Audit Chapter 25
What is negative assurance? Why is it used in a review engagement report?
A negative assurance states, along with factual statements, that nothing came to the accountant's attention that would lead the accountant to believe that the financial statements were not prepared in accordance with accounting standards. The reason for including such a statement in a review report is to provide financial statement users with some level of assurance that the financial statements are fairly stated. The level of assurance is less than that for an audit of historical financial statements, but more than the "no assurance" provided for a compilation.
Explain what is meant by prospective financial statements and distinguish between forecasts and projections. What 4 things are involved in an examination of prospective financial statements?
A prospective financial statement is a predicted or expected financial statement in some future period or at some future date. There are two general types of prospective financial statements: forecasts and projections. A forecast is a prospective financial statement that presents an entity's expected financial position, results of operations, and cash flows for future periods, to the best of the responsible party's knowledge and belief. A projection is a prospective financial statement that presents an entity's financial position, results of operations, and cash flows, to the best of the responsible party's knowledge and belief, given one or more hypothetical assumptions. An examination of prospective financial statements involves: Evaluating the preparation of the prospective financial statements. Evaluating the support underlying assumptions. Evaluating the presentation of the prospective financial statements for conformity with AICPA presentation guidelines. Issuing an examination report.
Distinguish the 3 types of service organization reports.
An SOC 1 report, Report on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting, is intended to meet the needs of entities (known as user entities) that use service organizations and their auditors, who are responsible for understanding internal controls over financial reporting at service organizations. SOC 1 reports are used to plan and perform audits of the user entity's financial statements by their auditors, who are referred to as user auditors. There are two types of reports on controls at the service organization relevant to user entities' internal control over financial reporting: 1. Report on management's description of a service organization's system and the suitability of the design of controls (referred to as a Type 1 report). 2. Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls (referred to as a Type 2 report). An SOC 2 report, Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, is intended to meet the needs of a broad range of users who need information and assurance about controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems. For example, customers of a service organization may seek an SOC 2 report as part of their vendor risk management considerations. Similar to SOC 1 reports, there are two types of reports (Type 1 and Type 2). Use of these reports is generally restricted to specified parties, such as management of user entities, customers of the service organizations, regulators, suppliers, and business partners. An SOC 3 report, Trust Services Report for Service Organizations, is similar to an SOC 2 report except that the SOC 3 report is intended for wide distribution to current or potential users of the service organization. SOC 3 reports are prepared using the Trust Services principles and criteria shown in Table 25-2. While the distribution of an SOC 2 report is generally restricted, an SOC 3 report is a general-use report, which allows the service organization to share the report to current or prospective customers or to use it as a marketing tool demonstrating that they have appropriate controls in place to mitigate risks, such as those related to security or privacy.
Define what is meant by attestation standards. Distinguish between attestation standards and auditing standards.
Attestation standards provide a general framework for and set reasonable boundaries around the attestation function. They provide guidance to AICPA standard-setting bodies for establishing detailed standards and interpretations of standards for specific types of services. They also provide practitioners useful guidance in performing new and evolving attestation services where no specific guidance exists. The attestation standards, therefore, provide a conceptual framework for various types of services. Auditing standards do the same thing for the conduct of the ordinary audit of financial statements prepared in accordance with accounting standards.
What are the differences between the review reports for a private company under SSARS and for the interim financial statements of a public company?
Compilations and reviews under SSARS can only be issued for nonpublic companies for which an audit has not been performed. They may be for monthly, quarterly, or annual statements. Reviews are issued on quarterly information of publicly held companies as a part of the client's reporting requirements to the SEC and are subject to PCAOB standards. Although there are some minor differences in some of the review procedures performed and in the wording on a review report for a nonpublic company and a public company review report, they are substantively the same.
What steps should auditors take if during a compilation engagement they become aware that the financial statements are misleading?
For a compilation, the accountant does not have to make inquiries or perform other procedures to verify information supplied by the entity beyond those identified in the answer to Review Question 25-4. But if the accountant becomes aware that the statements are not fairly presented, he or she should obtain additional information. If the client refuses to provide the information, the accountant should withdraw from the compilation engagement.
What should auditors do if during a review of financial statements they discover that applicable accounting standards are not being followed?
