What the hell is audit?

Most people would like to think of Audit as a bunch of freaks sitting in a corner room and having a pesssimistic view of the world. Nice description, thank you. Your’s truly is also an auditor and guess what I could not disagree with you more, ‘cos I think I am a cool auditor :-), and that’s why I am blogging about audit!

Let me give you an analogy and explain audit through that:

Audit is a control function whose responsibility is to ensure that issues and problems in a company are addressed appropriately keeping the best interests of the shareholders and keeping in line with the law.

Think of audit like having a personal navigator in your car that keeps talking (giving feedback) all time and tells you if you are going in the right direction, are you running too fast or too slow, eggs to stop at the traffic lights so that the traffic cop (analogous to regulators) won’t catch for breaking the law, make the right turns so you get to the destination correctly etc. So, the audit function is effectively a friend of the company’s management.

Like the traffic regulations and police are there to ensure that you drive carefully so that you are safe and so are the other drivers, pedestrians, so also do audit keep the interest of the shareholders, board of directors, employees etc.

Simply put, Audit is a function that provides the shareholders and management comfort that the company is running in a controlled manner. And that the CEO or other people under him are not doing crazy things to boost their earnings, or people are not skipping steps only to be exposing the firm to regulators (like SEC, FSA, MAS etc.).

Sophisticated investors, if not the retail investors, should be well versed in the role of audit before making an investment. This goes both for Public and Private companies, as well as for all categories of “investors”. Speculators on the other hand do not care about the internal controls or reliability of numbers before they invest. They mostly operate based on short-term events, market sentiments and other opportunities to make a quick buck. So, we will leave speculators and day traders out of this conversation.

I would like to briefly describe auditing entity types and their roles so after this you should feel like a PhD when some body asks you next time “What the hell is audit?”.

There are 3 types of auditing entities for a properly organized industry like a Securities firm.

1. Internal Audit – they are paid for by the firm, but in theory report to the Audit Committee, which reports to the CEO and the Board of Directors. Since the Board of Directors represent the interest of the shareholder, the Internal Audit should in essence be quite independent of the business management namely the CEO and his reporting lines. As a result they should be independent enough to report and escalate issues that could be sensitive and impact the business management’s reputation, pay check or any such factors.
2. External Audit – They are also called the accounting firms, because most of  the time they look at and certify the numbers of the firm. (Numbers meaning, the Balance Sheet, Cash Flow Statement and the Income Statement). The external audit company like (PWC, KPMG, Deloitte or Ernst & Young) reviews a company’s numbers, but they cannot do that until they review the internal controls of the firm that make the numbers happen. They give an opinion of which generally takes the form “We did not find any major issues that are relevant to the financial statements of the firm”. Wording that is definitive but yet vague, but one that is accepted by the Securities and Exchange Commission (SEC) and other regulators.
3. Regulators – The regulators are SEC in the USA, Financial Services Agency (FSA) in UK and similar other countries. They are the overall body that “regulates” the financial industry and the listed or unlisted companies.

How they all come together in the normal course of operations?

Business management is responsible to run the daily operation of a company. From time to time, Internal Audit reviews certain  internal controls and processes of the firm, and issues “Audit reports” to the company’s management when certain controls are in the firm are not up to the mark, or failure in performing in certain functions could be detrimental to the cause of the company, the shareholders, potential violation of laws etc.,.

The External audit has to review the financial statements of the company before the same can be presented to the regulators or public as official numbers. This is also major step for acheiving Sarbannes Oxley section 404 (SOX 404) compliance on a yearly basis.

The Regulators check on a company’s controls on a cyclical basis and can review the company from front-to-back, review the functions of the audit department and also review the audit reports.

The work of external audit firms gets reviewed by a industry regulatory body like the Public Company Accounting Oversight Board (PCAOB) for adherence to set of guidelines. Such a quality check ensures that external audit firms who get paid by a company’s management (on behalf of the board of directors) to certify its financial statement does not unfairly certify the financial statements to the detriment of the share holders.

So there is a check, on a check, on a check, like a pyramid, where the company management is at the bottom and the Government (the regulators) is at the peak. The multiple levels of checks are designed to mitigate the risk of something like Enron blowing up in our faces.

Well, I still end the primer on audit here and add more if there are any questions or comments. So, the floor open to you.