The traditional role of auditors is to express professional opinion on a set of prepared financial statements. What this means is that third parties rely on the audited information to make investment decisions as the main reason why we audit financial statements is to give it some credibility. There has been series of debate surrounding auditor’s liability and audited company accounts. The current stance of the law is that auditors can be exonerated from material misstatements in the accounts if it can be proven that professional care and due diligence are the basis of the audit procedures.

Notwithstanding the above, the role of auditors in investment analysis still cannot be over emphasised. This article is written to discuss the important roles of auditors in whole process of investment analysis. The roles of auditors in investment analysis will be looked at from two perspectives.

AS A CONSULTANT

As a consultant, the auditor who in most cases acts as information systems auditor is bestowed with the responsibility of evaluating the overall systems in the organization- paying particular attention to the robustness of the internal control system. A vital element of investment analysis is to enquire into the security of the initial investment. Auditors provide useful information regarding the controls in a company. An investor would not in his or her right senses make stake on an investment that is highly vulnerable and liable to collapse due to bad internal control. Auditors in organization advice management on the best ways to reduce risk or manage risk (both at the strategic and operational levels) so as to improve efficiency thereby increasing the financial and operational value of an investment.

The auditor bridges the credibility gap that exists between providers of funds and users of funds, irrespective of the increasing audit failures.

TRADITIONAL ROLES OF AUDITORS

In this section are brief discussion of what auditors traditionally does in general and how they relate to investment analysis.

AS A STATUTORY AUDITOR | ENSURE COMPLIANCE

Auditor’s traditional role is to ensure that a company has met the legal requirement of a state. This role is very important as it goes a long way to tell the general public that the company is a law abiding entity. Compliance in fact is what most businesses of today is all about. Failure to comply with any relevant law is enough to send a business backing.

ADVICE MANAGEMENT

Auditors advice management on the efficiency of operations and the quality of internal controls. Where there are lapses, the auditor being information professional is in a better position to dole out professional advice that the management can rely on and make substantial progress.

BOOST THE CONFIDENCE OF THE GENERAL PUBLIC

Attracting investment is all about creating an enviable public relation. This public relation is partially hinged on what the auditors tells the general company about the company. In fact, confidence of the public is improved by the mere fact that a company’s account is audited. This reliance of the public on information that has been certified by an auditor is however a cause for worry as auditors’ liability is increased by this dependency.

EXPRESS PROFESSIONAL OPINION

Audit report is an essential part of an annual report of a company that contains professional opinion of an independent third party called the auditor. The major thing that is contained in the auditor’s report is the professional opinion of the auditor on the compliance of financial statement to set of accounting standards.

Investment analysis is an art that involves all hands to be on deck. The role of auditors in investment analysis is an invaluable role in the world of investment appraisal. At the very least, auditors perform loan audit.

WHAT IS AUDIT REPORT?

Audit report in common term is the expression of opinion by an independent third party in this case an auditor as to the compliance and fairness of a set of financial statement of a company.

This is why most audit report begins with the phrase ‘in our opinion….’ This is to say that management has the primary responsibility for the effectiveness of the entity’s internal control over financial reporting and fair presentation of financial statements in conformity with generally accepted accounting principles (GAAP) and going concern.

Audit reporting is the last stage of audit engagement which includes: obtaining/ retaining engagement, planning the engagement, carrying out substantive procedures, carrying out risk assessment, and subsequently reporting.

Sarbanes Oxley Act 2002 and Accounting Standard 5 (AS 5) mandate auditors to prepare a report that covers both the effectiveness of a company’s internal control over financial reporting and comprehensiveness of financial statements. The report on internal control is presented only if an entity is a Securities and Exchange Commission (SEC) registrant.

Purpose of audit report

I am sure you are aware that the official definition of auditing includes the phrase “…communicating those results to interested users.” If this is true, then audit report is a medium through which auditors communicate to users three specific comments/ assertions bothering around the financial statements, the conduct of the audit, and the company in general:

1. Auditors / audit report tells us whether the financial statements are prepared in accordance with GAAP or International Financial Reporting Standards (IFRS). The auditor in the audit report must indicate how financial statements would appear if compliance with IFRS is satisfied in a case where there is no conformity.
2. Auditors through audit report draw the attention of the users of financial information to any unusual aspects of the audit examination. Auditors usually face restrictions/ constraints while auditing a company’s books of accounts. This is more prevalent when auditing in a corrupt environment. So, it is through the audit report that auditor highlights this. Auditors can also use their report to tell the users of accounting information that certain portion of the audit report where conducted by another firm.
3. The third purpose of audit report is to report to financial statements users any other matter affecting the entity. Substantial doubts- auditors expression of concern about a company’s ability to continue as a going concern in a situation where an entity is experiencing significant financial difficulty- is one thing that should be contained in the audit report apart from conformity with GAAP or IFRS. For example, auditors can highlight the effects of changes in accounting principles on the comparability of financial statements.

Auditors give standard report when three conditions are not met VIZ:

1.  
   • The financial statements presents fairly the financial conditions, results of operations, cash flows of the company are in accordance with the provision of IFRS;
   • There are no unusual issues affecting the conduct of the audit; and
   • The auditors do not need to draw the attention of the users of a company’s financial statements to any transaction or events

But because things are not always normal, even in a normal situation, we have other types of audit report that auditors can make.

TYPES OF AUDITORS OPINION

Unqualified opinion: this is the kind of opinion that auditors express when the financial statements are prepared in accordance with the relevant legislation and present fairly the state of affairs in the company.

Adverse opinion: here, the auditor expressed the opinion that the financial statement does not conform to GAAP and does not represent the true state of a company’s affairs.

