Chapter 21 – Assurance, Attestation, and Internal Auditing Services
CHAPTER 21
ASSURANCE, ATTESTATION, AND
INTERNAL AUDITING SERVICES
Answers to Review Questions
21-1 Assurance services are independent professional services that improve the quality of
information, or its context, for decision makers. The definition focuses on decision-
making because good decision-making requires quality information that can be financial
or nonfinancial. An assurance service engagement can aid the decision maker in
21-2 SSAE No. 10 says an attest engagement occurs when a practitioner is engaged to issue or
does issue an examination, a review, or an agreed-upon procedures report on subject
matter, or an assertion about subject matter, that is the responsibility of another party.
21-3 Attestation standards provide for three types of engagements: (1) examination, (2)
review, and (3) agreed-upon procedures. However, an individual SSAE may prohibit one
or more of these types of engagements relating to specific subject matter. For example,
in reporting on a nonpublic entity’s internal control, the auditor may perform either an
21-4 The accountant can satisfy the requirement that the specified users take responsibility for
the sufficiency of the procedures to be performed by doing one of the following:
21-5 Many companies are now required by law to report on internal control. The Federal
Deposit Insurance Corporation Improvement Act (FDICIA) of 1991 requires that the
accountants to attest to the report. The Sarbanes-Oxley Act of 2002 imposes similar
requirements on all publicly traded companies. While an audit of internal control is not a
legal requirement for privately held companies (other than certain financial institutions
covered by FDICIA), some such companies may choose to engage accountants to provide
attestation services regarding internal control if deemed necessary to better evaluate
internal control over financial reporting or to provide additional assurance to third parties.
21-6 Prospective financial statements are either financial forecasts or financial projections.
Financial forecasts are prospective financial statements that present an entity’s expected
financial position, results of operations, and cash flows. They are based on assumptions
reflecting conditions the responsible party expects to exist and the course of action it
expects to take. Financial projections are prospective financial statements that present,
given one or more hypothetical assumptions, an entity’s expected financial position,
21-7 Three types of services can be performed under SSARS: (1) preparation of financial
21-8 In conducting a compilation, the accountant must have the following knowledge about
the entity:
The accounting principles and practices of the industry in which the entity operates.
A general understanding of the entity’s organization; its operating characteristics; and
An understanding of the accounting principles and practices used by the entity in
measuring, recognizing, recording, and disclosing all significant accounts and
disclosures in the financial statements.
21-9 Corporate governance entails all management-administered policies and procedures to
control risk and oversee operations within a company. The IAF can help management
and the board identify and manage risk, and can help ensure the compliance of the
stakeholders.
21-10 Internal auditors play a direct role in helping management comply with at least two
sections of the Sarbanes-Oxley Act. By testing internal control over financial reporting,
the internal audit function directly assists management to certify the effectiveness of
internal controls as per Section 404. In so doing, internal auditors provide a degree of
assurance that internal controls over the reliability of financial reporting are working as
planned. This assurance facilitates senior management’s responsibility to certify to the
accuracy of the financial statements as required by Section 302.
21-11 The AICPA Special Committee on Assurance Services developed the following six
assurance services:
Risk assessment – assurance that the entity’s profile of business risks is comprehensive
and evaluation of whether the entity has appropriate systems in place to
effectively manage those risks.
Business performance measurement – assurance that an entity’s performance
PrimePlus – assurance that specified goals regarding the elderly are being met by various
caregivers.
21-12 There are three broad categories of risks associated with electronic commerce: business
practices, transaction integrity, and information protection. As seen in Table 21-8, Trust
Services are built on five principles:
Security: The system is protected against unauthorized access (both physical and
logical).
21-13 A WebTrust assurance engagement is performed as an examination under the attestation
standards. In examining an entity’s website, the practitioner uses guidance provided in SSAE
No. 10 and COSO’s Internal Control – Integrated Framework. In such an examination, the
practitioner expresses a positive opinion as to whether the presentation of assertions
conforms to the AICPA’s Trust Services principles and criteria. The WebTrust seal of
assurance symbolizes to potential customers that a CPA has evaluated the website’s business
practices and controls and has determined that it conforms to the principles and criteria. An
21-14 PrimePlus can be a potential major service for CPA firms because the population in the
U.S. and Canada is aging and many of these people have accumulated significant wealth.
Additionally, individuals are living to ages where they require some form of assisted
living. In the past, these individuals relied on members of their family to provide some
level of care; however, changing demographics show a more mobile, younger generation.
Answers to Multiple-Choice Questions
21-15 d    21-23 d
21-16 b    21-24 c
21-17 d    21-25 a
21-18 c    21-26 c
21-19 b    21-27 b
21-20 a    21-28 c
21-21 c    21-29 d
21-22 b
21-30 A compilation is defined as presenting, in the form of financial statements, information
that is the representation of management or owners without undertaking to express any
assurance on the statements. A review is defined as the performance of inquiry and
analytical procedures to provide the accountant with a reasonable basis for expressing
limited assurance that no material modifications should be made to the statements in
21-31 a. A compilation of prospective financial statements involves
Assembling, to the extent necessary, the prospective financial statements based on
the responsible party’s assumptions.
b. Independent Accountant’s Report
Board of Directors
Cheaney Rental Properties
We have compiled the accompanying forecasted balance sheet, statements of
income, retained earnings, and cash flows of Cheaney Rental Properties as of December
31, 2011, and for the year then ending, in accordance with attestation standards
established by the American Institute of Certified Public Accountants.
