefit the University. To accommodate requests that are received throughout the year, a percentage of resources will be left unallocated. To request audit involvement, please contact Mary Persson, the Director ([email protected] or telephone 780.492.1682). These requests are normally made through the Vice President, Dean, Director, Chair, or other senior administrator.
Conducting an Audit
An audit is normally conducted in four phases. During each stage in the audit process, staff from the units involved will have the opportunity to participate. The process works best when management and Internal Audit have a solid working relationship based on clear and continuing communication. If there are any concerns about the process, clients are encouraged to direct the concerns to the auditors or the Director, Internal Audit Services. The following briefly outlines the process phases:

Audit Planning
• An approach letter outlining the preliminary objectives and scope of the review is sent to the responsible Vice-President or senior manager.
• An entrance meeting is held to introduce the audit team and outline the preliminary objectives.
• More detailed information regarding the area is gathered (through interviews, documentation review and research) to develop an engagement plan and terms of reference for the project.
• Terms of reference, outlining key elements of the audit project, are sent to senior management for endorsement.

Audit Fieldwork
• Fieldwork concentrates on gathering the information necessary to assess the adequacy and effectiveness of controls, risk management and governance processes.
• Auditors typically gather information through this phase by talking with staff, reviewing procedures and business processes, and conducting tests to meet the objectives of the audit.
• The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a draft of the audit report.
• In the conduct of their work, Internal Audit Services staff members are authorized to have unrestricted access to all functions, records, property, and personnel.

Audit Reporting
• An exit conference is held with senior management of the area under review to outline the audit findings and ensure all relevant facts were considered.
• An audit report is drafted and includes the major recommendations. Recommendations that do not address significant risks will be dealt with less formally through a management letter.
• The draft report is provided to senior management for fact validation. Once a response is received, a second draft will be provided soliciting management’s plans to address the recommendations (for inclusion in the final report). Meetings will be scheduled as required to facilitate this process.
• Once the report is finalized, it is distributed to senior management and the Office of the Auditor General of Alberta.
• An overview of reports is provided to the Board Audit Committee.

Audit Follow-up
• Once the audit is completed, Internal Audit Services periodically requests an update on progress made in implementing recommendations.
• In certain instances, it may be necessary to revisit the area to ascertain whether the corrective action taken is achieving the desired results.
• Reports of follow-up activity are provided to the Board Audit Committee.

Types of Audit
• Compliance Audit
• Operational Audit
• Financial Audit
• Information Management and Technology (IT) Audit
• Performance Audit

Compliance Audit
Looks at whether or not an organization is adhering to specific laws, regulations and the control operations according to policy, directives, standards or contracts. This type of audit is also meant to detect breaches in security and to recommend any indicated changes in systems of control, policy and procedures. It is management’s job to establish the proper control environment and system control activities that are aligned with the organization’s compliance obligations. These control activities usually include the policies, directives, procedures and practices that ensure management objectives are achieved and risk mitigation strategies are carried out.

Operational Audits
Looks at whether or not public funds and resources have been economically, efficiently and effectively managed. This type of audit examines and reports on matters related to any or all of the following:
• the adequacy of the management systems, controls, and practices including those intended to control and safeguard assets and ensure due regard to economy, efficiency and effectiveness;
• the extent to which resources have been managed with due regard to economy and efficiency; and
• the extent to which programs, operations or activities of an entity have been effective.
Operational auditing fulfills the demand for performance and accountability information that is not being provided by information on financial performance and on compliance with authorities. Operational auditing is based on two principles:
• Public business should be conducted in a way that makes the best possible use of public funds.
• People who conduct public business should be accountable for the prudent and effective management of the resources entrusted to them.

Financial Audit
Examines how government looks after its accounts and at the records of financial transactions.
In financial audits, internal auditors test whether financial transactions support the amounts and disclosures recorded in the government’s accounting system. The scope of the audit may include comparing the results of operations with planned results, assessing the reliability of a department’s financial control systems, and checking how financial information is reported for decision-making. Internal auditors supplement these audit tests by further analysis and discussions with management. Planning decisions on the scope of a financial audit mainly involve the intended degree of audit assurance and the extent of audit work required to provide it.

