
Lecture 11

Assurance and Assurance Related Services: Review, Compilation,
Profit Forecast, Agreed Upon Procedures and Others

1
Learning Outcomes
• Describe and identify other types of
professional services offered by accountants,
e.g.
– Engagement to review financial statements
– Engagement to perform agreed-upon procedures
– Engagement to compile financial information
• Describe and draft the procedures for review,
agreed-upon procedures, compilation and
examination of prospective information
2
Introduction
• Accountants are called upon to provide services other than
audits of historical financial statements.
• Accountants are increasingly asked to perform a variety of
audit-like services, known as attest services, for different
purposes. In an attestation engagement, accountants
report on the reliability of information or an assertion made
by another party. An example is when a bank requests an
accountant to report in writing whether an audit client has
adhered to all requirements of a loan agreement. This type
of service could be an assurance or a non-assurance service.
• How much to assure, how much evidence to collect and
what report to issue depend on the nature of the engagement
services.

3
Public accounting firm services
• Public accounting firms may divide their services
somewhat differently between these two
broad categories, but the services provided by
Chartered Accountants generally can be
classified as follows:
• 1) Assurance services
• 2) Non assurances services

4
Assurance vs non assurance
services
1. Assurance services
• Over historical financial statements:
— Audits (year financial statements audit and special
purpose audit)
— Reviews
• Over other financial and nonfinancial information:
— Attestation engagements
— Other assurance services
2. Non-assurance services
• Consulting services
• Tax services
• Valuation services
• Personal financial planning
• Compilations/Agreed upon procedures
5
Attestation services
• When the practitioner is asked to deliver services related to
providing some level of assurance over subject matter information
other than historical financial statements, the service is known
as an attestation engagement.
• However Audits, reviews, and compilations of historical financial
statements are governed by specific standards related to those type
services and are not considered attestation engagements.
• Attestation engagements are best suited for engagements where
assurance is needed over subject matter information that involves
elements of financial statements less than complete statements
(such as accounts payable or inventory balances) or nonfinancial
information (such as performance statistics, compliance
requirements, or internal control systems or processes).

6
Examples of attestation
engagements
• Agreed-upon procedures engagements
• Reporting on financial forecasts and projections
• Reporting on pro forma financial information
• Reporting on an entity’s internal control over
financial reporting
• Reporting on controls placed in operation for
third-party service organizations
• Compliance with laws and regulations

7
Attestation engagement
• Attestation engagements can be classified
based on how the subject matter
information is initially evaluated or
measured against suitable criteria, in one of two
ways:
• Assertion-based engagements.
• Direct reporting engagements

8
Assertion-based engagements.

• In assertion-based engagements, the evaluation or
measurement of the subject matter information is initially
performed by the responsible party, and the subject
matter information is in the form of an assertion by the
responsible party. For example, the management of an
entity (the responsible party) has evaluated its
compliance with the provisions of debt covenants
prescribed by a long-term debt agreement and asserts
that it has complied, in all material respects, with such
requirements.

9
• Examples of assertions include
management’s assertion that the entity
maintains an effective internal control
over financial reporting and
management assertions contained in
the financial statements.
• The practitioner’s conclusion provides
assurance or adds credibility (to the
assertion) when it supports the
management’s assertion.
10
Direct reporting engagements

• In direct-reporting engagements, the practitioner directly
performs the evaluation or measurement of the subject
matter information without any assertion by the responsible
party, or obtains representation from the responsible party
that it has performed the evaluation or measurement but the
information is not available to the intended users. For
example, when management of an entity (the responsible
party) has not evaluated its compliance with the provisions
of debt covenants prescribed by a long-term debt agreement
and therefore makes no assertion as to compliance, the
practitioner may directly evaluate and measure compliance
and report the results to the intended users.

11
• In such engagements, the practitioner may
also obtain a representation from the
responsible party that it has performed the
evaluation, but such representation is not
available to the intended users.
• The practitioner expresses a conclusion
on the subject matter information which is
provided to the intended users in the
assurance report.

