Auditing has existed for years in different stages of development, following the evolution of accounting. It began in the epoch when records were approved after a public reading and continued through the era when government officials were measured by their honesty. It then passed through the industrial revolution, when the ownership of companies started separating from management and owners required more protection of their investments, increasing the use of auditors. Next came the times when an auditor was always searching for frauds or errors (Whittington & Pany, 2004, p. 7), and then the aim became “to ascertain the actual financial condition and earnings of an enterprise” (Montgomery, 1913, p. 9).
However, the acceptance of auditing as an academic discipline is not old. Only after the development of different concepts and techniques within the audit model, such as the use of sampling, the study of the internal control environment, and risk assessment, has more attention been devoted to the theoretical and conceptual framework of auditing.
Andrew Sayer (1992) discussed the concept of theories in social science from the perspective of “theory as an ordering-framework” (p. 50), indicating that theory allows the use of the observed data and their relationships to predict and explain empirical events. Additionally, Cooper and Schindler (1998) define theory as “a set of systematically interrelated concepts, definitions, and propositions that are advanced to explain and predict phenomena (facts)” (p. 47). Another concept is expressed by Singleton and Straits (2005), who explain theory as a “set of interconnected propositions” (p. 19). The success in the explanation or prediction of any phenomenon depends on the degree to which the theory holds and does not fail to fit the situation, and the challenge is to perfect the process of matching theory and fact (Cooper & Schindler, 1998).
Different authors have started the development of audit theory, such as Mautz and Sharaf (1961) with their publication titled The Philosophy of Auditing, Tom Lee (1986) with his approach in the book Company Auditing, and later David Flint (1988) with his book Philosophy and Principles of Auditing (as cited in Moizer, 1989). The auditing analysis in this demonstration will be framed on the postulates proposed by David Flint (1988) as a foundation for the theory of auditing.
Flint (1988) stated that there is a matter of public accountability demanding an independent audit for its demonstration, with clear definition and intention, based on evidence that only skilled auditors gather, measure, and compare against the standards, and which generates economic or social benefit (as cited in Moizer, 1989). The following are the seven postulates or assumptions stated by Flint (1988):
- There is a relationship of accountability or a situation of public accountability.
- Accountability cannot be demonstrated without an audit.
- An audit requires independence and freedom.
- The subject matter of audit is susceptible to verification by evidence.
- Auditors are skilled judges who are able to measure and compare actual performance against standards of accountability.
- The meaning, significance, and intention of statements to be audited must be clear.
- An audit produces an economic or social benefit.
Whenever an economic relationship exists, one of the parties owes a duty of acceptable accountability; consequently, audits are voluntary, imposed for the health of the relationship. There are also audits related to the interest of the public in matters of society's institutions. As expressed by Whittington and Pany (2004), “dependable information is essential to the very existence of our society” (p. 1). They explained the social need for audits and for professionals who can attest that the reported information is fair with respect to reality, for the purpose of allocating resources for the production of services and goods based on reliable financial information (p. 1).
Normally the financial and economic aspects of the related subject matter are complex, not physically accessible, or have a level of significance that necessarily demands an audit to accept the accountability. Not all investors or stakeholders of an entity understand the complexity of the business and financial environment, or are near the place where their resources are in order to oversee them for accountability.
The credibility of the information is important, and the preferable way of obtaining credible information to rely on is to use independent auditors to perform an audit. That reduces the business risk, which relates to the permanence and profits of the company, and the information risk “that the financial information used to make a decision is materially misstated” (Whittington & Pany, 2004, p. 6). Therefore, if the audit is to add credibility, it must be performed independently and without bias or prejudice.
An audit is subject to verification, and that is possible only if sufficient evidential matter for the audit is gathered. Additionally, some standards of accountability and performance need to be in place to ease the auditor’s measurement. Therefore, the parties involved must agree on their acceptable standards. The auditing community has set some professional guidance as a form of generally accepted practice standards.
For an audit to add value to the financial information, the purpose of the information should be clear and the findings effectively communicated. The audit should be performed only when its benefits outweigh its costs. As a consequence, auditors should be aware of the cost of collecting evidence, especially in situations where the risk is high.
In the practice of auditing, auditors agree on an attest engagement in which they “issue or does issue an examination, a review, or an agreed-upon procedures report on subject matter or an assertion about subject matter that is the responsibility of another party (e.g., management)” (Whittington & Pany, 2004, p. 2). In an examination of financial statements, referred to as an audit, the standards may be the Generally Accepted Accounting Principles (GAAP), and the auditors collect sufficient evidence to attest to how fairly the information in the financial statements is presented with respect to GAAP.