Information Management and Technology (IT) Audit
May include the following:
• Reviews of existing or new information systems, before and after implementation, to ensure they are secure and meet the organization’s needs;
• Project management reviews, before or after systems implementation, to ensure controls are in place to mitigate project risks or to identify the strengths and improvements required for future projects; and/or
• Specific technology and security reviews to ensure that the technologies are appropriate, and that access to government systems is secure and adequately protected.
Due to the complexity and required skill sets to perform some of these reviews, Government Audit Services may work with specialized contractors to ensure high quality analysis and recommendations are provided to management.

Performance Audit
Asks if an entity is achieving its goals and at what cost. Performance audits usually address the following questions:
• Are programs, functions or activities achieving desired results?
• Are there appropriate indicators and measures to assess performance?
• Are there better ways to achieve the organization’s objectives at lower cost?
• Are there ways to improve the quality of service without increasing cost?
• Does the program, function or activity comply with applicable laws and regulations?

Internal control
In accounting and organizational theory, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives.[1] It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).
At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered). Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes-Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also called business controls.

Definitions
There are many definitions of internal control, as it affects the various constituencies (stakeholders) of an organization in various ways and at different levels of aggregation. Under the COSO Internal Control-Integrated Framework, a widely-used framework in the United States, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations; b) Reliability of financial reporting; and c) Compliance with laws and regulations. COSO defines internal control as having five components:
1. Control Environment: sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
2. Risk Assessment: the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
3. Information and Communication: systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
4. Control Activities: the policies and procedures that help ensure management directives are carried out.
5. Monitoring: processes used to assess the quality of internal control performance over time.
The COSO definition relates to the aggregate control system of the organization, which is composed of many individual control procedures. Discrete control procedures, or controls, are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A control’s impact...may be entity-wide or specific to an account balance, class of transactions or application. Controls have unique characteristics – for example, they can be: automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives)."[3]

Context
Under the COSO Framework, objective setting is considered a precondition to internal control. By setting objectives, management can then identify risks to the achievement of those objectives. To address these risks, management of organizations may implement specific internal controls. The effectiveness of internal control can then be measured by how well the objectives are achieved and how effectively the risks are addressed.
More generally, setting objectives, budgets, plans and other expectations establishes criteria for control. Control itself exists to keep performance or a state of affairs within what is expected, allowed or accepted. Control built within a process is internal in nature. It takes place with a combination of interrelated components such as the social environment affecting the behavior of employees, information necessary in control, and policies and procedures. Internal control structure is a plan determining how internal control consists of these elements.[4]
The concepts of corporate governance also rely heavily on the necessity of internal controls. Internal controls help ensure that processes operate as designed and that risk responses (risk treatments) in risk management are carried out. In addition, circumstances need to be in place ensuring that the aforementioned procedures will be performed as intended: right attitudes, integrity and competence, and monitoring by managers.

Roles and responsibilities in internal control
According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:
Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.
Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.
Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. They may also review information technology controls, which relate to the IT systems of the organization. There are laws and regulations on internal control related to financial reporting in a number of jurisdictions. In the U.S. these regulations are specifically established by Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance on auditing these controls is specified in PCAOB Auditing Standard No. 5 and SEC guidance, further discussed in SOX 404 top-down risk assessment. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting.

Limitations
Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures. Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement. Internal control involves human action, which introduces the possibility of errors in processing or judgment. Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by top management.

Describing Internal Controls
Internal controls may be described in terms of: a) the objective they pertain to; and b) the nature of the control activity itself.