Limitation of scope opinion/ disclaimer of opinion: auditors make this kind of opinion when they are unable to express opinion.

Qualified opinion: this is the direct opposite of unqualified opinion.

CONCLUSION

At the beginning of this article, I promised to explain what audit report is and to tell you the reason why auditors prepare audit report which we have done. But, don’t forget the fact that auditing is just like financial accounting that is prone to changes. To this end, it will be in your own interest if you just spend some more time reading other articles in this website and buying some of the audit report books displayed below.

WHAT IS PROFESSIONAL LIABILITY?

Professional liability is the obligation that professionals like; accountant, lawyers, medical doctors, etc face as a result of factors like; negligence, incompetence, carelessness, etc. Example of professional liability is the auditors’ liability. Auditors face a lot of liabilities as a result of not meeting the expectation of users of audited information.

WHAT IS GENERAL LIABILITY?

General liability is that liability that has no limit to claims on assets of defendants. It is likened to an open source application where what you can do with anything is limitless. General liabilities are common in the insurance sector where insured make claims on subject that has a general cover.

WHAT IS LONG TERM LIABILITY?

Long term liability is the liability that spans over a period that is longer than six months. Bank loans are good example of long term liability. Obligations that are longer than six months are generally known as general liabilities.

WHAT IS CONTINGENT LIABILITY?

Contingent liabilities are liabilities that are provided for based on anticipated obligations. The accounting standard has made it more stringent to meet the requirement of classifying an item as contingent liability. This legislation is important as many business executives misused the room to include contingent liabilities in what I call ‘lax’ policies. Note that for an item to be seen as a contingent liability, a legal commitment to give out economic value must have been established.

WHAT IS vicarious LIABILITY?

Vicarious liabilities are those types of liabilities that a principal take responsibility of as a result of the action of agent. It is assumed that principals monitor the activities of the agents to ensure that they don’t put them into trouble. It should be however noted that facts of a case in the law court can be distinguished. A liability that arise when an agent leaves his principals assignment and engage in personal venture will be distinguished as not being vicarious liability and borne by the agent.

WHAT IS PUBLIC LIABILITY?

Public liability is the phrase used to describe the nature of certain kinds of businesses is accountable to the general public. This is the direct opposite of the ‘limited liability company’. Corporations that are owned and controlled by the government fall within the class of public liability company.

The keywords and phrases to be recognized from anything/ present in anything that will called a liability are’ commitment’ ‘obligation’ ‘economic value’ and ‘it must be as a result of past action’

Any situation that lack these keywords and phrases cannot be said to be a liability. I hope that this article has been able to answer the question ‘what is liability?’

FTA stands for Fraud Triangle Analytics. FTA is a revolutionary tool designed and introduced by the ACFE in November 2009 to enhance effectiveness of internal control measures on e-mails and instant messages (IM). It is a system that is based on keyword censor. FTA system is fed with keywords that will trigger investigation whenever certain keywords are mentioned a number of time.

A dashboard like interface is made use of to monitor the tempo of communication that is going on between employees while at the same time keeping within the confines of the law. Your chance of violating the privacy act and other acts that protects peoples’ private life is significantly reduced through the use of FTA.

You will notice a spike from your control dashboard each time an employee mention certain words up to a specified number over a period of time. At this point, all you will have to do is carryout a detailed analysis on the communication life of the identified individual. Note that FTA is a fraud detection, fraud prevention and fraud deterring tool that is usually imbedded into the internal audits process of a business to get the best in terms of internal control. This will now lead us to the following questions: what is internal control? What is internal audit? The answers to these questions will be base of the following paragraphs

WHAT IS INTERNAL CONTROL?

Internal controls are the totality of procedures, policies, and guidelines that are put in place to ensure that company’s objectives are met which includes the protection and safeguarding of company’s assets. Internal controls takes into account the control environment of a company before setting up a functional and operational internal control system.

Control objectives and control plans are two major tools that are used to ensure that attention is not diverted from the main idea behind the institution of internal control. It should be noted internal control should be more preventive (proactive) oriented rather than discovering (reactive) oriented

WHAT IS AN INTERNAL AUDIT?

Internal audit is the actions taken by management of a business through a committee to ensure that controls are implemented to the letters. Internal audit just like internal control should not only be focused on the protection of asset but should include evaluation of risk exposure of the business entity. Risk assessment technique should be employed to see if a company is at risk of being defrauded.

Internal audit committee can either be an independent entity or part of the main company. Internal audit committees perform better when it is truly independent of the day to day administrative and running of a business.

Now that you have known what internal audits and internal controls are, you can now imagine what the result will be when we combine these with the fraud fighting power of FTA. I will leave you to figure out the rest for your self.

Businesses have many stakeholders whose interest in the business always conflict and this conflict oftentimes lead to business failure if not properly checked and monitored. In this article are some useful tips on how to set up and implement good corporate governance in a business. This will basically dwell more on the contents of corporate governance.

CONTENTS OF QUALITY CORPORATE GOVERNANCE

• The board should live up to expectation: major policies and strategic decisions should be undertaken by the board members. The composition of the board members is dependent on the attitude of the business towards success. This is the first step that must be taken in setting corporate governance. It is important to have a mind set that strategic and vital decisions are to be made by board members. This should be incorporated into the corporate governance code.
• Ensure that the board members have people with blend mix of skills: the qualification, experience and competencies of those that will be in the board of a company should be enshrined in the code of corporate governance.
• Appointment of board members should be conducted by a nomination committee: procedure for the appointment of members of the board of directors must be written in the code of corporate governance.
• Financial statements should display managers’ remuneration for the public: in order to avoid infringing on someone’s private life thereby violating privacy act of many countries, it is a good practice to always include it in the code of corporate governance that remunerations will be publicly displayed in the financial statements of the company. though various accounting reporting standards provides that managers remunerations be displayed in the financial statements but, I have seen where non inclusion of this in the code of corporate governance of a small business caused a lot of heat.
• Independent non-executives should have significant influence in a company: for there to be checks on excessive use of powers, independent non-executives should have reasonable control over the affairs of the business to ensure transparency and accountability. Their number and the extent of power to be given to them should be included in the code of corporate governance. This will save a lot of headaches in the long run.

