
AUDITING & ASSURANCE SERVICES

Course Code: MBAF-514


Credit Hours: 2
BY

Dr. KARUNAKARA RAO.R


Course description
• The objective of the course is to develop knowledge and
understanding of various types of audits in addition to the
financial statement audit.
• The course emphasizes the standard approvals of
performance and management auditing.
• It provides various technologies utilized in evaluating the
business entity from the various auditing perspectives.
• The course covers important areas such as compliance audit,
operational audit, governance audit, Internal Controls,
Internal audit Planning, Risk Based approaches to Audit,
Information Technology Audit and VFM auditing.
Chapter 1 Auditing and Types of Auditing
• Introduction
• Classifications of Auditing
• Financial Audit
• Operational Audit
• Information Systems (IS) Audit
• Integrated Audit
• Investigative Audit
• Follow-up Audit
Chapter 2: Internal Control
• Importance of Internal Controls
• Internal Control Framework: COSO (The Committee of Sponsoring
Organizations) standard
• Another Internal Control Framework: COBIT (Control Objectives for
Information and Related Technology)
Chapter 3: Internal and Risk based Audit
• Foundation of Internal Audit
• Explanation of risk based audit (RBA)
• The transition from systems based to risk based assurance
• Audit’s primary roles, objectives and concerns
• Risk based Audit Planning phases
• The maturity of the audit process
• The steps needed to embrace a risk based approach
• Audit risks
• Planning and Performing Internal Audit
• Internal auditing in practice (with special reference to Ethiopian
Government/MoFED manual)
Chapter 4: Operational Auditing
• Operational audit definitions, types and applicable areas of the
business
• The operational audit process
• Benchmarks and performance standards
• Operational auditing in practice: how to audit your supply chain (with
special reference to Ethiopian Government / MoFED manual)
Chapter 5: Auditing Corporate Governance
• 6 core principles of governance
• 7 governance warning signs
• Meeting Stakeholder requirements
• The key parties within Governance
• Corporate governance statements
Chapter 6: Value for money auditing
• What is VFM auditing? How does it differ from other audit
approaches?
• The benefits and dangers of VFM auditing
• The 3 E’s – the cornerstone of VFM auditing
• How to measure the 3 E’s
Chapter 7: IT auditing
• Information system Audit Programs
• Global Technology Audit Guides (GTAGs)
• What can be done without specialist IT audit resource
• Defining the IT audit universe
• Focus on high risk areas
• Assess IT vulnerabilities
Chapter 1 Auditing and Types of Auditing
Introduction
• The term audit is derived from the Latin term ‘audire,’ which means
to hear. In the early days a person used to listen to the accounts read
out by an accountant in order to check them. He was known as the auditor.
• Auditing is as old as accounting, and there are signs of its existence in
all ancient cultures such as Mesopotamia, Greece, Egypt, Rome, U.K.
and India.
• The Arthashastra by Kautilya detailed rules for accounting and auditing
of public finances.
Introduction
• During the 18th century, the company form of organization came
into existence. In these companies capital is contributed by
shareholders, but they do not have control over the day-to-day
working of the company. The shareholders who have invested their
money would naturally be interested in knowing the financial position
of the company. This gave rise to the need for an independent person
who would check the accounts and report to the shareholders on the
accuracy of the accounts and the safety of their investment.
Definitions
• Lawrence R. Dicksee - "An audit is an examination of accounting records
undertaken with a view to establishing whether they correctly and
completely reflect the transactions to which they purport to relate."
• Taylor and Perry - "Audit is defined as an investigation of some statements
of figures involving examination of certain evidence, so as to enable an
auditor to make a report on the statement."
• F.R.M De Paula - "An audit denotes the examination of Balance Sheet and
Profit and Loss Account prepared by others together with the books of
accounts and vouchers relating thereto in such a manner that the auditor
may be able to satisfy himself and honestly report that, in his opinion, such
Balance Sheet is properly drawn up so as to exhibit a true and correct view
of the state of affairs of the particular concern according to the information
and explanations given to him and as shown by the books".
