Assurance Services in a Changing Environment

Assurance Services in a Changing Environment

By Alan Levitan and Trimbak Shastri

In Brief

Evolving from Standards to Action

The authors present a generalized framework for audit, review, assurance, and investigative engagements in a changing information technology (IT) environment. The framework consists of four phases for assurance services and investigation process: considerations at the time of accepting the engagement; obtaining knowledge about the entity, including its controls, systems, and the environment in which it operates; remaining alert to unusual conditions while tracking fraud; and communicating the results. The framework can be adapted and used as a guide for a variety of investigative engagements. The practitioner should tailor the considerations, actions, and procedures under each phase according to the nature of the engagement.

Statement on Standards for Attestation Engagements (SSAE) 10 supersedes all prior SSAEs. The primary objective of attestation standards is to provide a general framework and to set reasonable boundaries around the attest function. SSAEs are designed to provide guidance to public accountants on attestation engagements other than the traditionally provided attest services, such as audits and reviews of financial statements. That is, SSAE 10 does not replace existing standards for attest services, including Generally Accepted Auditing Standards (GAAS) and Statements on Standards for Accounting and Review Services (SSARS).

Formerly, attest services were limited to GAAS audits. Standards for attest engagements, also called attestation standards (ATS), are a natural extension of GAAS, and GAAS have stood the test of time. Therefore, a framework based on GAAS could be developed for use in planning and executing both traditional (GAAS audits; SSARS reviews) and new and evolving assurance services according to the ATS.

GAAS vs. ATS

Like GAAS, ATS are also grouped under general standards, standards of fieldwork, and standards of reporting. In both GAAS audits and ATS engagements the independent practitioner’s report (with or without reservations) would be based on sufficient evidence. GAAS covers engagements that provide a high level of assurance, whereas ATS covers engagements that provide assurance either at a high level (audit or GAAS-type) or at a moderate level (review or SSARS-type).

In GAAS audits, sufficient competent audit evidence is gathered to evaluate assertions embodied in the financial statements against criteria that are usually GAAP. Because the subject matter of engagements governed by ATS can take many forms, it is necessary to determine that suitable criteria either exist or could be developed for a particular situation for evaluation.

In all assurance engagements, the independent practitioner’s (IP) objective is to plan and execute the engagement efficiently and effectively. Efficiency is the completion of the examination process at the lowest examination cost, and effectiveness relates to the completion of an examination process that will not fail to detect individually, and in aggregate, material or significant (qualitative and quantitative) misstatements that may exist in management representations.

Completing the process effectively is critical and requires the IP to restrict the ultimate risk to an appropriately low level. Audit risk (ultimate risk)—the risk that the auditor may unknowingly fail to appropriately modify her opinion on financial statements that are materially misstated— refers to the IP’s incorrect conclusion that management’s representations are not materially or significantly misstated or misleading when in fact they are. The IP should obtain sufficient competent evidence to restrict the ultimate risk or audit risk to an appropriately low level.

Audit risk represents the joint risk of:

Inherent risk (IR). The risk of material misstatement occurring in an assertion without considering related internal control. IR is usually caused by external factors (e.g., regulations or the economy) that are beyond the entity’s control.

Control risk (CR). The risk of material misstatement occurring in an assertion that would not be prevented or detected and corrected on a timely basis by the entity’s internal control structure. Management should implement internal control policies and procedures, among other matters, to address inherent risk. An entity’s internal controls are unlikely to be foolproof because of, for example, the cost–benefits considerations of implementing a foolproof internal control structure.

Detection risk (DR). The risk of material misstatement that exists in an assertion that will not be detected by the audit procedures. The auditor would assess combined inherent and control risk for specific assertions according to the first two standards of fieldwork, in order to determine the detection risk level and the required degree of assurance from the nature, timing, and extent of substantive auditing procedures. The nature and timing of audit evidence represent competency (or quality, appropriateness) of audit evidence, and extent represents the sufficiency or size of evidence. Usually, the IP would first determine the nature and timing of evidence to be obtained, then determine the extent (in light of materiality and significance) and the degree of assurance required to restrict ultimate risk to an appropriately low level.