Objective categorization
Internal control activities are designed to provide reasonable assurance that particular objectives are achieved, or related progress understood. The specific target used to determine whether a control is operating effectively is called the control objective. Control objectives fall under several detailed categories; in financial auditing, they relate to particular financial statement assertions,[5] but broader frameworks are helpful to also capture operational and compliance aspects:
1. Existence (Validity): Only valid or authorized transactions are processed (i.e., no invalid transactions).
2. Occurrence (Cutoff): Transactions occurred during the correct period or were processed timely.
3. Completeness: All transactions are processed that should be (i.e., no omissions).
4. Valuation: Transactions are calculated using an appropriate methodology or are computationally accurate.
5. Rights & Obligations: Assets represent the rights of the company, and liabilities its obligations, as of a given date.
6. Presentation & Disclosure (Classification): Components of financial statements (or other reporting) are properly classified (by type or account) and described.
7. Reasonableness: Transactions or results appear reasonable relative to other data or trends.
For example, a control objective for an accounts payable function might be: "Payments are only made to authorized vendors for goods or services received." This is a validity objective. A typical control procedure designed to achieve this objective is: "The accounts payable system compares the purchase order, receiving record, and vendor invoice prior to authorizing payment." Management is responsible for implementing appropriate controls that apply to transactions in their areas of responsibility. Internal auditors perform their audits to evaluate whether the controls are designed and implemented effectively to address the relevant objectives.

Activity categorization
Control activities may also be described by the type or nature of activity. These include (but are not limited to):
• Segregation of duties - separating authorization, custody, and record keeping roles to limit risk of fraud or error by one person.
• Authorization of transactions - review of particular transactions by an appropriate person.
• Retention of records - maintaining documentation to substantiate transactions.
• Supervision or monitoring of operations - observation or review of ongoing operational activity.
• Physical safeguards - usage of cameras, locks, physical barriers, etc. to protect property.
• Analysis of results, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs).
• IT Security - usage of passwords, access logs, etc. to ensure access is restricted to authorized personnel.

Control precision
Control precision describes the alignment or correlation between a particular control procedure and a given control objective or risk. A control with direct impact on the achievement of an objective (or mitigation of a risk) is said to be more precise than one with indirect impact on the objective or risk. Precision is distinct from sufficiency; that is, multiple controls with varying degrees of precision may be involved in achieving a control objective or mitigating a risk.
Precision is an important factor in performing a SOX 404 top-down risk assessment. After identifying specific financial reporting material misstatement risks, management and the external auditors are required to identify and test controls that mitigate the risks. This involves making judgments regarding both precision and sufficiency of controls required to mitigate the risks. Risks and controls may be entity-level or assertion-level under the PCAOB guidance. Entity-level controls are identified to address entity-level risks. However, a combination of entity-level and assertion-level controls are typically identified to address assertion-level risks. The PCAOB set forth a three-level hierarchy for considering the precision of entity-level controls.[6] Later guidance by the PCAOB regarding small public firms provided several factors to consider in assessing precision.[7]

Fraud and internal control
Internal control plays an important role in the prevention and detection of fraud.[8] Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess related controls.[9] This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level.[10] The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in fraud risk assessment.[11] The AICPA, IIA, and ACFE also sponsored a guide published during 2008 that includes a framework for helping organizations manage their fraud risk.[12]

Internal Controls and Improvement
If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed. The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.[13]

Continuous Controls Monitoring
Advances in technology and data analysis have led to the development of numerous tools which can automatically and continuously evaluate the effectiveness of internal controls. Used in conjunction with continuous auditing, continuous controls monitoring provides assurance on financial information flowing through the business processes.

look at purchase, which takes up a significant amount of time, effort and money. Purchase starts with a requirement that is typically followed by an enquiry, placing of an order, receipt of goods and verification of material, and ends with payment to a vendor. Sometimes you may be required to pay an advance upfront; in other cases, the order may be placed orally and the formal approval obtained afterwards. The rules in place for purchase should cover the different situations in your business and lay down some clear guidelines. Purchases are of different kinds: some routine, some non-routine; some low value and some high value. There should be systems in place which take care of these different kinds of purchases.

