Chapter 1: The Demand for Audit and Other Assurance Services

- Sarbanes-Oxley Act
o Passed by Congress in 2002; Applies to publicly held companies and their audit firms
o Most significant securities legislation since the 1933 and 1934 Securities Act
o Established the Public Company Accounting Oversight Board
o Section 404 requires auditors to report on the effectiveness of the companys internal control over
financial reporting
- Auditing: the accumulation and evaluation of evidence about information to determine and report in the
degree of correspondence between the information and established criteria.
o Auditing should be done by a Competent, Independent Person
External Auditors are paid fees by the company but despite this, they normally are sufficiently
independent to conduct audits that can be relied on by users
Internal auditors report directly to top management and the board of directors, allowing them to stay
independent of the operating units they audit
o Accumulating and Evaluating Evidence (Critical part of every audit)
Evidence: any information used by the auditor to determine whether the information being audited is
stated in accordance with the established criteria
Evidence takes many different forms, including:
Electronic and documentary data about transactions
Written and electronic communication with outsiders
Observations by the auditor
Oral testimony of the auditee (client)
Auditors must obtain a sufficient quality and volume of evidence --- and they must determine the
types and amount of evidence necessary and evaluate whether the information corresponds to the
established criteria
Auditor must be qualified to understand criteria for audit, as well as competent to know the types
and amount of evidence to accumulate
o Information and Established Criteria: To do an audit, information must be in a verifiable form and there
has to be standards (criteria like FASB / IASB) by which the auditor can evaluate the information
Information has many forms --- quantifiable information (Ex. Financial statements) and subjective
information (Ex. Efficiency of manufacturing operations)
Criteria for evaluating information varies depending on the information being audited
For audit of financial statements, criteria may be GAAP or it may be IRFS
For audit of internal control over financial reporting, criteria will be Integrated Control
Integrated Framework, which is issued by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
For Audit of tax returns by IRS, criteria are found in the Internal Revenue Code
For more subjective information, there is no definite criteria--- The criteria has to be determined
pre-audit by the auditors and the entities being audited
o Audit Reports
Final stage in the auditing process = preparing the audit report
Audit report communicates the auditors findings to users. It must inform users of the degree of
correspondence between the information audited and the established criteria



- For the audit of a tax return, a competent, independent person (internal revenue agent) accumulates and
evaluates evidence (Examines cancelled checks and other supporting records), looks at financial information
(Federal tax returns filed by taxpayer) and determines corresponds with established criteria (Internal revenue
code and all interpretations). He then reports on the results (with a report on tax deficiencies.)
- Accounting v. Auditing
o Accounting: the recording, classifying, and summarizing of economic events in a logical manner
Accountants must understand standards and also develop a system to ensure the entitys economic
events are properly recorded on a timely basis and at a reasonable cost
o Auditing accounting dataauditors determine whether information recorded reflects correctly the
economic events that occurred during the accounting period
Auditors understand accounting standards (GAAP + IFRS) to determine whether financial statements
were recorded according to criteria
Auditor must also have expertise in accumulating and interpreting audit evidence this expertise is
what differentiates auditors from accountants
Determining the proper audit procedures, deciding the number and types of items to test, and
evaluating the results are unique to auditors
- Auditing has a significant effect on information risk; (Demand Driver Information Risk).
o If statements are audited, there is assumed to be less risk with regards to business decisions (Ex. Ability to
obtain a loan / if loan obtained, the amount of interest paid)
o Information Risk reflects the possibility that the information upon which the business risk decision was
made was inaccurate
o Causes of Information Risk:
Remoteness of Information: It is nearly impossible for a decision maker to have much firsthand
knowledge about the organization with which they do business in this global economy. Information
from others must be relied upon. (But getting information from others increases the likelihood of
misstated information)
Biases and Motives of the Provider: If information is provided by someone whose goals are
inconsistent with those of the decision maker, the information may be biased in favor of the
providers (Ex. Honest optimism about future events = may result in misstatement)
Voluminous Data: The higher the volume of transactions, the greater the risk that improperly
recorded information is included in the records
Complex Exchange Transactions: Exchange transactions between organizations have become
increasingly complex and therefore more difficult to record properly (Ex. Correct accounting
treatment of the acquisition of an entity)
o Reducing Information Risk:
User Verifies Information: The user may go to the business premises to examine records and obtain
information about the reliability of the statements
User Shares Information Risk with Management: There is considerable legal precedent that
management is responsible for providing reliable information to users. If management misstates and
harms users, users can sue management, although it may be difficult for them to actually collect on
losses
Audited Financial Statements Are Provided: Users can obtain reliable information through an
independent audit; users can safely assume audited information is reasonably compute, accurate,
and unbiased
Relationships among auditors, client, and external users


