Overview of the Audit Process

Without having policies and procedures of quality control, an audit firm in Turkey cannot have the right to pursue an audit work for a client firm because it will not be able to be accredited by Public Oversight, Accounting and Auditing Standards Authority (KGK – POAASA). Therefore, the audit firm must prepare a quality control guide stating its policies and procedures to ensure that it meets its professional responsibilities to client firms and others. This guide also refers to the audit firm’s system of quality control.

In an audit firm, the responsibility of the system of quality control belongs to top management. Particularly, it belongs to the audit firm’s chief executive officer or the board of directors. When top management of the audit firm establishes policies and procedures designed to promote an internal culture recognizing that quality is essential in performing audit engagements, this internal culture will be adopted by the audit firm’s staff so that they perform audit work in compliance with auditing standards and legal requirements and issue reports that are in line with their obtained sufficient appropriate audit evidence. In order to maintain the quality status, for example, the audit firm’s training programs emphasize the importance of quality work, and the audit firm’s management reinforces quality work through performance evaluation, compensation, and promotion decisions.
 

Principles of audit process consist of the components of the audit process. There are eleven components of the principles of the audit process: procedures of quality control, objectives of the auditor, professional judgment, professional skepticism, financial statement cycles, management assertions, audit objectives, audit evidence, audit procedures, audit techniques, audit sampling, and audit documentation.

In an audit firm, the policies and procedures of quality control must be designed to prepare the audit firm and its staff to comply with relevant ethical requirements (see the figure below).

One of the ethical requirements refers to the Code of Ethics for Professional Accountants prepared by International Ethics Standards Board for Accountants (IESBA). All members of the accounting and auditing profession must adopt the following fundamental principles of ethics (IESBA 100.5).

Integrity: to be straightforward and honest in all professional and business relationships

Objectivity: not to allow bias, conflict of interest or undue influence of others to override professional or business judgments.

Professional competence and due care: to maintain professional knowledge and skill at the level required to ensure that a client firm receives competent professional service based on current developments in practice, legislation and techniques and act diligently in accordance with applicable technical and professional standards. 

Confidentiality: to respect the confidentiality of information acquired as a result of professional and business relationships, and therefore, not disclose any such information to third parties without proper and specific authority, unless there is a legal or professional right or duty to disclose, nor use the information for his/her personal advantage or for the advantage of third parties.

Professional behavior: to comply with relevant law and regulations and avoid any action that discredits the accounting and auditing profession.  

Independence: In addition to these fundamental principles of ethics, an auditor must also maintain independence in planning, performing the audit and determining his/her audit opinion. In this context, independence includes both independence of mind and independence in appearance. Independence of mind is the state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgment, and thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism. Independence in appearance: the avoidance of facts and circumstances that are so significant that a reasonable and informed third party would be likely to conclude, weighting all the specific facts and circumstances, that a firm’s or a member of the audit team’s, integrity, objectivity or professional skepticism has been compromised.

Audit firm’s management must establish policies and procedures for deciding whether to accept a new client for an audit engagement, continue an existing client relationship for an audit engagement or accepting a new audit engagement for an existing client relationship. These policies and procedures are expected to minimize the risk of associating with a client firm whose management lacks integrity. 

Audit firm must establish policies and procedures designed to provide that it has sufficient staff with
the competence, capabilities and commitment to ethical principles to plan and perform the audit in
accordance with auditing standards and applicable legal and regulatory requirements and to enable
the audit firm to issue audit reports that have appropriate audit opinion. Some of policies and procedures of human resources in audit firms should include the following items: Recruitment, Performance evaluation, Capabilities, Competence, Career Development, Promotion, Compensation, and the estimation of personnel needs. Audit firm should adopt the following example policies and procedures of human resources: 

• All new personnel should be qualified to perform their work competently (recruitment).
• Work is assigned to staff who have adequate technical training and proficiency (competence).
• All staff should participate in continuing professional education and professional development activities (competence).
• Staff selected for promotion have the qualifications necessary for the fulfillment of their assigned responsibilities (promotion).
• Each auditor must be evaluated on every audit engagement using the audit firm’s individual engagement evaluation report (performance evaluation).

