Chapter 4

Learning Objectives 4.1

After studying this chapter, you should be able to:

1 Understand the general definition of assurance services.

2 Identify the assurance and non-assurance services normally performed by auditors.

3 Explain what an assurance engagement entails.

4 Describe the five elements exhibited by all assurance engagements.

5 Know the various subject matters that can be covered in an assurance engagement.

6 Distinguish between the different suitable criteria applicable to an assurance service.

7 Understand what distinguishes a review from a compilation.

8 Give the distinguishing characteristics of the six special purpose reports.

9 Describe the key uses of reports on prospective financial information.

10 Explain the requirements of the Sarbanes-Oxley internal control reporting standards.

11 State the components of a triple bottom-line report based on the Global Reporting Initiative.

12 Discuss agreed-upon procedures and accounting compilation.

Auditor services are work that an audit firm performs for their clients. Except for consulting services, the work that auditors do is under the guidance of engagement standards set by the International Auditing and Assurance Standards Board (IAASB).

Consulting servicesengagements will not be discussed in this chapter.^!1

■ IAASB’S Technical Pronouncements

Illustration 4.1 shows the general structure of IAASB’s technical pronouncements.

Code of Ethics and ISQC

All auditor services standards have as their basis the IFAC Code of Ethics^!2(discussed in Chapter 3 Ethics for Professional Accountants) and International Standards on Quality Control^!3(ISQC) (see Chapter 1 International Auditing Overview). The Code has been employed by IFAC from the early days, but has been recently revised. Quality control standards are currently being created by the IAASB.

Two Audit Services Frameworks – “Assurance” and “Related Services”

Some engagement standards are based on “International Framework for Assurance Engagements” (assurance engagements), and others result from the “Related Services Framework” (related services engagements). Three sets of standards (ISAs, ISREs and ISAEs) share the assurance engagementframework and one standard set (ISRS) is based on the related services framework. ISAs, ISREs, ISAEs and ISRSs are collectively referred to as the IAASB’s Engagement Standards.

IAASB’s Engagement Standards

The IAASB engagement standards encompass the following:^!4

■ International Standards on Auditing (ISAs) are to be applied, as appropriate, in the audit of historical financial information.

■ International Standards on Review Engagements (ISREs) are to be applied in the review of historical financial information.

■ International Standards on Assurance Engagements (ISAEs) are to be applied in assurance engagements dealing with subject matters other than historical financial information.

■ International Standards on Related Services (ISRSs) are to be applied to compilation engagements, engagements to apply agreed upon proceduresto information, and other related services engagements as specified by the IAASB.

Assurance Engagements for Audits and Reviews for Historical Financial Information (ISAs and ISREs)

International Standards on Auditing (ISA) 100^!5 “Audits and Reviews of Historical Financial Information” describes the main concepts applicable to audit, review or special purpose engagements. Audit standards are described in ISA 200!–!799.^!6 Special Purpose Engagement and other examinations of historical financial information is ISA 800-899.^!7 Review standards are ISREs 2000-2699.

International Framework for Auditor Services

4.2

INTERNATIONAL FRAMEWORK FOR AUDITOR SERVICES

ILLUSTRATION 4.1

Assurance Engagements and Related Services

^!2

Structure of the IAASB’s Technical PronouncementsAppendix Services covered by IAASB Pronouncements ISQCs 1–99 International Standards on Quality Control

IFAC Code of Ethics for Professional Accountants “International Framework for Assurance Engagements” ISAEs 3000–3699 International Standards on Assurance Engagements IAEPSs 4700–4999 International Assurance Engagement Practice Statements

“Assurance Engagements on Subject Matters Other than

Historical Financial Information”

“Audits and Reviews of Historical Financial Information” IAPSs 1000–1999

International Auditing Practice Statements

ISA 100–989

International Standards on Auditing IREPs 2000–2999 International Review Engagement Practice Statements

ISREs 2000–2699 International Standards for Review Engagements

ISRS 4000–4699 International Standards on Related Services

“Related Services Framework”

Agreed-upon procedures

Compilations ISRS 4400 (currently ISA 920)ISRS 4410 (currently ISA 930) IRSPSs 4700–4999 International Related Services Practice statements

