Other Assurance Services Most are Attestation Engagements Covered by Statements on Standards for Attestation Engagements (SSAE). Attestation Engagements Offer Some Level of Assurance on an Assertion by Another - Usually Client Management. Some New Non-Attest Assurance Services Only Offer General Assurance Not Necessarily Based on an Assertion.
Relationship Between Assurance and Attestation Other Assurance Services are NOT attest engagements, but are similar to management consulting. ElderCare (old term) and PrimePlus focus on financial planning and coordination and relationships with service providers. See figure 20.6 in text. Business Risk Assessment Process: Helping business clients identify and manage various business risks. CPA Performance View: Helping business clients better monitor and assess overall performance beyond traditional financial measures, such as the balanced scorecard approach encompassing the mission of organization and its various groups/departments. 20-2
What is Attest Work? An Engagement Where We Offer Some Form or Level of Assurance About a Subject Matter or an Assertion About a Subject Matter.
Subject Matter Historical or prospective performance or condition Physical characteristics Historical events Analyses Systems or processes Behavior
Criteria for Subject Matter To be Suitable, it must be: Objective Permit Reasonable, Consistent Measurement Complete Relevant to the Assertion To be Available, it must be either: Publicly Available or Presented in a Summary, the Assertion or CPA’s Report
Relationships Among Terms Used in Attestation Engagements 20-6
Levels of Attest Work Examination - Complete, Positive Opinion About the Assertion of Client Management (In our opinion, the assertion is fairly stated...) Review - “Negative” Assurance Conclusion That We Have No Basis to Doubt the Assertion (Based on our review, we are not aware of...) Agreed Upon Procedures - Presents the Procedures Performed and the Findings from Performing the Procedures (The procedures and findings are as follows…)
Attestation Engagements Type of Engagement Level of Assurance Nature of Report Procedures Examination Highest (reasonable) Expresses opinion Sufficient to limit attestation risk to low level There are 3 basic levels of Attest engagement. The first being a full opinion on the assertion or assertions. The AICPA has labeled this an “Examination” which is synonymous with…an “Audit” 3 3
Attestation Engagements Type of Engagement Level of Assurance Nature of Report Procedures Examination Review Highest (reasonable) Moderate or Limited Expresses opinion negative assurance Sufficient to limit attestation risk to low level Generally limited to inquiry & analytical procedures In a Review, our procedures are much more limited so that we give a “negative assurance” or conclusions on the assertions; saying we found nothing that would lead us to conclude that the assertions are not fairly stated. 3 4
Attestation Engagements Type of Engagement Level of Assurance Nature of Report Procedures Examination Review Agreed-upon procedures Highest (reasonable) Moderate or Limited Varies with procedures Expresses opinion negative assurance States findings Sufficient to limit attestation risk to low level Generally limited to inquiry & analytical procedures Procedures agreed- upon with the specified users In an “Agreed Upon Procedures” engagement we limit our procedures to what the requestor (usually one specific user of the assertions) asks us to do or to specific aspects of the assertion, such as only one account. 3 5
1-1 The Attest Function Client Management Responsible Party) CPA Subject Matter Consider Presenting Assertion Suitable Criteria Gather and Evaluate Evidence Prepare Necessary Adjustments Issue Report on Findings CPA’s Attest Report* Management may present: Nothing Description of Subject Matter, and/or An Assertion Users *If the criteria are not generally available to the users, it should be presented in the CPA’s report or management’s presentation.
Audit of Financial Statements 1-3 Audit of Financial Statements Client Accounting Personnel Maintain Records Financial Statements Prepare Independent Auditors Determine Fairness of Statements Propose Necessary Adjustments Issue Report on Findings Other Evidential Matter Generally Accepted Principles Audited Financial Auditors’ Report Outside Decision Makers
Statements on Standards for Attestation Engagements Note: For all clients, except attesting to internal controls at public companies (PCAOB Standard).
Attestation Standards Statements on Standards for Attestation Engagements (SSAE) Includes General, Field Work and Reporting Standards Like the Auditing Standards (Ch 2) (These came long before.) Then, Organized by Subject of Attest Work: Financial Forecasts & Projections Pro Forma Financial Information Internal Control Compliance w/ Laws, Regs, Contracts Mgmt Discussion & Analysis (MD&A) Applying Agreed Upon Procedures
Basic Attestation Standards General Standards The engagement shall be performed by a practitioner having adequate technical training and proficiency in the attest function. The engagement shall be performed by a practitioner having adequate knowledge of the subject matter. The practitioner shall perform the engagement only if he or she has reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users. In all matters relating to the engagement, an independence in mental attitude shall be maintained by the practitioner. Due professional care shall be exercised in the planning and performance of the engagement.