Purchase of raw material
For raw materials that are consumed on a regular basis, you would need to set in place a reorder level and reorder quantity. The reorder level would need to take into account your rate of consumption, i.e. daily consumption, as well as the time taken from requisition to receipt of goods. For example, assume you consume 100 kg of a chemical daily. Once the quantity of material on hand reaches the reorder level, your stores manager will request the purchase department to place the order. Once the order is placed, the vendor will take... some time to deliver the goods, which may need to be inspected and tested. The total time taken from requisition to receipt may be estimated at 19 days. Your reorder level has to take this factor into consideration while placing the order. In addition, a buffer may also be built in to take care of possible delays in order processing, delay in receipt of goods, etc. If you decide that you must place the order when you have 25 days of stock on hand, your reorder level would be 2,500 kg, based on the daily estimated consumption of 100 kg.
The reorder quantity will depend on factors such as cost of transporting and cost of storage in addition to consumption rate. While you would not like production to be hampered, keeping excess raw material can increase storage costs. Transport cost is also a critical element in your decision making, particularly in these times of high diesel costs.

need to put in place systems which reflect these thoughts. For example, if you want to have an atmosphere of hard work, you must demonstrate that hard work and sincerity are noticed and recognised. If promotions are based on other parameters and not on performance, then you send a message that hard work is not considered a key criterion for promotion. When you start putting systems in place, you need to look at how these systems reflect your overall plan for the business and organisational culture.
Coming up next: Some critical areas in a business. Deciding the areas you need to keep a control on.

Audit
The general definition of an audit is an evaluation of a person, organization, system, process, project or product. Audits are performed to ascertain the validity and reliability of information, and also to provide an assessment of a system's internal control. The goal of an audit is to express an opinion on the person, organization, system, etc. under evaluation, based on work done on a test basis. Due to practical constraints, an audit seeks to provide only reasonable assurance that the statements are free from material error. Hence, statistical sampling is often adopted in audits. In the case of financial audits, a set of financial statements is said to be true and fair when it is free of material misstatements, a concept influenced by both quantitative and qualitative factors.
Traditionally, audits were mainly associated with gaining information about financial systems and the financial records of a company or a business (see financial audit). However, recent auditing has begun to include other information about the system, such as information about environmental performance. As a result, there are now professions conducting environmental audits.
In financial accounting, an audit is an independent assessment of the fairness by which a company's financial statements are presented by its management. It is performed by competent, independent and objective person(s) known as auditors or accountants, who then issue an auditor's report based on the results of the audit. Such systems must adhere to generally accepted standards set by governing bodies regulating businesses; these standards simply provide assurance for third parties or external users that such statements present a company's financial condition and results of operations 'fairly'.

Quality audits
Quality audits are performed to verify the effectiveness of a quality management system. This is part of certifications such as ISO 9001. Quality audits are essential to verify the existence of objective evidence of processes, to assess how successfully processes have been implemented, for judging the effectiveness of achieving any defined target levels, providing evidence concerning reduction and elimination of problem areas and are a hands-on management tool for achieving continual improvement in an organization. To benefit the organization, quality auditing should not only report non-conformances and corrective actions but also highlight areas of good practice. In this way, other departments may share information and amend their working practices as a result, also enhancing continual improvement.
Integrated audits

In the US, audits of publicly-listed companies are governed by rules laid down by the Public Company Accounting Oversight Board (PCAOB). Such an audit is called an Integrated Audit, where auditors have the additional responsibilities of expressing opinions on the management's assessment of the firm's internal control and the effectiveness of internal control over financial reporting, based on their (the auditors') own assessment.
Types of auditors

There are two types of auditors:
• Internal auditors are employees of a company hired to assess and evaluate its system of internal control. To maintain independence, they present their reports directly to the board of directors or to top management. They provide functional operation to the concern. Because internal auditors are employees of the company, they can easily find fraud and other mishaps.
• External auditors are independent staff assigned by an auditing firm to assess and evaluate financial statements of their clients or to perform other agreed-upon evaluations. Most external auditors are employed by accounting firms for annual engagements. They are called upon from outside the company.
Major auditing firms