Remuneration should depend upon performances: Responsible managers are accountable for their results. This should be written in black and white in the code of corporate governance. Care should be taken in order not to rely too much on material motivation that will obviously work against the long-term goal of a business. Performance appraisal is a complex subject matter that has been dealt with by authorities in different capacities. Buy these books displayed here for more on performance appraisal.

• Who should set the directors’ remuneration: it should be contained in the code of corporate governance that a special group should be responsible for setting directors’ perks (remuneration inclusive).
• Audit committee should always be in contact with external auditors: put it in the corporate governance code that there should be a cordial relationship between the audit committee and external auditors.
• The board should maintain a regular communication channel with shareholders: in order not to fall victim of oversight, always include this in the code of conducts of a company. This may sound obvious but is causing problems in many companies as I write this now.

ELEMENTS OF CORPORATE GOVERNANCE

Management and reduction of risk: corporate governance revolves around the management and reduction of risk and should reflect such.

Framework for ethical operation of business: code of corporate governance should be seen as a framework for ethical operation of business. Care should be taken to make sure that it is prepared to meet the standard of frameworks.

Overall performance linked to good supervision: because good supervision go a long way in determining the overall performance of businesses, code of corporate governance should be tailored to uphold quality internal control and good supervision.

Application of law: good governance is not about having the best rules, procedures and policies. It is all about the application of the laws with passion. Remove the spirit of law and it becomes ordinary piece of writing. An important element of corporate governance is the application of law.

Knowledge of how to establish good corporate governance is what every auditor that really want to be a force to reckon with must have.

You can learn more on corporate governance by buying these books displayed below.

The question however is; are auditors really independent? An independent audit cannot be conducted with first of all ensuring the auditors’ independence. Auditors’ independence is a serious issue in auditing that is facing different storms and hard times. So many factors are responsible for the lack of auditors’ independence; some of them are listed below;

FACTORS THREATENING AUDITORS’ INDEPENDENCE

Financial constraints: auditors submit themselves to the wimps and caprices of their clients just to ease financial constraint. Auditors’ independence will be enhanced if auditors are relieved of financial constraints.

Reduced number of credible accounting firms: the reduced number of accounting firms has made it difficult for companies to have choice in the selection of firms that will render services.

Relationship: auditors can never be independent when they are auditing their relatives or somebody related to them.

Political view: an auditor that has political view can not be independent in auditing. For auditors to be independent, they must stay clear off all forms of politics.

Religious beliefs: religion and auditing cannot go hand in hand. As an auditor, you must remove religious sentiment.

Affection: you cannot be objective in auditing people you have affection for.

Incentives: any auditor that collects any form of incentive cannot perform an independent audit. Independent audit is something that you must do with clean hands. If your hands are soiled with incentives, forget about carrying out an independent audit.

Time constraints: in the bid to meet up with deadlines, auditors seek assistance from their clients and in the process establish a working relationship. Though, there should a level of relationship between the auditor and the auditee, but limits must be observed.

Until measures are put in place to effectively check the above problems, auditors’ independence will still be an illusion. Auditors and auditing bodies should be more proactive in handling auditors’ independence issues. The lack of auditors’ independence is one of the major causes of historical corporate failures like the one experienced in Enron, WorldCom and the rest of them.

Above all, independent audit can only be achieved if auditors can simply talk to their conscience and be honest for once in their dealings. I am among those that believe that auditors of today are well equipped to tackle any fraudulent situation that they may face.

Some people say that huge frauds and misappropriations cannot be perpetrated without the knowledge of accountants in any financial circle. Well, this is their own opinion, what I say is that accountants and auditors ought to read the hand writing on the wall before it escalates into frauds.

Losses associated with frauds are larger than losses associated with every other variable that can cause businesses to lose money put together. I am here today to give you tips on what you need to know as an auditor in order to be reasonably prepared to assume the role of a fraud fighter.

• You must have vast knowledge of the operation of fraudsters: there is no how you can effectively combat fraud and fraudsters if you are not conversant with their mode of operations. You must put on a lion wear if you want to go for lion hunting. Fraud fighting is not a precision science that one needs to apply a formula and get what he or she wants.
• You must teach people around you how to handle frauds: there is no doubt that one of the best way to fight fraud is to educate the unsuspecting members of the general public about the greatest economic threat of our time. It is therefore the duty of auditors as fraud fighters to give out this education to the public for free.
• You must have good knowledge of IT infrastructures: as most of the frauds and other economic crimes performed in this age and time are perpetrated through computers and other IT infrastructures. Auditors must have good knowledge of this principal tool of fraud.
• You must understand the difference between auditing and fraud examination: most auditors have this mind set that frauds or irregularities has to be material before it will be given attention. This is not the case in fraud fighting, in fraud fighting; any fraud is material as what seemed to be immaterial fraud is always like iceberg that will eventually lead to a whole lot frauds.
• You must have analytical skills: fraud examination is a combination of analytical skill and other non-quantitative skills. Because most frauds are concealed in numbers. You must be friendly with figures for you to be a successful fraud fighter.
• You must have good knowledge of accounting and auditing: accounting is the language of business and frauds are committed in the business community. For you to do well in the field of fraud fighting, you must understand the language of the game.
• You must have good communication skills: fraud fighting involves a lot of communications and therefore require people with good communication skills to effectively perform your duty as a fraud fighter.
• You must the ability to speak and write in foreign language:
• Good understanding of law and provisions of the law is a compulsory requirement
• You must hone your interviewing skills, knowledge of psychology, and criminology: human behaviour-al skills and other life building skills are must for any auditor that wants to find his beat in the fraud fighting world. Studying people and their behaviour is very difficult that no one can claim to have accurate prediction of people are up to. You have to put in more effort for you to make headway in this aspect.