Assurance Engagements on Subject Matters Other than Historical Financial Information (ISAEs)

International Standards on Assurance Engagements (ISAE) 3000R^!9“Assurance Engage- ments on Subject Matters Other than Historical Financial Information” describes concepts applicable to assurance services whose subject matter are not related to historical financial information. The ISAE standards are divided into two parts:

1 ISAEs 3000!–!3399 which are topics that apply to all assurance engagements.

2 ISAEs 3400!–!3699 which are subject specific standards, for example standards relating to examination of prospective financial information.^!10

The subject matter of ISAEs 3400!–!3699 now includes only examination of prospective financial information. However, in future it might include non-financial information (e.g. corporate governance, statistical, environmental), systems and processes (e.g. internal control (such as that required under the Sarbanes-Oxley Act), corporate governance, environmental management systems), and behavior (corporate governance, compliance, and human resources practices). Right now, as IAASB does not set standards, reports of social, environmental and economic assurance engagements are commonly based on a whole variety of established criteria, for example, the Global Reporting Initiative (GRI).^!11 Other Engagements Performed by Auditors

Not all engagements performed by auditors are assurance engagements. Other engagements frequently performed by auditors that do not meet the definition of an assurance engage- ment and which are therefore not covered by the framework for assurance engagements include:

■ engagements covered by International Standards for Related Services (ISRSs);

■ the preparation of tax returns where no conclusion conveying assurance is expressed;

■ consulting engagements such as tax consulting, or engagements in which a practitioner is engaged to testify as an expert witness in accounting, auditing, taxation or other matters, given stipulated facts.

Related Services Framework (ISRSs)

Engagements covered by International Standards on Related Services ISRS are based on the

“Related Services Framework” – a framework that is still in the development stage at the IAASB. Standards under this framework (ISRSs) are applied currently to two audit services:

agreed-upon procedures (ISRS 4400^!12) and compilations (ISRS 4410^!13). Compilations offer no assurance whatsoever. Agreed-upon procedures are assurance based on audit procedures in a very limited “agreed upon” area with a proscribed set of users.

Guidance and Practical Assistance Provided by Practice Statements (IAPS, IAEPs, IRSPSs)

The IAASB’s Standards contain basic principles and essential procedures together with related guidance in the form of explanatory and other material, including appendices.

International Auditing Practice Statements (IAPSs) are issued to provide interpretive guidance and practical assistance to auditors in implementing ISAs for audit, review, and special purpose engagements. International Assurance Engagement Practice Statements (IAEPSs) provide interpretive guidance for ISAEs, and International Related Services Practice Statements (IRSPSs) will provide assistance for auditors implementing ISRSs.

Assurance engagements are performed by a professional accountantand are intended to enhance the credibility of information about the subject matter. The subject matter of an assurance engagement is the topic about which the assurance engagement is conducted.

Subject matter could be financial statements, statistical information, non-financial performance indicators, capacity of a facility, etc. The subject matter could also be systems and processes (e.g. internal controls, environment, IT systems) or behavior (e.g.

corporate governance, compliance with regulation, human resource practices). The assurance engagement evaluates whether the subject matter conforms to suitable criteria that will meet the needs of an intended user. (See Illustration 4.1 “International Framework for Assurance Engagements.”)

■ Assurance Engagement Defined

Assurance engagement means an engagement in which a practitioner (professional accountant or auditor) expresses a conclusion (in report form) that is designed to enhance the degree of confidence users have about the evaluation of the subject matter against identified criteria.

Common examples of assurance engagements include: financial statement audits and reviews, independent assurance on sustainability reports (such as “triple bottom line” reports based on GRI Guidelines), and opinions on the effectiveness of internal controls.

Assurance engagements may be distinguished from other engagements performed by auditors, such as consulting engagements. When performing consulting for an audit client, the auditor may compromise auditor independence.

