Audit Practice Overview

Ever wondered what auditors actually do? Certified Public Accountants (CPAs) can work in several environments, including public practice at audit firms, private companies, academic institutions, or government agencies like the Commission on Audit.

The "Big 5" audit firms in the Philippines include SGV (EY), Isla Lipana (PWC), Manabat San Agustin (KPMG), P&A $Grant-Thornton$, and Navarro Amper (Deloitte). These firms are organized by market groups that specialize in specific industries like manufacturing, mining, telecommunications, and banking.

A typical career path in auditing starts as an Associate $1-2 years$, progressing to Senior Associate, then through various director levels before potentially becoming a Partner. Partners typically oversee multiple managers, who in turn supervise senior associates and associates in a pyramid structure.

Reality Check: The auditing profession exists largely because of the "expectation gap" - company management wants to present attractive financial statements (with higher assets and revenues), while users need reliable information. Recent scandals at Celadon Group and 2GO demonstrate why independent auditors are crucial for verifying financial information.

The audit process helps reduce information risk by providing assurance that financial statements fairly represent a company's performance and position, giving stakeholders more confidence in the data they're using to make decisions.

Types of Professional Services

Auditors provide both assurance and non-assurance services, but the difference matters! Assurance services involve expressing an independent opinion, while non-assurance services don't provide any guarantees about the information.

Assurance services can be either financial or non-financial, but absolute assurance is impossible due to inherent limitations like the need for judgment, testing limitations, and the fact that most evidence is persuasive rather than conclusive.

Two main types of assurance engagements exist:

• Assertion-based engagements (attestation) where the responsible party evaluates something and makes claims about it
• Direct reporting engagements where the practitioner does the evaluation directly

The hierarchy of services is important to understand:

1. Audit - provides high/reasonable assurance on financial statements (uses positive form reports)
2. Review - offers moderate/limited assurance through inquiry and analytical procedures (negative form)
3. Agreed-Upon Procedures - performs specific procedures and reports factual findings without assurance
4. Compilation - prepares financial statements without any assurance

Quick Tip: Remember that ASSURANCE > ATTESTATION > AUDIT. These terms are often used interchangeably but have different scopes of service. An audit is always an attestation, which is always an assurance service - but not vice versa!

Non-assurance services include tax preparation, consulting and advisory services like cybersecurity and digital transformation - all valuable but distinct from the assurance work that is the core of auditing.

Elements of Assurance Engagements

Every assurance engagement requires five key elements to function properly. First, there must be a three-party relationship involving:

• The practitioner (auditor) who performs the engagement
• The responsible party (management) who prepares the information
• The intended users who will rely on the assurance report

Second, there must be an appropriate subject matter - information that can be evaluated against criteria. Good subject matter must be identifiable, consistently measurable, and capable of being examined with evidence. This could include financial performance, non-financial metrics, physical characteristics, systems, or even behavior like corporate governance.

Third, the engagement needs suitable criteria - the benchmarks used to evaluate the subject matter. IFRS (International Financial Reporting Standards) is a common example for financial statements. For criteria to be suitable, they must demonstrate five key characteristics:

• Relevance - helps users make decisions
• Completeness - includes all relevant factors
• Reliability - allows consistent evaluation by different practitioners
• Neutrality - free from bias
• Understandability - clear and not subject to widely different interpretations

Remember This: Criteria can be either "established" (from laws or recognized expert bodies) or "specifically developed" for a particular engagement. The distinction matters because specifically developed criteria may require more explanation in your report.

The next two elements will be covered in the following page.

More Elements and Types of Audit

The fourth element of assurance engagements is sufficient appropriate evidence. Practitioners must approach engagements with professional skepticism - a questioning mindset that's alert to potential misstatements. The evidence gathered must be both sufficient (enough quantity) and appropriate (good quality, relevant and reliable).

The fifth element is a written assurance report that matches the type of engagement being performed.

Auditors perform three main types of audits:

1. Financial Statement Audit - performed by external auditors
2. Operational Audit - conducted by internal auditors
3. Compliance Audit - often performed by government agencies like COA

The profession is governed by several key standards:

• Philippine Standards on Auditing (PSAs) for financial statement audits
• Philippine Standards on Review Engagements (PSREs) for reviews
• Philippine Standards on Assurance Engagements (PSAEs) for other assurance work
• Philippine Standards on Related Services (PSRSs) for non-assurance services

Important Distinction: Reports on non-assurance engagements should never use words like "assurance," "audit," or "review," and shouldn't imply compliance with assurance standards. This helps users understand exactly what level of confidence they can place in the information.

