Auditing: Principles, Process and Standards

9 min read

Auditing is the independent examination of an entity's financial information so that the auditor can express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial-reporting framework. In Pakistan, audits of listed companies are regulated by the Securities and Exchange Commission of Pakistan (SECP), conducted by chartered accountants registered with ICAP, and performed under the International Standards on Auditing (ISAs) adopted locally.

True and Fair View

Financial statements give a true and fair view when they are factually accurate, free from material misstatement and fairly reflect the underlying economic substance, taken as a whole.

Objectives of an audit

ISA 200 lists three overall objectives:

To obtain reasonable assurance that financial statements are free from material misstatement, whether due to fraud or error.
To report on the financial statements per the auditor's findings.
To communicate as required by the ISAs.

"Reasonable" — not absolute — assurance is the key. An audit is not an insurance policy.

Classification of audits

Basis	Types
Statutory requirement	Statutory (companies, banks), Non-statutory
Scope	Complete, Partial
Approach	Continuous, Periodical (final), Interim
Auditor	External (independent), Internal
Subject matter	Financial, Operational, Compliance, Forensic, Performance, Tax

Government audits in Pakistan are conducted by the Auditor-General of Pakistan (AGP) under Article 169-171 of the Constitution and the Auditor-General's (Functions, Powers and Terms and Conditions of Service) Ordinance, 2001.

Principles of auditing

ISAs codify a number of foundational principles auditors must observe:

Integrity and objectivity
Professional competence and due care
Confidentiality
Professional behaviour
Independence — both in mind and in appearance
Professional scepticism — a questioning mind, alert to circumstances indicating possible misstatement
Professional judgement

Key Points

The auditor is not responsible for preparing financial statements — that is management's duty.
Detection of fraud is incidental, not the primary objective.
Independence is reinforced through rotation: in Pakistan, audit-firm rotation for listed companies every 10 years and engagement partner rotation every 5 years.

The audit risk model

A simple but examinable formula:

Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)

Inherent Risk — susceptibility of an assertion to misstatement before controls (e.g., cash, complex estimates).
Control Risk — risk that internal controls fail to prevent/detect a misstatement.
Detection Risk — risk that the auditor's procedures fail to detect a misstatement. This is the only component the auditor controls; it is reduced by increasing the nature, timing and extent of substantive procedures.

If IR and CR are assessed high, the auditor must drive DR down, typically by doing more substantive testing.

Internal control

The COSO framework identifies five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring.

The auditor evaluates internal controls in two ways:

Tests of controls — to confirm controls operate effectively (e.g., re-perform a bank reconciliation, inspect authorisations).
Substantive procedures — direct tests of monetary amounts and disclosures, including tests of details and substantive analytical procedures.

Audit evidence

ISA 500 requires sufficient and appropriate audit evidence. Methods of obtaining evidence form the well-known mnemonic AEIOU + RIC:

Analytical procedures
Enquiry and confirmation
Inspection of records / assets
Observation
Recalculation
Reperformance
External Confirmation

Evidence quality rises with: independence of source, effective internal controls, direct auditor knowledge, and documentary rather than oral form.

Sampling

Audit sampling (ISA 530) is the application of audit procedures to less than 100% of items, expected to provide a reasonable basis to draw conclusions on the population. Types:

Statistical sampling — uses probability theory; allows quantification of sampling risk (e.g., Monetary Unit Sampling).
Non-statistical sampling — based on auditor judgement, common for small populations.

The auditor's report

The auditor's report (ISA 700 series) typically contains:

Title and addressee
Opinion paragraph (placed first since ISA 700 (Revised))
Basis for opinion
Key Audit Matters (for listed entities — ISA 701)
Other information section
Responsibilities of management and those charged with governance
Auditor's responsibilities
Signature, place and date

Types of opinion

Opinion	Trigger
Unmodified (clean)	Financial statements give a true and fair view
Qualified	Misstatement / scope limitation is material but not pervasive ("except for")
Adverse	Misstatement is both material and pervasive
Disclaimer	Auditor unable to obtain sufficient evidence; effect could be material and pervasive

The triangle to remember: material + pervasive → adverse (or disclaimer if scope limitation); material + not pervasive → qualified. "Pervasive" means affecting many items or fundamental to user understanding.

Special audits

Internal audit (IIA standards) — assurance and consulting activity for management.
Forensic audit — investigative; admissible in court (relevant in NAB and FBR cases in Pakistan).
Performance audit — by the AGP; examines economy, efficiency and effectiveness ("3 Es").
Information-systems audit (ISACA) — controls over IT environments; increasingly important under SBP's cybersecurity directives.

Recent developments

Pakistan's Code of Corporate Governance Regulations, 2019, the Companies Act, 2017 and SECP's framework have strengthened audit committee oversight. The shift to Expected Credit Loss under IFRS 9 and the consolidation requirements under IFRS 10 have made audits of banks and groups significantly more complex — themes that increasingly appear in CSS questions on emerging issues.