However, there are three types of audits: (a) audits of financial statements, (b) compliance audits, and (c) operational audits. Financial audits determine whether the statements were prepared in accordance with GAAP. Compliance audits verify whether the company has complied with laws, regulations, or policies and procedures. Finally, operational audits review the effectiveness and efficiency of a particular unit of an organization (Whittington & Pany, 2004, p. 11).
Relative to the public accounting standards, the American Institute of Certified Public Accountants (AICPA) has developed the framework for the generally accepted auditing standards (GAAS), which are the fundamental principles of independent auditing in the U.S. The framework is divided into three major areas, summarized as follows:
- General standards. The audit is performed by a professional who possesses adequate technical training and proficiency, is independent in mental attitude and free from bias, and plans and performs the work diligently and with professional care.
- Standards of field work. The audit should be adequately planned and the staff properly supervised. Auditors should acquire sufficient understanding of the internal control environment to be able to determine the weak areas, and gather sufficient competent evidence to support their conclusions.
- Standards of reporting. The final report should state whether the statements are consistent with GAAP and, if necessary, indicate those circumstances departing from GAAP, include adequate informative disclosure, and include the opinion of the auditors about the financial statements.
Likewise, the AICPA has issued a series of auditing standards on auditing procedure, auditing and accounting guides, and auditing statements of position, to help auditors fulfill their responsibility of detecting misstatement (Whittington & Pany, 2004, pp. 34-35).
Auditing involves serious processes that expose auditors to different situations in which they need to exercise professional ethics. The moral principles and values that guide the decisions and actions of the auditing profession are provided by the AICPA in the Code of Professional Conduct, and by the Institute of Internal Auditors (IIA) Code of Ethics.
Normally auditors are involved in a decision process with an ethical dimension. CPAs’ decisions while performing their duties can affect thousands of investors and their resources; therefore, they need to measure the implications of their decisions. Additionally, as Whittington and Pany (2004) indicated, “what is considered unethical in a particular society is not specifically prohibited” (p. 11), giving relevance and support to the need for the establishment of those principles and values in the accounting and auditing profession.
Public accounting, like the rest of the professions, has the following characteristics: (a) a responsibility to serve the public with independence and due care, with fairness and free from bias; (b) a complex body of knowledge that includes different authoritative pronouncements of standards and principles governing the profession and the financial reports, due to the need for technical competency; (c) established standards of admission to the profession that each CPA is required to meet; and (d) a need for public confidence in order to be successful (Whittington & Pany, 2004, pp. 61-62).
The AICPA leads public accountants to recognize their responsibility to the public in general, to their clients, and to the profession. Section one of the code of conduct describes the organization and the CPAs’ principles of responsibilities, public interest, integrity, objectivity and independence, due care, and scope and nature of services. Section two depicts the institute’s rules, which comprise the following: independence, integrity and objectivity, general standards, compliance with standards, accounting principles, confidential client information, contingent fees, acts discreditable, advertising and other forms of solicitation, commissions and referral fees, and form of organization and name (Whittington & Pany, 2004, pp. 63-83).
Similarly, the IIA has its own code of ethics divided into three main sections: an introductory section, principles, and rules of conduct. Its principles apply to the profession and practice of internal auditing, and include integrity, objectivity, confidentiality, and competency. The IIA rules of conduct include integrity, objectivity, confidentiality, and competency (Whittington & Pany, 2004, pp. 83-84). The IIA is the organization that provides the standards for the professional practice of internal auditing.
As can be deduced from the previous summaries, both institutes, the AICPA and the IIA, require a high level of self-discipline and commitment to honorable professional behavior, integrating similar principles of integrity, objectivity, and competence. Their rules differ in that internal auditors perform internally, whereas public accountants attest on the financial statements of the company as outsiders, performing professionally to honor the public trust.
However, the concept of independence is common to both branches of auditing because it refers to the “ability to maintain an objective and impartial mental attitude” (Whittington & Pany, 2004, p. 66), without conflict of interest.
After the previous review of auditing theory and how CPAs support it with a professional framework that includes principles, ethical codes, and generally accepted standards for the auditing practice, the following section presents a discussion of audit procedures as well as an introduction to important concepts that are a fundamental part of the theory of auditing and the auditing practice.
The Audit Procedures
The ultimate product after the performance of an audit is the issuance of a report indicating if the financial statements audited comply with GAAP. Sufficient evidence must support the audit report and such evidence is gathered and documented by exercising rigorous procedures that, among other important goals, help the auditors in assessing the risk of misstatement.
