


Audit-related services
Assurance engagements
Risk assessments
E-commerce

It is important to have a sound knowledge of the types of
engagements covered in this chapter; you are very likely to
be required to apply this knowledge to practical scenarios in
the exam.
In the compulsory section of the December 2007 exam,
candidates were asked to consider the level of assurance
that could be provided over certain KPIs for 4 marks.
In the optional section of the same exam, 8 marks were
available for identifying and explaining matters relating to an
assurance engagement and a further 6 marks for a
discussion of the differences between a review and an
audit. As risks have featured in both sittings so far,
identifying such risks is an important area to focus on here.
In June 2008, there were 14 marks on offer in
total for a report which covered the purposes
and benefits of a due diligence report to a
potential purchaser, as well as a comparison of
the scope of such an engagement with that of an
The exam in June 2009 asked for an
explanation of the principal analytical
procedures used to gather evidence in a review
of interim financial information.

Audit firms may not just be asked for assurance
reports as we have seen - they can also be
engaged to deliver a number of related services,
providing varying amounts of assurance (if at all)
depending on the engagement.
Related services comprise reviews, agreed-
upon procedures and compilations (IAASB
Glossary) and are compared here with audits for

Auditing and related services

Category | Auditing | Related services | Related services | Related services
Nature of service | Audit | Review (ISRE 2400) | Agreed-upon Procedures (ISRS 4400) | Compilation (ISRS 4410)
Level of assurance provided by the auditor | Reasonable assurance | Limited assurance | No assurance | No assurance
Report provided | Positive assurance | Negative assurance | findings of | of information

A review will enable the auditor to state that
nothing has come to his attention that causes
him to believe that the financial statements are
not prepared in accordance with an identified
financial reporting framework. This is known as
negative assurance.
The objective of the review engagement is for
the accountant to declare that a given premise is
either correct or not.

Example: review engagement
Auditors may sometimes be asked to review
interim financial information. In such an
engagement, the auditor is being asked to attest
assertions made, such as:
The accounting policies used are consistent with
those used in the prior year financial statements.
No material modifications to the interim financial
information as it has been presented are

ISRE 2400: Engagements to
review financial statements
The auditor should plan and perform the review with an
attitude of professional scepticism recognising that
circumstances may exist which cause the financial
statements to be materially misstated.
The auditor should obtain sufficient appropriate
evidence primarily through enquiry and analytical
procedures, to be able to draw conclusions. (comply
with Code of ethics and in accordance with ISAs)
The auditor and the client should agree on the terms of
the engagement and an engagement letter should be

Many of the requirements of the ISRE are similar to the
requirements of an audit because a review is extremely
similar to an audit
Obtain knowledge of the business
Same materiality requirements
Using the work of others
Document all important matters
Enquire about subsequent events
Extend procedures if material misstatements are suspected
Obtain written management representations when
P7 ACCA 10
List the main procedures you would
undertake if asked to perform a review for
a client whose financial statements you
previously audited but which is now exempt from
the statutory audit.

Obtain an understanding of the entity's business activities,
the industry in which it operates and the system for
recording financial information and preparing financial
statements from prior year audit files and discussion with
Enquire regarding any
changes to the entity's accounting principles and practices;
changes in the entity's procedures for recording financial
information and preparing financial statements;
other relevant changes (eg a change in ownership).

whether all financial information has been recorded
completely, promptly and after the necessary authorisation;
about the existence of transactions with related parties and
whether they have been disclosed;
about contingencies and commitments.
Consider obtaining written representations from
Enquire about events subsequent to the date of the financial
statements that may require adjustment or disclosure in the
financial statements
Enquire of management the current status of any prior year
audit issues or management report points that would impact
the financial statements.
Obtain the trial balance and determine whether it agrees
with the general ledger and financial statements.
Obtain supporting schedules of each trial balance item
and determine whether the total agrees with the trial
Perform analytical procedures to identify relationships
and individual items that appear unusual and compare to
prior year audited financial information and, if available,
budgets and forecasts.
Obtain explanations from management for any unusual
fluctuations or inconsistencies in the financial