There is no better time for you to become a fraud fighter than now as fraud and its ugly effects on businesses is threatening to send many businesses parking. Auditors with the right designation in fraud fighting are in hot demand today.

There are many frauds fighting association around today but, the most popular and respected on is the ACFE (Association of certified fraud examiners). Anybody can join the body as associates but will not be full members until you right and pass their exam.

Quality auditing is designed to ensure that standards for quality controls are met. Fraud audits are calculated efforts by internal auditors on the prevention, detection and deterrence of financial statements arising from asset misappropriation. In doing this, auditors should be aware of the risks and warning signs of fraud.

Many auditors are employed today to act as compliance auditors in different categories and levels. Security audit happens to be an area that gives growing concern to stakeholders both in business and government owned entities.

What I will be sharing with you today is my years of experience in the field of security audit. So, sit back and enjoy!

STEPS TO PERFORM SECURITY AUDIT

Identify what assets need to be protected: the first thing that needs to be done in any security audit is to identify the assets that need to be secured. Skipping this step is just like one going to war without taking out time to find out about his or her enemies. You will be better positioned to fight in a battle and possibly win the battle if you have good information about your enemy. Security audit cannot be carried out on every asset that a business has. There are assets that do not require to be secured. Spending scarce resource to protect these assets will be tantamount to spending $5 in order to protect an asset that is worth $1. Except access to that asset can lead to other more valuable asset, securing it is not economically viable.

Review control plans/activities of the company: companies drafts out control plans or actions that will be taken to ensure that the company’s objectives are met. Auditors acting as compliance auditors should evaluate these control plans in the light of prevailing circumstance to see if they are adequate to achieve result.

Test of procedures and policies: this can sometimes be called red hat team. This process suggests that group of security professionals be employed to launch attack on company’s information systems to see if they can beat any or all of the security measures. Many accounting firms that contract security services on behalf of their clients use this method to test the reasonableness of their security procedures and strategies. Though people used to frown at this method of testing a system but, it has finally gain its way into the heart of many accountants.

Compare actual results with expected results: since it is the objective of the management to protect company’s assets via reliable internal controls and internal audits, security auditors should compare the control objectives with the actual results on ground. Where managers assert that there is proper segregation of duties, compliance auditors should review processes to tell if this is actually followed.

Make recommendations to management: it is required of compliance auditors to report findings of their security audits to the relevant authority and then make recommendations and suggestions that can either be implemented by the managers or not.

Security audit is the back bone of internal control and internal control systems. Every auditor that is forward looking should hone their skills on security audit.

Go and be successful!

STEPS TO PERFORM LOAN AUDIT

Obtain a working knowledge of the contents of the loan covenants: obtain a copy of the loan covenant, read through it thoroughly so as to get a working knowledge of the content and legal implications of the content. Take particular note of restrictive clauses in the loan covenants. Where the contents of the loan covenant seems to be subtle, consult a legal practitioner (lawyer or attorney) for clarifications as laws and agreements are supposed to be clear and not clever.

Calculate ratios: calculate ratios to be sure that the loan covenant has not been violated. Ratios to be calculated will be dependent on the content of the agreement that is why you need to get a working understanding of the loan covenant.

Check your clients accounting policies: loan audit cannot be successfully performed if the auditor did not review the accounting policies of their clients.

Watch out for complex transactions: clients have a way of working with investment bankers and other loan experts to make transactions look complex so as to have their way around the generally accepted accounting practice (GAAP). Ask questions when in doubt of the right treatment for any particular complex transaction. Your professional body should be the first place that you will have to run to. You can also go to forums to post the question making sure you do not mention names.

Evaluate the treatments of other items in the accounts: take a close look at the treatments of other items in the account. Managers and business executives purposely give wrong treatment to certain items in the accounts just to fool the auditors. Loan audits are a technique used by auditors to discover areas prone to fraud and errors and subsequently lead to whistle blowing.

CONCLUSION

Make sure loans are used for what they are taken for. A common fraud in the banking sector is the ‘non performing loan fraud’. These are loans given to connected persons. Loan audit some times delves into discovering the true identity of those behind any loan given or taken.

With the way things are going, I see loan fraud as becoming the next gray area for fraudsters and perpetrators of financial crimes.

WHY DO WE NEED TO AUDIT THE SECURITY OF OUR PRINTER?

You may be asking at this point, why do we actually need to audit the security of our networked printer since we have all the network security technology in place? The simple answer is; because of the multifunction nature of printers, vulnerabilities that were not in existence in printers before now exist. Printers can now be remotely administered. If unchecked, loopholes in networked printers can be a gateway to other secure components of our network.

POSSIBLE ATTACK ON NETWORKED PRINTERS

A hacker can do the following

• Modify the IP (internet protocol) address of a networked printer to an unused IP address on the same subnet.
• Switch the IP address of his laptop to what the address of the printer previously was
• Captures all traffic (all data) sent over port 9100 to the IP address to which end users are configured to use.
• Forward all data to the ‘new’ IP address of the printer.