Substantive audit procedures are performed to gather evidence for evaluation in connection with financial statement assertions such as existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure. By contrast, tests of control audit procedures are performed to determine the effectiveness of identified internal control policies and procedures.

While the second fieldwork standard of GAAS explicitly requires the auditor to assess control risk, ATS does not refer to control risk. In such assurance engagements, however, the IP would assess combined inherent and control risk where appropriate (e.g., in engagements where the output is driven by a process or system).

A General Framework

The end result in audit and assurance services is the IP’s report based on his examination. As previously noted, the outcome of the IP’s examination process involves gathering and evaluating sufficient competent evidence to restrict ultimate risk to an appropriately low level. A sufficient competent evidence set would be determined by the IP based on combined inherent and control risk, and materiality and significance. In this regard, the IP needs to exercise professional judgment. Exercising professional judgment by the auditor would include exercising due care; maintaining an attitude of professional skepticism; being technically proficient in the subject matter; complying with professional standards and conduct and other applicable regulations; evaluating all relevant scenarios and alternatives; and reaching a balanced decision.

The framework can be adapted by both internal auditors and independent auditors, as both groups are proficient in assurance technology. When independence in appearance is not a requirement, assurance engagements can be undertaken by internal auditors. For example, an entity’s internal audit engagements, including fraud examination (when fraud examination is not part of GAAS audits), could be undertaken by the entity’s internal auditor adapting the framework proposed here.

A general framework for planning and executing assurance services based on the above and related to similarities and differences between GAAS and ATS consists of four broad phases:

Phase I: Considerations of matters for engagement acceptance, such as business risk; exposure to litigation; determining whether suitable criteria exist to evaluate assertions; practitioner proficiency in the subject matter; and the possibility of completing the engagement efficiently and effectively.

Phase II: Obtaining understanding of internal controls and management processes influencing the subject matter and related assertions; assessing combined inherent and control risk in light of factors, including economic, environmental, regulatory, industry-related, and entity-related (e.g., management integrity, competency, and information technology).

Phase III: Gathering and evaluating evidence efficiently and effectively in order to determine that management assertions embodied in the subject matter are fair in all material or significant respects according to appropriate criteria (e.g., GAAP).

Phase IV: Communicating the findings in sufficient detail.

Examination of Fraud and Other Subject Matters

In GAAS audits, auditors are required to provide reasonable assurance that the statements are free of material misstatements, whether caused by error or fraud. The distinguishing feature between fraud and error is whether the misstatement is caused intentionally (fraud) or unintentionally (error). Even a small amount of misstatement intentionally made to manage earnings (e.g., to reverse a loss into income) would be tantamount to fraudulent financial reporting.

In GAAS audits, misstatements due to fraud can arise because of fraudulent financial reporting or misappropriation of assets. Recent guidelines require the auditor to place increased emphasis on professional skepticism, with the audit team exchanging ideas about how frauds could occur. In this regard, the auditor, as part of risk assessments, would consider fraud risk factors, recognizing that frequently fraud occurs when there is incentive (e.g., financial gain), opportunity (e.g., lax IT controls), and ability to rationalize (e.g., belief by the employee that he is underpaid).

Phase I: Considerations for accepting the engagement. Determine the objective (engagement focus; type of fraud or probable causes and scenarios; criteria for evaluation, materiality, and significance; and anticipated engagement outcome), and create a team of professionals with appropriate skills to ensure collectively that the engagement will be efficiently and effectively (to restrict ultimate risk to an appropriate low level) completed.

Phase II: Obtain an understanding of the economy, environment, industry, entity, management characteristics, management process, and related matters that are likely to allow fraud to occur (e.g., incentives, allegations, opportunity, tone at the top, deficient IT security, opportunity for collusion, availability of documents, materiality or significance). These and related matters would be considered in order to assess fraud risk and develop examination procedures to gather sufficient competent evidence.

