Chapter 1: The Demand for Audit and Other Assurance Services

Sarbanes-Oxley Act Passed by Congress in 2002; Applies to publicly held companies and their audit firms Most significant securities legislation since the 1933 and 1934 Securities Act Established the Public Company Accounting Oversight Board Section 404 requires auditors to report on the effectiveness of the companys internal control over financial reporting Auditing: the accumulation and evaluation of evidence about information to determine and report in the degree of correspondence between the information and established criteria. Auditing should be done by a Competent, Independent Person External Auditors are paid fees by the company but despite this, they normally are sufficiently independent to conduct audits that can be relied on by users Internal auditors report directly to top management and the board of directors, allowing them to stay independent of the operating units they audit Accumulating and Evaluating Evidence (Critical part of every audit) Evidence: any information used by the auditor to determine whether the information being audited is stated in accordance with the established criteria Evidence takes many different forms, including: Electronic and documentary data about transactions Written and electronic communication with outsiders Observations by the auditor Oral testimony of the auditee (client) Auditors must obtain a sufficient quality and volume of evidence --- and they must determine the types and amount of evidence necessary and evaluate whether the information corresponds to the established criteria Auditor must be qualified to understand criteria for audit, as well as competent to know the types and amount of evidence to accumulate Information and Established Criteria: To do an audit, information must be in a verifiable form and there has to be standards (criteria like FASB / IASB) by which the auditor can evaluate the information Information has many forms --- quantifiable information (Ex. Financial statements) and subjective information (Ex. Efficiency of manufacturing operations) Criteria for evaluating information varies depending on the information being audited For audit of financial statements, criteria may be GAAP or it may be IRFS For audit of internal control over financial reporting, criteria will be Integrated Control Integrated Framework, which is issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) For Audit of tax returns by IRS, criteria are found in the Internal Revenue Code For more subjective information, there is no definite criteria--- The criteria has to be determined pre-audit by the auditors and the entities being audited Audit Reports Final stage in the auditing process = preparing the audit report Audit report communicates the auditors findings to users. It must inform users of the degree of correspondence between the information audited and the established criteria

For the audit of a tax return, a competent, independent person (internal revenue agent) accumulates and evaluates evidence (Examines cancelled checks and other supporting records), looks at financial information (Federal tax returns filed by taxpayer) and determines corresponds with established criteria (Internal revenue code and all interpretations). He then reports on the results (with a report on tax deficiencies.) Accounting v. Auditing Accounting: the recording, classifying, and summarizing of economic events in a logical manner Accountants must understand standards and also develop a system to ensure the entitys economic events are properly recorded on a timely basis and at a reasonable cost Auditing accounting dataauditors determine whether information recorded reflects correctly the economic events that occurred during the accounting period Auditors understand accounting standards (GAAP + IFRS) to determine whether financial statements were recorded according to criteria Auditor must also have expertise in accumulating and interpreting audit evidence this expertise is what differentiates auditors from accountants Determining the proper audit procedures, deciding the number and types of items to test, and evaluating the results are unique to auditors Auditing has a significant effect on information risk; (Demand Driver Information Risk). If statements are audited, there is assumed to be less risk with regards to business decisions (Ex. Ability to obtain a loan / if loan obtained, the amount of interest paid) Information Risk reflects the possibility that the information upon which the business risk decision was made was inaccurate Causes of Information Risk: Remoteness of Information: It is nearly impossible for a decision maker to have much firsthand knowledge about the organization with which they do business in this global economy. Information from others must be relied upon. (But getting information from others increases the likelihood of misstated information) Biases and Motives of the Provider: If information is provided by someone whose goals are inconsistent with those of the decision maker, the information may be biased in favor of the providers (Ex. Honest optimism about future events = may result in misstatement) Voluminous Data: The higher the volume of transactions, the greater the risk that improperly recorded information is included in the records Complex Exchange Transactions: Exchange transactions between organizations have become increasingly complex and therefore more difficult to record properly (Ex. Correct accounting treatment of the acquisition of an entity) Reducing Information Risk: User Verifies Information: The user may go to the business premises to examine records and obtain information about the reliability of the statements User Shares Information Risk with Management: There is considerable legal precedent that management is responsible for providing reliable information to users. If management misstates and harms users, users can sue management, although it may be difficult for them to actually collect on losses Audited Financial Statements Are Provided: Users can obtain reliable information through an independent audit; users can safely assume audited information is reasonably compute, accurate, and unbiased Relationships among auditors, client, and external users

