Auditing
I. Risk
= the effect of uncertainty on the achievement of objectives
effect can be positive or negative
The possibility that a negative event will occur (or a positive event will not occur) and
adversely/negatively affect the achievement of objectives, which can prevent value creation or
erode existing value.
(Management) Control
= any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives will be achieved.
VS Internal control
▸ All the devices managers use to ensure that the behaviors and decisions of people in the firm are
consistent with the firm's objectives and strategies.
▸ Designed properly, control devices individually and collectively influence employees' behavior in
desirable ways and, consequently, increase the probability that the firm will achieve or exceed its
goals.
2. Action control
= Ensure that employees perform (or do not perform) certain actions known to be beneficial (or
harmful) to the organization
Examples of culture control:
Mission statement = representation of the company's culture
Tone at the top: how top managers behave influences employees
Giving stock to employees
Objectives, risks, and controls
Types of risks
1. Hazard risks: poses a level of threat to life, health, property, or the environment
2. Control risks: the chance of a material misstatement in a company's financial statements
3. Opportunity risks: possibility that a better opportunity may become available after having
committed to an irreversible decision
Risk management
the identification, assessment, and prioritization of risks followed by coordinated and economical
application of resources to minimize, monitor, and control the probability and/or impact of
unfortunate events or to maximize the realization of opportunities
The risk management process steps are a generic guide for any organization, regardless of the type
of business, activity or function.
Even though most business leaders understand the fundamental connection of “risk and return”,
business leaders sometimes struggle to connect their efforts in risk management to strategic
planning.
6. Lack of appropriate risk culture and language around risk
Unfortunately, some organizations fail to recognize these limitations in their approach to risk
management before it is too late.
Benefits of ERM:
• Proactively addressing risk events
• Embedded in informed decision making
• Reducing operational surprises and losses
• Holistic portfolio view of the most significant risks to the
achievement of objectives
• Providing integrated responses to multiple risks
• Improving deployment of resources
• Top down, enterprise view of all the significant risks
• Reflect a common culture and language around risk
Because risks constantly emerge and evolve, it is important to understand that ERM is an ongoing
process. Unfortunately, some view ERM as a project that has a beginning and an end. While the
initial launch of an ERM process might require aspects of project management, the benefits of ERM
are only realized when management thinks of ERM as a process that must be active and alive, with
ongoing updates and improvements.
Growing scope of ERM
COSO ERM Framework:
1. Governance and Culture
Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight
responsibilities for ERM.
Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
1) Exercises board risk oversight
a) Accountability and Responsibility
b) Suitability of Enterprise Risk Management
c) Organizational Bias
d) Competence
e) Independence
ERM, strategy and objective-setting work together in the strategic planning process. A risk appetite is
established and aligned with strategy; business objectives put strategy into practice while serving as
a basis for identifying, assessing, and responding to risk.
1. Analyzes business context – external: PESTLE
Political: tax policies; competition regulation; tariffs; political stability
Economic: interest rates; inflation; minimum wages; GDP growth
Social: demographics; lifestyle changes; fashion; health and welfare
Technological: R&D; internet; automation
Legal: laws (employment, labor,...)
Environmental: climate change; attitudes towards the environment; catastrophes
1. Analyzes business context – internal: capital, people, process, technology
2. Defining risk appetite
The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the
entity’s risk management philosophy, and in turn influences the entity’s culture and operating style.
3. Evaluate alternative strategies
3. Performance
1) Risk identification
Management identifies potential events that, if they occur, will affect the entity, and determines
whether these events represent opportunities or whether they might adversely affect the entity’s
ability to successfully implement strategy and achieve objectives.
Risk Types
1. Business risk: Wrong business strategy; competitive pressure on price/market
share; Regional economic problems
2. Compliance risk: Breach of listing rules; Breach of financial regulations; Litigation risk
3. Financial risk: Credit risk; Unrecorded liabilities
4. Operational risk: Business process not aligned; Stock-out of raw materials; Loss of key
people; Inability to reduce cost base
• Known Knowns: these are the risks that have been correctly identified and properly measured ->
things we know that we know; our general knowledge
• Known Unknowns: we know that we don't know them, or we don't know their potential risks ->
things we thought we knew but don't really know
• Unknown Knowns: these are things that exist and have been influencing our life and our approach
to reality, but we are unaware of knowing them, or we do not realize their value, or worse, we refuse
to acknowledge knowing them -> things we thought we knew but we do not
• Unknown Unknowns: we don't even know that we don't know they exist, and they can hit us with
serious unexpected impacts -> things that we do not know at all, believed to be impossible to find
or imagine in advance
Grey and Black Swans
Black Swans: Events characterized by their rarity, extreme impact, and retrospective (but not
prospective) predictability
• The highly unexpected happening
• The highly expected not happening
• Examples: 9/11, Internet bubble, collapses of Enron, Lehman Brothers, ...
• The combination of low predictability and high impact makes Black Swan events highly problematic
Grey Swans: Black Swans that we can somewhat take into account, but whose properties it is
impossible to completely figure out or to calculate precisely
Examples of Black Swans:
Digital disruption has already happened:
• World's largest taxi company owns no taxis (Uber)
• Largest accommodation provider owns no real estate (Airbnb)
• Largest phone companies own no telco infrastructure (Skype, WeChat)
• Most popular media owner creates no content (Facebook)
• World's largest moviehouse owns no cinemas (Netflix)
• Largest software vendors don't write the apps (Apple & Google)
• Only 11% of the Fortune 500 companies from 1955 still exist today
• The average time that companies stay in the top 500 has fallen from 75 years to 15 years
• New York Times reported that the company's digital transformation is projected to make 30% of
current jobs obsolete by 2020
How to identify risk?
Interviews
• Open-ended questions (e.g. ‘What are the top three strategic risks that
the organization faces over the next two years?’) vs. Focused questions
(e.g., ‘What are the top 2-3 risks affecting the organization’s ability to
retain the new talent that it needs to execute its growth plans?’)
• Interviews with Board and/or Senior Management
• What keeps us up at night?
• What could go wrong?
• What must go right to succeed?
• What’s emerging that could impact our future performance...and are we prepared?
Workshops
• Facilitated by ERM staff
• Brings together employees from various levels and functions to obtain a
«bottom-up» view
• Must allow for a free exchange of ideas/concerns
• Can be a terrific team-building and educational exercise for participants
• Requires a skilled facilitator to ensure complete participation and to override dominant voices
• Consider using anonymous voting technology
War-gaming
• Assess vulnerabilities to competitors’ strategies
• Develop plausible near-term strategies that existing or potential competitors
might adopt in a 1 to 3 year time frame
• What would you do if you were your competitor?
• What are your vulnerabilities and how might they attack?
• What innovations might emerge that are disruptive technologies?
Post-mortem analysis
• Uses prospective hindsight to identify potential risks to strategy
• Instead of asking «what could go wrong?», ask «what went wrong?»
• Can open whole new avenues of cause-effect observations that haven't been considered
2) Risk assessment
Two factors: probability and impact
3) Prioritize risks
a. Adaptability
b. Complexity
c. Velocity
d. Persistence
e. Recovery
4) Risk responses
Management determines how it will respond to risks:
- Accept
- Avoid: stop doing the activity that makes the risk happen
- Pursue: actively pursue the activity in that area anyway
- Reduce: if the risk materializes, the consequences will be acceptable
- Share: transfer the risk (e.g., outsourcing)
5. Review and revision
1) Risk reporting:
Data are «raw» observations (e.g., survey responses, website metrics)
• Information comes from processing the data (e.g., a survey can show the response to a
marketing campaign)
• Information is data that have been organized and processed into meaning to a user
• Information supports decision-making
• Transforming data into information is a crucial success factor for every entity
• Normally: more and better information translates into better decisions, but...
Less-is-More: less information, computation, and time can improve accuracy
Communication is the continual, iterative process of providing, sharing, and obtaining
necessary information
Essential in creating the «right» internal environment and to support other enterprise
risk management components
Relevant information is identified, captured, and communicated in a form and
timeframe that enable people to carry out their responsibilities
Internal communication: Information is disseminated through the entity
• The importance and relevance of ERM
• The entity’s objectives
• The entity’s risk philosophy, risk appetite and risk tolerance
• A common risk language
• The roles and responsibilities of personnel
Communication between the Board and top executives is crucial
External communication:
Opportunity to manage stakeholders’ risk perception
Provides information to external stakeholders in response to requirements and expectations
• The entity’s objectives
• The entity’s risk appetite and risk tolerance
Frequency and nature of reporting
• Most report to full Board at least annually; 50% report quarterly to a committee
• Discussion typically led by CRO, VP Strategy or Chief Audit Executive
• Typically, 30 minutes presentation
• Most report TOP10-15 risks
2) Risk monitoring
To ensure the (continued) effectiveness of ERM, the process and components of ERM itself are
evaluated
• ERM is not a one time special project
• Objectives change over time
• The environment (and associated risks) change over time
Assessing the presence and functioning of its components over time:
• Ongoing monitoring activities
• Separate evaluations
• Key risk indicators
Roles and responsibilities
Board of directors
Strategic role
Monitoring role
o Knowing the extent to which management has established effective ERM
o Being aware of and concurring with the organization’s risk appetite
o Being apprised of the most significant risks and whether management is responding
appropriately
Part of the internal environment
Composition
Board subcommittee
Chief Executive Officer (CEO)
Ultimate responsibility for the effectiveness and success of ERM
• «tone at the top» (= ethical environment within the firm created through management practices
and espoused values)
• Establish ERM fundaments
• Follow-up, monitoring
Chief Risk Officer (CRO)
• Risk manager
• Establish, direct, and manage effective risk management function
• Establishing ERM policies and participating in setting goals for implementation
• Framing authority and accountability (roles and responsibilities) for ERM
• Promotes ERM and facilitates development of technical ERM expertise
• Guides integration between ERM and other management activities
• Establishes a common risk language throughout business units
• Reports to the CEO on ERM progress
• Assess all the risks
• Prepares the risk heatmap
• Takes action when misalignments with the risk criteria are found
• Follow-up, monitoring
=> He/She doesn’t own any risk!!!
Senior managers
• Operational responsibility for managing risks related to their specific units’ objectives
• Delegate to line management / Risk Owners (processes, functions, departments ) responsible for
conducting ERM on a daily basis
Internal Audit
• Independent and objective
• Evaluation of adequacy and effectiveness of ERM
• Recommendations for improvement
• Supporting role vis-à-vis the Board of Directors (Risk Committee) and senior management (CEO)
Limitations of ERM
• No one can predict the future with certainty
• Certain events are outside management’s control
• Reasonable assurance vs. absolute assurance
• Human judgement (cf. risk assessment, which can be based on perceptions/biases)
• Costs vs. benefits
III. Internal control
Internal control: definition
To put it simply
• A control will be those activities that are performed on a periodic and consistent basis to
provide management with comfort that an objective is being achieved.
• Activities designed to mitigate risk and reinforce the validity of the desired outcome
Ex: Under SOX, internal controls over financial reporting are designed and operated with the objective of
preparing financial statements that completely and accurately reflect the results of operations
Features of internal controls
Three IC frameworks recognized globally:
1. Internal Control – Integrated Framework (COSO)
2. Guidance on Control (CoCo)
3. Internal Control: Revised Guide for Directors on the Combined Code (Turnbull Report)
COSO IC – Integrated Framework
Objectives:
1. Operations: effectiveness and efficiency of the entity's operations, including operational and
financial performance goals, and safeguarding of assets against loss
2. Reporting: internal, external, and non-financial reporting
3. Compliance: adherence to law and regulations to which the entity is subject, but also policies,
plans, rules, procedures, contracts, or other requirements
Components:
1. Control environment: norms, values, ethics, style of management, history, culture, shared
values
2. Risk assessment : identification and evaluation
3. Control activities: actions taken by management, the board and other parties to mitigate risk
and increase the likelihood that established objectives and goals will be achieved
4. Information & communication: High quality information must be communicated appropriately
(relevant, accuracy, timely, availability, appropriate)
5. Monitoring: ongoing evaluations of the entire process and recommendations for improvement
Control activities
Preventive: prevent that an error or misstatement can occur (e.g., storing cash in a locked safe and
segregating duties)
Detective: detect that an error or misstatement has occurred. It alerts the proper people after an
unwanted event (e.g., a burglar alarm)
Directive: Policy and procedure or guidance with instructions how to perform a task. It causes or
encourages the occurrence of a desirable event (e.g., policy and procedures, employee training, job
descriptions, etc.)
Corrective: Correct the negative effects of unwanted events (e.g., a requirement that all cost
variances over a certain amount be justified). Also, another control that covers the failure of one
control and corrects the error or misstatement caused by the failure of one control.
Control activities occur throughout the organization, at all levels and in all functions.
Entity level controls: Help to ensure that management directives pertaining to the entire entity are
carried out
e.g. job descriptions, code of conduct, controls over the period-end financial reporting
process, whistle-blower hotline
Process/transaction-level controls: Operate over one or more relevant assertions within a single
process/transaction
e.g. invoice approval
Authorization and approval: formal authorization and approval
System access: The ability that individual users or groups of users have within a computer
information system processing environment, as determined and defined by access rights configured
in the system
Safeguard controls: The restriction of access to information or physical assets
Exception/edit reports: A report that is generated by an entity to monitor something and followed
up on through to resolution
Reconciliation: The matching of two independent data sources leading to the identification and
investigation of discrepancies on a timely basis
Segregation of duties: assigning different people the responsibilities of authorizing transactions,
recording transactions, and maintaining custody of assets
Key performance indicators: Financial and non-financial quantitative measurements that are
collected by the entity, either continuously or periodically, and used by management to evaluate
Management review: Review of information by the management of an organization on a regular
basis.
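As an added example (not from the lecture notes), the following Python implements three of the control activities listed above as automated detective checks over constructed data: a reconciliation of a ledger against an independent bank statement, a segregation-of-duties check, and an exception report that also flags cost variances over a threshold that lack a justification. All names, references, amounts and the threshold are constructed for illustration.

```python
"""Detective controls over a constructed set of transactions.

Added example, not part of the lecture notes: reconciliation, segregation of
duties and an exception report, run over a small constructed data set.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class LedgerEntry:
    ref: str                # transaction reference shared with the bank statement
    amount: Decimal         # signed amount, positive = cash in
    authorized_by: str      # who approved the transaction
    recorded_by: str        # who booked it in the ledger
    custody_by: str         # who handled the asset (e.g. released the payment)
    justified: bool = True  # whether a cost variance justification is on file


# Constructed sample data: the ledger and an independent second source (bank statement).
LEDGER = [
    LedgerEntry("T1", Decimal("1200.00"), "alice", "bob", "carol"),
    LedgerEntry("T2", Decimal("-450.00"), "alice", "alice", "carol"),   # alice authorizes AND records
    LedgerEntry("T3", Decimal("-9800.00"), "dave", "bob", "bob", justified=False),  # bob records AND has custody
    LedgerEntry("T4", Decimal("300.00"), "alice", "bob", "carol"),      # never reached the bank
]
BANK_STATEMENT = {
    "T1": Decimal("1200.00"),
    "T2": Decimal("-450.00"),
    "T3": Decimal("-8900.00"),  # amount differs from the ledger
    "T5": Decimal("-75.00"),    # not in the ledger at all
}
VARIANCE_THRESHOLD = Decimal("5000.00")  # constructed: variances above this need a justification


def reconcile(ledger, bank):
    """Match two independent data sources; return discrepancies keyed by reference."""
    ledger_by_ref = {e.ref: e.amount for e in ledger}
    issues = {}
    for ref in sorted(set(ledger_by_ref) | set(bank)):
        in_ledger, in_bank = ledger_by_ref.get(ref), bank.get(ref)
        if in_bank is None:
            issues[ref] = "in ledger, not on bank statement"
        elif in_ledger is None:
            issues[ref] = "on bank statement, not in ledger"
        elif in_ledger != in_bank:
            issues[ref] = f"amount mismatch: ledger {in_ledger} vs bank {in_bank}"
    return issues


def sod_violations(ledger):
    """Flag entries where one person holds two or more of: authorize, record, custody."""
    violations = {}
    for e in ledger:
        roles = defaultdict(list)
        for role, person in (("authorize", e.authorized_by),
                             ("record", e.recorded_by),
                             ("custody", e.custody_by)):
            roles[person].append(role)
        clashes = {p: r for p, r in roles.items() if len(r) > 1}
        if clashes:
            violations[e.ref] = clashes
    return violations


def unjustified_variances(ledger, threshold=VARIANCE_THRESHOLD):
    """Corrective-control trigger: items above the threshold must carry a justification."""
    return sorted(e.ref for e in ledger if abs(e.amount) > threshold and not e.justified)


def exception_report(ledger, bank):
    """Combine the detective checks into one report to be followed up through to resolution."""
    return {
        "reconciliation": reconcile(ledger, bank),
        "segregation_of_duties": sod_violations(ledger),
        "unjustified_variances": unjustified_variances(ledger),
    }


if __name__ == "__main__":
    for section, findings in exception_report(LEDGER, BANK_STATEMENT).items():
        print(f"== {section} ==")
        items = findings.items() if isinstance(findings, dict) else [(r, "needs justification") for r in findings]
        for ref, detail in items:
            print(f"  {ref}: {detail}")
```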
Monitoring activities
Internal control deficiencies
Shortcoming in a component and relevant principle that reduces the likelihood that the entity can
achieve its objectives.
• Identified during monitoring or separate evaluations
• Must be reported timely to the appropriate individuals (e.g., board)
• Important consideration in the evaluation/effectiveness of the system of internal controls
Key aspects of IC
• Linked to the achievement of objectives
• It’s a process, not an end in itself
• Effected by people
• Providing only reasonable assurance
• Adaptable to the entity structure
Limitations of IC
1. Human errors
2. Management override
3. Collusion
4. Changing conditions
5. Lack of/insufficient segregation of duties
6. Inadequate knowledge of policies, procedures, or governing regulations
7. Form over substance
SOX internal controls over financial reporting
Section 404: requires CEO and CFO of publicly traded companies to opine on the design adequacy and
operating effectiveness of internal controls over financial reporting, as part of financial statements.
• All publicly traded US corporations are required to maintain an adequate system of internal controls
• Corporate executives and boards of directors must ensure that these controls are reliable and
effective
• Independent external auditors must attest to the adequacy of the internal control system
• Section 302 mandates disclosure of any changes in internal controls
COSO, CoCo, and Turnbull used as frameworks for the assessment
IV. Fraud
What is fraud?
A knowing misrepresentation of the truth or concealment of a material fact to induce another to act
to his or her detriment.
Consequently, fraud includes any intentional or deliberate act to deprive another of property or
money by guile, deception, or other unfair means.
(Definition by ACFE- Association of Certified Fraud Examiners)
The act is done intentionally
Economic crime
Economic crime, also known as financial crime, refers to illegal acts committed by an individual or a
group of individuals to obtain a financial or professional advantage.
Fraud is a type of crime, and all fraud is considered an economic crime, but not all economic crimes
are fraud.
Ex: money laundering is a financial crime but not a fraud.
According to PwC in 2020, 47% of organizations globally said they had been a victim of fraud and
economic crime, the second-highest reported figure in 22 years. What about the other 53%? Fraud is
usually committed in the shadows, so these organizations may simply not be aware of it (the "dark
number").
Fraud detection
According to ACFE, almost half of detections happen through a tip (= someone who saw something, or
a whistleblower).
The second most common way is audit.
The third is management review. Managers should frequently perform a performance review; if they
spot an unusual fluctuation in performance, it could trigger a deep dive into the numbers that can
highlight a fraud.
The fraud triangle
This is a framework commonly used to explain the reasons behind individuals' decisions to commit
fraud. It outlines 3 components that contribute to the decision to commit fraud. If these 3
components are present, this might lead to fraud-like behaviour, but it also depends on the
personality: you still need the guts to commit it.
Pressure: fraudsters might feel pressure to commit fraud
Opportunity: fraudsters can commit fraud
Rationalization: fraudsters usually justify their behaviour
1. Pressure/incentives
Personal pressure:
• High personal debts and unusual financial losses
o Gambling
o Substance abuse (drugs, alcohol, …)
o Living beyond one's means
o Extensive investment speculations
Work related pressure:
• Job frustration
• Resentment of superiors
• Protection of supplier or competitor
• Bonuses on a “formula” basis (based on financial performance only)
• Unfavorable economic conditions in the industry
• Heavy losses/investments that didn’t pay off
• Insufficient working capital/high debts
• Credit problems
2. Opportunity
1. Ineffective or no internal controls
a. Procedures not well understood/ designed
b. No internal audit (monitor)
c. Substance vs. Form
2. Weak management
a. tone at the top
3. Close associations with suppliers or competitors
4. Ineffective board or management
a. Lack of accountability
5. Ineffective internal audit staff / risk management
6. Ineffective auditor
3. Rationalization
• “Everyone does it”
• “I’m not hurting a person, it’s a company”
• “I was going to pay it back”
• “The company owed it to me”
• “I will only do it once”
Fraud risk management
Usually part of a broader risk management program.
Constituted by different elements:
• Risk assessment: list and assess all the risks a company is exposed to; define probability and impact
• Standards and procedures: a code of conduct defines what acceptable behavior is and what should
be done in case something is detected
• Whistleblowing: outline or tool to allow people to anonymously report fraud
• Investigation: and follow-up after a report is received
• Accounting procedures: important to have a good understanding of the controls that are in place in
the organization to address the risk and to know that they work properly
• Training and communication: on what fraud is and what to do in case of fraud
• HR measures: stick or carrot (= sanction if stealing, reward for good behavior)
• Audit and monitoring: external and internal audit to monitor the effectiveness of the internal
control
V. Auditing
What is auditing
In general, an audit is a professional assessment by a competent and independent person of an
entity's financial statements, internal control, organization, procedures, or transactions against a
standard.
Financial auditing
the process of examining an organization’s financial records to determine if they are accurate and in
accordance with any applicable rules (including accepted accounting standards), regulations, and
laws.
Internal vs. external auditor
External auditing
• Auditors sell an opinion on the truth and fairness of financial information
• Reasonable assurance
• There is always some audit risk left, no matter how good the audit service is
• Different types of opinion:
- Unqualified opinion: financial statements are true and fair
- Qualified opinion: the auditor found some mistakes in the financial statements BUT no evidence
of systemic errors
- Adverse opinion: the auditor thinks the financial statements do not represent the actual situation /
the company does not follow the rules
- Disclaimer: the auditor does not have enough information to form an opinion
Auditors are always prudent and will always warn the company about any mistakes they found
Audit evidence
ISA 500: Information used by the auditor in arriving at the conclusions on which the auditor’s
opinion is based.
Audit evidence includes both information contained in the accounting records underlying the
financial statements and other information.
Audit evidence must be appropriate (= quality of the audit service) and sufficient (= quantity)
Internal auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
VI. Guest lecture by Dirk Bebruyne
Internal audit cycle:
High view of IA
Audit universe: all the entities that need to be audited
1. Audit risk assessment
2. Plan & organize the audit
3. Perform the audit
4. Report on observation
5. Remediation & follow-up
Effective governance
Internal auditors assess risks
To help keep bad things from happening
To help assure good things can happen
To help management understand
o Where their risks are
o Whether the risks are under control
o Whether the risks are worth taking
Internal auditors
Find out what’s working and what’s not
Keep an eye on the corporate climate
Look at the organization with fresh eyes
Look beyond the financial statements
Advocate improvements
Raise red flags
Tell it like it is
Auditors tell it like it is
Keep senior management aware of critical issues
Ensure factual communications of financial, operational and compliance data
Make suggestions based on knowledge of operations throughout the organization
International professional practices framework
Mandatory Guidance
– International Standards for the Professional Practice of Internal Auditing
– Definition of Internal Auditing
– Code of Ethics
Strongly Recommended
– Position Papers
– Practice Advisories
– Practice Guides
Should look to opportunities & technology
INTERNAL AUDIT: WHAT DO WE DO?
Business Process Audits:
Operational Audits: Determining if resources are being used effectively and efficiently to fulfill
the organization's mission and objectives
Financial Audits: Reviewing accounting /financial transactions accuracy and proper treatment.
Compliance Audits: Determining if entities are complying with applicable laws, regulations,
policies and procedures
Internal Control Reviews: Review of operation and adequacy of controls around major business
functions (i.e. payroll, accounts payable and financial reporting)
Auditors report to the CEO but mainly to the Audit Committee
PROFESSIONAL ASSOCIATIONS
Institute of Internal Auditors (IIA)
Association of Certified Public Accountants (AICPA)
Information Systems and Control Association (ISACA)
Association of Certified Fraud Examiners (ACFE)
Is it for you?
What's in it for you?
Work with multiple clients in diverse industries
Not locked into a specific audit area/function
Exposure to different methods and approaches to auditing
Exposure to high level executives and audit committee members
You perform your work from various locations – not stuck in the same office
Possibility to obtain multiple certifications (i.e., CIA, CISA, etc.)
Travel to fun/exciting locations
Premier status on multiple airlines and with multiple hotels
A ton of frequent flier miles and hotel points (free vacations)
What's the catch?
Frequent change in work type and subject matter
Hard schedules/deadlines (get in, get out)
Accountable for every hour of work day (i.e., bill clients by the hour)
Challenging work environment
Work with and for different people throughout the year
Often work and travel alone
Required to maintain multiple certifications (i.e., CIA, CISA, CPA, etc.)
Required training and firm policy compliance
Travel to small locations with little to do in the evenings.
The hotel staff knows your name and family history.
Staying at home is a "fun" vacation.
What are the keys to success?
Be comfortable with being uncomfortable.
Learn from those around you and above you.
Find the learning opportunity in every mistake you make.
Ask questions!
4) FCPA Reviews
5) Fraud Investigations
6) Physical Inventory Exemption
7) Hire, Train, and Develop staff for future IR Finance roles
8) On call function to support acquisitions, special projects, etc.
Reflection about the audit of tomorrow (digitalization, data analytics, predictive continuous
auditing, automation...)
Data analytics: example of outputs: (only for illustration)
Continuous monitoring and auditing
Purpose
Continuous Monitoring:
« Continuous monitoring enables management / the business to continually review business
processes for adherence to and deviation from their intended levels of performance and effectiveness
»
Continuous Auditing:
« Continuous auditing enables internal audit to continually gather from processes data that supports
auditing activities »
Benefits of Continuous Monitoring Systems:
Control:
Automated report generation (consistency over time)
Automatic notification to the control performer
Ease of control transfer (no modification of ERP permissions)
Automatic escalation process
Timely detection of invalid transactions
Traceability of control performance (evidence, timing, etc.)
Flexibility:
Flexible frequency: no burden on the IT staff
Centralization of the control documentation in one place
Technical aspects:
Control offloading: no additional customization of the ERP
As long as the data structure remains the same, the control will operate
Example MCQ:
When implementing an enterprise risk management (ERM) framework, a large
organization should be aware that ERM:
o only allows for risks to be measured in financial terms
o relies largely upon the analysis and evaluation of risks against criteria that are set
by the board
o will always improve the competitive position of the organization
o will always require assessment of risk management processes from both internal
and external auditors
Which of the following components are supporting aspects of the COSO ERM framework?
o Governance and culture; review and revision
o Performance; review and revision
o Governance and culture; information, communication, and reporting
o Strategy and objective-setting; performance
An entity determined that its variable interest rate on borrowing will increase significantly
in the near future. Consequently, the entity hedged its variable rate by locking in a fixed
rate for the relevant period. According to COSO, this decision is which type of response to
risk?
o Reduction
o Acceptance
o Avoidance
o Sharing
A procedure for confirming that the balance in a chequebook matches the corresponding
bank statement is a:
o Safeguard control
o Reconciliation
o Exception report
o Management review
Auditing has characteristics of a credence good because:
o It is difficult to observe the audit quality in advance
o It is difficult for consumers/users of audit services to ascertain the quality even
after the audit happened
The most important difference between an internal auditor and an external auditor is that
the internal auditor is always an employee of the organization:
o True
o False