For review services, if a client fails to follow applicable accounting standards, a modification of the report is needed. The accountant is not required to determine the effect of a departure if management has not done so, but that fact must also be disclosed in the report. For example, the use of replacement cost rather than FIFO for inventory valuation would have to be disclosed, but the effect of the departure on net earnings does not require disclosure.
Describe the key difference between a type 1 and type 2 SOC 1 report.
In a Type 1 SOC 1 report, the accountant provides an opinion about the fairness of the description of the service organization's system and opinion about the suitability of the design of the controls in that system. In a Type 2 report, the accountant provides the opinions contained in a Type 1 report, plus an opinion on the operating effectiveness of controls at the service organization.
You have been asked to provide assurance on info contained in New Dominion's Corporate Sustainability Report. What standards would you use to perform this engagement?
In response to a request to provide assurance on information contained in New Dominion's Corporate Sustainability Report, the accountant would conduct the engagement in accordance with Statements on Standards for Attestation Engagements (SSAEs). The accountant would most likely be engaged to conduct an examination level attestation engagement whereby the accountant would issue an opinion on the presentation of management's assertions about compliance with specific sustainability criteria.
The Absco Corporation has requested that Herb Germany, CPA provide a report to bank as to the existence or nonexistence of certain loan conditions. The conditions to be reported on are the working capital ratio, dividends paid on preferred stock, aging of accounts receivable, and competence of management. This is first experience with co. should they accept the engagement? Substantiate your answer.
It would be appropriate for Germany to provide a report to Northern State Bank on all of the conditions except the competency of management. Reports on the working capital ratio, dividends paid on preferred stock, and aging of accounts receivable are factual matters within a normal auditor's competence. Reporting on the competence of management is highly subjective and should not ordinarily be in a debt compliance letter.
What is meant by the term level of assurance? How does the level of assurance differ for an audit of historical financial statements, a review, a compilation, and a preparation engagement?
Levels of assurance represent the degree of certainty the practitioner has attained, and wishes to convey, that the conclusions stated in his or her report are correct. Audits of historical financial statements prepared in accordance with accounting standards are one type of examination. They are governed by auditing standards. An audit results in a conclusion that is in a positive form. In this type of report, the practitioner makes a direct statement as to whether the presentation of the assertions, taken as a whole, conforms to the applicable criteria. The level of assurance is high. In a review, the practitioner provides a conclusion in the form of a negative assurance. In this form, the practitioner's report states whether any information came to the practitioner's attention to indicate that the assertions are not presented in all material respects in conformity with the applicable criteria. The level of assurance is limited. A compilation is defined in SSARS as presenting, in the form of financial statements, information that is the representation of management without undertaking to express any assurance on the statements. A preparation engagement is defined in SSARS as a service where the CPA is engaged by the client to prepare or assist in preparing financial statements, but the CPA does not provide any assurance on the financial statements or issue a report, even if the financial statements are expected to be used by, or provided to, a third party.
Distinguish the 3 forms of compilation reports that a CPA can provide to clients
One of three forms of compilation can be provided to clients: Compilation With Full Disclosure: Compilation of this type requires disclosures in accordance with accounting standards, the same as for audited statements. Compilation That Omits Substantially All Disclosures: This type of compilation is acceptable if the report indicates the lack of disclosures and the absence of disclosures is not, to the CPA's knowledge, undertaken with the intent to mislead users. Compilation Without Independence: A CPA firm can issue a compilation report even if it is not independent with respect to the client, as defined by the Code of Professional Conduct. However, the CPA firm must state its lack of independence in the report.
An audit client has engaged a third-party service organization to host its payroll software package on servers located at the service organization .what options do you have to obtain assurance about the controls embedded in the payroll application?
One option would be for you to visit the service organization to obtain evidence about the design and operating effectiveness of internal controls at the service organization. However, a more efficient option may be for the service organization to engage its auditor to provide a Type 1 report that provides an opinion about the fairness of the description of the service organization's system and opinion about the suitability of the design of the controls in that system. Or, the service organization may engage its auditor to provide a Type 2 report that provides the opinions contained in a Type 1 report, plus an opinion on the operating effectiveness of controls at the service organization.
What are the major differences between a compilation engagement and a preparation engagement?