Basic Attestation Standards Standards of Fieldwork The work shall be adequately planned and assistants, if any, shall be properly supervised. Sufficient evidence shall be obtained to provide a reasonable basis for the conclusion that is expressed in the report.
Basic Attestation Standards Standards of Reporting The report shall identify the subject matter or the assertion being reported on and state the character of the engagement. The report shall state the practitioner's conclusion about the subject matter or the assertion in relation to the criteria against which the subject matter was evaluated. The report shall state all of the practitioner's significant reservations about the engagement, the subject matter, and, if applicable, the assertion related thereto. The report shall state that the use of the report is restricted to specified parties under certain circumstances. Circumstances for limited report distribution: When the criteria used to evaluate the subject matter are determined by the practitioner to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria When the criteria used to evaluate the subject matter are available only to specified parties When reporting on subject matter and a written assertion has not been provided by the responsible party When the report is on an attest engagement to apply agreed-upon procedures to the subject matter.
Other Primary Attest Examples Compliance With Laws, Regulations, Contracts/Grants or Agreements Financial Forecasts Financial Projections Internal Controls Management Discussion & Analysis Marketing Claims (Assertions) WebTrust SysTrust Trust Services
Compliance With Laws, Regulations, Contracts/Grants or Agreements May be Required Periodically by 3rd Party. Can Address One or Both Assertions: Actual Compliance Effectiveness of Internal Controls for Ensuring Compliance Can be Either an Examination or an Agreed Upon Procedures Engagement. Cannot be a Review.
Financial Forecasts & Projections Forecasts: Estimating What is Expected. Projections: Estimating based on Given Assumptions or “What if”. Can be Either an Examination or an Agreed Upon Procedures Engagement. Cannot be a Review.
Management Report on Internal Control Wilson Company maintains internal control over financial reporting, which is designed to provide reasonable assurance to the Company's management and board of directors regarding the preparation of reliable published financial statements. Internal control contains self-monitoring mechanisms, and actions are taken to correct deficiencies as they are identified. Even with effective internal control, no matter how well designed, has inherent limitations---including the possibility of the circumvention or overriding of controls---and therefore can provide only reasonable assurance with respect to financial statement preparation. Further, because of changes in conditions, internal control effectiveness may vary over time. The Company assessed its internal control as of December 31, 20X2, in relation to criteria for effective internal control over financial reporting described in Internal Control---Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission. Based on this assessment, the Company believes that, as of December 31, 20X2, its internal control over financial reporting met those criteria. 7 7
Accountants’ Report on Internal Control 1st Paragraph We have examined Wilson Company’s internal control over financial reporting as of December 31, 20X2, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Wilson Company’s management is responsible for maintaining effective internal control over financial reporting, and for its assertion of the effectiveness of internal control over financial reporting, included in the accompanying Management Report on Internal Control. Our responsibility is to express an opinion on Wilson Company’s internal control over financial reporting based on our examination. Is this an attest engagement? 8 8
Accountants’ Report on ICS 2nd Paragraph We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our examination included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our examination also included performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. This is where we say the limitations to our attest engagement. 9 9
Accountants’ Report on ICS 3rd Paragraph An entity’s internal control over financial reporting is a process effected by those charged with governance, management and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with accounting principles generally accepted in the United States of America. An entity’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and disposition of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with accounting principles generally accepted in the United States of America, and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity’s assets that could have a material effect on the financial statements. 10 10
Accountants’ Report on ICS 4th Paragraph Because of inherent limitations of internal control, errors or irregularities may occur and not be detected. Also, projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. This is where we say the limitations of internal controls. 11 11
Accountants’ Report on ICS 5th & 6th Paragraphs In our opinion, Wilson Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20X2, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) We also have audited, in accordance with auditing standards generally accepted in the Untied States of America, the financial statements of Wilson Company and our report dated February 15, 20X3 expressed an unqualified opinion. 11 11
Report on Internal Controls Can be Either an Examination or Agreed Upon Procedures (AUP). Cannot be a Review if on Internal Controls over Financial Reporting.