The four largest accounting firms in the world are collectively referred to as the Big Four. They are as follows:
• PricewaterhouseCoopers, also known as PwC.
• Ernst & Young, also known as EY.
• KPMG.
• Deloitte Touche Tohmatsu, also known as Deloitte.
There are many other audit firms competing with the Big Four for major audit engagements. Competition has intensified in response to independence issues and other legislative requirements introduced as a consequence of the Arthur Andersen scandal. In the US and Australia, these firms are called "mid-tier". Some of these include: Mazars, BDO International, William Buck, Moore Stephens LLP, Grant Thornton International, McGladrey & Pullen, Hall Chadwick, Dauby O'Connor & Zaleski, LLC, PKF, Pitcher Partners, Johnson Lambert & Co. LLP, Beard Miller Company, DFK International, Horwath International and UHY firm. In the UK, medium-sized firms are also called "mid-tier". Many of these firms are international, increasingly competing for work against the Big Four, especially following the recent large auditing scandals.
Auditing firms around the world

While the four major audit firms listed above provide audit services to the largest corporations in the United States of America, audit firms around the world are also in partnership with the Big Four. Since corporations hold offices in other parts of the world, they tend to be audited by affiliates of the Big Four to maintain consistency and uniformity in their application of auditing standards.
Audit risk
From Wikipedia, the free encyclopedia
Audit risk is a term that is commonly used in relation to the audit of the financial statements of an entity. (See financial audit). The primary objective of such an audit is to provide an opinion as to whether or not the financial statements under audit present fairly the financial position, profit/loss and cash flows of the entity. Audit risk is the risk of the auditor providing an inappropriate opinion on the financial statements, particularly when those financial statements contain a material misstatement. Of less concern is the situation where the auditor states that the financial statements do not meet the standard of fair presentation, when in fact they do.
Where audit risk fits into the audit process

Audit risk is assessed during the planning phase of the audit, and is a very important activity, as the testing to be performed during the next phase of the audit (now referred to as the "putting the plan into action phase", but essentially the testing phase) is determined in response to the risk assessment. Note that, at this stage, the auditor has not yet done any testing, so his assessment of risk is essentially a provisional one. During the testing phase, after testing the entity's control system, the auditor has to consider if the control system is better or worse than expected during the planning phase, and adjust his testing accordingly.
Having said the above, there are indications that the large auditing firms are shifting elements of the risk assessment into the preliminary engagement phase of the audit (formerly referred to as the pre-engagement phase), which refers to the phase where work is done prior to entering into a contract with the then still prospective audit client. Firms are doing this to avoid involvement with clients that may cause them reputational damage. Risk is supposed to be assessed at two levels, being the financial statement level and the assertion level. Risk at financial statement level refers to a risk factor that can produce a misstatement in any one of a number of assertions, like the management of the entity being dishonest or incompetent. Risk at assertion level refers to a risk factor that makes a misstatement of a specific assertion more likely. A contentious matter in this regard is the interplay between the determination of materiality and risk assessment during the planning phase. Some sources state that risk should be assessed before the determination of materiality, but the argument that materiality should be determined before the risk assessment makes more sense, for the simple reason that the definition of audit risk includes a reference to material misstatement. Hence, if the auditor has not yet determined materiality, he will not be able to do a meaningful risk assessment.
The audit risk formula

Audit Risk = Inherent Risk × Control Risk × Detection Risk

The purpose of this equation is to calculate detection risk, which then indicates to the auditor how much substantive testing he has to do to arrive at the acceptable audit risk. This is explained below in more detail.
Components of the audit risk formula

Audit risk

In this context, audit risk (also referred to as residual risk) refers to acceptable audit risk, i.e. it indicates the auditor's willingness to accept that the financial statements may be materially misstated after the audit is completed and an unqualified (clean) opinion was issued. If the auditor decides to lower audit risk, it means that he wants to be more certain that the financial statements are not materially misstated.
Inherent risk

Inherent risk represents the auditor's assessment that there may be a material misstatement relating to an assertion in the financial statements under audit, without taking the effectiveness of the related internal controls into account. If the auditor concludes that there is a high likelihood of such a misstatement, ignoring internal controls, he would assess the inherent risk as being high. An example of inherent risk: the valuation of inventory is inherently more risky when the type of inventory is difficult to value due to its nature, so the valuation of diamonds is inherently much more risky than, say, the valuation of tennis balls. Internal controls are ignored during the assessment of inherent risk because they are considered when assessing another component of audit risk, namely control risk.

