o Advisory services- professional services
offered by public accounting firms to
• External (Financial) Audits
o independent attestation performed by
an expert the auditor who expresses an
opinion regarding the presentation of
financial statements.
o Attest service- performed by Certified
Public Accountants (CPA) who work for
public accounting firms that are
independent of the client organization
being audited
o The Securities and Exchange
Commission (SEC) requires all publicly
traded companies be subject to a
financial audit annually.
o CPAs conducting such audits represent
the interests of outsiders: stockholders,
creditors, government agencies, and
the general public.
o The CPA’s role is similar in concept to a
judge who collects and evaluates
evidence and renders an opinion.
▪ A key concept in this process is
independence
o The external auditor must follow strict
rules in conducting financial audits.
• Attest Service versus Advisory Services
o Attest service- an engagement in which
a practitioner is engaged to issue, or
does issue, a written communication
that expresses a conclusion about the
reliability of a written assertion that is
the responsibility of another party.
o The following requirements apply to
attestation services:
▪ written assertions and a
practitioner’s written report.
▪ formal establishment of
measurement criteria or their
description in the
presentation.
▪ The levels of service in
attestation engagements are
limited to examination,
review, and application of
agreed-upon procedures
improve their client organizations’
operational efficiency and
effectiveness.
o IT risk management- The advisory
services units of public accounting firms
responsible for providing IT control-
related client support have different
names in different firms, but they all
engage in tasks known collectively as IT
risk management.
▪ they provide non-audit clients
with IT advisory services
▪ Work with their firm’s
financial audit staff to perform
IT-related tests of controls as
part of the attestation
function
o the purpose of the task, rather than the
task itself, defines the service being
rendered
• Internal Audits
o Institute of Internal Auditors (IIA)- an
independent appraisal function
established within an organization to
examine and evaluate its activities as a
service to the organization.
o An internal audit is typically conducted
by auditors who work for the
organization, but this task may be
outsourced to other organizations
o Certified Internal Auditor (CIA) or a
Certified Information Systems Auditor
(CISA)
o they represent the interests of the
organization
o governed mostly by the Institute of
Internal Auditors (IIA) and, to a lesser
degree, by the Information Systems
Audit and Control Association (ISACA).
• External versus Internal Auditors
o respective constituencies
▪ external auditors represent
outsiders
▪ internal auditors represent the
interests of the organization.
 o internal auditors often cooperate with
and assist external auditors in
performing aspects of financial audits.
o The independence and competence of
the internal audit staff determine the
extent to which external auditors may
cooperate with and rely on work
performed by internal auditors.
o A truly independent internal audit staff
adds value to the audit process
• Fraud Audits
o investigate anomalies and gather
evidence of fraud that may lead to
criminal conviction.
o Sometimes fraud audits are initiated by
corporate management who suspect
employee fraud.
o boards of directors may hire fraud
auditors to look into their own
executives if theft of assets or financial
fraud is suspected.
o Certified Fraud Examiner (CFE)
certification, which is governed by the
Association of Certified Fraud
Examiners (ACFE).
FINANCIAL AUDIT COMPONENTS
• Auditing Standards
o divided into three classes: general
qualification standards, field work
standards, and reporting standards
o GAAS establishes a framework for
prescribing auditor performance, but it
is not sufficiently detailed to provide
meaningful guidance in specific
circumstances.
o American Institute of Certified Public
Accountants (AICPA) issues Statements
on Auditing Standards (SASs) as
authoritative interpretations of GAAS.
SASs are often referred to as auditing
standards, or GAAS, although they are
not the ten generally accepted auditing
standards.
o Statements on Auditing Standard-
authoritative pronouncements because
every member of the profession must
follow their recommendations or be
able to show why a SAS does not apply
in a given situation. The burden of
justifying departures from the SASs falls
upon the individual auditor.
