Auditing
The objective of an audit is to provide reasonable assurance that an assertion corresponds with a set of specified and established criteria. An audit involves gathering and evaluating sufficient evidence to determine whether the assertion does correspond with the criteria. The auditors then prepare a communication indicating the work they have performed and their opinion regarding the degree of correspondence between the assertions and the established criteria.
TYPES OF AUDITS
The three primary types of audits are financial, operational, and compliance audits. In a financial audit, the management of an organization asserts that the financial statements are prepared in accordance with generally accepted accounting principles (GAAP), the applicable criteria. After gathering and evaluating relevant and reliable evidence, the financial statement auditor then attests to the degree of correspondence between the audited financial statements and GAAP.
In an operational audit, the management of an organization asserts that the operations of the organization are being conducted in accordance with management's established policies and procedures. Typically, the policies and procedures of the organization are designed by management to ensure effective and/or efficient operations. After gathering and evaluating relevant and reliable evidence, the operational auditor then attests to the degree of correspondence between the actual operations and the specified policies and procedures of the organization. Operational audits can result in recommended changes to increase the effectiveness and/or efficiency of operations.
In a compliance audit, an organization's management asserts that the organization or individual is complying with specific laws and/or regulations. After gathering and evaluating relevant and reliable evidence, the compliance auditor then attests to the degree of correspondence between the subject matter identified and the specific law and/or regulation. As such, the compliance auditor provides assurance that the organization or the individual is complying with the applicable laws and/or regulations.
Audits of governmental agencies are typically both financial and compliance audits. Standards to be used when auditing federal government agencies and recipients of federal funds are found in Government Auditing Standards, issued by the comptroller general of the United States. This publication, which is referred to as the Yellow Book, specifies that the auditor must evaluate compliance with laws and regulations when completing a governmental audit.
TYPES OF AUDITORS
The three broad groups of auditors are external, internal, and governmental. External auditors are certified public accountants (CPAs) licensed by their states to provide auditing services. The CPA profession has played an active role in developing and providing attestation, assurance, and auditing services. The American Institute of Certified Public Accountants (AICPA), a voluntary national professional organization, represents the accounting profession in the United States, in general, and the public accounting profession, in particular. The AICPA publishes books, journals, and other materials, manages a Web site (http://www.aicpa.org), lobbies legislators, and sets professional standards in a number of areas. State professional societies (e.g., the New York State Society of CPAs) provide a range of professional support at the state level.
The AICPA Code of Professional Conduct guides the CPA in the performance of professional services, including audits. The code consists of principles, rules, interpretations, and rulings, going from the very broad to the very specific. There are six ethical principles of professional conduct (e.g., integrity) that provide the basis for the rest of the code. The rules address more specific ethical concerns (e.g., independence). The interpretations provide more details regarding the rules (e.g., conflicts of interest). Rulings are answers to specific questions (e.g., may a CPA accept a gift from a client?). In addition, the AICPA has an elaborate enforcement mechanism in place to ensure compliance with the Code of Professional Conduct.
One of the most important provisions of the code is that external auditors must be independent of their clients when performing financial audits. According to Article IV of the AICPA's Code of Professional Conduct, "a member in public practice should be independent in fact and appearance when providing auditing and other attestation services" (http://www.aicpa.org). To be independent in fact, an auditor must have integrity; a character of intellectual honesty and candor; and objectivity, a state of mind of judicial impartiality that recognizes an obligation of fairness to management and owners of a client, creditors, prospective owners or creditors, and other stakeholders. To be independent in appearance, the auditor must not have any obligations or interests (in the client, its management, or its owners) that could cause others to believe the auditor is biased with respect to the client, its management, or its owners.
Internal auditors are employees of individual organizations. To increase internal auditors' objectivity, typically, internal auditors report to the audit committee of the board of directors, rather than to the management. Internal auditors are primarily involved in completing operational and compliance audits, although some perform financial audits of segments of their companies. The Institute of Internal Auditors (IIA) is an international professional organization representing the internal auditing profession. The IIA publishes materials, encourages local chapter activities, offers certification as a certified internal auditor, and provides general support for practicing internal auditors.