Conclusions and reporting
The review report should contain a clear expression of
negative assurance.
The report should fulfill the following.
(a) State that nothing has come to the auditor's attention based
on the review that causes the auditor to believe the financial
statements do not give a true and fair view in accordance
with the identified financial reporting framework; or
(b) If matters have come to the auditor's attention, describe
those matters that impair a true and fair view in accordance
with the identified financial reporting framework including,
unless impracticable, a quantification of the possible effect(s)
on the financial statements and either
(i) express a qualification of negative assurance; or
(ii) express an adverse opinion if the matter is so material
and pervasive that the financial statements are misleading.
(c) If there has been a material scope limitation, describe
the limitation and either:
(i) express a qualification of the negative assurance
provided regarding the possible adjustments to the
financial statements that might have been determined to
be necessary had the limitation not existed; or
(ii) when the possible effect of the limitation is so
significant and pervasive that the auditor concludes that
no level of assurance can be provided, not provide any

Review of interim financial information
performed by the independent auditor
of the entity ISRE 2410
General principles
The auditor should comply with ethical principles
relevant to the audit when carrying out an interim review.
He should apply quality control procedures applicable
to the individual engagement.
In addition, he should plan and perform the engagement
with an attitude of professional scepticism.
The auditor should agree the terms of the engagement
with the client (these will not be the same terms as for
the audit, as the review will result in a lower level of
assurance than the annual audit).

The procedures follow the same pattern as an audit, but,
because this is a review not an audit, which gives a
lower level of assurance, they are not as detailed as
audit procedures.
The auditor should possess sufficient understanding of
the entity and its environment to understand the types of
misstatement that might arise in interim financial
information and to plan the relevant procedures (mainly
enquiry and analytical review) to enable him to ensure
that the financial information is prepared in accordance
with the applicable financial reporting framework.

The key elements of the review will be:
Enquiries of accounting and finance staff
Analytical procedures
The auditor should obtain written
representations from management that it
acknowledges its responsibility for the design
and implementation of internal control, that the
interim financial information is prepared and
presented in accordance with the applicable
financial reporting framework and that the effect
of uncorrected misstatements is immaterial (a
summary of these should be attached to the

Management representation that all
significant facts relating to frauds or non-compliance
with law and regulations have been disclosed to the
auditor and that all significant subsequent events
have been disclosed to the auditor.
Assessment of the going concern

The review will not include the following:

Inspection/observation and confirmation of accounting
Obtaining additional evidence in response to enquiries
Other typical audit tests i.e. tests on assets or liabilities

Auditors should make enquiries of members of
management responsible for financial and
accounting matters about:
Whether the interim financial information has
been prepared and presented in accordance with
the applicable financial reporting framework
Whether there have been changes in accounting
Whether new transactions have required changes
in accounting principle
Whether there are any known uncorrected
Whether related party transactions have been
accounted and disclosed correctly
Whether there have been unusual or complex
situations, such as disposal of a business
Significant assumptions relevant to fair values
Significant changes in commitments and
contractual obligations
Significant changes in contingent liabilities
including litigation or claims
Compliance with debt covenants
Significant transactions occurring in the last days
of the interim period or the first days of the next
Knowledge or suspicion of any fraud
Knowledge of any actual or possible non-
compliance with laws and regulations that could
have a material effect on the interim financial
Whether all events up to the date of the review
report that might result in adjustment in the
interim financial information have been identified
Whether management has changed its
assessment of the entity being a going concern
ISRS 4400: Engagements to perform agreed-
upon procedures regarding financial information
Such an engagement may involve the audit firm performing
certain procedures concerning individual items of financial
data, a financial statement or even a complete set of financial
Some of the areas covered by such procedures are as
Compliance with best practice recommendations on directors
Going concern review
Compliance with the Combined Code.
The auditor should ensure with representatives of the entity
and, ordinarily, other specified parties who will receive copies
of the report of factual findings, that there is a clear
understanding regarding the agreed procedures and the
conditions of the engagement.
The auditor should carry out the procedures agreed
upon and use the evidence obtained as a basis for the
report of factual findings. Procedures may include:
enquiry and analysis
recomputation, comparison and other accuracy checks
obtaining confirmations
No assurance is expressed because the audit firm is
simply reporting factual findings. (users of the report
form their own conclusion)
The report must be restricted to only those parties who
have agreed to the procedures to be performed.
Due Diligence
A typical due diligence engagement is where an
advisor (often an audit firm) is engaged by one
company planning to take over another to
perform an assessment of the material risks
associated with the transaction (including
validating the assumptions underlying the
purchase), to ensure that the acquirer has all the
necessary facts.
This is important when determining purchase
Similarly, due diligence can also be requested by