■ Five Elements Exhibited by all Assurance Engagements

The International Framework for Assurance Engagements describes five elements^!14that all assurance engagements exhibit:

1 a three party relationship involving a practitioner, a responsible party, and the intended users;

2 a subject matter;

ELEMENTS OF AN ASSURANCE ENGAGEMENT

Certification Exam Question 4.1

Which of the following is a conceptual difference between the International Standards for Assurance Engagements (ISAE) and International Auditing Standards (ISA)?

(A) ISAEs provide a framework for the attest function beyond historical financial statements.

(B) The requirement that the practitioner be independent in mental attitude is omitted from the ISAEs.

(C) The ISAEs do notpermit an attest engagement to be part of a business acquisition study or a feasibility study.

(D) Internal control is important in ISAs but not ISAEs.

Elements of an Assurance Engagement

4.3

3 suitable criteria;

4 evidence; and 5 an assurance report.

Illustration 4.2 is a context data flow diagram of the engagement process. Illustration 4.3 shows a more in depth (zero level) data flow diagram of the relations between the five elements during an engagement process.

■ Three Party Relationship – Practitioner, Responsible Party and User

Assurance engagements always involve three separate parties: a practitioner, a responsible party, and the intended users. The practitioner (e.g. auditor, accountant, expert) gathers evidence to provide a conclusion to the intended users about whether a subject matter (e.g. financial statements) conforms, in all material respects, to identified criteria. The responsible party (usually management or the board of directors) is the one who is responsible for the subject matter, choosing the criteria and typically engaging the prac- titioner. The responsible party should not be the intended user. In some circumstances the intended users are identified by the responsible party or by law. Often the intended users are the addressees of the assurance report.

The responsible party is responsible for maintaining the accounting, computer and operation systems and determining accounting and internal control methods. As you can see from Illustration 4.3, the responsible party selects criteria (e.g. the tax code), deter- mines the subject matter (financial statements) and engages the practitioner (public accountant). The subject matter and criteria taken together generates the subject matter information. For example, the tax code criteria and financial statements subject matter combine to make the company income tax returns. In an audit, the criteria could be IFRS, the subject matter is financial performance and position of the company, and subject matter information would be the income statement and balance sheet. In prepar- ing internal control assurances, the criteria could be the COSO criteria, subject matter

ILLUSTRATION 4.2

Context Data Flow Diagram of Assurance Engagement Elements

Engagement process Responsible

party

Practitioner

Intended user

Suitable criteria

internal controls, and the subject matter information could be a measure of effectiveness of internal control.

The practitioner determines if the criteria is suitable, collects evidence about the subject matter information and issues an assurance report. For example, the auditor determines if the proper income tax codes are being used, evaluates the income tax information provided by the company by seeking evidence that the information is complete and all transactions from which the data were derived exist. Put another way – a responsible party measures, the auditor re-measures.

■ Subject Matter

The subject matter of an assurance engagement can take many forms, such as:

■ information or data about historical or prospective financial performance or physical characteristics (e.g. statistical information, non-financial performance indicators, capacity of a facility).

■ systems and processes (e.g. internal controls, IT systems).

■ Behavior (e.g. corporate governance, compliance with regulation, human resource practices).

The auditor should accept an assurance engagement only if the subject matter is the responsibility of a party other than the intended users or the auditor. That generally means that the intended user is not management or the auditor. The subject matter must be identifiable and capable of consistent evaluation or measurement against identified, suitable criteria (such as International Financial Reporting Standards (IFRS)). It must

ELEMENTS OF AN ASSURANCE ENGAGEMENT

ILLUSTRATION 4.3

Data Flow Diagram Assurance Engagement Elements and Engagement Sub-Processes

Suitable criteria

Practitioner Responsible

party

Intended user Determine

criteria

1.0 Generate

subject matter information

3.0 Issue assurance

report 6.0 Determine

subject matter 2.0

Engage practitioner

4.0

Collect evidence about fairness of subject

matter information 5.0

also be in a form that can be subjected to procedures for gathering evidence to support that evaluation or measurement.

■ Suitable Criteria

Suitable criteria are the benchmarks (standards, objectives, or set of rules) used to evaluate evidence or measure the subject matter of an assurance engagement. For example, in the preparation of financial statements, the suitable criteria may be IFRS, US Generally Accepted Accounting Principles (US GAAP), or national standards. When reporting on social or environmental aspects of the company an auditor might use the Global Reporting Initiative.