Definitions
• Prof. Montgomery - "Auditing is a systematic examination of the
books and records of business or other organization, in order to
ascertain or verify and to report upon the facts regarding its financial
operations and the result thereof."
• Spicer & Pegler - "Audit is such an examination of the books of
accounts and vouchers of a business, as will enable the auditor to
satisfy himself that the Balance Sheet is properly drawn up, so as to
give a true and fair view of the state of affairs of the business, and
whether the profit and loss account gives a true and fair view of the
profit or loss for the financial period according to the best of his
information and explanations given to him and as shown by the
books, and if not, in what respect he is not satisfied".
Definitions
• The Institute of Chartered Accountants of India defines "Auditing is a
systematic and independent examination of data, statements, records,
operations and performance (financial or otherwise) of an
enterprise". In any auditing situation the auditor perceives and
recognizes the propositions before him for examination, collects
evidence, evaluates the same and on this basis formulates his
judgement, which is communicated through his Audit Report.
FEATURES OF AUDITING
• Audit is a systematic and scientific examination of the books of accounts of a business.
• Audit is undertaken by an independent person or body of persons who are duly
qualified for the job.
• Audit is a verification of the results shown by the profit and loss account and the state
of affairs as shown by the balance sheet.
• Audit is a critical review of the system of accounting and internal control.
• Audit is done with the help of vouchers, documents, information and explanations
received from the authorities.
• The auditor has to satisfy himself with the authenticity of the financial statements and
report that they exhibit a true and fair view of the state of affairs of the concern.
• The auditor has to inspect, compare, check, review and scrutinize the vouchers supporting
the transactions and examine correspondence, minute books of shareholders and
directors, the Memorandum of Association and Articles of Association, etc., in order to
establish the correctness of the books of accounts.
Objectives of auditing
• Primary objective - the primary duty (objective) of the auditor is to
report to the owners whether the balance sheet gives a true and fair
view of the Company's state of affairs and the profit and loss A/c gives
a correct figure of profit or loss for the financial year.
• Secondary objective - it is also called the incidental objective as it is
incidental to the satisfaction of the main objective. The incidental
objectives of auditing are:
• Detection and prevention of Frauds (Embezzlement of Cash; Misappropriation
of Goods; and Fraudulent manipulation of Accounts) and
• Detection and prevention of Errors (Error of omission, Error of commission,
Error of principle, Compensating or offsetting errors, Error of duplication).
Types of Audits
• Audit is an art of systematic and independent review and
investigation of Financial Statements, Management Accounts,
Management Reports, Accounting Records, Operational Reports,
Revenue Reports, Expense Reports, etc. The results of the review
and investigation are reported to shareholders and other key
internal stakeholders of the entity.
• Audit reports are sometimes submitted to other stakeholders such as
the government, banks, creditors or the public. Audit is classified into many
different types and levels of assurance according to the objectives,
scope, purposes and procedures by which the auditing is performed.
External Audit
• External audit is a type of audit service offered by audit firms, which
provide Assurance Service, Consultant Service, Tax Service, Legal Service,
Financial Advisory, and Risk Management Advisory.
• External audit, also known as financial audit and statutory audit,
involves the examination of the truth and fairness of the financial
statements of an entity by an external auditor who is independent of
the organization in accordance with a reporting framework such as
the IFRS.
External Audit
• The need for an external audit primarily stems from the separation of
ownership and control in large companies in which shareholders
nominate directors to run the affairs of the company on their behalf.
As the directors report on the financial performance and position of
the company, shareholders need assurance over the accuracy of the
financial statements before placing any reliance on them. External
audit provides reasonable assurance to the owners of the company
that the financial statements, as reported by the directors, are free
from material misstatements.
Internal Audit
• Internal auditing is an independent and objective consulting service
which is designed to add value to the business and improve the entity’s
operations. It provides a systematic and disciplined approach to evaluating
and assessing risk management, internal control and corporate
governance.
• The scope of internal audit is generally determined by the audit committee, board of
directors or directors that have equivalent authorization. If there is
no audit committee or board of directors, internal audit normally reports
to the owner of the company.
