CATANDUANES STATE UNIVERSITY

COLLEGE OF BUSINESS AND ACCOUNTANCY

Virac, Catanduanes

OVERVIEW OF AUDITING

AUDITING/AUDIT DEFINED:
- International Federation of Accountants (IFAC) Education Committee defines auditing as a
structured process that:
a. involves the application of analytical skills, professional judgment, and professional skepticism;
b. is usually performed by a team of professionals, directed with managerial skills;
c. uses appropriate forms of technology and adheres to a methodology;
d. complies with all relevant technical standards, such as International Standards on Auditing
(ISAs), International Standards on Quality Control (ISQCs), International Financial Reporting
Standards (IFRS), International Public Sector Accounting Standards (IPSAS), and any applicable
international, national or local equivalents as appropriate; and
e. complies with required standards or professional ethics.”

- Audit is an independent examination of the financial books and records of some person or persons
responsible or accountable to the third party with a view of verifying the accountancy of statement
prepared by or for the accounting party (R.R. Comber)

- Audit is “such an examination of the books, accounts, and vouchers of a business, as will enable
the auditor to satisfy himself that the Balance Sheet is properly drawn up, to give a true and fair
view of the state of the affairs of the business, and whether the Profit and Loss Account gives a
true and fair view of the profit or loss for the financial period, according to the best of his
information and the explanations given to him and as shown by the books; and if not, in what
respect he is not satisfied”. (Spicer and Pegler)

- Auditing is a systematic examination of the books and records of a business or the organization to
ascertain or verify and to report upon the facts regarding the financial operation and the result
thereof. (Montgomery)

- Auditing is a systematic process by which a competent, independent person objectively obtains

and evaluates evidence regarding assertions about economic actions and events to ascertain the
degree of correspondence between those assertions and established criteria and communicating
the results to interested users.

Important Concepts:

 Systematic process – Auditing consists of a series of sequential steps that include information
testing system and testing of transactions and balances.

 Competent, independent person

The auditor must be qualified to understand the criteria used and the competence to know how
and what evidence to accumulate to reach the proper conclusion. The auditor must also have an
independent mental attitude which involves impartial and objective thinking.

 Objectively obtains and evaluates evidence

This means examining the bases for the assertions (representations) and judiciously evaluating the
results without bias or prejudice either for or against the individual (or entity) making the
representations.

AUDITING IN A CIS ENVIRONMENT

Topic: Overview of Auditing
Prepared by: Maribel Sta. Rosa - Zafe
1
CATANDUANES STATE UNIVERSITY
COLLEGE OF BUSINESS AND ACCOUNTANCY
Virac, Catanduanes

 Assertions about economic actions and events

These are the representations made by the individual or entity. They comprise the subject matter
of auditing. Assertions include information contained in financial statements, internal operating
reports, and tax returns
 Degree of correspondence
This refers to the closeness with which the assertions can be identified with established criteria.
The expression of correspondence may be quantified or it may be qualitative.

 Established criteria
These are the standards against which the assertions or representations are judged.

 Communicating the results

This is often referred to as attestation. The final stage in the audit process is the audit report –the
communication of the findings to users. The communication of findings is achieved through a
written report.

 Interested users
These are individuals who use (rely on) the auditor’s findings.

Objective of Auditing
The Philippine Standards on Auditing (PSA) 120 “Framework of Philippine Standards on Auditing”
states the objective of an audit as follows”

“The objective of an audit of financial statements is to enable the auditor to express an opinion
whether the financial statements are prepared in all material respects, in accordance with an applicable
financial reporting framework. An audit of financial statements is an assurance engagement.”

Auditing services are used extensively by business, government, and other not-for-profit
organizations. As society becomes more complex, there is an increased likelihood that unreliable
information will be provided to decision makers. This is referred to as “Information Risk”.

Four primary factors that contribute to information risk (causes of information risk):

1. Remoteness of information users from information providers

Decision makers, almost always, do not get first-hand knowledge about the business enterprise
with which they do business for the reasons that in many cases,
a. owners are divorced from management
b. directors are not involved in day-to-day operations or decisions
c. business may be dispersed among numerous geographic locations and complex corporate
structure

2. Potential bias and motives of information provider

A conflict of interest may be assumed to exist between management and owners regarding the
financial statements. Management usually desires to present the results of its stewardship in the
most favorable light. Information may possibly be biased in favor of the provider when his goals
are inconsistent with the decision maker.

3. Voluminous data
As business grow, possibly millions of exchange transactions are processed daily via manual or
sophisticated computerized systems. This increases therefore the likelihood that improperly
recorded information may be included or buried in the records.