According to Whittington and Pany (2004), audit procedures involve: (a) the understanding of the client, the business, and industry to use it in assessing risks; (b) the understanding of the internal control environment; (c) the design and performance of controls testing to assess how effective the controls are in preventing or detecting material misstatements; and (d) the design and performance of substantive procedures that include analytical procedures, direct testing of transactions and ending balances (pp. 138-139).
Because the internal control is the focus of interest for this demonstration, a separate section will discuss it.
The substantive procedures include analytical procedures, the testing of transactions, and the testing of the ending balances on the statements. Analytical procedures consist of an analysis and evaluation of the information present in the financial statements, and a review of the relationship between financial and nonfinancial information. The assumption behind the analytical procedures is that the relationships and trends of the financial information are expected to follow the historical data and projections of the business; in the contrary situation, evidence must be obtained to support the reasonableness of the changes (Whittington & Pany, 2004, p. 141).
Different techniques are used during the analytical procedures, from simple verification of a number to complicated mathematical models. Examples are the comparison of cumulative expenses and revenues with prior years to find significant differences, the use of a multiple regression model to estimate revenues by using economic and industry data, and ratio analysis and its comparison with other businesses in the same industry (Whittington & Pany, 2004, p. 141).
The testing procedures seek to prove the occurrence and correct recognition of transactions, and to establish existence and misstatements in what the ending balances represent. The substantive testing procedures are performed on an interim basis before year-end, and then after the business year-end. The level of risk established by the auditors during the overall business assessment guides the extent of the substantive audit procedures. “The greater the risk of material misstatement the greater the needed extent of substantive procedures” (Whittington & Pany, 2004, p. 139), but the cost-benefit relation of increasing the procedures to perform is always kept under evaluation.
Among the most common tests performed in an audit process, Whittington and Pany (2004) summarized the following:
- Accounting system: Comparison: agreeing amounts from different internal records.
- Documentary evidence:
  - Tracing: establishing the completeness of transaction processing by following a transaction forward through the accounting records.
  - Vouching: establishing the existence or occurrence of recorded transactions by following a transaction back to supporting documents from a subsequent processing step.
  - Inspection: reading or point-by-point review of a document or record (the terms examine, review, read, and scan are used to describe the inspection technique).
  - Reconciliation: establishing agreement between two sets of independently maintained but related records.
- Third-party representation: Confirmation: obtaining and evaluating a response from a debtor, creditor, or other party in reply to a request for information about a particular item affecting the financial statements.
- Physical evidence:
  - Physical examination: viewing physical evidence of an asset.
  - Observation: viewing a client activity.
- Computations: Reperformance: repeating a client activity. This may include operations such as footing (proving the total of a vertical column of figures); cross footing (proving the total of a horizontal row of figures); and extending (re-computing by multiplication).
- Data interrelationships: Analytical procedures: evaluation of financial information made by a study of expected relationships among financial and nonfinancial data.
- Client representations: Inquiries: questions directed toward appropriate client personnel.
According to Whittington and Pany (2004), auditors also collect evidence from some subjective areas such as the accounting estimates, the fair market value measurement and disclosures, and transactions with related parties (pp. 146-148).
After the development of audit procedures, auditors test for existence or occurrence to search for misstatements, and for completeness to search for understatement, from the transactions’ start to finish, and they test the accounting system from source documents to journals to ledgers (Whittington & Pany, 2004, p. 195). The audit program includes two main parts: the assessment of the effectiveness of the client’s internal controls, and substantive testing. Normally the system portion of an audit program is divided by cycle, such as revenue, purchasing and payments, production, payroll, investing, and financing (Whittington & Pany, 2004, p. 196).
The risk concept is used in different disciplines for different purposes. A simple definition of the concept is that risk is the level of exposure to the chance that some event happens. The event might be beneficial or prejudicial, or might have subsequent implications for other situations or processes. Therefore, in business there is a risk of losing money, a risk of fraud, and a risk of misstating the financial information. As a consequence, businesses and individuals manage risk and the level of exposure to specific risks according to their judgment.
The audit process involves the management of risk in different areas with the goal of reducing it to the minimum level possible. Whittington and Pany (2004) introduced some of the risk concepts, such as:
- Business risk, “the risk associated with a company’s survival and profitability” (p. 6).
- Information risk, “the risk that the information used to assess business risk is not accurate” (p. 6).
- Audit risk, “the risk that the auditors may unknowingly fail to appropriately modify the opinion on financial statements that are materially misstated” (p. 35).
- Inherent risk, “the possibility of a material misstatement of an assertion before considering the client’s internal control” (p. 128).
- Control risk, “the risk that a material misstatement will not be prevented or detected on a timely basis by the client’s internal control” (p. 129).