Government auditors are employed by a particular agency of local, state, or federal government. Government auditors are primarily involved in performing compliance audits. Internal Revenue Service (IRS) auditors and Government Accountability Office (GAO) auditors are the most visible government auditors. IRS auditors examine tax returns to ensure that organizations and individuals report their information in compliance with the Internal Revenue Code. The GAO is an arm of the U.S. Congress that responds to Congressional requests for oversight, review, and evaluation of federal agencies and recipients of federal funds. Thus, GAO auditors often determine whether the agency being audited has spent the money in a manner that is consistent with Congressional mandates.
MANAGEMENT AND AUDITOR RESPONSIBILITY
When preparing the financial statements, management must follow GAAP, which are the principles and practices that govern financial reporting. Formal statements on financial accounting standards are issued by the Financial Accounting Standards Board, an independent standards setting organization in the United States. When financial statements of an entity are presented to the external auditor for a financial audit, the entity's management asserts that the financial statements are prepared in accordance with GAAP. Based on their audit, the auditors are responsible for rendering an opinion on whether the financial statements have been presented in accordance with GAAP in all material respects. To promote independence and objectivity, the audit committee of the company's board of directors is responsible for selecting and hiring the external auditors. In this role, the audit committee also acts as a liaison with the auditors who are performing the financial statement audit.
THE SECURITIES AND EXCHANGE COMMISSION
The Securities and Exchange Commission (SEC) was established by Congress in 1934 to enforce the Securities Exchange Act of 1934. The act requires publicly held companies to file annual audited financial statements (on Form 10-K) with the SEC. While not required by the act, nonpublic companies may also have their financial statements audited for several reasons. For example, the company may be planning to go public in the near future for which it will need audited financial statements for several previous years. Banks or other creditors may also require audited financial statements annually. Finally, a business may voluntarily hire an auditor to provide the owners with some assurance that its financial statements are reliable.
SARBANES-OXLEY ACT OF 2002
A significant number of high-profile business scandals (e.g., Enron, Tyco, and WorldCom in the United States, and Parmalat and Royal Ahold in Europe) that resulted in the restatement of previously issued financial statements early in the twenty-first century eroded investor confidence worldwide. Consequently, the U.S. Congress responded by passing the Sarbanes-Oxley Act (SOX) of 2002 in an attempt to restore investor confidence.
An important aspect of SOX is that it increases the regulation of the external auditors at publicly traded companies. In addition, SOX has designated the SEC as the body to enforce the provisions of the act. The SEC has delegated the oversight of external auditors to the newly created Public Company Accounting Oversight Board (PCAOB). According to Section 103 of SOX, the PCAOB shall:
(1) register public accounting firms; (2) establish, or adopt, by rule, "auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers;" (3) conduct inspections of accounting firms; (4) conduct investigations and disciplinary proceedings, and impose appropriate sanctions; (5) perform such other duties or functions as necessary or appropriate; (6) enforce compliance with the Act, the rules of the Board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto; (7) set the budget and manage the operations of the Board and the staff of the Board. (http://www.aicpa.org/info/sarbanes_oxley_summary.htm)
In essence, this section of SOX provides for government regulation of the audit profession, and it represents one of the most dramatic changes mandated by the new law.
Other changes mandated by SOX have significantly affected external auditors. For example, Section 404 of SOX mandates that all publicly traded companies include in their annual report an assessment made by management about the effectiveness of their internal controls and procedures for financial reporting purposes. SOX also requires that the company's independent auditors attest to and report on management's evaluation of their internal controls and procedures.
Section 302 of SOX mandates that the chief executive officer (CEO) and chief financial officer (CFO) of each publicly traded company prepare a statement to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer" (http://www.aicpa.org/info/sarbanes_oxley_summary.htm). If CEOs or CFOs knowingly and intentionally violate Section 302, they can be held criminally liable. And, under Title IX of SOX, the penalty for filing false financial statements with the SEC "for willful and knowing violations" is "a fine of not more than $5,000,000 and/or imprisonment of up to 20 years" (http://www.aicpa.org/info/sarbanes_oxley_summary.htm). For external auditors, this section of SOX has dramatically increased the attention being focused on the financial statement reporting process.