A compilation is limited to presenting, in the form of a forecast, information that
is the representation of management and does not include evaluation of the support for
the assumptions underlying the forecast. We have not examined the forecast and,
21-32 The following deficiencies were noted in Currie’s draft:
The report does not contain the heading “Independent Accountant’s Report.”
The report is not dated.
First paragraph:
The examination should state that it was conducted in accordance with “attestation
standards established by the American Institute of Certified Public Accountants.”
The last word in the paragraph should be followed by “in the preparation and
Second paragraph:
The information in the second paragraph is correct, but it should normally be in the
third paragraph. The second paragraph should state the standards according to which
the examination is performed.
The report should state the practitioner’s belief that the examination provides a
reasonable basis for his opinion.
Third paragraph:
21-33 Deficiencies in the report on the compiled financial statements are as follows:
First paragraph:
The financial statements are not properly identified.
Reference to not providing “any assurance” is omitted.
Fourth paragraph:
Reference to the omission of the statement of cash flows is omitted.
Inclusion of the sixth paragraph is inappropriate.
The accountant’s compilation report is not dated October 25, 2013.
21-34
1. C C
2. I C
3. I I
4. I C
5. I C
6. I C
7. C
21-35 a. Consumers are reluctant to engage in electronic commerce for several reasons. First,
consumers want to know that the entity behind the website is “real.” In other words,
how can the consumers be sure that the entity follows good business practices and
that they will not be defrauded? Second, consumers are worried that electronic
101, and by using the guidance provided in TSP 100. Four steps would be taken to
complete the examination of management’s assertions:
Obtain an understanding of Rhett Corporation’s electronic commerce business
and information privacy practices and its controls over the processing of
electronic commerce transactions and the protection of related private customer
information.
Once the WebTrust seal is obtained, it is displayed on Rhett Corporation’s website. The
seal is managed by a third party service organization.
21-36 a. Changing demographics coupled with an aging population have led to situations
similar to the one faced by Mr. and Mrs. Jun, where Greg’s elderly mother may
require some form of assisted-living. The CPA can bring a level of assurance or
comfort to the family members through PrimePlus services. PrimePlus services build
off the CPA’s reputation for independence, objectivity, and integrity to provide a
for the individual’s income; paying bills and conducting routine financial transactions
for the client; and supervising investments and accounting for the estate. In an
assurance service, the practitioner issues periodic reports on the quality of care
provided to the elderly person.
b. The Juns must understand that the role of the practitioner is one of oversight. The
practitioner acts in the place of the absent family members and relies on qualified
specialists, employed by the client or the responsible family member, to provide the
Solution to Discussion Case
21-37 a. A practitioner may perform an agreed-upon procedures engagement to evaluate an
entity’s written assertion that it was in compliance with its state’s environmental laws
and regulations, provided that
The practitioner is independent.
The responsible party will provide the assertion in writing to the practitioner prior
to the issuance of his or her report.
The practitioner and specified users agree upon the procedures performed or to be
performed.
The specified users take responsibility for the sufficiency of the agreed-upon
procedures for their purposes.
limits for reporting purposes.
Use of the report is restricted to the specified users.
In addition, the practitioner should obtain an understanding of the specified
compliance requirements by considering the following:
Laws, regulations, rules, contracts, and grants that pertain to the specified
compliance requirements, including published requirements.
Knowledge about the specified compliance requirements obtained through prior
administrators).
Knowledge about the specified compliance requirements obtained through
discussions with appropriate individuals outside the entity (e.g., a regulator or
third-party specialist).
b. If the entity maintained an internal control system which monitored the entity’s
compliance with its state environmental laws and regulations, the practitioner would
evaluate the effectiveness of the system as follows:
Obtain an understanding of the relevant portions of the internal control system
If control risk is to be assessed below the maximum, perform tests of controls to
support the assessed level of control risk.
Solutions to Internet Problems
21-38 a. From the homepage, under the tab “Periodicals,” click on the Internal Auditor link.
Click on the “About Us” link at the top of the page, then click on the “Advertising”
link. The mission is stated as follows: Internal Auditor’s mission is to arm
practitioners with the cutting-edge information and practices they need to do their
jobs today and tomorrow.
b. From the homepage, under the “Certification” tab, click on the “New to IIA
certifications” link and then the “Learn about our Certified Internal Auditor (CIA)
designation and other IIA Certifications” link. “There are many reasons to obtain an
“The Certified Internal Auditor (CIA®) designation is the only globally accepted
certification for internal auditors and remains the standard by which individuals
demonstrate their competency and professionalism in the internal auditing field.
Candidates leave the program enriched with educational experience, information, and
business tools that can be applied immediately in any organization or business
environment.”
21-39 a. Policies: The entity has defined and documented its policies relevant to the particular
principle.
Communications: The entity has communicated its defined policies to authorized
with its defined policies.
b. The WebTrust seal of assurance symbolizes that an independent accountant has
examined the site. It represents the practitioner’s report on management’s assertions
that the entity’s business is in conformity with the applicable Trust Services
Principles and Criteria. The seal communicates that the entity has effective security
21-40 a. Timberland, Lands’ End, and L.L. Bean all sell products over the Internet. Lands’
End has its security audited but the site does not specify which criteria are used in the
audit. Both Lands’ End and L.L. Bean are verified by the VeriSign Trust Network.
Timberland is verified by Visa and Mastercard.
b. VeriSign is different from WebTrust. When a user clicks on the VeriSign seal, he or
she is referred to a validation page that confirms that the entity (L.L. Bean, for
example) is a licensee of the VeriSign privacy program. This means that VeriSign