Assurance Services: independent professional service that improves the quality of information for decision makers (Because auditors are perceived as unbiased) Can be performed by CPAs or a variety of other professionals Demand for assurance services continues to grow as the demand increases for real-time electronic info. Attestation Services: CPA issues a report about the reliability of an assertion that is made by another party A type of assurance services provided by CPAs NOTE - Audit is a type of attestation service Five categories of attestation services Audit of Historical Financial Statements: Management asserts that the statements are fairly stated in accordance with applicable US or international accounting standards. In this form of attestation service, auditor issues a written report expressing an opinion about whether the financial statements are fairly stated in accordance with standards These audits are the most common assurance service provided by CPA firms Audit of Internal Control over Financial Reporting: For an audit of internal controls over financial reporting, management asserts that internal controls have been developed and implemented following well-established criteria. Section 404 of SOX requires public companies to report managements assessment of the effectiveness of internal control SOX also requires auditors for large public companies to attest to the effectiveness of internal control over financial reporting WHY? This is important because such an evaluation, and in general, effective internal controls would reduce likelihood of misstatements and would increase user confidence Review of Historical Financial Statements: For a review of historical financial statements, management asserts that the statements are fairly stated in accordance with accounting standards (similar to audits) This is a lower level of assurance CPA firms provide that costs less then an audit (high level of assurance) because less evidence is needed. As a result, many nonpublic companies use this attestation option to provide limited assurance on their financial statements without incurring the cost of an audit Attestation Services on Information Technology: For attestations on information technology, management makes various assertions about the reliability and security of electronic information. Transaction an information are increasingly shared online and in real time-- thus, demand for even greater assurance about information, transactions, and the security protecting them WebTrust and SysTrust (Both developed by AICPA and CICA) are examples of attestation services developed to address assurance needs WebTrust -- Assurance service designed to provide assurance to third-party users of a Website To provide WebTrust attestation service, CPA firm must be licensed by AICPA WebTrust seal assures user that the web site owner has met established criteria related to business practices, transaction integrity, and information processes SysTrust- created to evaluate and test system reliability in areas like security and data integrity SysTrust services can be done by CPAs to provide assurance to management, the board of directors, or third parties about the reliability of information systems used to generate real-time information Other Attestation Services: CPAs provide numerous other attestation services Many of these are natural extensions of the audit of historical financial statements as users seek independent assurances about other types of information Sometimes, CPA is asked to provide written assurance about reliability of an assertion made by manaement (Ex. for bank loans, loan agreement asks company to engage a CPA and seek assurance about the companys compliance with the rules of the loan) Sometimes, CPA may also be asked to provide reliability of subject matter (to management or other specified parties) when there is no written assertion from another party (ex. CPA can attest to information in a clients forecasted financial statements, which are often used to obtain financing)

Other Assurance Services CPAs provide other assurance services that do not meet the formal definition of attestation services Just like attestation services, these other assurance services focus on improving the quality of information for decision makers. However, they differ from attestation services in that the CPA is not required to issue a written report. Also, The assurance does not have to be about the reliability of another partys assertion about compliance with specified criteria. Large field of competitors in the market for other assurance services--- while audits are limited by regulation to licensed CPAs, other forms of assurance is open to non-CPA competitors (Ex. market research firms) Other Assurance Service Examples (Table 1-1) Controls over and risks related to investments, including policies related to derivatives Service Activities: assess the processes in a companys investment practices to identify risks and to determine the effectiveness of those processes Mystery shopping Assess risks of accumulation, distribution, and storage of digital information Service Activities: assessing security risks and related controls over data and other information stored electronically, including the adequacy of backup and off-site storage. Frauds and illegal acts risk assessment Service Activities: develop fraud risk profiles, and assess the adequacy of company systems and policies in preventing and detecting fraud and illegal acts Organic Ingredients Service Activities: provide assurance on the amount of organic ingredients included in a companys products Compliance with entertainment royalty agreements Service Activities: assess whether royalties paid to artists comply with royalty agreements ISO 9000 certifications Service Activities: certify a companys compliance with ISO 9000 quality control standards Corporate responsibility and sustainability Service Activities: Reporting on whether information in a corporate responsibility report is consistent with company information and established reporting criteria

Nonassurance Services provided by CPAs 1- Accounting and bookkeeping 2- Tax Services 3- Management Consulting Services Relationship between assurance and nonassurance services Note --- Attestation services fall under the scope of assurance services

3 Types of Audits (performed by CPAs) Operational Audit: evaluates the efficiency and effectiveness of any part of an organization's operating procedures and methods At the completion of audit, management expects recommendations for improving operations Operational audits are not limited to accounting-- can include evaluation of organizational structure, computer operations, production methods marketing, and any other area in which auditor is qualified Establishing criteria for evaluating the information in an operational audit is extremely subjective-- thus it is difficult to objectively evaluate if efficiency and effectiveness meets established criteria. As a result, operational auditing is more like management consulting than what is usually considered auditing Compliance Audits: conducted to determine whether the auditee is following specific procedures, rules or regulations set by some higher authority. Some examples may include determining whether accounting personnel are following procedures prescribed by the controller, reviewing wage rates for compliance with minimum wage laws, examining contractual agreements with bankers and other lenders to be sure the company is complying with legal requirements, and determining whether a bank is in compliance with newly-enacted government regulations Results of compliance audits are typically reported to management (not outside users), because management is the primary group concerned with the extent of compliance with prescribed procedures and regulations Financial Statement Audits: conducted to determine whether financial statements are stated in accordance with specified criteria (accounting standards). To do this, auditor gathers evidence to determine if there are material errors or misstatements. Extensible Business Reporting Language (XBRL) is a language for the electronic communication of business and financial data. It enables sorting and comparing of financial data. Public companies required to provide interactive financial statement data. Types of Auditors Independent certified public accounting firms Independent / external auditors that audit the published historical financial statements of all publicly traded companies Governmental general accounting office auditors Auditor working for the U.S. Government Accountability office (GAO), an office that performs the audit function for Congress The GAO reports to and is responsible solely to Congress Internal Revenue agents IRS is responsible for enforcing the federal tax laws that have been defined b Congress and interpreted by Courts The IRS must audit taxpayers returns and determine whether they complied with tax laws IRS auditors thus perform compliance audits Internal auditors Internal auditors are employed by all types of organizations to audit for management; they have a variety of roles, depending on the employer To help maintain independence, the internal audit group typically reports directly to the president, or the audit committee of the board of directors. There is still a lack of independence because internal auditors work directly for the company-- this is the major difference between internal auditors and CPA firms