Ch8. Auditing — Can You Trust the Financial Statements?

What Is an Audit?

Financial Statement Audit: An independent Certified Public Accountant (CPA) reviews whether a company’s financial statements are fairly presented in accordance with GAAP or IFRS, then issues a formal opinion.

Purpose of an Audit:

• Establish the credibility and reliability of financial statements
• Protect investors and creditors
• Deter financial fraud and misrepresentation

Key Standards: Generally Accepted Auditing Standards (GAAS), International Standards on Auditing (ISA), PCAOB Standards (for US public companies)

---

Types of Audit Opinions

Opinion	Meaning
Unqualified (Clean) Opinion	Financial statements are fairly presented in accordance with GAAP/IFRS
Qualified Opinion	Fairly presented except for a specific issue or scope limitation
Adverse Opinion	Financial statements are not fairly presented
Disclaimer of Opinion	Auditor was unable to obtain sufficient evidence, or independence is compromised

Public company audit requirement: All companies listed on US stock exchanges (NYSE, Nasdaq) must have their financial statements audited annually by an independent registered public accounting firm under SEC and PCAOB rules.

---

The Audit Risk Model

Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)

Risk	Meaning
Inherent Risk (IR)	The risk of material misstatement existing, irrespective of any controls
Control Risk (CR)	The risk that internal controls fail to prevent or detect a material misstatement
Detection Risk (DR)	The risk that the auditor’s procedures fail to detect a material misstatement

Strategy: When inherent and control risk are high, detection risk must be lowered → strengthen audit procedures

---

Audit Procedures

1. Planning: Set materiality thresholds, assess risk
2. Understanding Internal Controls: Evaluate the company’s internal control systems
3. Substantive Procedures:
   • Analytical procedures (ratio and trend analysis)
   • Tests of details (sampling of transactions)
   • Physical inspections and external confirmations
4. Completion and Opinion: Wrap up and issue the audit report

---

Internal Controls

Internal Controls: Processes designed within a company to ensure the reliability of financial reporting, efficiency of operations, and compliance with laws and regulations.

The COSO Framework — 5 Components:

1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring Activities

Key Control Mechanisms:

• Segregation of Duties
• Authorization and Approval Procedures
• Physical Safeguards
• Independent Verification

---

Auditor Independence

Independence is a fundamental requirement for the credibility of an audit.

• Independence in Fact: Professional judgment free from bias and self-interest
• Independence in Appearance: Appears independent to a reasonable, informed third party

Threats to Independence: Financial interests in the client, self-review, advocacy, familiarity, intimidation

---

Key Concept Cards

Four Types of Audit Opinions ★★★★★ : Unqualified, Qualified, Adverse, Disclaimer. Qualified = limited issue; Adverse = pervasive problems; Disclaimer = insufficient evidence. Memory tip: Unqualified > Qualified > Adverse > Disclaimer (order of reliability)

Audit Risk Model ★★★★☆ : AR = IR × CR × DR. The higher the inherent and control risk, the lower the detection risk must be. Memory tip: AR = IR × CR × DR

Segregation of Duties ★★★★☆ : Authorization, recordkeeping, custody, and reconciliation of assets are performed by different people. The cornerstone of fraud prevention. Memory tip: One person doing everything = risk of undetected fraud → segregation of duties

---

Practice Quiz

Q. A public company’s financial statements received a “qualified opinion.” What does this mean?

The financial statements are fairly presented overall, but the auditor takes exception to a specific matter (either a scope limitation or a departure from GAAP). Investors should scrutinize the specific issue cited in the audit report.

Q. Why is segregation of duties critical in internal controls?

If one person controls transaction authorization, recordkeeping, and asset custody, they can commit and conceal fraud on their own. Separating duties means that fraud requires collusion between at least two people, dramatically reducing the risk.