12
What is the difference between an audit and an
attestation?
In an audit, an accountant expresses an opinion as to
whether or not a set of financial statements is presented fairly
with respect to the generally accepted accounting principles
(or IFRS, etc).

In an attestation engagement, an accountant expresses an
opinion on the reasonableness of a particular assertion or set
of assertions. Examples of assertions covered by attestation
engagements include financial forecasts and compliance with
laws or procedures.

Note also that audits and attestations are performed based on
different sets of standards (though they are functionally
identical in most ways).
13
Elliott Committee: Assurance
Services
Assurance services
are independent
professional services
that improve the
quality of information,
or its context, for
decision makers.
14
Assurance Engagements
An independent professional
service in which a practitioner
expresses a conclusion
designed to enhance the
degree of confidence of the
intended users other than the
responsible party about the
outcome of the evaluation or
measurement of a subject
matter against criteria.

15
IAASB: Assurance
Engagements

16
The Elements of an Assurance
Engagement
• An assurance engagement has the
following elements or characteristics:
1. A three party relationship involving a
practitioner, a responsible party, and
intended users.
2. An appropriate subject matter.
3. Suitable criteria.
4. Sufficient appropriate evidence, and
5. A written assurance report
17
Assurance Standards and
Assurance Level
• Reasonable assurance means that the engagement
assurance risk is reduced to an acceptably low
level in the circumstances of the engagement.
• In a limited assurance engagement the risk is
greater than for a reasonable assurance
engagement, but still acceptable in the
circumstances of the engagement.

The nature, timing and extent of procedures for
gathering sufficient appropriate evidence in a limited
assurance engagement are deliberately limited
relative to a reasonable assurance engagement.
18
Levels of Engagement
(A) In a reasonable assurance engagement such
as an audit of financial statements, the
practitioner reduces engagement risk to an
acceptably low level to obtain reasonable
assurance to express a conclusion in a positive
form. The procedures for obtaining the evidence
to support the conclusion would include
inspection, confirmation, calculation,
re-performance, observation, inquiry and analytical
procedures.

19
(B) In a limited assurance engagement such as a review
of financial statements, the practitioner will also reduce
the engagement risk to an acceptably low level, but in
such engagements, the engagement risk is higher than
in a reasonable assurance engagement because of the
reduced and limited nature of evidence gathering
procedures.
• In a limited assurance engagement, the evidence
gathering procedures are deliberately limited relative to a
reasonable assurance engagement, and the practitioner
does not apply all the procedures used in a reasonable
assurance engagement. Consequently, the conclusion
in the assurance report is expressed in a negative form.

20
(C) No assurance—The practitioner provides no
conclusion or form of assurance on the subject
matter information or the responsible party’s
assertion as to the subject matter information.
Most commonly applicable to agreed-upon procedure
engagements, the report is limited to describing the
procedures performed, their purpose, and the
factual findings identified as a result of the
procedures performed. The intended users are to
assess for themselves the procedures and findings
and draw their own conclusions.

21
IAASB: Assurance
Engagements
• Ethical requirements.
• Appropriate subject matter.
• Suitable criteria.
• Sufficient appropriate evidence.
• Practitioner’s conclusion in a written report.
• Reasonable or limited assurance.
• Conclusion in positive or negative form.
• Rational purpose.

Assurance engagement risk is the risk that the
practitioner expresses an inappropriate conclusion
when the subject matter information is materially
misstated.
22
Subject Matter
• Two important conditions relating to
the subject matter:
– The subject matter must be identifiable
and capable of consistent evaluation
against suitable criteria.
– The subject matter must be in a form
that can be subjected to procedures for
gathering evidence to support that
evaluation.
23
Criteria
• The criteria for all assurance engagements must
be suitable to enable reasonably consistent
evaluation of the subject matter within the context
of professional judgment. Suitable criteria should
exhibit the following characteristics:
– relevance;
– completeness;
– reliability;
– neutrality; and
– understandability.