An audit firm must establish policies and procedures designed to provide that audit engagements are performed in accordance with auditing standards and applicable legal and regulatory requirements and enable the audit firm to issue audit reports that have appropriate audit opinion . Such policies include consistency in the quality of engagement performance, supervision responsibilities and review responsibilities. Some of the matters related to the consistency in the quality of engagement performance include processes for complying with auditing standards,
process of engagement supervision, staff training and coaching. Some of the supervision responsibilities cover identification of the matters for consultation by more experienced audit team members and tracking the progress of audit engagement Review responsibilities refers to the review of the work of less experienced team members by more experienced audit team members.

An audit firm must establish a monitoring process designed to provide that the policies and procedures related to the system of quality control are relevant, adequate, and operating effectively.  Examples of the monitoring process include ongoing evaluation of the audit firm’s system of internal control, annual testing of quality control procedures and periodic inspection of at least one completed engagement. Monitoring process requires that monitoring responsibility is assigned to a partner with sufficient and appropriate experience. 

The auditor is responsible for reasonable assurance considering the following reasons:
• In conducting audit, most audit evidence is collected through testing a sample of a population such as accounts receivable or inventory. Therefore, audit sampling includes some risk of not detecting a material misstatement. In addition, the auditor’s professional judgement is required for the areas to be tested, for the tests’ type, extent, and timing, and the evaluation of test results. Even if the auditor adopts the ethical requirements, he/she can make mistakes and errors in judgment.
• In conducting an audit, it is possible to face complex estimates, which involve uncertainty and can
be affected by future events.
• In conducting an audit, fraudulently prepared financial statements which are defined as intentional
misstatements or omissions of amounts or disclosures in financial statements to deceive users, are
often difficult for the auditor to detect, particularly when there is collusion among management.

Although financial statements are materially misstated, the probability of expressing an inappropriate audit opinion usually exists. This is called audit risk. Audit risk is a function of the risks of material misstatement and detection risk. In other words, there are two main components of audit risk: risk of material misstatements and detection risk.

Risk of material misstatement is the risk that financial statements are materially misstated prior
to audit. It is generated from the client firm. The auditor has no effect on it. It has two components, namely inherent risk and control risk.

Inherent risk measures the auditor’s assessment of the risk or likelihood of material misstatement being present about a class of transaction, account balance, or disclosure, before considering the effectiveness of related internal controls. This risk is generated from three main sources:

• Management integrity: The likelihood of material misstatement occurring in the financial statements is strongly influenced by the integrity of the management of the client firm. 
• Account risk: Material misstatement may also occur in the financial statements as a result of account balances being susceptible to misstatement. 
• Business risk: It is the risk resulting from significant conditions, events, circumstances, actions and inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies. 

Control risk is the risk that a material misstatement could occur in the client firm’s accounting data about a class of transaction, account balance, or disclosure that will not be prevented, or detected and corrected, on a timely basis by the client firm’s internal control. Therefore, internal control cannot eliminate but reduce risks of material misstatement due to possibility of human error, collusion, and inappropriate management.

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level, will not detect a misstatement that exists and that could be material. It is related to the nature, timing and extent of the auditor’s procedures that are determined by the auditor to reduce audit risk to an acceptably low level. Detection risk cannot be eliminated but can be reduced. Detection risk has two components: sampling risk and non-sampling risk. Sampling risk is the risk or the likelihood that the auditor fails to detect material misstatements about a class of transactions, account balances and disclosures because the entire population was not examined. Non-sampling risk is the risk or likelihood that the auditor will fail to detect material misstatements because sufficient appropriate audit evidence is not collected and/or is not evaluated properly because it should be noted that audit staff may not make optimal judgments to select the appropriate audit procedures and to reach appropriate conclusion throughout an audit.

Professional judgment is the application of relevant training, knowledge and experience, within
the context provided by auditing, accounting and auditing standards, in making informed decisions
about the courses of action that are appropriate in the circumstances of the audit engagement.
Therefore, the auditor exercising the professional judgment must have integrity, be competent and
maintain an objective, and unbiased attitude of mind.  Professional skepticism is an attitude questioning in mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence. It is particularly necessary for the critical assessment, sufficiency and appropriateness of audit evidence. Integrity and honesty of the firm’s management cannot prevent the auditor from maintaining professional skepticism.  