AUDITING IN A CIS ENVIRONMENT

Topic: Overview of Auditing
Prepared by: Maribel Sta. Rosa - Zafe
2
CATANDUANES STATE UNIVERSITY
COLLEGE OF BUSINESS AND ACCOUNTANCY
Virac, Catanduanes

4. Complex exchange transactions

New and changing business relationships may lead to innovative accounting and reporting
problems. Some transactions are so complex and hence more difficult to record properly. Also,
transactions not quantifiable will require increased disclosures.

From the point of view of convenience the objectives of auditing can be divided into three
categories as follows:

Main objectives Subsidiary objectives Other objectives

Obtaining knowledge about the Detecting and Maintaining moral pressure

correctness, fairness and prevention of errors on employees
truthfulness of the financial and frauds
information

Satisfying government
regulations and/or legal
compliance

UNDERSTANDING THE PURPOSE OF AN AUDIT

An audit is simply a review of past history. The IS auditor is expected to follow the defined audit
process, establish audit criteria, gather meaningful evidence, and render an independent opinion about
internal controls.

If the assertions of management and the auditor’s report are in agreement, you can expect the
results to be truthful. If management assertions and the auditor’s report do not agree, that would signal a
concern that warrants further attention.

Your success as an auditor is to accurately report your findings, whether good or bad or indifferent.
A good auditor will produce verifiable results. Nobody should ever come in behind you with a different
outcome of findings. Your job is to report what the evidence indicates.

UNDERSTANDING THE AUDITOR’S RESPONSIBILITY

As an auditor, you are expected to fulfill a fiduciary relationship. A fiduciary relationship is simply one
in which you are acting for the benefit of another person and place the responsibilities to be fair and honest
ahead of your own interest. An auditor must never put the auditee interests ahead of the truth. People
inside and outside of the auditee organization will depend on your reports to make decisions. The auditor
is depended upon to advise about the internal status of an organization. This is a tremendous responsibility.

AUDITOR ROLE vs. AUDITEE ROLE

There are only two titles for persons involved in an audit. First is the auditor, the one who
investigates. Second is the auditee, the subject of the audit.

ISACA refers to this as audit vs. non-audit roles. Your purpose as an auditor is to be an independent
set of eyes that can delve into the inside of organizations on behalf of management or on behalf of everyone
in the outside world. Independent means that you are not related professionally, personally, or

AUDITING IN A CIS ENVIRONMENT

Topic: Overview of Auditing
Prepared by: Maribel Sta. Rosa - Zafe
3
CATANDUANES STATE UNIVERSITY
COLLEGE OF BUSINESS AND ACCOUNTANCY
Virac, Catanduanes

organizationally to the subject of the audit. You cannot be independent if the audit’s outcome results in
your financial gain or if you are involved in the auditee’s decisions or design of the subject being audited.

When determining whether you are able to perform a fair audit, you should conduct an
independence test. In addition, you must remain aware of your responsibility as an auditor under the
various auditing standards.

TYPES OF AUDITS AND REVIEWS

Financial Statement Audit

A historically oriented, independent evaluation performed for the purpose of attesting to the
fairness, accuracy, and reliability of financial data.

Financial statement audit also referred to as independent audit or external audit, involves the
examination of financial statements to determine whether they are stated in accordance with specified
criteria, namely, the generally accepted accounting principles. Financial statement audits are designed to
obtain reasonable assurance about whether the financial statements are free of material misstatements.

Auditors attest to the presentation of financial information in conformity with specified standards.
Auditors do not attest to the financial strength of an entity, the wisdom of its management decisions, or
the risk of doing business with it.

Operations Audit

Also known as management audits and performance audits are examination of all or part of an
organization for the purpose of determining the effectiveness and/or efficiency of its operations.
Operational implies a focus on operations, as opposed to financial portion. Management implies that
information obtained in the audit process is useful to management in decision making. Performance
implies an evaluation of the performance of persons or nits in executing the entity’s objectives.
Effectiveness is a measure of how well an entity or unit of an entity achieves its goal or purpose. Efficiency
is achieved by minimizing the cost of accomplishing an objective.

Department Review

A current period analysis of administrative functions, to evaluate the adequacy of controls,

safeguarding of assets, efficient use of resources, compliance with related laws, regulations and
organization’s policy and integrity of financial information.

Information Systems (IS) Audit

The process of collecting and evaluating evidence to determine whether computer system
safeguards assets, maintain data integrity, achieves organizational goals effectively and consumes
resources effectively

There are three basic kinds of IS Audits that may be performed:

1. General Controls Review

A review of the controls which govern the development, operation, maintenance, and security of
application systems in a particular environment. This type of audit might involve reviewing a data

AUDITING IN A CIS ENVIRONMENT

Topic: Overview of Auditing
Prepared by: Maribel Sta. Rosa - Zafe
4
CATANDUANES STATE UNIVERSITY
COLLEGE OF BUSINESS AND ACCOUNTANCY
Virac, Catanduanes

center, an operating system, a security software tool, or processes and procedures (such as the
procedure for controlling production program changes), etc.