The assessment of inherent risk (and also control risk) is an exercise that requires professional judgement on the part of the auditor. Hence, two auditors assessing the same company may assess the inherent and control risks differently, but it is to be expected that their assessments should be in the same vicinity. Auditors express their risk assessment in one of two ways (and this goes for all the components of the risk formula): as a percentage, or described as low, medium or high.
Control risk

Control risk represents the auditor's assessment of the likelihood that a material misstatement relating to an assertion in the financial statements will not be detected and corrected, on a timely basis, by the client's internal control system. To return to the example of an entity having an inventory of diamonds, which is inherently risky in terms of valuation: if the entity has competent, experienced valuers valuing its inventory, the control risk will be lower as compared to a situation where incompetent people are tasked with performing that function.

The product of inherent risk and control risk is referred to as the Risk of Material Misstatement, and represents the risk that the auditor has to respond to adequately when doing substantive testing. It is permissible to do a combined assessment of inherent and control risk, instead of formally separating the two components as done above.
Detection risk

Detection risk is defined as the likelihood that a material misstatement relating to an assertion will not be detected by the auditor's substantive testing. It is important to note that the detection risk indicates the detection risk that the auditor is willing to "live with", given the acceptable audit risk and his assessment of inherent and control risk. This means that if the detection risk is high, the auditor is willing to accept a high detection risk, and will do less substantive testing as compared to a situation where the detection risk is lower.
An example

Suppose an auditor is doing the risk assessment relating to the completeness of trade payables assertion. He regards 5% as an acceptable audit risk, and has assessed the inherent risk at 70%, which is high. But he has also assessed the control risk relating to this assertion at 10%, which means that the client has strong controls in place "governing" this assertion. The auditor expects these controls to eliminate 90% of the misstatements that were likely due to the inherently risky nature of the assertion, leaving a low combined risk of slightly above 6% for him to respond to by means of his substantive testing. Calculating the detection risk then produces an answer of almost 80%, which implies that the auditor can, with detection risk at a high 80%, still have the acceptable audit risk of 5%. Hence the auditor does not have to do very exhaustive substantive testing relating to the completeness of trade payables.

Note that the auditor can peg control risk at above the assessed level, thereby effectively treating the entity as having worse controls than is really the case. By doing so, the auditor effectively opts to do less controls testing, but must then compensate by doing more substantive testing.
External auditor
An external auditor is an audit professional who performs an audit on the financial statements of a company, government, individual, or any other legal entity or organization, and who is independent of the entity being audited. Users of these entities' financial information, such as investors, government agencies, and the general public, rely on the external auditor to present an unbiased and independent evaluation of such entities. External auditors are distinguished from internal auditors for two main reasons: (1) the internal auditor's primary responsibility is appraising an entity's risk management strategy and practices, management (including IT) control frameworks and governance processes, and (2) internal auditors do not express an opinion on the entity's financial statements.

Besides providing audit services, external auditors also provide other kinds of services. The most common of these are reviews of financial statements and compilations. In a review, auditors are generally required to tick and tie numbers to the general ledger and make inquiries of management. In a compilation, auditors are required to look over the financial statements to make sure they are free of obvious misstatements and errors.

The primary role of external auditors is to express an opinion on whether an entity's financial statements are free of material misstatements. Some people confuse auditors with people who detect fraud, but auditors are not exclusively concerned with fraud detection. Auditors want to make sure that a company's financial statements are a true and fair representation of its actual position. If they come across any fraud-related information, it is their responsibility to bring it to the management's attention and consider withdrawing from the engagement if management does not take appropriate action.

Normally, external auditors review the entity's information technology control procedures when assessing its overall internal controls. They must also investigate any material issues raised by inquiries from professional or regulatory authorities, such as the local taxing authority. For public companies listed on stock exchanges in the United States, the Sarbanes-Oxley Act (SOX) has imposed stringent requirements on external auditors in their evaluation of internal controls and financial reporting.