CPA FIRMS
Audited financial statements submitted to the SEC or to other stakeholders are audited by CPAs. These CPAs practice in public accounting firms, many of which are referred to as professional services firms. The largest firms are commonly referred to as "The Big Four." These four firms are: Deloitte & Touche, Ernst & Young, KPMG, and PricewaterhouseCoopers. These companies, and many other public accounting firms, typically operate as limited liability partnerships (LLPs) and thus carry the LLP designation in their names. In addition to accounting and auditing services, many CPA firms offer tax and consulting services. These consulting services include systems design, litigation support, pension and benefits consulting, and financial planning.
To ensure independence, CPA firms are not allowed to complete most consulting services for their publicly traded audit clients. Under Section 201 of SOX, it is unlawful for a CPA firm to provide any nonaudit service to an audit client, including: (1) bookkeeping or other services related to the accounting records or financial statements of the audit client; (2) financial information systems design and implementation; (3) appraisal or valuation services, fairness opinions, or contribution-in-kind reports; (4) actuarial services; (5) internal audit outsourcing services; (6) management functions or human resources; (7) broker or dealer, investment adviser, or investment banking services; (8) legal services and expert services unrelated to the audit; (9) any other service that the Board determines, by regulation, is impermissible. (http://www.aicpa.org/info/sarbanes_oxley_summary.htm)
GENERALLY ACCEPTED AUDITING STANDARDS
External auditors must follow generally accepted auditing standards (GAAS) when performing financial statement audits. These ten broad standards include three general requirements for the individual CPA, three standards for fieldwork, and four reporting standards. Authoritative guidance regarding the application of these ten general standards is provided in Statements on Auditing Standards, which are issued by the AICPA's Auditing Standards Board.
The general standards require CPAs to be proficient in accounting and auditing, to be independent from their clients, and to exercise due professional care. Before accepting an audit client, auditors must determine if they will be able to provide the necessary services on a timely basis and must have no financial or managerial relationship with the company whose financial statements are being audited.
The fieldwork standards address what is required when actually performing the audit work. The auditor must plan the engagement and supervise assistants. The auditor must obtain an understanding of the company's internal controls. The auditor must obtain sufficient competent evidence to support the financial statement assertions.
The reporting standards set requirements for the auditor's report. The report must explicitly refer to GAAP and must state an opinion on the financial statements as a whole. If there has been a change in accounting principles used by the company or inadequate disclosure of significant information, the auditor's report should address those issues.
For audits of publicly traded companies, the external auditor must also follow the auditing standards issued by the PCAOB. The first standard essentially adopts GAAS for publicly traded company audits and specifies the intention of the PCAOB to consider changes to GAAS on a go-forward basis. The second standard specifies the audit requirements for the internal control audits completed by external auditors, and the third standard specifies documentation requirements related to the evidential matter gathered on an audit of publicly traded companies.
TYPES OF AUDITORS' REPORTS
The auditor can issue five types of reports on financial statements: unqualified opinion, unqualified opinion with modified wording, qualified opinion, adverse opinion, or disclaimer of opinion. Importantly, SOX has brought about dramatic changes to the audit process followed by auditors at publicly traded companies. As a result, the auditors' reports for publicly traded and privately held companies are different. For privately held companies, if the financial statements present fairly, in all material respects, an entity's financial position (i.e., the balance sheet), results of operations (the income statement), and cash flows (the statement of cash flows) in conformity with GAAP, and if the audit is performed in accordance with GAAS, then a standard unqualified report can be issued.
The auditor would issue an unqualified report with modified wording in situations such as a change in accounting principle made by the client, when more than one auditor participated in the audit, where there is a question about the client continuing as a going concern for a year from the date of the balance sheet, or when the auditor wishes to highlight a specific matter. The modification does not affect the opinion.
Auditors would issue a qualified opinion in situations where they view a departure from GAAP as being material, but not pervasive or highly material relative to the entire set of financial statements; or when the auditors have not been able to obtain sufficient competent evidence pertaining to a material, but not pervasive or highly material, part of the financial statements. The auditors must add an explanatory paragraph before the opinion paragraph describing the reason for the qualification and then qualify the opinion paragraph. In the case of inadequate evidence, which is referred to as a scope limitation, the second paragraph of the report would also be modified.
