Assurance Services in a Changing Environment
By Alan Levitan and Trimbak Shastri
Evolving from Standards to Action
The authors present a generalized framework for audit, review, assurance, and investigative engagements in a changing information technology (IT) environment. The framework consists of four phases for assurance services and investigation process: considerations at the time of accepting the engagement; obtaining knowledge about the entity, including its controls, systems, and the environment in which it operates; remaining alert to unusual conditions while tracking fraud; and communicating the results. The framework can be adapted and used as a guide for a variety of investigative engagements. The practitioner should tailor the considerations, actions, and procedures under each phase according to the nature of the engagement.
Statement on Standards for Attestation Engagements (SSAE) 10 supersedes all prior SSAEs. The primary objective of attestation standards is to provide a general framework and to set reasonable boundaries around the attest function. SSAEs are designed to provide guidance to public accountants on attestation engagements other than the traditionally provided attest services, such as audits and reviews of financial statements. That is, SSAE 10 does not replace existing standards for attest services, including Generally Accepted Auditing Standards (GAAS) and Statements on Standards for Accounting and Review Services (SSARS).
Formerly, attest services were limited to GAAS audits. Standards for attest engagements, also called attestation standards (ATS), are a natural extension of GAAS, and GAAS have stood the test of time. Therefore, a framework based on GAAS could be developed for use in planning and executing both traditional (GAAS audits; SSARS reviews) and new and evolving assurance services according to the ATS.
GAAS vs. ATS
Like GAAS, ATS are also grouped under general standards, standards of fieldwork, and standards of reporting. In both GAAS audits and ATS engagements, the independent practitioner’s report (with or without reservations) would be based on sufficient evidence. GAAS covers engagements that provide a high level of assurance, whereas ATS covers engagements that provide assurance either at a high level (audit or GAAS-type) or at a moderate level (review or SSARS-type).
In GAAS audits, sufficient competent audit evidence is gathered to evaluate assertions embodied in the financial statements against criteria that are usually GAAP. Because the subject matter of engagements governed by ATS can take many forms, it is necessary to determine that suitable criteria either exist or could be developed for a particular situation for evaluation.
In all assurance engagements, the independent practitioner’s (IP) objective is to plan and execute the engagement efficiently and effectively. Efficiency is the completion of the examination process at the lowest examination cost, and effectiveness relates to the completion of an examination process that will not fail to detect individually, and in aggregate, material or significant (qualitative and quantitative) misstatements that may exist in management representations.
Completing the process effectively is critical and requires the IP to restrict the ultimate risk to an appropriately low level. Audit risk (ultimate risk)—the risk that the auditor may unknowingly fail to appropriately modify her opinion on financial statements that are materially misstated—refers to the IP’s incorrect conclusion that management’s representations are not materially or significantly misstated or misleading when in fact they are. The IP should obtain sufficient competent evidence to restrict the ultimate risk or audit risk to an appropriately low level.
Audit risk represents the joint risk of:
Substantive audit procedures are performed to gather evidence for evaluation in connection with financial statement assertions such as existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure. By contrast, tests of control audit procedures are performed to determine the effectiveness of identified internal control policies and procedures.
While the second fieldwork standard of GAAS explicitly requires the auditor to assess control risk, ATS does not refer to control risk. In such assurance engagements, however, the IP would assess combined inherent and control risk where appropriate (e.g., in engagements where the output is driven by a process or system).
A General Framework
The end result in audit and assurance services is the IP’s report based on his examination. As previously noted, the outcome of the IP’s examination process involves gathering and evaluating sufficient competent evidence to restrict ultimate risk to an appropriately low level. A sufficient competent evidence set would be determined by the IP based on combined inherent and control risk, and materiality and significance. In this regard, the IP needs to exercise professional judgment. Exercising professional judgment by the auditor would include exercising due care; maintaining an attitude of professional skepticism; being technically proficient in the subject matter; complying with professional standards and conduct and other applicable regulations; evaluating all relevant scenarios and alternatives; and reaching a balanced decision.
The framework can be adapted by both internal auditors and independent auditors, as both groups are proficient in assurance technology. When independence in appearance is not a requirement, assurance engagements can be undertaken by internal auditors. For example, an entity’s internal audit engagements, including fraud examination (when fraud examination is not part of GAAS audits), could be undertaken by the entity’s internal auditor adapting the framework proposed here.
A general framework for planning and executing assurance services based on the above and related to similarities and differences between GAAS and ATS consists of four broad phases:
Examination of Fraud and Other Subject Matters
In GAAS audits, auditors are required to provide reasonable assurance that the statements are free of material misstatements, whether caused by error or fraud. The distinguishing feature between fraud and error is whether the misstatement is caused intentionally (fraud) or unintentionally (error). Even a small amount of misstatement intentionally made to manage earnings (e.g., to reverse a loss into income) would be tantamount to fraudulent financial reporting.
In GAAS audits, misstatements due to fraud can arise because of fraudulent financial reporting or misappropriation of assets. Recent guidelines require the auditor to place increased emphasis on professional skepticism, with the audit team exchanging ideas about how frauds could occur. In this regard, the auditor, as part of risk assessments, would consider fraud risk factors, recognizing that frequently fraud occurs when there is incentive (e.g., financial gain), opportunity (e.g., lax IT controls), and ability to rationalize (e.g., belief by the employee that he is underpaid).
The framework can similarly be adapted to engagements in other areas, such as performance evaluations and IT reliability and security.
IT Assurance Engagements
The IP may be asked to perform an assurance engagement related to the company’s information processing and communications systems that employ IT. This might be a strictly attest engagement, or a nonattest assurance engagement. (See SSAE 10 for information about the distinction between attest and nonattest assurance engagements.)
In an attest engagement, the IP is usually examining management’s representations or assertions about a subject matter. These assertions might relate, for example, to the reliability of the internal control system or to the degree of trust a customer or other business partner can have in the company’s website. The IP’s report would include an opinion on whether those assertions, in all material respects, are reliable.
With a nonattest assurance engagement, the IP seeks to improve the quality or context of information for the benefit of (usually internal) decision makers. In this case, instead of comparing the performance of a system to a set of management assertions, the IP compares the operation to that of an ideal (based on, for example, best practices) information and communications system, and suggests improvements.
The steps may be adapted to the four-phase framework, which would be slightly different depending on the type of engagement. The following steps apply only to attest engagements:
For a nonattest assurance engagement, the phases could be modified as follows:
Engagement risk assessment is a continuous process. The practitioner should assess risk at the time of accepting the engagement, at the planning stage, during the examination, and during the wrap-up phase. In this regard, the IP would evaluate the implications of the dynamics of information and other technological changes in the entity on the engagement planning and execution. This includes changes in the entity’s IT platforms, Internet applications, and outsourced services.
©2006 The CPA Journal.