- Detection risk, “the risk that the auditors will fail to detect the misstatement with their audit procedures” (p. 129).
Within the audit risk, auditors assess the level of risk of occurrence of the different forms of misstatement of financial statements, such as errors, fraud, and illegal acts. In measuring audit risk, auditors use the following model:
AR = IR x CR x DR
Where: AR = Audit risk, IR = Inherent risk, CR = Control risk, and DR = Detection risk. (Whittington & Pany, 2004, p. 130)
Additionally, because the auditors are exposed to some legal responsibility and are subject to being sued by any of the client’s stakeholders, they have to take into consideration the reputation of the management, financial strength, and other financial ratings to assess the overall risk, or engagement risk, of the association with that particular business (Whittington & Pany, 2004, p. 174).
The process of planning the audit involves the understanding of the client and its environment, an overall audit strategy, and the risk assessment of material misstatement of the financial statements. Therefore, auditors seek to understand the nature of the client and its accounting policies; the industry, regulations, and external factors affecting the client; the client’s objectives, strategies, and related business risk; how the client measures and reviews performance; and the internal control environment (Whittington & Pany, 2004, pp. 179-180).
Consequently, auditors use different sources to obtain the overall understanding of the client. These include electronic research tools, visits to different plants or locations of the client, and some analytical procedures (Whittington & Pany, 2004, pp. 181-183).
A Company’s internal control consists of the policies and procedures established to provide reasonable assurance that the objectives of the company will be achieved; including the client’s internal control, they could identify areas of strength as well as of weakness.
The stronger the internal control, the less testing of financial statement account balances required by the auditors. For any significant account or any phase of financial operation in which controls were weak, the auditors expanded the nature and extent of their tests of the account balance.
With the increased reliance on sampling and internal control, professional standards began to emphasize limitations on auditor’s ability to detect fraud. The profession recognized that audits designed to discover fraud would be too costly. Good internal control and surety bonds were recognized as better fraud protection techniques than audits. (Whittington & Pany, 2004, p. 8)
The assessment of inherent risk involves considering the likelihood that material misstatement in the financial statements will result, and each risk related to the management assertions. At this stage, auditors identify what is not correct, or the significant risk by area, and based on that assessment they adjust their approach, modifying the nature, timing, and extent of the audit procedures (Whittington & Pany, 2004, pp. 188-189).
Evidence is all data and information gathered by the auditors to support the auditors’ conclusions. The importance of the evidence is that “audit risk is reduced by gathering audit evidence” (Whittington & Pany, 2004, p. 127), and when the risk is high more evidence is necessary, as well as increased coverage of audit procedures. According to Whittington and Pany (2004), evidence needs to be collected for each financial statement assertion, sufficient to support the auditors’ opinion. As issued in the Statement of Auditing Standard (SAS) 31 about evidential matter, the financial statement assertions are the following:
- Existence or occurrence: assets, liabilities, and owners’ equity reflected in the financial statements exist; the recorded transactions have occurred.
- Completeness: all transactions, assets, liabilities, and owners’ equity that should be presented in the financial statements are included.
- Rights and obligations: the client has rights to assets and obligation to pay liabilities that are included in the financial statements.
- Valuation or allocation: assets, liabilities, owners’ equity, revenues, and expenses are presented at amounts that are determined in accordance with generally accepted accounting principles.
- Presentation and disclosure: accounts are described and classified in the financial statements in accordance with generally accepted accounting principles, and all material disclosures are provided.
(Whittington & Pany, 2004, p. 174)
The above assertions are the basis for the risk assessment performed by auditors, who use them to determine which misstatements may occur and consequently decide which audit procedures to perform.
Guidelines are included in SAS 31 regarding what sufficient competent evidence is, which relates to the quantity of evidence auditors should collect. The competence of the evidence is determined by the combined condition of being relevant and valid. That means that it must relate to the assertion, and that it depends on the circumstances in which it is obtained. The reliability or validity of the evidence increases when it is received from independent sources, when it is produced by an effective internal control, gathered directly by the auditor, documented, obtained from original documents, and when it is received from more than one source (Whittington & Pany, 2004, p. 132).
Different types of audit evidence are obtained by the auditors, such as the accounting information system; internal and external documentary evidence; third-party representations such as confirmations, reports, and lawyers’ letters; physical evidence such as fixed assets and inventory; re-performance of computations; data interrelationships of financial and nonfinancial information; and client representations, oral and in writing (Whittington & Pany, 2004, pp. 131-137).