The above scenario is an example of man-in-the-middle attack. This process happens so fast that the end user will not notice that there has been any form of interference in the process.

STEPS TO AUDITING PRINTER SECURITY

The steps that are needed in auditing the security of our printer are very simple. They are states below:

1. Policies and procedures evaluation:

The first thing to do is to evaluate the company’ security policies as it relates to printing and printers. Ensure that policies and procedures to follow in the configuration of printers are clearly stated in the document. Many companies make the mistake of still considering printers as ordinary devices that are just networked within a company’s network thereby not giving adequate attention to it overall configuration.

1. Identification of risky points: sample of networked computers should be taken and vulnerable points identified. Freeware and shareware tools can be used to test the level of security available on a networked printer. Try obtaining the IP address of your networked computer from a remote location, manipulate the IP address as described above, then apply these freeware and shareware tools to the data gathered. If done successfully, it then means that there is a security threat in our networked printer environment. Another method that can be used to check for vulnerability to run Nmap scan against the printers selected for review. Nmap is used to scan a network to discover other printers that are connected to it. An attacker can use this technique to figure out which printer is on the subnet and launch attack on it. Common problems encountered in this kind of scanning for vulnerability are: (1) finding Telnet and FTP (file transfer protocol) enabled. Enable the telnet and FTP in order to be successful in this identification process. (2) Printers running an older version of SNMP (simple network management protocol). The use of version one of the SNMP, brings the problems of transferring data in its unencrypted state.

Again, Wireshark could be used to analyse traffic and capture anything sent to port 9100 of the IP, if successful, it then means that the IP of the printer is not locked.

STEPS TO MITIGATING THE IDENTIFIED VULNERABILITIES

Since the common attack that can be launched on networked computers is the man-in-the-middle attack, the IP addresses of every networked printer should be locked down. If management is using a centrally controlled printer, it should ensure that its policies and procedures adequately address the issue of printer security.

As true as the above may be, auditors are still the professionals/ experts on internal control matters. This assertion holds for the following reasons.

• Auditors need to fully understand a business’s working environment and internal control.
• Management may want to fool auditors into making audit risk (risk of giving the wrong opinion on the truth and fairness of financial statements of a company). Auditors evaluate internal controls of an entity so as to fix the level of acceptable detection risk that is the function of inherent risks and control risks.
• Auditors can be consulted to help organizations prevent and detect frauds and errors.

For auditors to achieve all the above, certain knowledge and skills needs to be acquired by auditors. Auditors must know how to evaluate internal controls of businesses. Auditors must have working knowledge of system development life cycle (SDLC).

Since the objectives of internal controls of businesses are to ensure the security of company’s assets, the evaluation of internal control should best be done from the result point of view. Auditors should seek to know if the control objectives of internal controls are met.

The cost of achieving a control objective in a system of internal control should not outweigh the benefits that should be derived from setting up the internal control in any business venture. Auditors can use either of these two tools to ensure that the internal control system is not defeating the aim for which it was set up. The tools are;

• The control matrix, and
• The systems flowchart

I will not go into the detailed steps of the above two tools as it will make this article too long for you to digest.

AUDITING THROUGH THE COMPUTER

Auditing through the computer describes the various steps taken by auditors to evaluate client’s software and hardware to determine the reliability of operations that is hard for human eyes to view and also test the operating effectiveness of related computer controls, e.g., access control.

Auditing through the computer is common in practice today as many companies/ businesses make use of computerized information systems and these in turn have significant controls embedded in them. Ignoring these computer controls will make auditors not to have the required insight into the effectiveness and reasonableness of the client’s internal control. And will not be reporting in compliance with the relevant laws and regulations that govern auditing as a profession.

 Though, external auditors most times uses this technique to test the controls in simple applications, but, internal auditors more frequently uses auditing through the computer technique to ensure that errors that may not be easily detected from the output are discovered and corrected.

AUDITING AROUND THE COMPUTER

Auditing around the computer is one of the several methods that auditors can use to evaluate a client’s computer controls. It involves picking source documents at random and verifying the corresponding outputs with the inputs. The client’s computerized information system processes the ‘test transaction’. For example, multiplying unit price with the number of products sold to ensure that the total revenue figure is correct.

No attempt is made to establish and evaluate the existence of controls. Auditing around the computer is appropriate in situations where significant computer controls are not required. For example, auditing around the computer can be used when computers are only used for calculation purposes.

CONCLUSION

Though, nothing is technically wrong with auditing around the computer if the auditor is satisfied with the control system in place and is able to gather sufficient evidence in this regard, but, in order to meet with the requirement of gaining sufficient understanding of a system (internal control), auditing through the computer will be the best bet for auditors to follow. Again, AS 5 (Auditing Standard) did not permit auditors to issue opinions on the operating effectiveness of internal control of a business if auditing around the computer approach is used.

To reduce auditor’s liabilities, auditors should assess control risk in a computerized system and, if appropriate, should evaluate the design and operating effectiveness of related controls. To ensure that the client’s management operates according to the generally accepted auditing standards (GAASs) and SOA (Sarbanes-Oxley’s Act of 2002) which is to establish and maintain an operational and functional internal control, auditors should employ auditing through the computer and not auditing around the computer.

Happy auditing!!