In conducting an audit, it should be noted that there is a strong relationship among the financial statements, management assertions about components of the financial statements, audit  objectives, audit procedures, audit evidence and the audit report. Financial statements reflect management’s assertions about the components of financial statements. The auditor tests management’s assertions by considering audit objectives and conducting audit procedures through audit techniques that provide evidence on whether each management assertion is supported.

In conducting audits, financial statements are usually divided into smaller segments in order to manage the audit. In the same segment, related types or classes of transactions and account balances are kept closely. This is called cycle approach. For example, sales revenue, sales returns,
cash receipts, and allowance for doubtful accounts are the four classes of transactions that cause accounts receivable to increase and decrease. Therefore, they are all parts of the sales and collection cycle. In addition, each client firm has its own transaction cycles because transactions from one client firm to another may differ due to the client firm’ industry where it operates.

Management assertions are implied or expressed representations by management about classes of
transactions and the related accounts and disclosures in the financial statements. They are directly related to the financial reporting framework adopted by the company, because they are part of the financial reporting framework that management uses to record and disclose accounting information in financial statements. There are three categories of management assertions, namely management
assertions, account balances and presentation and disclosure. The auditor should consider the relevance of each management assertion for each significant class of transactions, account balance, and presentation and disclosure and determine whether management assertions about financial statements are justified.

The assertions are occurrence, completeness, accuracy, classification and cutoff.

• Occurrence: Transactions and events that have been recorded have occurred and pertain to the entity.
• Completeness: All transactions and events that should have been recorded.
• Accuracy: Amounts and other data relating to recorded transactions and events have been recorded appropriately.
• Classification: Transactions and events have been recorded in the proper accounts.
• Cutoff: Transactions and events have been recorded in the correct accounting period.

They are existence, completeness, valuation and allocation, and rights and obligations.

• Existence: Assets, liabilities, and equity interests exist.
• Completeness: All assets, liabilities, and equity interests that should have been recorded have been recorded.
• Valuation and allocation: Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation adjustments are appropriately
  recorded. 
• Rights and obligations: The entity holds or controls the rights to assets, and liabilities are the obligation of the entity.

They are occurrence and rights and obligations; completeness; accuracy and valuation; and classification and understandability.
• Occurrence and rights and obligations: Disclosed events and transactions have occurred and pertain to the entity.
• Completeness: All disclosures that should have been included in the financial statements have been included.
• Accuracy and valuation: Financial and other information is disclosed appropriately and at appropriate amounts.
• Classification and understandability: Financial and other information is appropriately presented and described, and disclosures are clearly expressed.

Audit objectives are closely related to management assertions. When performing the audit tests, there are three audit objectives other than specific audit objectives to help the auditor accumulate sufficient appropriate audit evidence. These are transaction-related audit objectives, balance-related audit objectives and presentation and disclosure-related audit objectives.

• Transaction-related audit objectives: They focus on whether transactions are properly recorded. There are six general transaction related objectives as follows: occurrence; completeness; accuracy; posting and summarization; and classification.
• Balance-related audit objectives: They focus on not only verification of the account balance but also verification of the detail that supports the account balance. There are eight general balance-related objectives as follows: existence, completeness, accuracy, classification, cut off, detail tie-in, realizable value, and rights and obligations.
• Presentation and disclosure-related audit objectives: They focus on information included in
  the footnotes to the financial statements, including its accuracy and understandability. There are four presentation and disclosure-related audit objectives as follows: Occurrence, rights and obligations; completeness; accuracy and valuation; classification and understandability.

Audit evidence is the information used by the auditor in arriving at the conclusions on which the
auditor’s opinion is based. In order to obtain sufficient appropriate evidence and to form an audit opinion, the auditor usually benefits from the following seven audit techniques.

• Inspection: It involves examining records and documents, whether external or internal, in paper form or electronic form or a physical examination of an asset. 
• Observation: It involves looking at a process or procedure being performed by others. 
• External Confirmation: It represents audit evidence obtained by the auditor as a direct written to the auditor from a third party, in paper form or by electronic. 
• Recalculation: It involves checking the mathematical accuracy of records and documents manually or electronically. 
• Inquiry: It consists of seeking information knowledgeable persons both financial and non-financial data within the client firm or outside the client firm. 
• Reperformance: It involves the auditor’s independent execution of procedures or controls that
  were originally performed as part of the entity’s internal control. 
• Analytical Procedures: They consist of evaluations of financial information through analysis
  of plausible relationships among both financial data and non-financial data.

