According to textbook definition, audit is an independent examination of management-prepared financial information to ensure they give a accurate and fair picture.
However, to encompass different types of auditing, a broader understanding would surmise audit as an investigation carried out to verify managements representations while engaging professional expertise to propose improvements where possible, financial or non-financial.
We look at the 7 core types of auditing mostly undertaken at the behest of the caretakers of a business (though other stakeholders may also require them) in the life of a dynamic organization.
- External Audit 5. Operational Audit
- Internal Audit 6. Information Systems (IS) Audit
- Regulatory Audit 7. Forensic Audit
- Compliance Audit
This is the buzzword that gets thrown around the most when it comes to audit. An external audit is carried out by an unbiased third party (auditors) and a practical level of reassurance is provided after auditors gain an understanding of the entity and its internal controls and cross-check information presented by management.
For large organizations and those that meet the regulatory thresholds, an annual external audit is mandatory. Of course, recognizing their many benefits, some organizations choose to get audited voluntarily to build trust between the various interest groups surrounding the entity.
Another two sub-variations performed by external auditors are classified according to the amount of work and wording of the opinion.
- Full Audit: It is wider in scope and covers one complete financial period. The styling of opinion takes shape of a positive assurance meaning that the audit professional can claim with practical certainty (but not complete!) that no material misstatement was found in the financial statements.
Cost involved in a full audit is more than a review assignment because there is more work that needs doing to reach the standard of assurance given.
- Review: A review is generally a limited scope engagement that gives a negative assurance on the information given by management. It may or may not be for a year but the amount of work done is less than what an audit entail. The opinion makes use of terms such as ‘nothing has come to our attention to indicate financial statements are not free from substantial misstatement’. See the difference?
An organization can choose to employ an audit function in-house that carries out the same function as an external auditor. The notable variation is the lack of independence of the function when reporting to the same management whose controls and systems they are investigating.
The charter of the internal audit department may be set to include investigation of operations within the entity including system audits of functions such as HR, Payroll, Warehousing and Inventory. Management may even ask the audit team to carry out special assignments like compliance and operational audits.
The fundamental activity of financial audit is undertaken by the internal department regardless of the company hiring external auditors because finance affects most aspects of all organizations and the extra set of eyes builds management’s confidence in their established system of controls.
Corporate regulators of the region require certain entities to have annual audits undertaken periodically. In certain parts of the world the regulator carries out this audit themselves (IRS audit in USA) while in other jurisdiction they may have a reputable firm carry out the investigation.
- Tax audits are generally undertaken by regulator themselves to ensure there is no tax evasion.
- Financial audits are required for businesses that have significant impact on a wide group of stakeholders to promote business transparency
While financial audits have pre-set rules and industry standards of investigation, compliance audits are restrictive in the sense that the framework against which information will be corroborated is agreed between the stakeholders before the services of an auditor (whether external or internal) are engaged. Most common types of auditing for compliance are for:
- Debt covenants for banks and lenders; management provides auditor with the stipulations of the contract and they check the facts and figures of the specified time of the contract are in line with the contract.
- Grant terms; when an entity has a conditional grant or concession provided by the Government or another entity, the grantor may require an audit as assurance that the terms are still being followed or if penalties are due in case of violations by the grantee.
A critical view of the different operations of the company provides management with opportunity to improve their workflows, curtail inefficiencies and improve effectiveness of the system of internal controls. An operational audit may be undertaken for payroll, HR and even safety operations in a production environment.
The aim is to bring the operation standards in line with best practices and highlight any wastages or areas for improvements to keep the company running smoothly.
Information System audits have gained a lot of traction lately with the dominance of technology and use of data science across commerce. Organizations now consider a periodic IS audit essential to help them gain a competitive edge over their rivals and grow.
The focus is on security of data assets and proper management and controls over the use of information systems such as access controls, backup criteria and security protocols to prohibit hackers.
But use of management information systems is also a focal area in these types of auditing. The IS auditor is well-versed in latest commercial information systems and organizations often leverage this to their advantage by having them optimize their reporting and security features.
Basically, a kind of audit for fact finding which is utilized when instances of fraud are brought to light or when a legal case is brought against the entity by another stakeholder such as the Government or a lender.
The auditor is engaged by consent of both parties and in some instances by the court of law and is asked to look into the contentious matters and verify representations made by management. Areas that may be reported on include insurance claims, allegations of waste dumping, fraud or crime, etc.
Not all entities require all types of auditing during their life cycle. But certain investigations do provide a fresh perspective and greater understanding of what could help businesses improve their operations and fix small problems before they become crippling disasters.