• Internal audit activities normally cover internal control review,
operational review, fraud investigation, compliance review, and other
special tasks assigned by the audit committee or BOD.
Forensic or investigative Audit
• Forensic audit is normally performed by a forensic accountant who has skills in
both accounting and investigation. Forensic accounting is the type of engagement
that undertakes a financial investigation in response to a particular subject
matter, where the findings of the investigation are normally used as evidence in
court.
• Forensic audit involves the application of auditing and investigative skills to situations
that may involve legal implications. Forensic audits may be required in the
following instances:
• Fraud investigations involving misappropriation of funds, money laundering, tax evasion and
insider trading
• Quantification of loss in case of insurance claims
• Determination of the profit share of business partners in case of a dispute
• Determination of claims of professional negligence relating to the accountancy profession
• Findings of a forensic audit could be used in a court of law as expert opinion on
financial matters.
Statutory Audit or Compliance Audit
• Statutory audit refers to an audit of financial statements for
specific types of entities that is required by law or a local authority.
• The statutory audit is normally performed by external audit firms; the
audit report is issued by the auditor and submitted to the government body
by the entity.
• Compliance audit is a type of audit that checks against internal policies
and procedures as well as laws and regulations. By laws and regulations
we mean the laws of the government where the business is operating.
Public Sector Audit
• State-owned companies and institutions are required by law in several
jurisdictions to have their affairs examined by a public sector auditor.
In many countries, public sector audits are conducted under the
supervision of the auditor general, which is an institution responsible for
strengthening public sector accountability and governance and
promoting transparency.
• Public sector audit involves the scrutiny of the financial affairs of
state-owned enterprises to assess whether they have been operated
in a way which is in the best interest of the public and whether
standard procedures have been followed to comply with the
requirements in place to promote transparency and good governance
(e.g. public sector procurement rules).
Financial Audit
• Financial audit refers to the audit of an entity’s financial statements by an
independent auditor, where an audit opinion is provided on those
financial statements.
• Financial audit is normally performed annually, at the end of the
accounting period. This type of audit is also known as financial
statements auditing.
• However, sometimes, as required by management, a bank, a securities exchange,
regulation, or otherwise, the financial audit is also performed
quarterly. Most entities prepare their financial statements based on
IFRS, and some entities’ financial statements are prepared based on
local GAAP.
Tax Audit
• Tax audit is a type of audit performed by the government tax
department or tax authority. A tax audit could be performed as the
result of non-compliance found by a government agency or according to the schedule
set by the government tax department.
• Tax audits are conducted to assess the accuracy of the tax returns
filed by a company and are therefore used to determine the amount
of any over or under assessment of tax liability towards the tax
authorities.
Information System Audit or
Information Technology Audit (IT Audit)
• Information system audit is sometimes called IT audit. This type of
audit assesses and checks the reliability of the security system, the information
security structure, and the integrity of the system.
• Sometimes, financial auditing also requires IT auditing, as the use of
technology is increasing and most clients’ financial reports are
recorded by complex accounting software. The audit approach has also
changed due to changes in management’s approach to recording
and reporting their entity’s financial information.
• Normally, before relying on an information system (software) that is used for
producing financial statements, the auditor is required to have an IT audit
team test and review that information system first.
Value For Money Audit
• Value for money audit refers to audit activities performed to assess and
evaluate three main factors: Economy, Efficiency, and
Effectiveness.
• For economy, the auditor assesses and evaluates whether the resources the entity
purchases are at low cost with acceptable quality, whereas in an efficiency
audit the auditor checks whether the resources the entity uses have a better
conversion ratio.
• Effectiveness, by the way, looks at the big picture: whether the entity’s
use of resources meets its objective or not.
• The auditor might review the entity’s purchasing system to assess and evaluate
whether it is helping the entity to purchase materials or services at low
cost or not.
Integrated Audit
• An integrated audit happens when two different areas of
audit are required. For example, there is a financial audit along with a social
audit, or there are some areas that need to be confirmed with the financial audit.