Mgmt Discussion & Analysis MD&A is Management’s Narrative on the Historical & Maybe Prospective Performance. It Appears in the Annual Report and part of the SEC 10Q and 10K. CPAs Perform an Examination or Review. Normally, No 3rd Party to Specify Agreed-Upon Procedures.
Marketing Claims (Assertions) Usually Assertions of Lowest Prices or Other Comparison with Competition. Grocery Prices (Text example & problem 20-36) MCI Price Comparison Methodology How About Best Slot Machine Payout? Usually an Examination to be Beneficial.
Price Comparison “Methodology” We have examined the Proof Positive Methodology of MCI Telecommunications Corp. (MCI) for the period . . . The Proof Positive Methodology for comparing MCI’s billing charges to AT&T and between MCI services is described in the You Save Money With MCI section of the enclosed Proof Positive Account Review . . . In our opinion, the Proof Positive Methodology properly compares billing charges between MCI and AT&T and between alternative MCI services and accurately reflects the price differences for the period . . .
Casino Payout Promises We have audited the accompanying schedule of theoretical payout percentages for slot and video poker machines located in the casino area known as . . . We conducted our audit in accordance with generally accepted auditing standards. . .to obtain reasonable assurance about whether the schedule of theoretical payout percentages is free of material misstatement . . . In our opinion, such schedule of theoretical payout percentages for slot and video poker machines located in the casino area known as . . . presents fairly, in all material respects, the theoretical payout percentages for such . . . Note: This report is not compliant with current attestation standards - auditors merely adapted an audit report.
Trust Services Generally relates to assurance offered for IT services via eCommerce (generally called WebTrust) or other IT Applications (generally called SysTrust and was originally for trading partners, but now for Service Organizations) Original services were developed jointly by the AICPA and the Canadian Institute of Chartered Accountants (CICA). WebTrust & SysTrust are logos/seals to post on web sites. Examination required. This WebTrust Seal competes with several others to offer assurance to ecommerce customers – like Verisign. Per AICPA Technical Practice Aid TSP 100: fn 2 SysTrustSM, SysTrust for Service OrganizationsSM, and WebTrustSM are specific branded assurance services offerings developed by the AICPA and Canadian Institute of Chartered Accountants (CICA) that are based on the trust services principles and criteria. Practitioners must be licensed by CICA to use these registered service marks. Service marks can only be issued for engagements that result in an unqualified examination opinion. For more information on licensure, see www.webtrust.org. 32
AICPA Trust Services Principles Criteria (for each principle) Security Availability Processing Integrity Confidentiality Privacy Criteria (for each principle) Policies Communications Procedures Monitoring Under AICPA standards, can be an examination or AUP.
Service Organization Control (SOC) Reports SOC 1 & SOC 2: SOC 1 reports are used by F.S. auditors – discussed further in Ch 8. Has Types 1 and 2 type of reports Type 1 reports: Addresses adequacy of the DESCRIPTION of the system/system’s internal controls. Type 2 reports include what type 1 reports include and adds results of the tests of the controls for operating effectiveness. 34
Environmental Independent Accountant’s Report We have examined the accompanying schedule of greenhouse gas emissions of XYZ Company for [identify period, for example, the year ended December 31, 20XX]. XYZ Company’s management is responsible for the schedule. Our responsibility is to express an opinion based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included obtaining an understanding of the nature of the company’s greenhouse gas emissions; examining, on a test basis, evidence supporting the company’s schedule of greenhouse gas emissions; and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. As described in footnote X, environmental and energy use data are subject to measurement uncertainties resulting from limitations inherent in the nature and methods used for determining such data. The selection of different but acceptable measurement techniques can result in materially different measurements. The precision of different measurement techniques may also vary. In our opinion, the schedule referred to above presents, in all material respects, the greenhouse gas emissions of XYZ Company for [identify period, for example, the year ended December 31, 20XX] in conformity with [identify criteria]. Reasons that entities report GHG emissions and request attestation services related to GHG emissions include the following: To participate in GHG emissions reductions programs. To respond to shareholder resolutions calling for companies to report and have their corporate social responsibility or GHG emissions information verified by a third party. To demonstrate responsible corporate behavior. The desire to be listed in the CDLI. To satisfy requests from customers regarding information about GHG emissions within their supply chain. For example, in October 2009, Section 13 of Executive Order 13514, Federal Leadership in Environmental, Energy, and Economic Performance, directed the U.S. General Services Administration (GSA) with the Department of Defense and the Environmental Protection Agency to assess the feasibility of requiring federal suppliers to provide GHG emissions data to the government. In August 2010, GSA launched the Federal Supplier Greenhouse Gas Emissions Inventory Pilot, a three-year program in which small businesses are required to develop annual GHG emissions inventories through September 2013. The program’s purpose is to assess the benefits and challenges experienced by small businesses when completing a GHG emissions inventory. 35