Under the common law, liabilities can be brought against the auditor for breach of contract. Breach of contract in auditing is established when an auditor fails to exercise due care and professionalism in the discharge of his duties. The case of Smith v. London assurance corp. (1905) was the first US case involving an auditor and a client. Auditors may be liable to clients for tort liability. Auditors have a high responsibility to their client because of the relationship they establish with their clients. Third party can file a lawsuit against auditors if they can prove the following:

• They suffered an economic loss
• Auditor has failed to exercise appropriate professional care (ordinary negligence, gross negligence, and fraud)
• The financial statement was materially misstated.
• The loss was caused by reliance on the financial statements by the third party.

The effects of auditors liabilities was at a point relaxed but was later re-ignited. Hence, there is every need for auditors to take every precaution to safeguard them self from legal liability. Below are some tips that will help you as an auditor avoid being indicted.

• Being competent: the best way to mitigate yourself against auditors’ liability is to be competent in your work. Competency entails a lot of other qualities, it goes with; professionalism, due care and diligence. Competent auditors will have all the necessary qualifications needed to be an auditor. Know when to bring in as expert and do so, e.g., insist that management brings in a Fraud Examiner whenever case of fraud is established.
• Being conversant with the provisions of the law: Enactments like Sarbanes-Oxley Act has placed some restrictions on the activities of auditors. Auditors should equip themselves with the provisions of this Act as ignorant of the law is not an excuse.
• Operating under a limited Liability Partnership: having the word ‘limited’ in an accounting firms’ name will make the firm enjoys some benefits that accrue to Limited Liability Company.
• Careful wordings in the engagement letter: substantial amount of clients and third party liability can be avoided if auditors limit their exposure by choosing words to be included in the engagement letter carefully. Avoidance of ambiguous words should be your watchword – make sure the phrase “exclusion of punitive damage” is included in the engagement letter.

In as much as auditors’ liability cannot be completely mitigated, the above tips when correctly applied will help significantly reduce the incidence of legal actions against auditors. Rise up and face the future of auditing squarely.

To your liability free auditing career!

MYTHS OF FRAUD

• Most people are honest and will not steal: who told you that most people are honest? The fact that you may be honest does not mean that every other person out there is honest. For you to be successful in detecting and preventing fraud, you need to develop forensic mindset. A forensic mindset will make you suspect people while still working calmly with them.
• The owners cannot steal from themselves: this is a wrong concept; owners of business are in fact the class of people that perpetrate the highest fraud. This they do mostly by falsifying financial statements just to create the kind of picture they want to create in the mind of the general public.
• Fraud only occurs in large companies: fraud can occur in any size of business. Fraud has nothing to do with the size of the business.
• Most fraud is immaterial: this is one concept in accounting that many fraudsters have been leveraging on to commit fraud. Auditors should see every penny that cannot be accounted for as a gateway to billions that cannot be accounted for. Most celebrated fraud cases were discovered through the investigation and probing of small misappropriation.
• Most fraud is never detected: in as much as this is arguable, having this as a solace for the failure of auditing in fraud detection is a loser’s approach to life. Auditors should be optimistic that every fraud should and can be detected.
• Auditors cannot do a better job at discovering fraud: this is one big lie that perpetrators of fraud use to brain wash auditors to give up in the fight against fraud. They often say that the aspect of the legislation that demand auditors to finish their work within certain time frame makes it impossible for auditors to come out with meaningful work. Some even say that auditors are not spirits that can discover fraud committed when they are not there. These are all lies fashioned by fraudsters.
• Fraud is always well concealed: fraud can never always be well concealed.
• My client understands that I will not always find fraud: many auditors still believe in old concept of auditing. Thinking that your clients understand that you cannot always find fraud is just like a medical doctor saying that his/ her client understands that prescriptions don’t always work. If so, why then seeking medical attention in the first place?

Any auditor that wants to meet up with the challenge facing auditing and accounting as a whole should wake up from slumber and wipe away those myths about fraud from his or her eyes. Auditing and accounting must regain her lost glory if all auditors should demystify the myths behind fraud and auditing.

To a continued fight against fraud!

The change in business rule was necessitated by the pervasiveness (encompassing) of IT and dependence on IT for business processes. This then means that IT risk assessment has now become a significant portion of overall risk assessment of a business. Yet, many auditors still struggle with the issue or, if convinced of the importance of IT risk assessment, the question; how do I perform it becomes prominent.

If you are among the class of auditors that are wondering on how to carryout an effective audit of IT risk assessment in an entity, worry not as this article is for you. And if you already have an IT risk assessment skills, read on as this article will surely add one or two value to your IT audit knowledge bank.

BASICS OF AUDITING IT RISK ASSESSMENT

We are going to take a question approach to assessing the IT risk of a company. Since the primary/ main focus of an IT risk assessment is to identify risks that IT presents to the business, then it will be wiser to base your IT risk assessment on two broad questions

(1)   What is the magnitude of the risk (monetary or otherwise)

(2)   What is the probability of occurrence?

The aim of the above two questions is to enable an IT auditor to only identify material risk. Material risks are the probabilities that an outcome with negative that can significantly affect business operations will be achieved. After all, risk is assessed as both probability of occurrence and a magnitude of effect or the product of the two.

Armed with these two questions, one can then proceed into other four aspects of IT risk assessment:

1. FIRST ASPECT- RISK IDENTIFICATION

Below are some of the various ways that the auditor can employ to identify IT risk of a company.