2. Application Controls Review

A review of controls for a specific application system. This would involve an examination of the
controls over the input, processing, and output of system data. Data communications issues, program
and data security, system change control, and data quality issues are also considered.

3. System Development Review

A review of the development of a new application system. This involves an evaluation of the
development process as well as the product. Consideration is also given to the general controls over a
new application, particularly if a new operating environment or technical platform will be used.

Compliance audit

Audit undertaken to confirm whether a firm is following the terms of an agreement or the rules
and regulations applicable to an activity or practice prescribed by an external agency or authority.

Integrated Audit

This is a combination of an operational audit, department review, and IS audit application controls
review. This type of review allows for a very comprehensive examination of a functional operation within
the organization.

Investigative (Fraud) Audit

This is an audit that takes place as a result of a report of unusual or suspicious activity on the part
of an individual or a department. It is usually focused on specific aspects of the work of a department or
individual.

Follow-up Audit

These are audits conducted approximately six months after an internal or external audit report has
been issued. They are designed to evaluate corrective action that has been taken on the audit issues
reported in the original report. When these follow-up audits are done on external auditors' reports, the
results of the follow-up may be reported to those external auditors.

TYPES OF AUDITORS
1. Certified Accounting Firms

CPA Firms have as their primary responsibility the performance of audits of the published historical
financial statements of all publicly traded companies, most other reasonably large companies and many
smaller companies and non-commercial organizations.

CPA firms perform operational auditing as well as compliance auditing as part of their management
consultancy services.

AUDITING IN A CIS ENVIRONMENT

Topic: Overview of Auditing
Prepared by: Maribel Sta. Rosa - Zafe
5
CATANDUANES STATE UNIVERSITY
COLLEGE OF BUSINESS AND ACCOUNTANCY
Virac, Catanduanes

2. Internal Auditors

Internal auditors are employees of individual companies who perform independent appraisal activity
within the organization such as review of accounting, financial and other operations as basis for service
to management. They provide management with valuable information for making decisions
concerning effective operation of its business.

The internal auditor is therefore concerned with all kinds of financial and other data gathered for both
internal and external users. Likewise, the internal auditor is also engaged in evaluating the efficiency
of resource utilization, the effectiveness with which the entity objectives are attained.

3. Government Auditors

Several government agencies perform a significant number of audits. These include the Commission
on Audit and the Bureau of Internal Revenue.

COA Auditors

Government auditors from COA determine whether the government agencies and other entities that
use public funds:

1. Present their financial statements fairly in accordance with GAAP and applicable laws and
regulations;
2. Conduct the programs with economy and efficiency;
3. Desired results are achieved.

BIR Examiners

BIR audits affect individuals as well as businesses. A form of compliance auditing, BIR audits or
examinations is designed to determine whether the taxpayers have complied with the tax laws. These
audits can be regarded solely as compliance audits.

An auditor involved in these areas must have considerable tax knowledge and auditing skills to conduct
an effective audit.

UNDERSTANDING THE VARIOUS AUDITING STANDARDS

There are two basic types of audits: one that verifies compliance (compliance test) and one that
checks the substance and integrity of a claim (substantive test). Just how does an auditor know what to do
in these audits? As an IS auditor, you are fortunate to have several credible resources available to assist
you and guide your clients.

Among these resources are standards and regulations that direct your actions and final opinion. It
would be quite rare to depart from these well-known and commonly accepted regulations. In fact, you
would be in an awkward situation if you ever departed from the audit standards. By following known audit
standards, you are relatively safe from an integrity challenge or individual liability. By adhering to audit
standards, a good auditor can operate from a position that is conceptually equal to Teflon non-stick coating.
Nothing negative or questionable could stick to the auditor.