- Assurance Services: independent professional service that improves the quality of information for decision
makers (Because auditors are perceived as unbiased)
o Can be performed by CPAs or a variety of other professionals
o Demand for assurance services continues to grow as the demand increases for real-time electronic info.
- Attestation Services: CPA issues a report about the reliability of an assertion that is made by another party
o A type of assurance services provided by CPAs
o NOTE - Audit is a type of attestation service
o Five categories of attestation services
Audit of Historical Financial Statements: Management asserts that the statements are fairly stated in
accordance with applicable US or international accounting standards. In this form of attestation
service, auditor issues a written report expressing an opinion about whether the financial statements
are fairly stated in accordance with standards
These audits are the most common assurance service provided by CPA firms
Audit of Internal Control over Financial Reporting: For an audit of internal controls over financial
reporting, management asserts that internal controls have been developed and implemented
following well-established criteria.
Section 404 of SOX requires public companies to report managements assessment of the
effectiveness of internal control
SOX also requires auditors for large public companies to attest to the effectiveness of internal
control over financial reporting
WHY? This is important because such an evaluation, and in general, effective internal controls
would reduce likelihood of misstatements and would increase user confidence
Review of Historical Financial Statements: For a review of historical financial statements,
management asserts that the statements are fairly stated in accordance with accounting standards
(similar to audits)
This is a lower level of assurance CPA firms provide that costs less then an audit (high level of
assurance) because less evidence is needed. As a result, many nonpublic companies use this
attestation option to provide limited assurance on their financial statements without incurring
the cost of an audit
Attestation Services on Information Technology: For attestations on information technology,
management makes various assertions about the reliability and security of electronic information.
Transaction an information are increasingly shared online and in real time-- thus, demand for
even greater assurance about information, transactions, and the security protecting them
WebTrust and SysTrust (Both developed by AICPA and CICA) are examples of attestation services
developed to address assurance needs
WebTrust -- Assurance service designed to provide assurance to third-party users of a Website
o To provide WebTrust attestation service, CPA firm must be licensed by AICPA
o WebTrust seal assures user that the web site owner has met established criteria related to
business practices, transaction integrity, and information processes
SysTrust- created to evaluate and test system reliability in areas like security and data integrity
o SysTrust services can be done by CPAs to provide assurance to management, the board of
directors, or third parties about the reliability of information systems used to generate real-
time information
Other Attestation Services: CPAs provide numerous other attestation services
Many of these are natural extensions of the audit of historical financial statements as users seek
independent assurances about other types of information
Sometimes, CPA is asked to provide written assurance about reliability of an assertion made by
manaement (Ex. for bank loans, loan agreement asks company to engage a CPA and seek
assurance about the companys compliance with the rules of the loan)
Sometimes, CPA may also be asked to provide reliability of subject matter (to management or
other specified parties) when there is no written assertion from another party (ex. CPA can attest
to information in a clients forecasted financial statements, which are often used to obtain
financing)