All these services fall under the Philippine Standards on Quality Control (PSQCs) and the Philippine Framework for Assurance Engagements, which set the foundation for how practitioners should approach their work.

Regulatory Framework

Understanding the regulatory landscape is crucial for auditors. The profession is structured with international and local regulatory bodies that create the standards auditors must follow.

At the international level, the International Accounting Standards Board (IASB) develops accounting standards, while the International Auditing and Assurance Standards Board (IAASB) creates auditing standards. These international bodies produce IFRS (accounting) and ISAs (auditing) respectively.

The local equivalents in the Philippines are the Financial Reporting Standards Council (FRSC) for accounting standards and the Auditing and Assurance Standards Council (AASC) for auditing standards. They issue PFRS (Philippine Financial Reporting Standards, also known as GAAP) and PSA (Philippine Standards on Auditing, or GAAS).

All auditors must also follow:

• The Code of Ethics for Professional Accountants in the Philippines
• The Philippine Standards on Quality Control

Pro Tip: Remember that the Philippine Framework for Assurance Engagements doesn't establish specific standards by itself—it provides the conceptual foundation that all the standards are built upon. Think of it as the constitution of auditing.

When performing work that isn't an assurance engagement, practitioners should be careful with their language. Reports should never use words that might confuse users into thinking they're getting assurance when they're not—terms like "audit," "review," or "assurance" should be avoided in non-assurance reports.

Auditor's Professional Responsibilities and Quality Control

Audit firms must implement a System of Quality Control (SQC) with policies and procedures ensuring compliance with professional standards, regulatory requirements, and ethical codes. This system is crucial for maintaining audit quality.

For example, if an auditor from PWC is assigned to audit Philex Mining Corporation (a company with copper and gold mines across the Philippines), they need a strong SQC in place. If that auditor's father happens to be the VP for Finance at Philex, independence issues arise, and the auditor should request reassignment.

A proper SQC has six essential elements:

1. Leadership Responsibilities - Partners in charge oversee each engagement, while managing partners oversee the firm's overall quality

2. Ethical Requirements - Auditors must maintain integrity, objectivity, confidentiality, due care, and professional competence while preserving independence both in fact (state of mind) and appearance (perception)

3. Acceptance & Continuance of Client Relationships - Firms must assess client integrity and, for new clients, communicate with predecessor auditors (with management permission)

4. Human Resources and Assignment - Having sufficient personnel with expertise to handle clients, including specialists when needed

5. Engagement Performance - Compliance with professional standards and maintaining communication within the audit team

6. Monitoring - Regular evaluation of the firm's quality control system, including Engagement Quality Control Reviews (EQCR) where partners review other partners' work

Real-World Application: For listed companies, an Engagement Quality Control Review is required—this means one partner reviews another partner's work as a quality check before the audit report is issued.

These quality controls help ensure audits are performed consistently and professionally, regardless of which team members are assigned to an engagement.

Professional & Legal Responsibilities Regarding Fraud

Auditors have significant responsibilities when it comes to fraud. There are two main types: Fraudulent Financial Reporting (management fraud) involving manipulation of financial statements, and Misappropriation of Assets (employee fraud) like stealing inventory or creating fictitious employees.

The RCBC money heist illustrates fraud's complexity: $81 million was stolen from the Bank of Bangladesh through RCBC accounts, then laundered through a money remittance company and casinos $which weren't yet covered by anti-money laundering laws$. This led to imprisonment for the branch manager, the resignation of RCBC's president, and changes to money laundering regulations.

Three key fraud risk factors (red flags) auditors watch for include:

• Incentives/Pressure - Like bonuses, stock options, or business sale plans
• Opportunities - Especially weak internal controls
• Attitude/Rationalization - Personal justifications for unethical behavior

It's crucial to understand the division of responsibility:

• Management and the Board of Directors are responsible for preventing and detecting fraud
• Auditors provide reasonable assurance that financial statements are free from material misstatements due to fraud or error

Important Distinction: Auditors don't guarantee they'll find all fraud—they provide "reasonable assurance," not absolute certainty. This is why understanding risk factors is so important.