Several standards may guide the report, depending on the assurance service. When using accounting criteria to report on internal control, the criteria may be an established internal control framework, such as the COSO^!15report criteria, or individual control objectives specifically designed for the engagement. When reporting on compliance, the criteria may be the applicable law, regulation or contract, or an agreed level of per- formance (for instance, the number of times a company’s board of directors is expected to meet in a year). Without the frame of reference provided by suitable criteria, any conclusion is open to individual interpretation and misunderstanding.

The Characteristics for Assessing Suitable Criteria

An auditor cannot evaluate or measure a subject matter on the basis of his own expect- ations, judgments and individual experience. That would not constitute suitable criteria.

The characteristics for assessing whether criteria are suitable are as follows:^!16

■ Relevance: relevant criteria contribute to conclusions that meet the objectives of the engagement, and assist decision making by the intended users.

■ Completeness: criteria are sufficiently complete when relevant factors that could affect the conclusions in the context of the engagement objectives are not omitted. Complete criteria include, where relevant, benchmarks for presentation and disclosure of the subject matter.

■ Reliability: reliable criteria result in reasonably consistent evaluation or measurement including, where relevant, presentation and disclosure of the subject matter, when used in similar circumstances by similarly qualified practitioners.

■ Neutrality: neutral criteria are free from bias.

■ Understandability: understandable criteria are clear and comprehensive and are not subject to significantly different interpretation.

Criteria Established or Specifically Developed

Criteria can be either established or specifically developed. Established criteria are those embodied in laws or regulations, or issued by recognized bodies of experts that follow due process. Examples of established criteria are GAAP, IFRS, the national tax code, etc.

Specifically developed criteria are those identified for the purpose of the engagement and which are consistent with the engagement objective. Examples of specifically developed criteria are criteria generally understood by the intended users (e.g. the criterion for measuring time in hours and minutes is generally understood); or criteria available only to specific intended users (e.g. the terms of a contract, or criteria issued by an industry association that are available only to those in the industry).

ELEMENTS OF AN ASSURANCE ENGAGEMENT

Concept and a Company 4.1

What is an assurance service? What is an audit-related service?

Ernst & Young (E&Y) were the independent auditors of HealthSouth between 2000 and 2002. They also conducted janitorial inspections of the company’s facilities. These inspec- tions were called “pristine audits.” E&Y advised HealthSouth to classify the payments for

“pristine audits” as “audit-related fees.”

HealthSouth, headquartered in Birmingham, Alabama, USA, is the largest provider of outpatient surgery, diagnostic and rehabilitative healthcare services in the USA with approximately 1,800 worldwide facilities in the USA, Australia, Puerto Rico, and the UK. Its former CEO, Richard M. Scrushy, is under an 85-count federal indictment, accused of conspiracy, securities fraud, mail and wire fraud, and money laundering. (SEC 2003)

A US government indictment charged that between 1996 and 2002 HealthSouth managers, at the insistence of Scrushy, inflated profits by $2.74 billion. Scrushy certified the HealthSouth financial statements when he knew that they were materially false and mis- leading. On November 4, 2003, he became the first CEO of a major company to be indicted for violating the Sarbanes-Oxley Act, which holds executives personally accountable for their companies’ financial reporting. (Business Week2003).

Six months elapsed from the start of the SEC’s investigation to the filing of its fraud suit against Scrushy in March 2003. It took just seven weeks, from March 19 to May 5, for the US Justice Department to accumulate 11 guilty pleas from Scrushy aides. All five CFOs in the company’s history have admitted to cooking the books. (Helyar 2003)

Pristine Audits

Scrushy devised a facilities inspection program called “Pristine Audits” and hired E&Y to do the work. The primary purpose of the inspections was to check the cleanliness and physical appearance of HealthSouth’s surgical and rehabilitation facilities. Under the program, E&Y made unannounced visits to each facility once a year, using dozens of junior-level accountants who were trained for the inspections at HealthSouth’s headquarters. For the most part E&Y used audit personnel who were not members of the HealthSouth audit- engagement team to conduct the pristine audits.