- Other Assurance Services
o CPAs provide other assurance services that do not meet the formal definition of attestation services
Just like attestation services, these other assurance services focus on improving the quality of
information for decision makers.
However, they differ from attestation services in that the CPA is not required to issue a written
report. Also, The assurance does not have to be about the reliability of another partys assertion
about compliance with specified criteria.
o Large field of competitors in the market for other assurance services--- while audits are limited by
regulation to licensed CPAs, other forms of assurance is open to non-CPA competitors (Ex. market
research firms)
- Other Assurance Service Examples (Table 1-1)
o Controls over and risks related to investments, including policies related to derivatives
Service Activities: assess the processes in a companys investment practices to identify risks and to
determine the effectiveness of those processes
o Mystery shopping
o Assess risks of accumulation, distribution, and storage of digital information
Service Activities: assessing security risks and related controls over data and other information stored
electronically, including the adequacy of backup and off-site storage.
o Frauds and illegal acts risk assessment
Service Activities: develop fraud risk profiles, and assess the adequacy of company systems and
policies in preventing and detecting fraud and illegal acts
o Organic Ingredients
Service Activities: provide assurance on the amount of organic ingredients included in a companys
products
o Compliance with entertainment royalty agreements
Service Activities: assess whether royalties paid to artists comply with royalty agreements
o ISO 9000 certifications
Service Activities: certify a companys compliance with ISO 9000 quality control standards
o Corporate responsibility and sustainability
Service Activities: Reporting on whether information in a corporate responsibility report is consistent
with company information and established reporting criteria

- Nonassurance Services provided by CPAs
o 1- Accounting and bookkeeping
o 2- Tax Services
o 3- Management Consulting Services
- Relationship between assurance and nonassurance services
o Note --- Attestation services fall under the scope of assurance services
o

- 3 Types of Audits (performed by CPAs)
o Operational Audit: evaluates the efficiency and effectiveness of any part of an organization's operating
procedures and methods
At the completion of audit, management expects recommendations for improving operations
Operational audits are not limited to accounting-- can include evaluation of organizational structure,
computer operations, production methods marketing, and any other area in which auditor is qualified
Establishing criteria for evaluating the information in an operational audit is extremely subjective--
thus it is difficult to objectively evaluate if efficiency and effectiveness meets established criteria. As a
result, operational auditing is more like management consulting than what is usually considered
auditing
o Compliance Audits: conducted to determine whether the auditee is following specific procedures, rules or
regulations set by some higher authority.
Some examples may include determining whether accounting personnel are following procedures
prescribed by the controller, reviewing wage rates for compliance with minimum wage laws,
examining contractual agreements with bankers and other lenders to be sure the company is
complying with legal requirements, and determining whether a bank is in compliance with newly-
enacted government regulations
Results of compliance audits are typically reported to management (not outside users), because
management is the primary group concerned with the extent of compliance with prescribed
procedures and regulations
o Financial Statement Audits: conducted to determine whether financial statements are stated in
accordance with specified criteria (accounting standards). To do this, auditor gathers evidence to
determine if there are material errors or misstatements.
-
- Extensible Business Reporting Language (XBRL) is a language for the electronic communication of business and
financial data. It enables sorting and comparing of financial data. Public companies required to provide
interactive financial statement data.
- Types of Auditors
o Independent certified public accounting firms
Independent / external auditors that audit the published historical financial statements of all publicly
traded companies
o Governmental general accounting office auditors
Auditor working for the U.S. Government Accountability office (GAO), an office that performs the
audit function for Congress
The GAO reports to and is responsible solely to Congress
o Internal Revenue agents
IRS is responsible for enforcing the federal tax laws that have been defined b Congress and
interpreted by Courts
The IRS must audit taxpayers returns and determine whether they complied with tax laws
IRS auditors thus perform compliance audits
o Internal auditors
Internal auditors are employed by all types of organizations to audit for management; they have a
variety of roles, depending on the employer
To help maintain independence, the internal audit group typically reports directly to the president, or
the audit committee of the board of directors.
There is still a lack of independence because internal auditors work directly for the company-- this is
the major difference between internal auditors and CPA firms
-