Similarly, with laws and regulations, management bears primary responsibility for compliance, though auditors apply procedures to identify potential non-compliance that could materially affect the financial statements.

Audit Planning and Client Engagement

The audit process follows six key stages: Preliminary Engagement Activities, Audit Planning, Understanding Internal Controls, Testing Internal Controls, Substantive Testing, and Completing the Audit. Let's focus on the first two.

Preliminary Engagement Activities include:

1. Accepting or continuing client relationships by assessing client integrity
2. Evaluating independence and ethical requirements
3. Establishing engagement terms

The Engagement Letter is crucial—it's a written agreement between the audit team and client that outlines:

• Objectives and scope of the audit
• Responsibilities of both parties (auditor to express an opinion; management to prepare statements, implement controls, make adjustments, and comply with laws)
• The applicable financial reporting framework $PFRS/IFRS$
• Other regulatory requirements
• Audit fees

When planning an audit for a complex organization like JG Summit Holdings (with subsidiaries in real estate, banking, airlines, and other industries), auditors must understand the organizational structure and management team. The audit committee, often composed of independent directors, provides additional oversight.

Planning Insight: Understanding the client's organizational structure is essential for determining audit scope. For conglomerates like JG Summit, auditors need to know which subsidiaries require auditing and how they relate to each other.

The engagement letter sets expectations from the beginning, helping prevent misunderstandings and establishing clear boundaries between what the auditor will and won't do.

Audit Planning and Materiality

Audit planning is primarily the responsibility of partners and managers, who must:

1. Establish the overall audit strategy by determining:

   • Scope coverage (parent company and subsidiaries; annual or interim periods)
   • Timing (fieldwork schedule and document requirements)
   • Direction $focusing on high-risk areas like new accounting standards, economic impacts, or system changes$

2. Develop a detailed audit plan/program with specific procedures for each financial statement area, including time budgets and planned conclusions

Analytical procedures are powerful planning tools that analyze numerical relationships through:

• Ratio analysis (gross profit margin, return on assets)
• Trend analysis
• Regression analysis
• Variance analysis
• Benchmarking against competitors

PSA requires analytical procedures during planning and completion phases, while they're optional but useful during substantive testing.

Materiality is a critical concept that helps auditors decide what matters. Materiality thresholds are typically calculated as:

• 0.5% to 1% of Assets
• 1% to 3% of Revenues
• 5% to 10% of Net Income

Two key materiality levels are:

• Overall/Planning Materiality - applied at the financial statement level
• Performance Materiality - set at 50% of overall materiality and applied at the account balance level

Practical Application: If a company has total assets of 1 billion pesos, overall materiality might be set at 10 million (1%). Differences between recorded and audited amounts are compared to performance materiality (5 million) to determine if they're significant enough to require adjustment.

Immaterial differences are tracked in a Summary of Audit Differences (SAD) to ensure they don't collectively become material.

Materiality in Practice

Applying materiality involves thoughtful analysis of financial data. For a company with 1 billion pesos in total assets, you might set overall materiality at 10 million pesos (1% of assets) and performance materiality at 5 million pesos (50% of overall materiality).

When comparing audited versus unaudited amounts for individual accounts, you'll flag differences that exceed performance materiality:

• Cash: 30M vs 20M = 10M difference (material)
• Accounts Receivable: 6M vs 5M = 1M difference (immaterial)
• Inventory: 8M vs 10M = 2M difference (immaterial)
• Property, Plant & Equipment: 70M vs 50M = 20M difference (material)

The Summary of Audit Differences (SAD) tracks all discrepancies, even immaterial ones, because collectively they might become significant. This cumulative approach ensures no material misstatement slips through the cracks.

Materiality helps auditors focus testing efforts efficiently. From 5,000 total transactions, they might decide to test only transactions above 5M pesos or select a sample of 1,000 transactions based on risk assessment.

Decision Point: Always remember that materiality isn't just about numbers—it also involves professional judgment about what would influence users' decisions. Different industries and circumstances may require different materiality considerations.

Properly applying materiality concepts ensures the audit focuses on what truly matters to financial statement users while maintaining efficiency in the audit process.