• For example, NGOs require their financial statements to be audited
along with the technical areas that those NGOs spend the money on.
• For example, an NGO is working on public health and most of the money
spent is supported by technical reports. This is called an integrated audit.
An integrated audit also happens when the entity operates in many different
countries and the financial statements are audited by different audit
firms.
Special Audit
• Special audit is a type of audit assignment normally done by the
internal auditor. It happens when there is a problem in the
organization, such as fraud or other special cases.
• For example, fraud occurs in the payroll department and
this concern is raised to the audit committee or board of directors, or
sometimes there is a request from the CEO to have a special audit of this
area. Special audit is a bit different from forensic audit, as special
audit is done by internal staff of the entity.
Operational audit
• Operational audit is a type of audit service in which the review mainly
focuses on the key processes, procedures, systems, as well as internal
control, and whose main objective is to improve productivity, as well as
the efficiency and effectiveness of operations.
• Operational audit also targets leaks in key controls and processes
that cause waste of resources, and then recommends improvements.
• Operational audit is part of internal audit, and its main aim is to
add value to the business through professional services. A systematic and
highly disciplined approach also helps to make sure the
operational audit adds value to the organization.
Environmental & Social Audit
• Environmental & Social Audits involve the assessment of environmental
and social footprints that an organization leaves as a consequence of its
economic activities. The need for environmental auditing is increasing due
to the higher number of companies providing environment and sustainability
reports in their annual report describing the impact of their business
activities on the environment and society and the initiatives taken by them
to reduce any adverse consequences.
• Environmental auditing has provided a means for providing assurance on
the accuracy of the statements and claims made in such reports. If for
example a company discloses the level of CO2 emissions during a period in
its sustainability report, an environment auditor would verify the assertion
by gathering relevant audit evidence.
Follow-up Audit
• Follow-up audit is a process by which internal auditors evaluate the
adequacy, effectiveness, and timeliness of actions taken by
management on reported observations and recommendations,
including those made by external auditors and others.
Chapter 2: Internal Control
• Importance of Internal Controls
• Internal Control Framework: COSO (The Committee of Sponsoring
Organizations) standard
• Another Internal Control Framework: COBIT (Control Objectives for
Information and Related Technology)
Definitions of Internal control
• Lakis and Giurinas write that the concept of the word "control" itself
holds many definitions and meanings. They entail different goals,
values, and achievements that will be implemented in organizations.
Therefore, it can be expected that the concept of internal control can
be defined in various ways. It can be understood differently each time
depending on the situation. In their words, internal control is mostly
“concerned with authority management tools that help to control
processes and achieve enterprise goals”.
• Hightower defined internal controls as "program of activities
established to catch and monitor a potential exposure that could
result in a significant error, omission, misstatement, or a fraud".
Definitions of Internal control
• "An internal control system encompasses the policies, processes, tasks,
behaviours and other aspects of a company that taken together:
• Facilitate its effective and efficient operation by enabling it to respond
appropriately to significant business, operational, financial, compliance and
other risks to achieving the company's objectives. This includes the
safeguarding of assets from inappropriate use or from loss and fraud, and
ensuring that liabilities are identified and managed:
• Help ensure the quality of internal and external reporting. This requires the
maintenance of proper records and processes that generate a flow of
timely, relevant and reliable information within and outside the
organization:
• Help ensure compliance with applicable laws and regulations, and also with
internal policies with respect to the conduct of business."
Importance of Internal Controls
• Internal control is defined as a process determined by an entity's
board of directors, management and other personnel, designed to
provide reasonable assurance regarding the objectives in the
following areas:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Internal controls assure that the processes companies want to
happen will and things they don't want to happen won't.
Importance of Internal Controls
• The overall purpose of internal control is to help a department
achieve its mission and accomplish certain goals and objectives. An
effective internal control system helps a department to:
• Promote orderly, economical, efficient and effective operations
• Produce quality products and services consistent with the department's
mission
• Safeguard resources against loss due to waste, abuse, mismanagement, errors
and fraud.