International Standards on Auditing have adopted a risk-based audit process. It divides the audit process into three stages. Initial stage refers to the risk assessment. It involves the client acceptance or continuance, understanding of the client firm’s business and industry and preparation of the audit plan. Second stage refers to risk response. It involves the processes of obtaining audit evidence. Final stage refers to reporting. It involves the evaluation of the audit evidence obtained, forming an audit opinion and preparation of the audit report. Each stage of the risk-based audit process covers a different aspect of the audit process. 

1. Accept client and perform initial audit planning: There are four issues to be considered at this sub-stage: (1) acceptance of a new client firm or continuance with an existing client firm, (2) the reason why a client firm needs an audit, (3) understanding with the client firm about the terms of the engagement, and (4) development of the overall strategy for the audit, including audit staffing and any required audit specialists. 
2. Understand the client’s business and industry: The auditor must be familiar with the client
   firm’s business and industry to identify and assess risk of material misstatement and to conduct an adequate audit. 
3. Perform preliminary analytical procedures: The auditor performs preliminary analytical
   procedures as part of risk assessment procedures to better take a financial picture of the client’s business and industry, and to assess the client firm’s business risk. For this reason, the auditor must identify items reported on the financial statements that require further attention due to high risk of material misstatements.
4. Set preliminary judgment of materiality and performance materiality: The auditor makes a preliminary judgment about materiality for the audit of the financial statements because the auditor along with its team members is responsible for determining whether financial statements are materially misstated. 
5. Identify significant risks due to fraud or error: The auditor identifies significant risk that
   is defined as an identified and assessed risk of material misstatement that requires special
   audit consideration in the auditor’s professional judgment whether due to fraud or error. In this stage, the auditor determines whether any of the risks identified area has significant risk within the framework of the auditor’s professional judgement in terms of effective audit planning.
6. Assess inherent risk: The auditor begins his/her assessment of inherent risk during the planning stage. He/she updates his/her assessments throughout the audit. He/she evaluates the information affecting inherent risk to assess the risk of material misstatement at the audit objective level for cycles, balances, and disclosures.
7. Understand internal control and assess control risk: In conducting an audit, the auditor must
   obtain and understand internal controls to identify and assess the risks of material misstatements. However, it should be noted that documentation of the client firm’s management is a major source of information in order to understand the client firm’s
   internal control system. Therefore, the auditor should also use procedures to understand the client firm’s internal control such as: inspection, inquiry of client firm’s staff, observation of employees performing control processes, and reperformance.
8. Finalize overall audit strategy and audit plan: At this sub-stage, the auditor has necessary information and understanding on the client firm’s business and industry, its preliminary analytical procedures, inherent risk, its internal control and its control risk. Using these parameters, the auditor will determine his/her audit strategy by preparing a mix of types of
   tests that will result in an effective and efficient audit by cycle approach. Then, the auditor prepares his/her audit plan which shows how the audit process will be operated including staffing and timing. 

At this stage, the auditor perform test of controls, substantive tests of transactions, substantive analytical procedures and tests of details of balances. The auditor obtains understanding of internal control by performing tests of controls that are audit procedures to test the effectiveness of controls in support of a reduced assessed control risk. Then, the auditor obtains evidence in support of the monetary correctness of transactions by performing substantive tests of transactions which include audit procedures testing for monetary misstatements to determine whether transaction-related audit objectives are satisfied for each class of transactions. Following the stages above, the auditor obtains additional evidence to determine whether the ending balances and footnotes in financial statements are fairly stated. At this stage, the auditor implements two types of procedures. One of them refers to substantive analytical procedures that assess the overall reasonableness of transactions and balances. This is an analytical procedure in which the auditor develops an expectation of recorded amounts or ratios to provide evidence supporting an account balance. The other procedure used by the auditor is the tests of details of balances, which are audit procedures to test for monetary misstatements in the balances reported on the financial statements. In other words, tests of details of balances consist of audit procedures testing for monetary misstatements to determine whether balance-related audit objectives are satisfied for each significant account balance. 

The reporting stage (Arens et al., 2017) consists of four sub-stage: 

1. Perform additional tests for presentation and disclosure
2. Accumulate Final evidence
3. Evaluate results
4. Issue audit report