Preparation is defined in SSARS as a service where the CPA is engaged by the client to prepare or assist in preparing financial statements, but the CPA does not provide any assurance on the financial statements or issue a report, even if the financial statements are expected to be used by, or provided to, a third party. Similarly, in a compilation the CPA is engaged to assist management in presenting financial information in the form of financial statements without undertaking to obtain or provide any assurance that there are no material modifications that should be made to the financial statements in order for the statements to be in conformity with the applicable financial reporting framework. The key difference is that in a compilation the CPA must issue a compilation report and each page of the financial statements state "See accountant's compilation report." In a preparation service, the CPA does not issue a report, but the CPA includes a statement on each page of the financial statements that indicates, at a minimum, "no assurance is provided" on the financial statements.
Distinguish among engagements to prepare, compile, and review financial statements. What is the level of assurance for each?
Preparation is defined in SSARS as a service where the CPA is engaged by the client to prepare or assist in preparing financial statements, but the CPA does not provide any assurance on the financial statements or issue a report, even if the financial statements are expected to be used by, or provided to, a third party. Compilation is defined in SSARS as a service, the objective of which is to assist management in presenting financial information in the form of financial statements without undertaking to obtain or provide any assurance that there are no material modifications that should be made to the financial statements in order for the statements to be in conformity with the applicable financial reporting framework. Review is defined by SSARS as a service, the objective of which is to obtain limited assurance that there are no material modifications that should be made to the financial statements in order for the statements to be in conformity with the applicable financial reporting framework. In a review engagement, the accountant should accumulate review evidence to obtain a limited level of assurance. There is no level of assurance provided in a preparation or compilation engagement. Reviews provide limited assurance, but considerably less than a typical audit
Describe the 5 Trust Services principals.
The five Trust Services principles include the following: 1. Security - Security practices ensuring that the system is protected against authorized access (both physical and logical). 2. Availability - Availability practices, ensuring that the system is available for operation and use as committed or agreed. 3. Processing Integrity - Processing integrity, ensuring that system processing is complete, accurate, timely, and authorized. 4. Online Privacy - Online privacy practices, ensuring that personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed. 5. Confidentiality - Confidentiality practices, ensuring that information designated as confidential is protected as committed or agreed
List 5 things that are required of an auditor by SSARS for a compilation.
The following are required by SSARS for compilation engagements. The preparer of the statements must: Establish an understanding with the client in a written engagement letter about the objectives of the nature of the engagement. Possess knowledge of the accounting principles and practices of the client's industry. Know the client, the nature of its business transactions, accounting records and employees, and the basis, form, and content of the financial statements. Make inquiries to determine whether the client's information is satisfactory. Read the compiled financial statements and be alert for any obvious omissions or errors in arithmetic and generally accepted accounting principles. Request management to provide additional or corrected information if the accountant becomes aware that the records, documents, explanations, or other information, including significant judgments by management is complete, inaccurate, or otherwise unsatisfactory. Disclose in the report any omissions or departures from accounting standards of which the accountant is aware. This requirement does not apply to a compilation that omits substantially all disclosures. Prepare documentation to provide a clear understanding of the work performed and any findings or issues that are significant. Request management to revise the financial statements, if the accountant becomes aware of needed revisions to the financial statements required for those statements to be in accordance with the applicable financial reporting framework.
What procedures should the auditor use to obtain the info necessary to give the level of assurance required of reviews of financial statements?
The following types of procedures are emphasized for review services: Obtain agreement on engagement terms with management or those charged with governance. This is generally in the form of an engagement letter or other suitable form of written agreement. Obtain knowledge of the accounting principles and practices of the client's industry. The level of knowledge for reviews should be somewhat higher than that for a compilation. Obtain knowledge of the client. The information should be about the nature of the client's business transactions, its accounting records and employees, and the basis, form, and content of the financial statements. The level of knowledge should be higher than that for compilation. Make inquiries of management. The objective of these inquiries is to determine whether the financial statements are fairly presented,assuming that management does not intend to deceive the accountant. Inquiry is the most important of the review procedures. The following are illustrative inquiries: − Inquire as to the accounting standards framework used and the company's procedures for recording, classifying, and summarizing transactions, and disclosing information in the statements. − Inquire as to whether unusual or significant transactions have occurred during the year, including important actions taken at meetings of stockholders and the board of directors. − Inquire of persons having responsibility for financial and accounting matters whether the financial statements have been prepared in conformity with accounting standards. − Inquire as to whether they have knowledge of an actual or suspected fraud, communications from regulatory agencies, subsequent events, or actions taken by those charged with governance. Perform analytical procedures. The analytical procedures are meant to identify relationships and individual items that appear to be unusual. The appropriate analytical procedures are no different from the ones already studied in Chapters 7 and 8 and in those chapters dealing with tests of details of balances. Read the financial statements. The accountant should read the financial statements to determine whether they conform with the financial reporting framework. Reconcile the financial statements to the underlying accounting records. The accountant should obtain evidence that the financial statements agree or reconcile with the accounting records. Obtain a letter of representation. The accountant is required to obtain a letter of representation from members of management who are knowledgeable about financial matters. Prepare documentation. The accountant should prepare documentation of procedures performed, sources of evidence obtained, and conclusions reached.