It may include some or all of the following aspects:
Financial due diligence (a review of the financial position and
obligations of a target to identify such matters as covenants
and contingent obligations)
Operational and IT due diligence (extent of operational and
IT risks, including quality of systems, associated with a
target business)
People due diligence (key staff positions under the new
structure, contract termination costs and cost of integration)
Regulatory due diligence (review of the target's level of
compliance with relevant regulation)
Environmental due diligence (environmental, health and
safety and social issues in a target)

Risks involved
Information for the target company is not readily accessible
to us, since our client is the acquirer
Need to be careful in identifying the values since the aims of
the two managements involved are different, i.e. the aim of
the target company is to achieve a higher price and the aim of the
management of the acquirer [our client] is to achieve the
lowest price.

Note that although due diligence uses the techniques of a
review engagement it is unlikely that any assurance
(positive or negative) will be provided. It is normally a report
of factual findings.

Procedures to follow [assume a full comprehensive review]
Review of:
The business i.e. history, nature, competitors, risks
The company i.e. mission, management, departments,
complexity, organization
Financial Aspects i.e. financial statements, policies,
changes, recurring and non-recurring activities
Hidden risks i.e. commitments, contracts, contingencies, tax
liabilities, off balance sheet finance
Human Resource Issues i.e. trade unions, remuneration
packages, training

Compilations - ISRS 4410
In a compilation engagement, the accountant is engaged
to use accounting expertise as opposed to auditing
expertise to collect, classify and summarise financial
A compilation engagement is one where the accountant
is engaged to compile information. Examples include:
Preparing financial statements
Preparing tax returns
The information to be compiled does not have to be
financial information.
Assertions underlying the information are not tested and
no assurance is given.

The accountant does not give any assurance on the
information. However, the reader of the information will
gain some benefit from the accountant's involvement
because the service will be performed with professional
competence and due care.
The terms of the engagement should be agreed with the
client and the management should acknowledge their
responsibility for the presentation of the information. This
is often known as accounts preparation work.

Identify which of the following are agreed upon procedures
and which are compilation engagements:
Preparing a tax computation for the tax authorities
Reporting to a bank on whether the company is likely to
breach the terms of covenants
Preparation of financial statements
Reporting to regulators on compliance with financial
requirements of the regulator
Putting together a cash flow forecast for the bankers
Consolidating the accounts of several subsidiaries

Answer 12.2
Agreed upon procedures
Reporting to a bank on whether the company is likely to
breach the terms of covenants
Reporting to regulators on compliance with financial
requirements of the regulator
Compilation engagements
Preparing a tax computation for the tax authorities
Preparation of financial statements
Putting together a cash flow forecast for the bankers
Consolidating the accounts of several subsidiaries

Assurance engagements
An assurance engagement is one where a
professional accountant or practitioner evaluates
or measures a subject matter that is the
responsibility of another party against suitable
criteria, and expresses an opinion which
provides the intended user with a level of
assurance about the subject matter.
It is implied that such an opinion requires
evidence to be reached and a report to
communicate it.