• Promote adherence to statutes, regulations, bulletins and procedures
• Develop and maintain reliable financial and management data, and accurately
report that data in a timely manner
Who Is Responsible For Internal Controls?
• Management is ultimately responsible and should assume ownership
of the system. Leadership and direction should be provided by the
management team and each department is responsible for specific
internal control policies and procedures. All employees have some
responsibility as it is developed by people to guide people with a
means of accountability.
What Can Each Department Do To Improve Its
Internal Controls?
• Implement separation of duties among different employees to reduce the risk of error or
inappropriate actions; ensure no one person has complete control over all aspects of any
financial transaction
• Ensure records are routinely reviewed and reconciled by someone other than the
preparer to determine that transactions have been processed accurately and
appropriately
• Ensure that cash, equipment, inventories, and other property are secured physically,
counted periodically, and compared to control records; limit access only to authorized
persons
• Provide employees with the appropriate training, direction, and supervision to ensure
they have the necessary knowledge and skills to carry out their duties; inform employees
of the proper channels for reporting suspected improprieties
• Make sure company-wide and department-level policies and procedures are formalized,
documented, communicated and readily available to employees; document day-to-day
operating procedures and practices to provide staff with guidance to ensure
management's directives are carried out and to help maintain continuity of operations in
the event of prolonged employee absences or turnover
Internal Control Framework: COSO standard
• The role of internal control is represented by the Internal Control
Framework developed by COSO. The Committee of Sponsoring
Organizations of the Treadway Commission (COSO) Framework is the
most widely recognized and implemented. Moreover, it is also well
developed, having been published in the year 1992 and recently
updated in 2013. Therefore, it gives comprehensive knowledge on the
subject.
• The committee is a joint initiative of five organizations, which are the
American Accounting Association, the American Institute of Certified
Public Accountants, Financial Executives International, Institute of
Internal Auditors, and the Institute of Management Accountants.
COSO FRAMEWORK
Control Environment
• Integrity and Ethical Values
• Commitment to Competence
• Board of Directors and Audit Committee
• Management’s Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Procedures
Risk Assessment
• Company-wide Objectives
• Process-level Objectives
• Risk Identification and Analysis
• Managing Change
Control Activities
• Policies and Procedures
• Security (Application and Network)
• Application Change Management
• Business Continuity/Backups
• Outsourcing
Information and Communication
• Quality of Information
• Effectiveness of Communication
Monitoring
• Ongoing Monitoring
• Separate Evaluations
• Reporting Deficiencies
COBIT
• COBIT, which stands for Control Objectives for Information and
Related Technology, was published by the Information Systems Audit
and Control Foundation in 1996 and updated in 1998 and 2000.
COBIT is a comprehensive internal control framework specifically
pertaining to internal control issues associated with information
technology (IT). COBIT's mission is to "research, develop, publicize,
and promote an authoritative, up-to-date, international set of
generally accepted information technology control objectives for
day-to-day use by business managers and auditors."
COBIT
• COBIT is an internationally developed, comprehensive IT evaluation tool
that envelops virtually every major generally accepted standard in the
world pertaining to controls and IT. Included for consideration during its
development were standards from numerous organizations, including the
International Organization for Standardization (ISO); Electronic Data
Interchange for Administration, Commerce, and Trade (EDIFACT); Council of
Europe; Organization for Economic Cooperation and Development (OECD);
ISACA; Information Technology Security Evaluation Criteria (ITSEC); Trusted
Computer Security Evaluation Criteria (TCSEC); COSO; United States
General Accounting Office (GAO); International Federation of Accountants
(IFAC); IIA; American Institute of Certified Public Accountants (AICPA); CICA;
European Security Forum (ESF); Infosec Business Advisory Group (IBAG);
National Institute of Standards and Technology (NIST); and the Department
of Trade and Industry (DTI) of the United Kingdom.
• COBIT defines control as "the policies, procedures, practices, and
organizational structures designed to provide reasonable assurance
that business objectives will be achieved and that undesired events
will be prevented or detected and corrected."