An important piece of supporting evidence for the audit report and conclusions is the audit documentation, which is required by SAS 96 for the auditors’ understanding and review of the audit work, to record the nature of the audit work performed, and to show the agreement between the records and the financial statements. The working papers have some important functions: they (a) are the best way to assign and coordinate the auditing work, (b) help audit managers and partners in the supervision and review of the work of assistants, (c) support the audit reports, (d) document the auditors’ compliance with GAAS, and (e) assist in the conduct of future audits of the client (Whittington & Pany, 2004, pp. 148-150).
The working papers are confidential and unrestricted documentation owned by the auditors, principally because they represent the major factor to use in case of negligence charges. The working papers include the administrative working papers, the working trial balance, separate schedules, adjusting journal entries and supporting schedules, and analyses of ledger accounts such as reconciliations, computational working papers, and corroborating documents. They are filed in two major groups, permanent files and current files (Whittington & Pany, 2004, pp. 151-158).
As large-scale corporations grew rapidly, auditors began to sample selected transactions, rather than study all transactions. Auditors and business managers gradually came to accept the proposition that careful examination of relatively few selected transactions would give a cost-effective, reliable indication of the accuracy of other similar transactions (Whittington & Pany, 2004, p. 8).
As explained before, auditors need sufficient and competent evidence to support their conclusions, but because business growth involves a high volume of economic events and transactions, they need to rely on sample testing. Audit sampling can be statistical or nonstatistical. It involves the selection of a sample from a group of items and the use of the sample characteristics, on the presumption that the auditors can draw inferences about the whole population (Whittington & Pany, 2004, p. 309).
From the previous introduction to sampling, we have the sampling risk, which is the risk that the auditors’ conclusion based on a sample might be different if they examined the whole population. According to Whittington and Pany (2004), “sampling risk is reduced by increasing the size of the sample” (p. 309) or by auditing the whole population.
Auditors use statistical and nonstatistical sampling to perform a random selection, which means that every item in the population has an equal chance of being selected for inclusion in the sample. Different techniques are used, such as random number tables, random number generators, systematic selection, haphazard selection, block selection, and stratification (Whittington & Pany, 2004, pp. 310-313).
There is a sampling risk for tests of controls, in which auditors face the risk of assessing control risk too high, which is related to efficiency, or too low, based on the operating effectiveness of the control. The AICPA guide suggests the statistical sample sizes for tests of controls at a 5 percent risk of assessing control risk too low, providing the following tolerable deviation rates per assessed level of control risk: for low, 2–7%; for moderate, 6–12%; for slightly below the maximum, 11–20%; and for the maximum level of control risk it recommends omitting the test (Whittington & Pany, 2004, pp. 316-320).
Besides sampling, auditors became aware of the importance of effective internal auditing. The following section presents a discussion of internal auditing.
Internal auditing developed rapidly during the 1930s, leading to the foundation of the Institute of Internal Auditors (IIA), which is an organization with local chapters in the main cities worldwide. The IIA defines internal auditing as follows:
An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance process. (The Institute of Internal Auditors [IIA], 2008)
Internal auditors are an important part of the internal control environment of entities, representing the highest level of control, which measures and evaluates the effectiveness of other controls. In addition to the financial controls, the internal auditor’s scope includes the evaluation and testing of control effectiveness, and other assurance and consulting services to the management.
Some companies have focused on outsourcing the internal audit function, which is also provided by CPA firms as an extended audit service and in accordance with AICPA guidance. However, opposition to the participation of accounting firms exists, under the argument of possible conflicts of interest in having them as part of the internal control when they also audit the company.
The IIA has issued the standards for the practice of internal auditing with the following purposes:
- To delineate basic principles that represent the practice of internal auditing.
- Provide a framework for performing and promoting a broad range of value-added internal auditing.
- Establish the basis for the evaluation of internal audit performance.
- To foster improved organizational processes and operations.
The auditing standards of the IIA include two parts. The first is the attribute standards, which state basic requirements for the practice of internal auditing. According to these standards, organizations should define in a formal document, or internal audit charter, the purpose, authority, and responsibility of the internal audit, and the nature of the assurance and consulting services that the internal auditors will provide. Additionally, the charter should include recognition of the definition of internal auditing, the code of ethics, and the auditing standards (IIA, 2008).
The standards also state the independence and objectivity conditions for internal auditors during the performance of their work. The need for freedom from conditions, bias, subordination of judgment, or conflict of interest that impair their ability to perform objectively is rigorously presented in the standards. Additionally, the competencies, knowledge, and skills that an auditor must possess are described, as well as the due professional care requirement for the performance of the engagement, as important elements of the IIA standards. Finally, the attribute standards set requirements for continuing professional development and quality assurance for the internal audit activity (IIA, 2008).
The second part of the IIA standards covers the