Elements of an assurance engagement
Whether a particular engagement is an assurance
engagement or not will depend upon whether it exhibits all
the following elements:
(a) A three party relationship involving:
(i) a practitioner;
(ii) a responsible party; and
(iii) intended users (ie the person(s) that the report is
prepared for).
(b) An appropriate subject matter;
(c) Suitable criteria: ie the benchmarks used to evaluate or
measure the subject matter
(d) Sufficient appropriate evidence; and
(e) A written assurance report (providing either reasonable or
limited assurance).
Exercise 12.3
State specifically what the elements of an
assurance engagement would be for an
audit of financial statements.

Practitioner: Auditor.
Responsible party: Audit client management.
Intended users: Shareholders (primary users).
Subject matter: The entity's balance sheet / statement of
financial position, statements of income and cash flows.
Suitable criteria: Financial Reporting Standards.
Sufficient appropriate evidence: Evidence of audit
procedures: tests of controls, substantive procedures,
Assurance report: Positive assurance: the financial
statements give/do not give a true and fair view.

Examples of assurance
Risk assessments
System reliability
Fraud investigations
Social and Environmental audits

ISAE 3000: Assurance
ISAE 3000 provides standards for
assurance engagements other than
audits or reviews of historical financial
information. In substance, many of the
requirements are similar to those required
for an audit or a review.
Assurance services improve the quality of
decision-making for users of information.

Requirements of standard
Accepting and continuing appointment
The practitioner should ensure compliance with the Code of Ethics for
Professional Accountants and the Quality Control Standard
(ISQC 1) with regard to the assignment.
Possess the necessary professional competencies to carry
out the assignment
The engagement must also genuinely be an assurance
engagement, that is, it must have the characteristics of an
assurance engagement (a three party relationship between
the practitioner, the intended user of the information and
the party responsible for the information). The responsible
party may be an intended user so long as he is not the sole
intended user of the information.
The practitioner should agree on the terms of the
engagement with the engaging party. For the avoidance of
confusion, this should normally be done in writing.
Planning and performing the engagement
The practitioner should plan the engagement so that it will be
performed effectively. This involves developing:
An overall strategy
A detailed engagement plan
Matters to be considered
Understanding of the entity and its environment
Appropriateness of the subject matter and criteria
- The subject matter should be capable of consistent evaluation
and measurement and capable of being subject to procedures
and evidence gathering.
- The criteria must be appropriate. For example, if an assurance
subject matter was design of internal controls, internationally
recognised criteria such as the COSO framework would be
appropriate (other example requirements of Combined Code).
Materiality and engagement risk
Obtain appropriate evidence on which to base the conclusion by
performing procedures using a combination of
inspection, observation, confirmation, recalculation,
APs and inquiry.
Document matters arising
Consider subsequent events
Assess the work of any expert used (the expert should be suitably
qualified and possess adequate skills)

In a reasonable assurance engagement, a practitioner
should be able to give a 'positive' expression of his
conclusion. This does not mean that a report in a
reasonable assurance engagement should not be
modified, it means the practitioner should be able to
draw a conclusion on the basis of the evidence
ISAE 3000 does not stipulate a standardised format
for the report. Different wording will have to be used
depending on the engagement.

To include:
Title and addressee identified in engagement letter
Nature of engagement [e.g. internal audit, health &
Respective responsibilities
Scope of work and restrictions to be noted and the level
of assurance
Disclaimer/restriction of use
Standards and criteria used
In our opinion internal control is effective in all material
aspects based on XYZ criteria

Risk assessments
The management of business risk is critical as directors
must safeguard the assets of the company.
An audit firm might be engaged to give assurance on the
management of such risks.
Interested stakeholders, particularly investors, need
assurance that the risk taken by the company, in effect
with their investment, is acceptable to them and that the
returns that they receive are in accordance with that
level of risk.
Other stakeholders will also be interested in the
effectiveness of risk management in a company.
Examples are lenders and employees. This is because
the ultimate risk is that a business might fail.