24
Assurance Services
• Financial Statements Audit (ISA 200-700)
(based on fair value, accrual, matching)
• Special purpose audit (ISA 800)
A professional accountant may be engaged to
report on financial statements prepared on another basis
of accounting, or engaged to report on a
specific component of the financial
statements or on an entity’s compliance with
financial matters in a contract or agreement.
25
Special purpose audit- Other
basis of accounting
• Basis used to comply with the
requirements of a regulatory agency
• Cash or modified cash basis
• Income tax basis

26
Reviews

27
Review of Historical Financial
Information
• Review as an alternative to an audit.
• Review performed by the auditor of the entity, for
example review of interim financial information.
• Historical financial information.
• Inquiries and analytical procedures.
• Limited assurance.
• Negative form of expression of the conclusion.

Negative form of expression of the conclusion:
The review provides a basis to express a conclusion whether
anything has come to the practitioner’s attention that causes
the practitioner to believe that the financial information is not in
accordance with the applicable financial reporting framework.
28
Review of Financial Statements
• The general procedures for a review
of financial statements would involve
the following:
– Obtain an understanding of the entity’s
business and the industry in which the
entity operates. - This would include
knowledge of the entity’s organisation,
production, distribution, and operating
locations.

29
– Obtain an understanding of the accounting
systems and the nature of the entity’s assets,
liabilities, revenues, and expenses. – This
would include inquiries about the entity’s
procedures for recording, classifying, and
summarising accounting transactions; and the
entity’s accounting policies and practices
– Inquire of the entity’s personnel
responsible for financial reporting about all
the material assertions in the financial
statements, changes in accounting policies,
and subsequent events.
30
– Inquire about the actions taken at meetings of
the board of directors, shareholders, and
other relevant board committees.
– Perform analytical procedures to identify
relationships and individual items that appear
to be unusual.
– Read the financial statements to determine if
they conform to the identified financial
reporting framework.
– When considered appropriate, obtain written
representations from management
responsible for the financial statements.
31
Procedure for Review
ISRE 2400
• Make inquiries of management about:
– Company’s procedures for recording, classifying and summarising
transactions and disclosing information in accounts
– Actions taken in shareholders’ and board of directors’ meetings
– Whether accounts have been prepared in accordance with approved
accounting standards, consistently applied
– Whether all transactions are recorded
– Whether there are any changes to the company’s business
activities and accounting principles and practices
• A review engagement does not include:
– Understanding and test of controls
– Specific test of balances
– Procedures to identify subsequent events. Only inquiries about
subsequent events are required

32
Differences between a review and audit of
financial statements
• The objective of audit is to express an opinion
whether the financial statements give a true
and fair view.
• Provides positive assurance on assertions.
• Provides reasonable but not absolute
assurance.
• Auditors apply approved standards on
auditing as performance criteria.

33
• Perform auditing procedures such as
confirmation, inquiry, physical
examination, inspection, computation
and observation
• Requires an understanding of internal
control.
• Auditor provides an audit report.

34
• The objective of a review is to state whether anything has
come to the auditor’s attention that causes him to believe
that the financial statements do not present a true and
fair view.
• Provides negative assurance on assertions.
• Provides limited assurance (lower than the assurance
provided by an audit).
• Auditors comply with auditing standards applicable to
review engagements.
• Perform primarily procedures such as inquiry and
analytical procedures.
• Does not ordinarily involve assessment of accounting
and internal control.
• Auditor issues a review report.
35
Review Report – Unqualified
report Appendix 3
• We have reviewed the accompanying balance sheet of ABC as at 31st
December 2003 and the related statements of income and cash flow for
the year then ended. These financial statements are the
responsibility of the company’s management. Our responsibility is to
issue a report on these financial statements based on our review.
• We conducted our review in accordance with the approved standards of
auditing in Malaysia applicable to review engagements. This standard
requires that we plan and perform the review to obtain moderate assurance
as to whether the financial statements are free from material
misstatement. A review is limited primarily to inquiries of company
personnel and analytical procedures applied to financial data and thus
provides less assurance than an audit. We have not performed an
audit, and accordingly, we do not express an audit opinion.
• Based on our review, nothing has come to our attention that causes us
to believe that the accompanying financial statements are not
presented fairly, in all material aspects, in accordance with the approved
accounting standards.