1.  
   • Obtain a copy of the current IT risk assessment document. This is in the case when management already has an IT risk assessment document. Also, auditors should obtain a copy of the company’s operational business plan. The business plan should include: goals, objectives, weaknesses, strengths and strategies of the business. Other documents that the auditors can assess are: procedural and policy documents. Where access to the above documents is denied, the auditor should by default set the company’s IT risk at a very high level. These documents when allowed access to should then be reviewed by the auditor to identify the role of IT in the organization and critical points where risks are likely to occur. The auditor should place a high level of IT risk on companies with high reliance on IT infrastructures without adequate countermeasures in place.
   • Obtain an understanding of managerial, operational and administrative aspects of IT functions. Is the company cautious of technological changes/ advancement and the new level of risk that always characterize the advent of new technology?
   • Gather information about the qualification and competency of key IT staff of a company. The more competent the key staff is, the lower the risk level of the company as far as IT is concerned.
   • Get information about the harmony between IT infrastructures and company’s objectives. Are IT investments made in the wrong IT? Investment in the wrong information technology will increase the risk of losses associated with mismanagement of information technology. The returns from IT investments should be adequate to meet a company’s required rate of return. This may not necessarily be the case at all time as there are IT projects that will be embarked on just to satisfy other non-financial factors of investment appraisal.
   • A working knowledge of the change management process of the company should be sought. Does the IT function of the company include the writing or modification of codes? If yes, to what degree is the best practices of systems development life cycle (SDLC) adhered to? The higher the degree of adherence to SDLC best practices, the lower the IT risk of IT functions and that of the company as a whole.
   • Access control policy of the company should be evaluated in the light of information security best practices. How easy is it for people to have access to a company’s information system? How many times in the past has there been any reported case of unauthorized access to critical information and IT infrastructure? This evaluation should include assessment of both logical and physical access control measures.
2. SECOND ASPECT- IDENTIFICATION AND MANAGEMENT OF MULTIPLE AND CROSS-ENTERPRISE RISKS. This aspect of IT risk assessment attempts to identify various vulnerable points and check if there are countermeasures in place to help checkmate any eventuality. Special attention should be paid to enterprises that we have dealings with. For example, softwares and applications should be tested to ensure that no threat will be introduced into the company.
3. THIRD ASPECT- TAKING INTO CONSIDERATION RESTRICTING FACTORS THAT CONTRIBUTES TO IT RISK. Regulations, rules, standards and laws that have the potential of increasing IT risk should be assessed in the light of company’s current practice. Privacy Act is a good example of this. Companies should ensure strict adherence to all enactments made.
4. FOURTH ASPECT- IDENTIFYING THE RISK OF DOING NOTHING. Four options are open to a company as far as risk is concerned. They are:
   • Mitigate the risk,
   • Transfer the risk,
   • Assume the risk, and
   • Do nothing

IT risk is not an exception in this case; the effect of doing nothing about IT risk should be identified and assessed. Questions like, what do we stand to lose in the case of business interruptions that are related to IT risks? Should be asked so as to get an insight into what the company stands the chance of losing in the case of eventuality.

CONCLUSION

Acquisition of the right skills and judicious application of the tips given in this article should help every auditor position him/her self better to carry out quality IT risk assessment.

To your success as an auditor!

The regulatory bodies are doing their best to make sure that the value of information audited by auditors still remains intact, after all, auditing is all about rendering of credibility to a piece of information (financial statement in the context of accounting). A lot of auditing and accounting regulatory bodies spring up everyday in every part of the world. Auditing and accounting standards constantly get revised.

I am writing this article to bring to your notice that more things need to be done in the areas of monitoring the works of professional accountants who engage in auditing and other information professionals that are also in the field of auditing. It is not just enough to have piles of auditing standards and rules everywhere, more needs to be done to enforce the actual implementation of these standards, guidelines, policies and procedures. Auditors themselves need to be audited for a level of sanity to be achieved in the field of auditing and accounting.

This is no doubt a fact that no one can ever dispute. The reason for this submission is that auditors’ independence which is one of the principal pillars of conducting a reasonably fair audit has been seriously impaired. The problem is; how do you audit the auditors to ensure that their independence is not compromised?

Apart from the impairment of auditors’ independence, information overload is another problem that auditors have to battle with in order to pick the most relevant information for their audit work. Having knowledge of accounting information system SWOT analysis will be an indispensable tool in overcoming this problem.

The question raised above is the subject matter of this article. And below are some useful suggestions that I have to make in this regard.

• Peer review
• Close monitoring of auditors independence
• Enforcing rotational auditing
• Morale persuasion
• Setting up panels that will critically look into public criticism of any auditing firm

Look at both the past and recent accounting scandals, you will discover that they all one thing in common; the auditors’ independence were seriously compromised in all these cases. I strongly believe that setting laws and standards alone cannot take us far in this direction but auditing the auditors is a vibrant option and a clear way out of the mess that is beclouding auditing, future of auditing and accounting as a whole.

Auditing in a corrupt environment is an additional difficulty that auditors have to face in the source of their duty. Some of the traditional difficulties / challenges faced by auditors are as follows:

Auditors’ independence: auditors’ independence is one problem that has been facing the auditing profession from time immemorial. How do you expect an auditor that is connected to the auditee to carryout his or her duty(s) objectively? Leaders of a country appoint the Auditor general of the federation while the directors of a company appoint the auditors of a company. Auditors’ independence is one challenge/ difficulty that will remain problem area in the nearest future.

Difficulties in identifying the scope of audit: a lot of auditors find it difficult to identify the right scope of the audit work to be done.

Time scope of auditing: the large size of the entities audited in this modern and corrupt society makes it almost impossible for auditors to meet up with the time scope given by the regulatory bodies of both business and auditing.

Expectation gap: people place an undue pressure on auditors as a result of the fact that they don’t know the main objective of auditors. For the benefit of doubt, the traditional role of auditors is to lend credibility to a piece of information. This is usually financial statements of a company.