Explain why a review of interim financial statements for a public company may provide a greater level of assurance than an SSARS review
The review procedures are essentially the same for public company and SSARS reviews. Some additional procedures are required for public company reviews that are beyond the scope of SSARS as follows: The level of knowledge the accountant has about the client's internal control is likely to be higher for public company reviews. Because an annual audit is done for public companies that have an interim review, the accountant must also obtain sufficient information about the client's internal control for both annual and interim financial information. The auditor's knowledge of the results of the audit procedures performed during the annual audit will affect the scope of the procedures performed during the review of interim financial information. The accountant will also have a good idea whether the quarterly statements were accurate after the annual audit is complete. This information will be useful in determining the review procedures in subsequent years. Under SSARS, the auditor makes inquiries about actions of directors and stockholder meetings; for public companies, the auditor reads the minutes of those meetings.
What type of report might a service organization use as a marketing tool to provide potential customers information about the internal controls related to security at the service organization?
The service organization would engage the accountant to issue an SOC 3 report, Trust Services Report for Service Organizations. The SOC 3 report is intended for wide distribution to current or potential users of the service organization. SOC 3 reports are prepared using the Trust Services principles and criteria shown in Table 25-2. Because an SOC 3 report is a general-use report, the service organization is allowed to share the report to current or prospective customers and use it as a marketing tool to demonstrate they have appropriate controls in place to mitigate risks, such as those related to security or privacy.
Preparation service
a nonattest engagement in which the accountant is engaged by the client to prepare or assist in preparing financial statements, but the CPA does not provide any assurance on the financial statements or issue a report, even if the financial statements are expected to be used by, or provided o, a third party
Compilation service
a nonaudit engagement in which the accountant is engaged to assist management in the preparation of financial statements and issue a report to a client or third party without providing any CPA assurance about those statements
Review service (SSARS review)
a review of unaudited financial statements designed to provide limited assurance that no material modifications need be made to the statements in order for them to be in conformity with accounting standards or, if applicable, with another comprehensive basis of accounting
Attestation engagement
a type of assurance service in which the CPA firm issues a report about the reliability of information or an assertion made by another party
Examination
an attest engagement that results in positive assurance expressed as an opinion as to whether or not the assertions under examination conform with the applicable criteria
Review
an attestation engagement that provides limited assurance expressed in the form of negative assurance as to the CPAs' awareness of any information indicating that the assertions are not presented in conformity with the applicable criteria
Agreed-upon procedures engagement
an engagement in which the procedures to be performed are agreed upon by the CPA, the responsible party making the assertions, and the intended users of the CPA's report; the degree of assurance provided by the CPA will vary based on procedures agreed to and performed
Service organization control (SOC) report
an engagement where a service organization's auditor reports on internal controls at the service organization, with a type 1 report including information about management's description of the service organization's system and the suitability of the design of the organization's controls while the type 2 report also includes information about the operating effectiveness of those controls
Prospective financial statements
financial statements that deal with expected future data rather than with historical data
Forecasts
prospective financial statements that present and entity's expected financial position, results of operations, and cash flows for future periods, to the best of the responsible party's knowledge and belief
Projections
prospective financial statements that present and entity's financial position and results of operations and cash flows for future periods, to the best of the responsible party's knowledge and belief, given one or more hypothetical assumptions
Public company interim review
reviews of interim, unaudited financial information performed to help public companies meet their reporting responsibilities to regulatory agencies
Statements on Standards for Accounting and Review Services (SSARS)
standards issued by the AICPA Accounting and Review Services Committee that govern the CPA's association with unaudited financial statements of nonpublic companies
Statements on Standards Attestation Engagements (SSAE)
statements issued by the AICPA to provide a conceptual framework for various types of attestation services