If, in the auditor's judgment, pervasive or highly material deviation(s) from GAAP exist and the auditee fails to adjust the financial statements to the satisfaction of the auditor, then the auditor must express an adverse opinion. In this condition, the auditor expresses an opinion that the financial statements taken as a whole do not present fairly the financial position, results of operations, and cash flows of the company in accordance with GAAP. Adverse opinions are rarely, if ever, seen in practice.
A disclaimer of opinion, which means that the auditor provides no opinion, is issued when the scope limitation (typically lack of evidence regarding financial statement assertions) is so pervasive or highly material that the auditor cannot conclude as to the fairness of the financial statements, taken as a whole. A disclaimer is also issued when the auditor lacks independence from the company being audited. Disclaiming an opinion is also permitted, but not required, in conditions of major uncertainty about the company's ability to continue as a going concern for a year following the date of the financial statements.
For publicly traded companies that report to the SEC, the guidelines issued by the PCAOB must be followed by auditors. Under Section 404 of the law, the audit firms are required to audit both the internal control system and the financial statements on an annual basis. As a result, the auditor report for publicly traded companies has changed.
See also: Accounting; Audit Committees; Government Auditing Standards; Performance Audits
BIBLIOGRAPHY
American Institute of Certified Public Accountants Web site: http://www.aicpa.org (retrieved February 2, 2006).
Internal Revenue Service Web site: http://www.irs.gov (retrieved February 2, 2006).
Messier, William F., Jr., Glover, Steven M., and Prawitt, Douglas F. (2006). Auditing & Assurance Services (4th ed.). Boston: McGraw-Hill/Irwin.
Mohammad J. Abdolmohammadi
Jay C. Thibodeau
Audit
A systematic examination of financial or accounting records by a specialized inspector, called an auditor, to verify their accuracy and truthfulness. A hearing during which financial data are investigated for purposes of authentication.
The Internal Revenue Service (IRS) conducts two types of audits, called examination of taxpayer returns, and they are typically conducted using one of two types of procedures. The most common auditing procedure involves correspondence between the Service and the taxpayer or interviews with the taxpayer in a local IRS office. A less common method involves field audits whereby IRS officials conduct the audit at the taxpayer's home or place of business. Treas. Reg. § 601.105(b)(1). The Service determines which audit procedure should be followed in a particular case. During an audit, an IRS official may question the taxpayer about a particular transaction or transactions that appear on the taxpayer's return or may conduct a thorough investigation of the taxpayer's entire tax return.
Although many people fear audits by the IRS, the percentage of returns examined by the IRS is relatively low. For example, of 108,034,700 returns filed by taxpayers in 1997, the IRS examined 1,662,641, or about 1.5 percent of the total number of returns. Despite this low number, several stories surfaced in the 1980s and 1990s regarding abuses by IRS officials, many of which occurred during the audit process. Congress responded by enacting two "Taxpayer Bill of Rights," first in 1989 and again in 1996. The second act, the Taxpayer Bill of Rights 2, Pub. L. No. 104-168, 110 Stat. 1452, established and delegated authority to the Office of Taxpayer Advocate. This office is responsible for assisting taxpayers in resolving problems with the IRS, identifying areas where taxpayers have had problems with the Service, and identifying potential legislative and regulatory changes that could mitigate problems between the IRS and taxpayers.
audit
au·dit /ˈôdit/ • n. an official inspection of an individual's or organization's accounts, typically by an independent body. ∎ a systematic review or assessment of something: a complete audit of flora and fauna at the site. • v. (-dit·ed, -dit·ing) [tr.] 1. conduct an official financial examination of (an individual's or organization's accounts): companies must have their accounts audited. ∎ conduct a systematic review of: auditing obstetrical care. 2. attend (a class) informally, not for academic credit.
audit trail
1. A record showing the occurrence of specified events relevant to the security of a computer system. For example, an entry might be made in the audit trail whenever a user logs in or accesses a file. Examination of the audit trail may detect attempts at violating the security of the system and help to identify the violator.
2. The external file that contains the sequential flow of information between the application and a graphics system.