Political “Conflict Minerals”: certain minerals—tantalum, tungsten, tin, and gold—that are mined in the Democratic Republic of the Congo (DRC) or the surrounding areas. The Dodd-Frank Act requires: Issuers who use conflict minerals in their manufacturing processes and supply chain to disclose whether the minerals came from the DRC or the surrounding areas. If a company determines its conflict minerals originated in those countries, it will have to file a “Conflict Minerals Report” with the SEC and publish it on its website. The reports outline all of the due diligence the company performed as it sourced its supply chain and must be independently audited. Among the provisions of the Dodd-Frank Act are mandated disclosure rules, passed by the Securities and Exchange Commission in August 2012, about the use of “conflict minerals”. The term “conflict minerals” is used to describe certain minerals—tantalum, tungsten, tin, and gold—that are mined in the Democratic Republic of the Congo (DRC) or the surrounding areas. Federal law does not prohibit companies from sourcing conflict minerals, nor impose a penalty for doing so. However, the intent is to rely on public pressure to dissuade U.S. companies from indirectly sourcing conflict minerals, and hence fund the armed groups in the DRC. The SEC final rule requires issuers who use conflict minerals in their manufacturing processes and supply chain to disclose whether the minerals came from the DRC or the surrounding areas. Under the rule, if a company determines its conflict minerals originated in those countries, it will have to file a “Conflict Minerals Report” with the SEC and publish it on its website. The reports, which will outline to the SEC all of the due diligence the company performed as it sourced its supply chain, must be independently audited. The provision specifically mandates three steps for companies to follow: Determine if tin, tungsten, tantalum and gold are used to make its products. Determine if the metals they use originated in the DRC or neighboring countries. If the metals did not originate in affected nations, companies must report how the company determined the metals’ origins. If the metals were from DRC or adjoining countries—or the source is unknown—companies must trace the supply chain for the source and furnish “Conflict Minerals Report” (CMR) on those due-diligence efforts Under the rule, companies will file their first specialized disclosure report on May 31, 2014, for the 2013 calendar year and on May 31 in subsequent years. 20-36
Political Purpose of the audit is to express an opinion or conclusion as to whether the: Design of the issuer’s due diligence framework as set forth in the Conflict Minerals Report is in conformity with, in all material respects, the criteria set forth in the nationally or internationally recognized due diligence framework used by the issuer, and Issuer’s description of the due diligence measures it performed as set forth in the Conflict Minerals Report is consistent with the due diligence process that the issuer undertook. The audit is required to be performed in accordance with the “Yellow Book” & can consist of either an examination attestation engagement or a performance audit. Independent Private Sector Audit (IPSA) The purpose of the IPSA is to express an opinion or conclusion as to: (1) whether the design of the issuer’s due diligence framework as set forth in the Conflict Minerals Report is in conformity with, in all material respects, the criteria set forth in the nationally or internationally recognized due diligence framework used by the issuer, and (2) whether the issuer’s description of the due diligence measures it performed as set forth in the Conflict Minerals Report is consistent with the due diligence process that the issuer undertook. The independent private sector audit is required to be performed in accordance with the “Yellow Book” and can consist of either an examination attestation engagement or a performance audit. 20-37
NonAttest Assurance Services Somewhat Loosely Defined Category Part of AICPA and Profession’s move to Develop new Business for CPAs. CPA may offer Assurance as to the Quality of Care Given or Services Provided. Criteria Very Subjective.
PrimePlus/ElderCare Services Financial Goal setting, funding analysis, needs assessment Nonfinancial Interpersonal and interrelationship management Management of interaction between service providers and client Target market Older clients of CPA Children of older adults Other professionals that deal with older adults 20-39