You can learn more about auditing standards by reading and then implementing information
provided by the following:

AUDITING IN A CIS ENVIRONMENT

Topic: Overview of Auditing
Prepared by: Maribel Sta. Rosa - Zafe
6
CATANDUANES STATE UNIVERSITY
COLLEGE OF BUSINESS AND ACCOUNTANCY
Virac, Catanduanes

 Financial Accounting Standards Board (FASB)

 Generally Accepted Accounting Principles (GAAP)
 American Institute of Certified Public Accountants (AICPA)
 Statement on Auditing Standards (SAS), standards 1 through 101, which are referenced and applied
by the AICPA.
 Committee of Sponsoring Organizations of the Treadway Commission (COSO), providing the COSO
internal control framework that is the basis for PCAOB standards
 Public Company Accounting Oversight Board (PCAOB), issuing audit standards AS-1, AS-2, and AS-
3
 U.S. National Institute of Standards and Technology (NIST), providing federal IS standards
 U.S. Federal Information Security Management Act (FISMA), which specifies minimum security
compliance standards for government systems including the military
 IS Audit and Control Association (ISACA) and IT Governance Institute (ITG) issue COBIT guidelines
that were derived from COSO with a more specific emphasis on information systems.
 International Organization for Standardization (ISO) Basel Accord Standard II (Basel II), governing
risk in banking
 Organization for Economic Cooperation and Development (OECD), providing guidelines by
participating countries promoting multinational business

Although this list may appear daunting, it is important to remember that all these examples are in
fundamental agreement with each other. Each standard supports nearly identical terms of reference and
supports similar audit objectives. These standards will have slightly different levels of audit or audit scope.
The IT Governance Institute and ISACA have developed a set of IT internal control standards for CISAs to
follow. These incorporate several objectives of the COSO internal control standard that have been
narrowed to focus on IT functions. Let’s look at a brief overview of the ISACA standards.

ISACA IS Audit Standards

The members of ISACA are constantly striving to advance the standards of IS auditing. CISAs should
check the ISACA website (www.isaca.org) for updates on a quarterly basis. The current body of ISACA Audit
Standards are organized using a format numbered from 1 to 11:
S1 Audit Charter The audit charter authorizes the scope of the audit and grants you
responsibility, authority, and accountability in the audit function.
S2 Independence Every auditor is expected to demonstrate professional and organizational
independence.

S3 Professional The auditor must act in a manner which denotes professionalism and respect.
Ethics and
Standards of
Conduct
S4 Professional The auditor must have the necessary skills to perform the audit. Continuing
Competence education is required to improve and maintain skills
S5 Planning Successful audits are the result of advance preparation. Proper planning is
necessary to ensure that the audit will fulfill the intended objectives.
S6 Performance of This standard provides guidance to ensure that the auditor has proper
Audit Work supervision, gains the correct evidence to form conclusions, and creates the
required documentation of the audit.
S7 Audit Reporting The auditor report contains several required statements and legal disclosures.
This standard provides guidance concerning the contents of the auditor’s
report.
S8 Follow-up The follow-up activities include determining whether management has taken
Activities action on the auditor’s recommendations in a timely manner.

AUDITING IN A CIS ENVIRONMENT

Topic: Overview of Auditing
Prepared by: Maribel Sta. Rosa - Zafe
7
CATANDUANES STATE UNIVERSITY
COLLEGE OF BUSINESS AND ACCOUNTANCY
Virac, Catanduanes

S9 Irregularities This standard outlines how to handle the discovery of irregularities and illegal
and Illegal Acts acts involving the auditee.

S10 IT Governance This standard covers the authority, direction, and control of the information
technology function. Technology is now pervasive in all areas of business. Is
the auditee properly managing IT to meet their needs?
S11 Use of Risk This standard provides guidance for implementing a risk-based approach in
Analysis in Audit audit planning.
Planning

AUDITOR IS AN EXECUTIVE POSITION

Many people are envious of the CISA auditor’s position. They see nice cars, lunches with important
people, expensive suits, and comfortable expense accounts. Nobody seems to pay attention to the
humorous situation of six auditors sharing one folding table while sitting in a closet, balancing laptop
computers with only one network jack and one telephone to share. Frankly, the auditor position grants you
the luxury of being well-paid observers with professional benefits. Occasionally, your office and travel
accommodations may not be the best. However, the reality is that most people look up to auditors with
respect.
Your clients expect you to be authoritative and professional regardless of the circumstances. Your
office is mobile, so you are depended on to handle decisions in the field. Your clients include the highest
levels of management within an organization. Those clients expect you to assist them with your
observations and occasional advice. You will deal with the challenges of providing advice in a manner that
does not interfere with the independent audit. Remember the independence question raised a few pages
ago?
Personnel at every level of your client’s organization have an expectation of your appearance. You
are going to be judged by your speech, mannerisms, clothing, and grooming. You should always wear
professional attire to a level more formal than the attire of your client. Your neat and pressed appearance
instills respect and confidence. Your courtesy of manner and speech dictates you should use reassuring
words. Any humor by the auditor should always be restrained and professional.

AUDITING IN A CIS ENVIRONMENT

Topic: Overview of Auditing
Prepared by: Maribel Sta. Rosa - Zafe
8