The accountants carried out the reviews using as criteria a 50-point checklist designed by Mr. Scrushy. The checklist included procedures such as seeing if magazines in waiting rooms were orderly, the toilets and ceilings were free of stains, and the trash receptacles all had liners. Other items on the checklist included: check the walls, furniture, floors and whirlpool areas for stains; check that the heating and cooling vents “are free of dust accumulation;” that the “floors are free of trash;” and that the “overall appearance is sanitary.” A small portion of the checklist pertained to money matters, though none of it pertained to accounting. Assignments included checking if petty-cash drawers were secure and company equipment was properly tagged. The checklists did not cover insurance- billing procedures or the quality of the medical treatment. (Weil 2003a)

In 2002 E&Y ended their relationship with HealthSouth, and HealthSouth discontinued the pristine audits.

A “Clean Audit” for HealthSouth

Concept Story

s

Describing the pristine audits, Mr. Scrushy told an investor group: “We believe one of the reasons that we have done so well has to do with the fact that we do audit all of our facilities, 100 percent, annually. And we use an outside audit firm, our auditors, Ernst & Young. They visit all our facilities, 100 percent.” On its website, HealthSouth said the pristine audit,

“administered independently by Ernst & Young LLP ... ensures that all of our patients enjoy a truly pristine experience during their time at HealthSouth. The average score was 98 percent, with more than half of our facilities scoring a perfect 100 percent.”

E&Y Fees Charged HealthSouth

HealthSouth’s April 2001 proxy (form DEF14A), filed with the SEC, said the company paid E&Y $1.03 million to audit its 2000 financial statements and $2.65 million of “all other fees.”

The proxy said the other fees included $2.58 million of “audit-related fees,” and $66,107 of

“non-audit-related fees.” In its April 2002 proxy, HealthSouth said it paid E&Y $1.16 million for its 2001 audit and $2.51 million for “all other fees.” The proxy said the other fees included $2.39 million for “audit-related fees” and $121,580 for “non-audit-related fees.”

Neither proxy described in any detail the audit-related or non-audit-related services for which E&Y was paid. Andrew Brimmer, a HealthSouth spokesman, was quoted as saying the “audit-related-fee” figures for each year included about $1.3 million for the pristine audits. Mr. Brimmer said HealthSouth paid E&Y $5.4 million for 2002, including

$1.1 million for financial-statement audit services and $1.4 million for the pristine audits.

(Weil 2003a)

Pristine Audits as “Audit-Related Fees”

A March 2002 E&Y report to HealthSouth’s Board of Directors included an attachment that summarized E&Y’s fees and provided a suggested “Proxy Disclosure Format.” The attachment classified the pristine audits as “audit-related services” and the fees for them as

“audit-related fees.” (Weil 2003a)

David Howarth, a spokesman for E&Y is quoted as saying: “The audit-related category is not limited to services related to the financial statement audit per se. At the time of HealthSouth’s disclosures, there were no SEC rules that defined audit-related services.

Describing operational audit procedures as audit-related services was reasonable.” Howarth claimed that SEC ruled that audit-related fees would include assurance services traditionally performed by the independent auditor, including “internal-control reviews.” He main- tained the pristine audit was an internal control review. “Under the new SEC rules adopted in response to the Sarbanes-Oxley Act, these (internal control review) fees are specifically mentioned as ones that should be included in audit-related fees.” (Weil 2003b)

After the Weil 2003b article appeared, Scott A. Taub, the Deputy Chief Accountant of the SEC wrote a letter to E&Y partner Ed Caulson. Taub wrote: “The Commission’s current rules state that registrants are to “disclose, under the caption Audit-Related Fees, the aggre- gate fees billed in each of the last two fiscal years for assurance and related services by the principal accountant that are reasonably related to the performance of the audit or review of the registrant’s financial statements.” (emphasis added) It is clear from a reading of the release text and related rules that the Commission’s intent is that only fees for services that are reasonably related to the performance of an audit or review of the financial statements and that traditionally have been performed by the independent accountant should be classified as audit-related.”(Taub 2003)

A “Clean Audit” for HealthSouth (continued)