The independence of external auditors is crucial to a correct and thorough appraisal of an entity's financial controls and statements. Any relationship between the external auditors and the entity, other than retention for the audit itself, must be disclosed in the external auditor's reports. These rules also prohibit the auditor from owning a stake in public clients and severely limit the types of non-audit services they can provide. In the United States, certified public accountants are the only authorized nongovernmental type of external auditors who may perform audits and attestations on an entity's financial statements and provide reports on such audits for public review. In the UK, Canada and other Commonwealth nations, Chartered Accountants have served this role.
Financial audit
A financial audit, or more accurately, an audit of financial statements, is the review of the financial statements of a company or any other legal entity (including governments), resulting in the publication of an independent opinion on whether or not those financial statements are relevant, accurate, complete, and fairly presented. Financial audits are typically performed by firms of practicing accountants due to the specialist financial reporting knowledge they require. The financial audit is one of many assurance or attestation functions provided by accounting and auditing firms, whereby the firm provides an independent opinion on published information. Many organisations separately employ or hire internal auditors, who do not attest to financial reports but focus mainly on the internal controls of the organization. External auditors may choose to place limited reliance on the work of internal auditors.
Purpose

Financial audits exist to add credibility to the implied assertion by an organization's management that its financial statements fairly represent the organization's position and performance to the firm's stakeholders (interested parties). The principal stakeholders of a company are typically its shareholders, but other parties such as tax authorities, banks, regulators, suppliers, customers and employees may also have an interest in ensuring that the financial statements are accurate.

The audit is designed to reduce the possibility of a material misstatement. A misstatement is defined as false or missing information, whether caused by fraud (including deliberate misstatement) or error. Material is very broadly defined as being large enough or important enough to cause stakeholders to alter their decisions.

The exact 'audit opinion' will vary between countries, firms and audited organisations. In the US, the CPA firm provides written assurance that financial reports are 'fairly presented in conformity with generally accepted accounting principles (GAAP).' The measure for 'fairly presented' is that there is less than 5% chance (5% audit risk) that the financial statements are 'materially misstated'.
History

Audit of government expenditure

The earliest surviving mention of a public official charged with auditing government expenditure is a reference to the Auditor of the Exchequer in England in 1314. The Auditors of the Imprest were established under Queen Elizabeth I in 1559 with formal responsibility for auditing Exchequer payments. This system gradually lapsed and in 1780, Commissioners for Auditing the Public Accounts were appointed by statute. From 1834, the Commissioners worked in tandem with the Comptroller of the Exchequer, who was charged with controlling the issue of funds to the government.

As Chancellor of the Exchequer, William Ewart Gladstone initiated major reforms of public finance and Parliamentary accountability. His 1866 Exchequer and Audit Departments Act required all departments, for the first time, to produce annual accounts, known as appropriation accounts. The Act also established the position of Comptroller and Auditor General (C&AG) and an Exchequer and Audit Department (E&AD) to provide supporting staff from within the civil service. The C&AG was given two main functions – to authorise the issue of public money to government from the Bank of England, having satisfied himself that this was within the limits Parliament had voted – and to audit the accounts of all Government departments and report to Parliament accordingly. Auditing of UK government expenditure is now carried out by the National Audit Office.

Sing industry (acting through various organisations throughout the years) as
to the accounting standards for financial reporting, and the U.S. Congress has deferred to the SEC. This is also typically the case in other developed economies. In the UK, auditing guidelines are set by the institutes (including ACCA, ICAEW, ICAS and ICAI) of which auditing firms and individual auditors are members. Accordingly, financial auditing standards and methods have tended to change significantly only after auditing failures. The most recent and familiar case is that of Enron. The company succeeded in hiding some important facts, such as off-book liabilities, from banks and shareholders. Eventually, Enron filed for bankruptcy, and (as of 2006) is in the process of being dissolved. One result of this scandal was that Arthur Andersen, then one of the five largest accountancy firms worldwide, lost their ability to audit public companies, essentially killing off the firm. A recent trend in audits (spurred on by such accounting scandals as Enron and Worldcom) has been an increased focus on internal control procedures, which aim to ensure the completeness, accuracy and validity of items in the accounts, and restricted access to financial systems. This emphasis on the internal control environment is now a mandatory part of the audit of SEC-listed companies, under the auditing standards of the Public Company Accounting Oversight Board (PCAOB) set up by the Sarbanes-Oxley Act.
Governance and Oversight

