Which of the following describes what is meant by generally accepted auditing standards?

Methodologies and Frameworks

Stephen D. Gantz, in The Basics of IT Audit, 2014

Generally Accepted Auditing Standards

Generally Accepted Auditing Standards (GAAS) are a set of principles and requirements that provide the basis for how an auditor prepares for, performs, and reports the results of audits. Originally developed and issued by the American Institute of Certified Public Accountants (AICPA) in 1972, the current GAAS comprises 10 standards with which AICPA member auditors are required to comply. In its Statement on Auditing Standards No. 95, the AICPA’s Accounting Standards Board distinguishes between auditing standards and audit procedures by stating that “Auditing procedures are acts that the auditor performs during the course of an audit to comply with auditing standards” [1]. From this perspective, auditing standards in general and the GAAS in particular apply to any type of audit or audit methodology executed by auditors who choose or are obligated to follow the GAAS. Although the AICPA is an American organization, its membership comprises auditors in many different countries; as these members agree to follow GAAS as part of adhering to the AICPA’s code of professional conduct, the GAAS is in practice a global framework for auditing. Auditors typically use the GAAS as a minimum baseline for auditing activities, recognizing that depending on the country, industry, type of audit, and auditor affiliations, there may be multiple other principles or requirements an auditor needs to satisfy.

The 10 standards in the GAAS are grouped into three categories: general standards, standards of field work, and standards of reporting. These standards appear in Table 9.2.

Table 9.2. Generally Accepted Auditing Standards [1]

General standards

1. The audit is to be performed by a person or persons having adequate technical training and proficiency as an auditor.
2. In all matters relating to the assignment, an independence in mental attitude is to be maintained by the auditor or auditors.
3. Due professional care is to be exercised in the performance of the audit and the preparation of the report.

Standards of field work

1. The work is to be adequately planned and assistants, if any, are to be properly supervised.
2. A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.
3. Sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmations to afford a reasonable basis for an opinion regarding the financial statements under audit.

Standards of reporting

1. The report shall state whether the financial statements are presented in accordance with generally accepted accounting principles (GAAP).
2. The report shall identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.
3. Informative disclosures in the financial statements are to be regarded as reasonably adequate unless otherwise stated in the report.
4. The report shall contain either an expression of opinion regarding the financial statements, taken as a whole, or an assertion to the effect that an opinion cannot be expressed. When an overall opinion cannot be expressed, the reasons therefore should be stated. In all cases where an auditor’s name is associated with financial statements, the report should contain a clear-cut indication of the character of the auditor’s work, if any, and the degree of responsibility the auditor is taking.

In addition to the GAAS, the AICPA’s Statements on Auditing Standards (SAS) provide more detailed guidance to member auditors on many more specific elements of auditing and audit procedures, including several directly applicable to IT auditing, summarized in Table 10.1. Some SAS documents impose further auditing requirements as well as giving explicit instructions regarding audit planning, performance, and reporting. The AICPA offers additional prescriptive guidance in the form of Statements on Standards for Attestation Engagements (SSAE) for use with different types of organizations and audit environments, such as the Service Organization Control (SOC) assessments described in Chapter 5. Where such standards apply to a particular audit, adherence to GAAS and the AICPA Code of Professional Conduct generally means following all applicable SAS guidance.

URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000092

Stephen D. Gantz, in The Basics of IT Audit, 2014

Generally Accepted Auditing Standards

Auditing in many countries adheres to broad standards and principles collectively known as GAAS, analogous conceptually to the Generally Accepted Accounting Principles (GAAP) used in financial accounting and auditing. Despite the names of these standards and the work of international organizations to achieve some level of cross-national consensus on the standards, the specifics of what constitutes “generally accepted” vary from jurisdiction to jurisdiction, with the result that there is no single authoritative agreed-upon source of audit standards. Instead, leading national standards organizations in many countries work to develop standards that embody GAAS and promulgate those standards in their own countries. Such organizations often contribute or make available their standards and guidance for use or adaptation by auditing organizations in other countries. Some international standards organizations develop standards for general availability, giving authorities and individual organizations in multiple countries the option to use or adapt those standards if they choose. For example, the International Auditing and Assurance Standards Board (IAASB), part of the International Federation of Accountants (IFAC), produces numerous International Standards on Auditing (ISAs) that audit organizations in different countries (or multinational jurisdictions such as the European Community) adopt and mandate for organizations conducting audits subject to their jurisdiction. In the United States, the Statements on Auditing Standards (SAS) issued by the American Institute of Certified Public Accountants (AICPA) serve as GAAS for audits (especially external audits) in US organizations.

URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000109

IT Audit Fundamentals

Stephen D. Gantz, in The Basics of IT Audit, 2014

IT audit characteristics

Definitions, standards, methodologies, and guidance agree on key characteristics associated with IT audits and derived from Generally Accepted Auditing Standards (GAAS) and international standards and codes of practice. These characteristics include the need for auditors to be proficient in conducting the types of audits they perform; adherence by auditors and the organizations they represent to ethical and professional codes of conduct; and an insistence on auditor independence [7,8]. Proficiency in general principles, procedures, standards, and expectations cuts across all types of auditing and is equally applicable to IT auditing contexts. Depending on the complexity and the particular characteristics of the IT controls or the operating environment undergoing an audit, auditors may require specialized knowledge or expertise to be able to correctly and effectively examine the controls included in the IT audit scope. Codes of conduct, practice, and ethical behavior are, like proficiency, common across all auditing domains, emphasizing principles and objectives such as integrity, objectivity, competency, confidentiality, and adherence to appropriate standards and guidance [9,10]. Auditor independence—a principle applicable to both internal and external audits and auditors—means that the individuals who conduct audits and the organizations they represent have no financial interest in and are otherwise free from conflicts of interest regarding the organizations they audit so as to remain objective and impartial. While auditor independence is a central tenet in GAAS and international auditing standards, auditor independence provisions mandated in the Sarbanes–Oxley Act and enforced by the Securities and Exchange Commission (SEC) legally require independence for audits of publicly traded corporations.

URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000018

Types of Audits

Stephen D. Gantz, in The Basics of IT Audit, 2014

Relevant source material

Much of the audit industry standards and guidance cited earlier applies to some or all of the types of auditing described in this chapter. In particular, GAAS and ISA principles and requirements are echoed or incorporated by reference into audit procedures and codes of conduct by most standards development organizations and certification bodies. Of the audit types included in this chapter, the most extensive guidance is available for financial auditing practices, in the form of United States and international auditing standards including:

Statements on Auditing Standards (SAS);

Statements on Standards for Attestation Engagements (SSAE);

International Standards on Auditing (ISA);

International Standards for Attest Engagements (ISAE).

Available frameworks on internal controls and IT governance provide substantial information relevant to operational auditing, notably including the COSO Internal Control—Integrated Framework [4] and ISACA’s COBIT 5: A Business Framework for the Governance and Management of Enterprise IT [8]. Resources for certification and compliance auditing tend to be more narrowly focused on the standards, regulations, or other basis of examination. Generally applicable guidance for these types of auditing includes ISO 19011, Guidelines for Auditing Management Systems [35] and the ISO 9000 and ISO/IEC 20000 families of standards on quality management and service management, respectively. Applicable sources of information and auditing guidance for IT-specific auditing also vary widely depending on the technical subject matter, but in general include:

ISACA’s Standards for IS Audit and Assurance [36].

ISO/IEC 15504, Information Technology—Process Assessment [29].

ISO/IEC 27007, Information Technology—Security Techniques—Guidelines for Information Security Management Systems Auditing [37].

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization [31].

International Standards for Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization [32].

URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000055

External Auditing

Stephen D. Gantz, in The Basics of IT Audit, 2014

Relevant source material

External IT auditors work from a foundation of general auditing standards and guidance, including procedures and guidelines used in conventional financial and operational audits. In addition to Generally Accepted Auditing Standards and International Standards on Auditing (ISA), guidance widely used in external auditing includes the Statements on Auditing Standards and Statements on Standards for Attestation Engagements issued by AICPA [16] and ISA and International Standards for Attest Engagements (ISAE) published by the International Federation of Accountants [17]. Procedural guidance and standards specifically focused on external auditing applicable to IT audits include:

ISO 19011, Guidelines for Auditing Management Systems [1].

Guidance from AICPA on Reporting on Controls at a Service Organization [18,19].

ISAE 3402, Assurance Reports on Controls at a Service Organization [20].

ISACA’s Standards for IS Auditing[21].

URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000043

Internal Auditing

Stephen D. Gantz, in The Basics of IT Audit, 2014

Relevant source material

Internal IT auditors rely on both general auditing standards and guidance and on IT-specific references appropriate to the subjects of the IT audits they perform and the approaches or organizational perspectives used by the IT audit program. GAAS and ISA provide principles and practices applicable to all types of auditing. Procedural guidance and standards specifically focused on internal auditing include:

IIA’s International Standards for the Professional Practice of Internal Auditing [2]

ISACA’s Standards for IS Audit and Assurance [11] and guidance on audit programs [14]

FFIEC IT Examination Handbook [12]

COBIT 5 for Assurance [16]

ISO 19011, Guidelines for Auditing Management Systems [6]

URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000031

Public Accounting Firms

Mary S. Doucet, Thomas A. Doucet, in Encyclopedia of Information Systems, 2003

II.B. New Service Opportunities

Historically, the majority of attest services provided by public accounting firms were financial statements audits. However, public accounting firms have been increasingly asked to provide assurance on written representations other than historical financial statements. At first auditors responded to these requests for other attest services by applying the concepts underlying Generally Accepted Auditing Standards (GAAS). However, as the breadth of attest services expanded, it became increasingly difficult to apply GAAS to these and other attest engagements. An attest engagement is defined as “one in which a practitioner [public accountant] is engaged to issue or does issue a written communication that expresses a conclusion about the reliability of a written assertion that is the result of another party.” Attestation standards were first published by the American Institute of Certified Public Accountants (AICPA) in 1986 to provide guidance to public accountants in providing these other attestation services. Public accounting firms have built a reputation for independence, objectivity, and integrity in providing attestation services, including the financial statement audit, and this reputation will enhance their ability to be the provider of choice for new assurance services.

The concept of assurance services is a broader range of services that include attestation services. The definition of assurance services does not require a written report, nor does it require that the assurance be provided regarding a written assertion. Therefore, the services that public accounting firms are being asked to provide include this broader category of assurance services, many of which are related to information technology. Advances in information technology have changed and will continue to change how much information is available, how accessible the information is, and how this information is used to conduct business. Examples would be the use of electronic data interchange (EDI), to enhance the flow of information between organizations, electronic funds transfer (EFT), to transfer funds between institutions or accounts within an institution, and the use of e-commerce to facilitate transactions.

Advances such as EDI, EFT, and e-commerce have created opportunities for public accounting firms to expand the services they provide. Users of EDI, EFT, and e-commerce must have assurance that the information used is reliable, accurate, and secure. In response, the AICPA and the Canadian Institute of Chartered Accountants (CICA) have established guidelines for two assurance services: SysTrust and WebTrust. The SysTrust assurance service is designed to provide assurance regarding the availability, security, integrity, and maintainability of systems, including those used in EDI, EFT, and e-commerce. The WebTrust assurance service is designed to provide assurance related to the privacy, integrity, and protection of information in e-commerce transactions. These are just two examples of the many new assurance service opportunities available to public accounting firms.

URL: https://www.sciencedirect.com/science/article/pii/B012227240400143X

IT Audit Drivers

Stephen D. Gantz, in The Basics of IT Audit, 2014

Securities industry laws and regulations

Laws and regulations applicable to issuers of securities (commonly known as publicly traded organizations) are one of the most prominent sources of audit requirements. Securities-related regulations influence internal and external IT audits as well as many other types of auditing because they impose requirements on organizations and their auditors in terms of auditor independence, mandatory use of standards, and qualifications and competencies needed for auditors, audit firms, and the organizational stakeholders that select auditors and receive and respond to audit results. Laws such as the Sarbanes–Oxley Act in the United States, the European Council Directive on statutory audits, and comparable legislation in other countries also explicitly include internal controls over accounting and financial reporting within the scope of audit reports to which organizations must attest. The set of internal controls encompasses IT infrastructure, systems, operational processes, and security mechanisms implemented to protect the confidentiality and integrity of corporate financial data and other information assets.

Securities and Exchange Commission laws and regulations

Participation of organizations in the US securities markets is regulated by the Securities and Exchange Commission (SEC) under authority granted by the Securities Exchange Act of 1934 [1]. The regulations stemming from this law, the Securities Act of 1933 that preceded it, and subsequent legislation including the Sarbanes–Oxley Act of 2002, impose requirements on the behavior of publicly traded companies and many types of financial institutions. The SEC prescribes the implementation of many provisions in securities industry law, providing more explicit guidance and compliance criteria than the text of the legislation enacted by Congress. With respect to auditing, the key organizational aspects addressed in legislation, regulations, and SEC rules include requirements on the maintenance, disclosure, and mandatory reporting of financial information; the conduct of audits of public companies; and the use of generally accepted auditing standards. Securities regulations apply to organizations that participate in US securities markets, including foreign-based and multinational firms as well as domestic companies. Many countries outside the United States have similar securities laws governing participation in national securities exchanges.

Sarbanes–Oxley Act of 2002

Enacted to reform accounting and financial reporting practices in publicly traded organizations and to restore public confidence in the wake of several high-profile instances of corporate and accounting fraud, the Sarbanes–Oxley Act of 2002 initiated sweeping changes in corporate governance and financial accounting practices in US companies [2]. The law established the Public Company Accounting Oversight Board and required all firms performing audits of US companies to register with the Board. It included provisions to help ensure auditor independence, assigned greater responsibility to executives and directors of public companies, and revised the reporting requirements for financial transactions. All of these provisions significantly affect auditing practice for public companies and other securities-issuing organizations. Many of the key requirements in Sarbanes–Oxley do not apply to privately held organizations, although nonpublic organizations that may consider issuing securities in the future or engaging in a major financial transaction such as a sale or acquisition may voluntarily adopt some or all of the law’s requirements. From an IT auditing perspective, the most significant part of the law is the requirement that organizations maintain internal controls over financial reporting and audit the effectiveness of those controls.

URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000079

Accounting, Accountability, and Auditing

Philip P. Purpura, in Security and Loss Prevention (Sixth Edition), 2013

Auditors

An auditor examines business accounting records to check for irregularities. These irregularities may include (1) deviations from generally accepted accounting methods, (2) errors, and (3) criminal activity. Organizations typically employ internal auditors. External auditors are also important. During an audit of financial records by an independent (external) auditor, known as a certified public accountant (CPA), guidance is provided by state and federal statutes, court decisions, a contract with the client, and professional standards as established by Generally Accepted Auditing Standards and Generally Accepted Accounting Principles. Because it is impossible to check every financial record and transaction, a CPA narrows an audit to certain records, such as financial reports and areas where problems are common to the particular concern. How accounting data are recorded and summarized is frequently studied.

At times, a CPA may encounter misleading financial information that attempts to make a business look better than its true financial position. The misleading information often is an attempt by management to attract investors. To counter this problem, cautious investors are more likely to favor a business that has had an audit by an outside independent CPA, as opposed to no audit or one performed by an internal auditor.

When an independent CPA completes an audit, a report is prepared. If a business’s financial records are dependable and credible, then the CPA expresses this favorable opinion in the audit report. This is known as the attest function.

CPAs, like other skilled professionals, are liable for damages proximately caused by their negligence. A CPA is liable to a client when he or she negligently fails to detect or fraudulently conceals signs that an employee of the client is embezzling. In addition, the CPA is liable for not detecting and reporting to the client that internal audit controls are lax (Twomey et al., 2001: 926).

Public (e.g., federal, state, and local) and private investigation practitioners have expanded their competency in accounting. This is in response to increased investigations into the white-collar crime arena.

Cross-training can be used to reduce the knowledge gap between auditor and criminal investigator. Cross-training involves the auditor being trained in criminal investigation and the criminal investigator being trained in auditing. An auditor’s training could include criminal law, evidence, interviewing, and interrogation. A criminal investigator’s training could include accounting principles and procedures and auditing. Both should have training in IT systems and related investigative methods.

The amount of digital financial data that must be analyzed during fraud investigations can be overwhelming, and the number of financial transactions can amount to thousands for individuals and millions for businesses. However, well-trained fraud investigators apply numerous tools and methods to enhance efficiency. Computers contain standard office software used by businesses, and this software retains metadata such as logs of changes to financial transactions. In addition, various commercial products are available to investigators to analyze financial data. Financial data amounting to thousands of rows can be loaded into a spreadsheet program. Databases offer another tool for analyzing data sets. Hybrid applications combine spreadsheet and database programs to perform tasks such as linking multiple data sets for analysis, creating subsets of tables from searches and queries, and applying formulas to aid analysis. Examples of clues investigators search for include transactions occurring on non-business days (e.g., weekends), transactions with rounded amounts (since many businesses price products under the next dollar amount, say, $249.99), payments to a vendor more often than the typical twelve times per year (i.e., monthly), duplicate invoice numbers and check numbers, and invalid social security numbers in payroll data (Kardell, 2011: 1–7).
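As an added illustration (not from the chapter or its cited sources), the following Python screens a constructed ledger for the red flags listed in the paragraph above; the vendor and payroll records, the $100 rounding threshold, and the SSN structural rules used (area not 000, 666, or 900-999; group not 00; serial not 0000) are assumptions marked in the code.

```python
"""Screen a small constructed ledger for the fraud red flags described above:
weekend transactions, round amounts, more than twelve payments to one vendor
in a year, duplicate invoice or check numbers, and payroll SSNs that fail
the well-known structural rules."""
import re
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample data, not taken from any real business.
TRANSACTIONS = [
    {"id": 1, "date": "2023-03-03", "vendor": "Acme Supply", "amount": 249.99, "invoice": "INV-1001", "check": "5001"},
    {"id": 2, "date": "2023-03-04", "vendor": "Acme Supply", "amount": 5000.00, "invoice": "INV-1002", "check": "5002"},
    {"id": 3, "date": "2023-03-06", "vendor": "Acme Supply", "amount": 120.50, "invoice": "INV-1001", "check": "5003"},
    {"id": 4, "date": "2023-03-07", "vendor": "Delta Parts", "amount": 87.25, "invoice": "D-77", "check": "5003"},
]
# Thirteen Monday payments to one vendor during 2023, four weeks apart (assumed pattern).
for m in range(13):
    TRANSACTIONS.append({"id": 100 + m, "date": (date(2023, 1, 2) + timedelta(weeks=4 * m)).isoformat(),
                         "vendor": "Fastpay Consulting", "amount": 1999.17 + m,
                         "invoice": f"FP-{m}", "check": f"6{m:03d}"})
PAYROLL = [
    {"employee": "E1", "ssn": "123-45-6789"},  # structurally valid
    {"employee": "E2", "ssn": "000-12-3456"},  # area 000 is never issued
    {"employee": "E3", "ssn": "987-65-4321"},  # area 900-999 is never issued
    {"employee": "E4", "ssn": "123-00-4567"},  # group 00 is never issued
]

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def is_weekend(iso_day: str) -> bool:
    """Saturday or Sunday (weekday() is 5 or 6)."""
    return date.fromisoformat(iso_day).weekday() >= 5


def is_round_amount(amount: float, step_dollars: int = 100) -> bool:
    """True when the amount is an exact multiple of step_dollars; cents arithmetic avoids float noise."""
    return round(amount * 100) % (step_dollars * 100) == 0


def is_valid_ssn(ssn: str) -> bool:
    """Structural rules only: area not 000/666/900-999, group not 00, serial not 0000."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return not (area == 0 or area == 666 or area >= 900 or group == 0 or serial == 0)


def duplicates(txns, field: str) -> set:
    """Values of `field` that appear in more than one transaction."""
    counts = Counter(t[field] for t in txns)
    return {v for v, n in counts.items() if n > 1}


def frequent_vendors(txns, per_year: int = 12) -> dict:
    """(vendor, year) pairs paid more often than the typical monthly cadence."""
    counts = Counter((t["vendor"], t["date"][:4]) for t in txns)
    return {k: n for k, n in counts.items() if n > per_year}


def screen(txns, payroll) -> dict:
    """Run every check and return the flagged items grouped by red flag."""
    flags = defaultdict(list)
    for t in txns:
        if is_weekend(t["date"]):
            flags["weekend"].append(t["id"])
        if is_round_amount(t["amount"]):
            flags["round_amount"].append(t["id"])
    flags["duplicate_invoice"] = sorted(duplicates(txns, "invoice"))
    flags["duplicate_check"] = sorted(duplicates(txns, "check"))
    flags["frequent_vendor"] = frequent_vendors(txns)
    flags["invalid_ssn"] = [p["employee"] for p in payroll if not is_valid_ssn(p["ssn"])]
    return dict(flags)


if __name__ == "__main__":
    for flag, items in screen(TRANSACTIONS, PAYROLL).items():
        print(f"{flag}: {items}")
```

Each flag is a lead for follow-up, not proof of fraud; a weekend posting date or a round invoice total is common enough that the investigator still has to examine the underlying documents.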

The Association of Certified Fraud Examiners promotes professionalism, training, and certification (CFE). Bodnar and Hopwood (2004: 105) write: “Forensic accounting is one of several terms that is used to describe the activities of persons who are concerned with preventing and detecting fraud. The terms ‘fraud examiner,’ ‘fraud auditor,’ and ‘loss prevention professional’ are also descriptive of this type of activity.”

URL: https://www.sciencedirect.com/science/article/pii/B9780123878465000115

What is meant by generally accepted auditing standards?

Generally Accepted Auditing Standards (GAAS) are a set of principles and requirements that provide the basis for how an auditor prepares for, performs, and reports the results of audits.

What is the meaning of the generally accepted auditing standard that requires that the auditor be independent?

(1) The auditor must be without bias with respect to the client under audit. (2) The auditor must adopt a critical attitude during the audit. (3) The auditor's sole obligation is to third parties.

What are the three general standards of auditing?

The three general standards are:

Proficiency: The auditor must have sufficient training to perform the review.

Independence: The auditor must be external and independent of the company that is being audited.

Due care: The auditor is responsible for exercising due professional care throughout the auditing and reporting process.

Which of the following is a principle underlying an audit conducted in accordance with generally accepted auditing standards?

The auditor's opinion enhances the degree of confidence that intended users can place in the financial statements.