Phase III: While performing procedures for tracking the fraud trail, remain alert to conditions indicating unusual patterns, unusual relationships among accounting or nonaccounting data, or collusion among employees or management. Appropriately extend the examination procedures, in light of observed patterns and outcomes that are unusual, for gathering and evaluating evidence efficiently and effectively.

Phase IV: The IP’s communication of findings.

The framework can similarly be adapted to engagements in other areas, such as performance evaluations and IT reliability and security.

IT Assurance Engagements

The IP may be asked to perform an assurance engagement related to the company’s information processing and communications systems that employ IT. This might be a strictly attest engagement, or a nonattest assurance engagement. (See SSAAE 10 for information about the distinction between attest and nonattest assurance engagements.)

In an attest engagement, the IP is usually examining management’s representations or assertions about a subject matter. These assertions might relate, for example, to the reliability of the internal control system or to the degree of trust a customer or other business partner can have in the company’s website. The IP’s report would include an opinion on whether those assertions, in all material respects, are reliable.

With a nonattest assurance engagement, the IP seeks to improve the quality or context of information for the benefit of (usually internal) decision makers. In this case, instead of comparing the performance of a system to a set of management assertions, the IP compares the operation to that of an ideal (based on, for example, best practices) information and communications system, and suggests improvements.

The steps may be adapted to the four-phase framework, which would be slightly different depending on the type of engagement. The following steps apply only to attest engagements:

Phase I: Considerations for accepting the engagement. Determine the objective (e.g., What are management’s assertions? Are they clear and complete? What are the ways in which deviations could occur? Are there clear criteria for evaluating and measuring materiality and significance? What is the anticipated outcome?). Evaluate the IP’s team of professionals for appropriate IT skills and business judgment to efficiently and effectively complete the engagement.

Phase II: Obtain an understanding of the control environment, including management style and commitment to competence. Assess risks, especially the dependence on telecommunications and the nature of its implementation (e.g., the Internet is inherently riskier than private networks, and the acceptance of electronic orders is riskier than paper). Understand the industry and the internal processes that could raise questions about the assertions. Assess the combined inherent and control risk. Think creatively about how the system could be compromised.

Phase III: Gather a sufficient competent evidence set supporting management’s assertions. For example, verify encryption by accessing a server from a browser, then look for an https server and an SSL session.

Phase IV: Based on evidence gathered, issue a report on the assertions.

For a nonattest assurance engagement, the phases could be modified as follows:

Phase I: Considerations for accepting the engagement. Determine the objective (e.g., What are management’s objectives with the system? Are there clear criteria for an ideal system, for evaluating improvements, and for the anticipated outcome? Is the present system definable?). Evaluate the IP’s team of professionals for appropriate IT skills and business judgment to efficiently and effectively complete the engagement.

Phase II: Obtain an understanding of the industry and the client’s environment, including management style, types of decisions, and information needed. Think creatively; consult with experts and internal users. Define, for an ideal system, the internal and external sources of needed information. Specify the software, databases, telecommunications, and hardware required to support an ideal system. Assess the economic, technological, and operational feasibility of implementation of the ideal system, and decide if compromises must be made.

Phase III: Gather a sufficient competent evidence set supporting the recommendations, as well as evidence of the limitations. Include as support examples of what other companies are doing and literature from vendors.

Phase IV: Present the report in writing and orally, and follow up.

Technology Changes

Engagement risk assessment is a continuous process. The practitioner should assess risk at the time of accepting the engagement, at the planning stage, during the examination, and during the wrap-up phase. In this regard, the IP would evaluate the implications of the dynamics of information and other technological changes in the entity on the engagement planning and execution. This includes changes in the entity’s IT platforms, Internet applications, and outsourced services.

Alan Levitan, DBA, CPA, is a professor, and Trimbak Shastri, PhD, CA, CMA, CIA, is an assistant professor, both in the School of Accountancy of the College of Business and Public Administration, University of Louisville.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

Visit the new cpajournal.com.