Many countries have government sponsored or mandated organizations that develop and maintain auditing standards, commonly referred to as generally accepted auditing standards or GAAS. These standards prescribe different aspects of auditing such as the opinion, stages of an audit, and controls over work product (i.e., working papers). Some oversight organizations require auditors and audit firms to undergo a third-party quality review periodically to ensure the applicable GAAS is followed.
Stages of an audit

A financial audit is performed before the release of the financial statements (typically on an annual basis), and will overlap the 'year-end' (the date which the financial statements relate to). The following are the stages of a typical audit:
Planning and risk assessment

Timing: before year-end

Purpose:
• to understand the business of the company and the environment in which it operates. What should auditors understand?[1]
  o the relevant industry, regulatory, and other external factors including the applicable financial reporting framework
  o the nature of the entity
  o the entity's selection and application of accounting policies
  o the entity's objectives and strategies, and the related business risks that may result in material misstatement of the financial statements
  o the measurement and review of the entity's financial performance
  o internal control relevant to the audit
• to determine the major audit risks (i.e. the chance that the auditor will issue the wrong opinion). For example, if sales representatives stand to gain bonuses based on their sales, and they account for the sales they generate, they have both the incentive and the ability to overstate their sales figures, thus leading to overstated revenue. In response, the auditor would typically plan to increase the rigour of their procedures for checking the sales figures.
Internal controls testing

Timing: before and/or after year-end

Purpose:
• to assess the operating effectiveness of internal controls (e.g. authorisation of transactions, account reconciliations, segregation of duties). If internal controls are assessed as effective, this will reduce (but not entirely eliminate) the amount of 'substantive' work the auditor needs to do (see below).

Notes:
• In some cases an auditor may not perform any internal controls testing, because he/she does not expect internal controls to be reliable. When no internal controls testing is performed, the audit is said to follow a substantive approach.
• This test determines the amount of work to be performed, i.e. substantive testing or test of details.
Substantive procedures
Finalization

Timing: at the end of the audit

Purpose:
• to compile a report to management regarding any important matters that came to the auditor's attention during performance of the audit,
• to evaluate and review the audit evidence obtained, ensuring sufficient appropriate evidence was obtained for every material assertion, and
• to consider the type of audit opinion that should be reported based on the audit evidence obtained.
Significant audit firms

These firms are the 'Big 4' multinational accountancy firms which audit the majority of large quoted/listed companies. In addition to providing audits, they also provide other services including tax advice and IT consultancy.

Firm                       2007 global revenue (US dollars)
PricewaterhouseCoopers     25.2bn[2]
Deloitte                   23.1bn[3]
Ernst & Young              21.1bn[4]
KPMG                       19.8bn[5]
Other significant audit firms are listed here:
• Top 100 accounting firms in the United States
• Top 50 accountancy firms in the UK
• Top 30 accounting firms in Canada
Commercial relationships versus objectivity

One of the major issues faced by private auditing firms is the need to provide independent auditing services while maintaining a business relationship with the audited company. The auditing firm's responsibility to check and confirm the reliability of financial statements may be limited by pressure from the audited company, which pays the auditing firm for the service. The auditing firm's need to maintain a viable business through auditing revenue may be weighed against its duty to examine and verify the accuracy, relevancy, and completeness of the company's financial statements.

Numerous proposals have been made to revise the current system to provide better economic incentives to auditors to perform the auditing function without having their commercial interests compromised by client relationships. Examples are more direct incentive compensation awards and financial statement insurance approaches. See, respectively, Incentive Systems to Promote Capital Market Gatekeeper Effectiveness and Financial Statement Insurance.
Related qualifications

• There are several related professional qualifications in the field of financial audit including Certified General Accountant (CGA), Chartered Certified Accountant, Chartered Accountant and Certified Public Accountant.
See also

• Center for Audit Quality (CAQ)
• Comparison of accounting software
• Computer Assisted Audit Tools
• Forensic Accounting
• List of accounting topics