• Systematic Process
o Conducting an audit is a systematic and
logical process that applies to all forms
of information systems.’
o systematic approach is particularly
important in the IT environment. The
lack of physical procedures that can be
visually verified and evaluated injects a
high degree of complexity into the IT
audit (e.g., the audit trail may be purely
electronic, in a digital form, and thus
invisible to those attempting to verify
it)
o a logical framework for conducting an
audit in the IT environment is critical
to help the auditor identify all-
important processes and data files.
• Management Assertions and
Audit Objectives
1. Existence or Occurrence- all assets
and equities contained in the balance
sheet exist and that all transactions in
the income statement actually
occurred.
2. Completeness- no material assets, equities, or
transactions have been omitted from the
financial statements.
3. Rights and Obligations- assets appearing on the
balance sheet are owned by the entity and that
the liabilities reported are obligations
4. Valuation or allocation- assets and equities are
valued in accordance with GAAP and that
allocated amounts such as depreciation expense
 are calculated on a systematic and rational
basis.
5. Presentation and Disclosure- assertion alleges
that financial statement items are correctly
classified (e.g., long-term liabilities will not
mature within one year) and that footnote
disclosures are adequate to avoid misleading
the users of financial statements • Communicating Results
o Auditors must communicate the results
of their tests to interested users.
o Audit opinion- distributed along with
the financial report to interested
parties both internal and external to
the organization.
o Audit risk- probability that the auditor
will render an unqualified (clean)
opinion on financial statements that
are, in fact, materially misstated.
o Errors are unintentional mistakes.
o Irregularities are intentional
misrepresentations associated with the
commission of a fraud such as the
• Obtaining Evidence
misappropriation of physical assets or
o Auditors seek evidential matter that
the deception of financial statement
corroborates management assertions.
users
o In the IT environment, this process
• Audit Risk Components
involves gathering evidence relating to
o Acceptable audit risk (AR) is estimated
the reliability of computer controls as
based on the ex-ante value of the
well as the contents of databases that
components of the audit risk model.
have been processed by computer
These are inherent risk, control risk,
programs.
and detection risk.
o tests of controls- which establish
• Inherent Risk
whether internal controls are
o associated with the unique
functioning properly.
characteristics of the business or
o substantive tests- determine whether
industry of the client
accounting databases fairly reflect the
o Firms in declining industries have
organization’s transactions and account
greater inherent risk than firms in
balances.
stable or thriving industries.
• Ascertaining Materiality
o Industries that have a heavy volume of
o The auditor must determine whether
cash transactions have a higher level of
weaknesses in internal controls and
inherent risk than those that do not.
misstatements found in transactions
o Placing a value on inventory when the
and account balances are material.
inventory value is difficult to assess due
to its nature is associated with higher
inherent risk than in situations where
inventory values are more objective.
o Auditors cannot reduce the level of
inherent risk.
 o Control risk- likelihood that the control
structure is flawed because controls
are either absent or inadequate to
prevent or detect errors in the
accounts
o Auditors assess the level of control risk
by performing tests of internal
controls.
• Detection Risk
o risk that auditors are willing to take
that errors not detected or prevented
by the control structure will also not be
detected by the auditor.
o Auditors set an acceptable level of
detection risk (planned detection risk)
that influences the level of substantive
tests that they perform
• Audit Risk Model
o to determine the scope, nature, and
timing of substantive tests (NTE)
o AR IR × CR × DR
• The Relationship Between Tests of Controls
and Substantive Tests
o Tests of controls and substantive tests
are auditing techniques used for
reducing audit risk to an acceptable
level.
o The stronger the internal control
structure, as determined through tests
of controls, the lower the control risk
and the less substantive testing the
auditor must do.
o Evidence of weak controls forces the
auditor to extend substantive testing to
search for misstatements.
o the more reliable the internal controls,
the lower the CR probability, that leads
to a lower DR, which will lead to fewer
substantive tests being required
o substantive tests are labor intensive
and time-consuming, they drive up
audit costs and exacerbate the
disruptive effects of an audit