ACCA P7 Chapter 12 Assurance Services

ACCA P7 lectures Download P7 notes

Chapter 12

Introduction to Assurance Services

The objective of an assurance engagement is the evaluation of a subject matter that is the responsibility of another party using identified suitable criteria, and to express a conclusion that provides the user with a level of assurance about that subject matter.

Elements of assurance engagements 

Whether a particular engagement is an assurance engagement will depend upon whether it exhibits all the following elements:

a three party relationship involving:

a professional accountant;

a responsible party; and

an intended user (this is the party that the report is prepared for).

a subject matter;

suitable criteria: these are the standards or benchmarks used to evaluate or measure the subject matter

a conclusion.

The subject matter may include:

information such as historic or prospective financial information, statistical information or performance indicators.

systems and controls

behaviour such as corporate governance, compliance with regulation or human resource practices

Level of assurance provided

In an attest engagement, the conclusion relates to an assertion by the responsible party. The assertion is the responsible party’s conclusion about the subject matter based on identified suitable criteria. The professional accountant can either express a conclusion about the assertion made by the responsible party, or provide a conclusion about the subject matter in a form similar to the assertion made by the responsible party.

In a direct reporting engagement, the professional accountant expresses a conclusion on the subject matter based on suitable criteria, regardless of whether the responsible party has made a written assertion on the subject matter.

Professional accountants ordinarily undertake engagements to provide either a high or a moderate level of assurance. Engagements are affected by various elements, for example, the degree of precision associated with the subject matter, the nature, timing and extent of procedures, and the sufficiency and appropriateness of the evidence available to support a conclusion.

‘High level assurance’ means that the professional accountant has obtained sufficient appropriate evidence to conclude that the subject matter conforms in all material respects with identified suitable criteria.

‘Moderate level assurance’ means that the professional accountant has obtained sufficient appropriate evidence to be satisfied that the subject matter is plausible in the circumstances.

Work required

The terms of the engagement should be agreed with the party who engages the practitioner.

Effective planning is required as with an audit.

The criteria to be used in the engagement must be considered as they will affect the amount of work required. Suitable criteria must be relevant, reliable, neutral, understandable and complete.

Sufficient appropriate evidence is required on which the conclusion is based. Sufficient documentation should be retained to provide evidence to support the conclusions reported and to show that appropriate standards were applied.

Form and content of reports

The international standard does not stipulate a standardised format for the report. Different wording will have to be used depending on the engagement.

A conclusion conveying a high level of assurance about the subject matter should usually be provided, with the report containing a clear expression of opinion.

Contents of report

The report must always include the following:

title;

addressee;

description of the engagement and identification of the subject matter;

statement to identify the responsible party and describe the accountant’s responsibilities;

if the report is for a restricted purpose, identification of the parties to whom it is restricted and for what purpose it was prepared;

identification of the standards under which the engagement was conducted;

identification of the criteria against which the subject matter was evaluated or measured;

a conclusion, including any reservations or denial of a conclusion;

date of the report; and

name of the firm or practitioner, and the place of issue of the report.

Risk assessment

Identification of business risks and how they are managed is a favourite topic of the examiner. In practice, an audit firm might be engaged to give assurance on the management of such risks.

The management of business risk is critical as directors must safeguard the assets of the entity.

Identification of risks

Many models are used to identify risks including:

Porter’s Five Forces

PEST analysis

SWOT analysis

Porter’s Five Forces

The examination of each of the five forces enable management to identify and evaluate the risks to the business. Collectively these factors determine the ability of the entity to make a profit.

PEST Analysis

This is a way of considering external factors which may impact upon the business.

The factors are:

Political

Industry regulations

Taxation issues

Social legislation

Environmental/Economic

Inflation

Exchange rates

Interest rates

Social

Welfare issues

Health and safety

Technological

SWOT Analysis

This approach is used to analyse the business internally in order to understand its current position with a view to developing a strategic plan. The following need to be identified:

Strengths

Weaknesses

Opportunities

Threats

The idea is to match strengths with opportunities and convert weaknesses into strengths. Threats should be converted into opportunities.

Analysing the risks

Risks need to be evaluated and quantified to determine how serious the risk is.

Risks are often prioritised as follows:

A – Immediate action is needed

B – Consider action and develop a contingency plan

C – Consider action

D – Keep under review

Control strategies will be needed to manage or mitigate the more serious risks identified.

Performance measurement

An audit firm may be asked to provide assurance on performance measures operating within a business.

Performance measurement aims to establish how well something or somebody is performing in relation to previous or expected activity or in comparison with another item or body.

The ‘item’ may be a machine, a factory, a subsidiary or the business as a whole. The ‘body’ may be an employee, a manager or a group of staff.

Performance measures

Different measures are appropriate for different businesses. Traditional financial performance measures are:

profit

revenue – costs

share price

cash flow

return on investment.

Financial measures do not give a full picture of a business’ performance. Increasingly entities are turning to non-financial performance measures.

Example

Suggest five non-financial performance measures that a manufacturing business could use internally.

Systems reliability

Businesses are exposed to risk if their computerised systems are unreliable. An audit firm may be asked to give assurance on the reliability of the systems in operation.

Example

What risks is a business exposed to as a result of unreliable systems?

Controls over computerised systems have been covered in earlier auditing studies.

Electronic commerce

The Internet

Many clients now conduct their business through the Internet.

Risks associated with the Internet.

Entities that engage in electronic commerce are subject to additional risks. Inherent risks arising can be categorised as follows:

Financial: if transactions fail then an entity will have difficulty remaining in business.

Reputational:
if the entity’s reputation is damaged, or confidence in its operations is lost, the entity will also have difficulty remaining in business.

Legal:
new legal issues need to be faced. Breach of these could give rise to serious problems.

Entities who sell via the Internet are faced with the following potential risks:

customer validity:
how do they know that a customer is who they say they are?

server reliability:
the site may be subject to denial of service attacks preventing the receipt of legitimate orders.

data theft:
firewalls can prevent this as they will deny external users the opportunity to access parts of the system.

A number of business risks are also faced including:

cash flow difficulties due to investment in the systems

loss of competitive advantage in a fast-moving market place if systems or processes fail or are suspended

failure of systems development

lack of profitability

customer dissatisfaction due to poor service

Assessment of internal controls

The assessment of controls becomes more complex as technology advances. The audit firm must consider the following in order to assess the system properly:

how many servers does the entity have?

what processing methods are used?

how is the network configured?

how are customers and suppliers authenticated?

what security methods are used?

how good are the general internal controls?

E-mail

E-mail reduces paperwork and results in speedier communication. However, there is a risk that unauthorised e-mails could result in unauthorised processing. Therefore, access controls over the system are paramount.

Electronic data interchange (EDI)

EDI refers to the exchange of electronic business documents between trading partners. The exchange of a fully integrated EDI system involves no papers and no human input.

The organisation needs to have controls in place to ensure that the data exchanged is authentic and secure.

Webtrust

Webtrust is designed to create confidence in consumers and entities who conduct business transactions over the Internet. Having the Webtrust seal on a business web site provides some assurance that the site owner has systems in place to preserve the confidentiality and security of a credit card holder.

The owner of a web site can engage a specially licensed accountant to provide the Webtrust assurance service. This accountant must conduct an updated assurance examination of the procedures in place at the site at least once every three months.