Legal requirements: auditors will have to struggle with legal requirement of both the country and professional bodies. Keeping with these legal requirements is not always easy as many people think.

Negative smartness of people: the activities of negatively smart stewards of both a nation and a country pose a serious threat to the smooth working environment of auditors.

The above are the regular or what some people will call the traditional difficulties or challenges faced by auditors, but these difficulties faced by auditors are further compounded by the presence of high level corruption. High level corruptions are those corruptions that involve influential people in a society. Auditing in a society where those at the helms of affairs are themselves corrupt to a fault is a new face of challenge that auditors have to face squarely. It is generally agreed that the best way to combat fraud (prevention and detection) is to have a strong internal control in place. So what will now be the faith of auditing, auditors and their work when those that make policies are themselves crafty? Laws are meant to be clear and not clever. But these bundles of thieves at the top have resorted to making laws clever rather than clear. It is now common practice that those in power control the business world.

Take Nigeria for example. Those that appoint auditor General of the federation are those that dictate the tune of the game and the so appointed auditor general are always people of questionable character. Corruption magnifies the auditor’s independence challenge.

I know you may at this point be asking, Chinweike, what then do you think is the way out? Well, my standard answer is; auditors and auditing professional bodies should form a formidable alliance with other professional bodies like the Fraud examiners to marshal out way forward. The appointment of the auditor general of the federation should be vested in the hands of the relevant professional bodies.

I strongly believe that financial crisis will be reasonably controlled if auditing is done in a relatively corruption free society. I still appreciate the fact that it is not the duty of the auditors to scout for corporate and national corruption, but, drastic action needs to be taken to reduce the incidence of corporate and national financial crisis that ultimately culminate into global financial crisis.

On the part of consumers of audited information, accepting the information as being credible is always difficult. People are generally aware of the happenings in both the corporate world and the government. They know that auditing in a corrupt environment is not as easy as it sounds in papers.

Apart from collaborative corruption, the next factor that is chiefly responsible for giving a non-qualified opinion where a qualified opinion should be given and vice-versa is the fact that many auditors and auditing firms lack the all important skill to successful auditing – understanding the language of figure and body language.

There is need for accountants who acts as auditors to develop their non-technical skills. This is made possible by sharpening their skills on psychological and criminological fields of studies.

There are situations that need the application of psychology and criminology to handle effectively and efficiently in order to produce result. Some Managers and Directors have notorious records of trying all their best to fool auditors at all times. They sharpen their criminal mind on a continuous basis. Hence, there is also an urgent need for auditors and accountants to keep pace with these managers and directors that have criminal tendencies.

The cases of WorldCom, Enron, Parmalat, Barings Bank, etc all provide further evidence that the traditional training given to accountants is not and will not be enough/ sufficient in handling the non-figure aspects of auditing.

I like the stand that ACCA took in their 2009/2010 theme. They recognized the new role that accountants are to play in this modern business environment. A critical analysis of that material reveals that accountants and auditors have more roles to play in the area of adding value to the overall business operation. This they do in different capacities – as advisors, management consultants, auditors, human resource managers, risk managers, business owners, systems consultants, etc.

The implication of this is that accountants have more reading and learning to do now than ever. They need to sharpen their technical and non-technical skills – street smartness included.

Auditing obviously has gone beyond the; show me era. The profession now demands that you don’t need to be showed a thing (evidence for assertions) before you find out the hidden truth regarding that issue yourself.

This presupposes that being an auditor in this modern age goes beyond paper qualification, a personal knowledge acquisition process has to be formulated and followed religiously so as to be relevant in auditing for the future.

Anybody who has been in the position to protech company’s information will tel you that information security can never be 100% secure.

As true as the above may be, information Auditing has lots in stock to offer as far as blocking of security loopholes is concerned. In this article are some tips on how to use auditing to gather information about information security loopholes that can be blocked through the help of information auditing.

The aim of every information security policy is to protect the company’s most valued assets (components). These assets are; software, hardware, data, procedures, networks and people.

In achieveing the above objectives, certaing standards needs to be met. And how do you ensure that those standards are met? You get that by auditing the information security processes and polices.

The steps that needs to be taken in order to be reasonably assured that the objective of information security is met are listed and briefly explained in this article.

• Ascertain the information security needs of the company. The first thing that every company need to do in order to block some information security loopholes is to ascertain their information security needs. This can be done in various ways but, few examples are; smapling users opinion and engaging the service of an expert.
• Gather the available information security policies on ground. Taking an information security SWOT analysis is a useful way of ensuring that information are not unduely exposed to danger.
• Compare the available policies with the industry standards. After the analysis has been made, the results should be benchmarked with the industry standard for any possible corrective action.
• Get fedback from end users. This comprise of both customers and operators. Valuable insight can be obtained from this group by simply asking for their feedback.
• Seek proof of implementation. Auditors are known for always asking for evidence of whatever they are told. Seek proof of implementation of policies. You can spend one or two days observing the actual implementation of things.
• set up team of white-hat hackers to test the various security systems on ground. Team of White-hat hackers are increasingly becoming a way of testing for vulnerabilities in our systems. Companies employ young specialists without prior knowledge of the company’s security architechture to channel various attack on their information security systems infrastructure. Any loophole discovered by this team are promptly blocked.
• Document findings. Future decisions are based on documented findings from previous works.
• Write a report/ Recommendation. Through this medium, management are communicated conerning the existing loopholes in the prevailing systems and recomendations made to get improved security.

By the time you finish the above steps, you will discover that auditing information security system does not only help us identify and block information security loopholes but, also helps us meet with other critical characteristics of information which are; availabilty, accuracy, authenticity, confidentiality, integrity, utility and possession.