Possible assurance criteria
The criteria by which risk assessment is
evaluated will depend on the specific
needs of the company and the user.
However, some possibilities are:
The requirements of the UK Turnbull
Management's policy on risk management

Risk assessment services to be
provided by audit firms
identification and assessment of primary
potential risks faced by an entity;
independent assessment of risks identified
by an entity; and
evaluation of an entity's systems for
identifying and limiting risks.

Systems reliability
Directors are required to put information
systems in place in the business to be
provided with reliable timely accurate
Auditors can offer assurance services on
the design and operation of those
systems. Increasingly the systems used in
businesses are highly computerised.

Computer systems
The two key risks are:
The system being put at risk by a virus or breakdown
The system being invaded by an unauthorised user who could
Affect the smooth operation of the system
Obtain commercially sensitive information
The client is likely to have contingency plans in the event of the
system being affected by the risks outlined above. However, it
is also important to know that the original system is as reliable
as could be expected, and whether it is the best system that the
company could be using, at the given cost.
The company might seek such assurances from its service
provider. However, the service provider has a vested interest in
the company believing that its system is reliable and the best
available, because he is paid to supply it.
This means that the directors might seek an assurance service
from its auditors, to undertake work to ascertain if the
assertions of the service provider are correct.
Electronic commerce
A business can engage in 'e-commerce' to a great or small
degree. The greater the involvement, the greater the
associated risk.
There are a variety of business risks specific to a company
involved in e-commerce.
Risk of non-compliance with law, issues of where the domain
is for legal purposes
Contractual issues arising: are legally binding agreements
formed over the Internet?
Risk of technological failure (crashes) resulting in business
Difficulties in determining accounting policies (particularly
relating to revenue)
Impact of technology on going concern assumption, extent of
risk of business failure
Security risks Vulnerable to attacks from
access to confidential information
steal and sell information
corruption of information [viruses]
Loss of trust in the system / reputational risk
Cost in developing and operating a website
More competition and lower profit margins
may cause financial problems to the
Web assurance
It has been a feature of electronic commerce that people
seem to be happy to browse on line, but less happy to make
purchases, due to a lack of knowledge about the company
they were dealing with. This led to concerns about
Processing of the transaction
Use of the personal information that must be given to
complete the sale
Poor business practices by the company (late delivery/errors
in orders etc)
Web assurance seeks to remove this barrier by providing
assurance to the users of the service.
Assurance that the systems and tools used in e-commerce
provide appropriate data integrity, security, privacy and
An example of an assurance service developed in relation to
e-commerce is WebTrust.
Web Trust
An assurance assignment under WebTrust would involve
looking at the assertions of the company relating to the
concerns above, and seeking evidence as to whether what
they say about their service is true, and whether their
systems comply with pre-determined criteria.
The outcome of the exercise is that if the accountant has
assurance that the systems comply and the
representations made about the service are fair, the website
can be WebTrust accredited.
Web Trust Certification
This is the procedure that tests whether a website business
complies with certain principles and criteria that ensure
the integrity, security, privacy and reliability of the data.

Web Trust principles
(1) Business Practices & Disclosures: business
transactions are executed in accordance with
disclosed business practices.
(2) Transaction Integrity: the web site maintains
effective control to complete customers' orders
and bill customers as agreed.
(3) Information Protection and Privacy: the web
site maintains controls to protect private
customer information from uses unrelated to its

Exam Focus
In April 2002 the previous examiner wrote an
article in the Student Accountant, "e-com, 'e-saw,
This outlines the issues discussed in international
guidance relating to e-commerce and the audit. It
is not designed to give guidance on assurance
engagements relating to a business's Internet
activities. However, the issues relating to controls
are relevant in the context of providing assurance
on systems.