36
Review report
Qualified - Departure from approved
accounting standards Appendix 4
• We have reviewed … (per the standard introductory paragraph)
• We conducted our review in accordance with the approved
standards of auditing … (per the standard scope paragraph)
• Management informed us that inventory has been stated at its cost,
which is in excess of its net realisable value. Management’s
computation, which we have reviewed, shows that inventory, if
valued at the lower of cost and net realisable value as required by
Approved Accounting Standards, would have been decreased by
RM3M, and net income and shareholders’ equity would have been
decreased by RM2.2M.
• Based on our review, except for the effects of the overstatement of
inventory described in the previous paragraph, nothing has come to
our attention that causes us to believe that the accompanying
financial statements are not presented fairly, in all material aspects,
in accordance with the approved accounting standards.

37
Review report
Qualified- Adverse report Appendix 4
• Standard intro and scope paragraph
• As noted in footnote xx, these financial statements do not reflect the
consolidation of the financial statements of subsidiary companies,
the investment in which is accounted for on a cost basis. Under the
approved accounting standards, the financial statements of the
subsidiaries are required to be consolidated.
• Based on our review, because of the pervasive effect on the
financial statements of the matter discussed in the preceding
paragraph, the accompanying financial statements are not
presented fairly, in all material aspects, in accordance with the
approved accounting standards.

38
Review of Historical Financial
Information

39
Review of Historical Financial Information

40
Compilation

41
Compilation service
• A compilation is often the result of an accounting service known as
write-up work. With compilations, or compiled financial statements,
the outside accountant converts the data provided by the client into
financial statements without providing any assurances or
auditing services.
• An example of a compilation report would be taking your internally
generated financial information and organizing it in financial statement
form. When doing so, no procedures or testing are performed and no
assurances are provided on the financial statements.
• In a compilation service related to financial statements, the practitioner
presents in the form of financial statements information that is the
representation of management, without undertaking to express any
assurance on the financial statements.
• Compilation does not absolve accountants of responsibility, as they are
always responsible for exercising due care in performing all duties.

42
A compilation engagement may be required for various purposes:
• To comply with mandatory periodic financial reporting requirements
established in law or regulation; or
• For purposes unrelated to mandatory financial reporting under
relevant law or regulation, including for example:
– For management or those charged with governance, prepared on a
basis appropriate for their particular purposes (such as preparation of
financial information for internal use).
– For periodic financial reporting undertaken for external parties under a
contract or other form of agreement (such as financial information
provided to a funding body to support provision or continuation of a
grant).
– For transactional purposes, for example to support a transaction
involving changes to the entity’s ownership or financing structure
(such as for a merger or acquisition).
43
Compilation engagement
• In conducting a compilation engagement, a professional
accountant applies his accounting expertise and does not
test the assertions underlying the preparation of the
financial statements
• The accountant should read the compiled financial
statements to determine whether they are in appropriate
form and free from obvious errors such as mathematical
or clerical mistakes or mistakes in the application of
accounting standards.
• The accountant is not required to perform procedures to
verify information supplied by the client.

44
• If he is aware that information supplied by the client is not
correct, he should consider performing additional procedures
and request more information from management.
• If there are material misstatements in the financial
information and management refuses to make the
amendments, the accountant should not associate himself
with the statements.
• In addition if there is a departure from the identified
reporting framework, the accountant should ensure that
the fact is disclosed in the financial statements and he
should highlight the departure in his report.

45
Compilation

46
Procedures for compilation
ISRS 4410
• Establish an understanding with the client
about the nature and limitations of the
services to be performed and a description of
the report
• Obtain a general knowledge about the
business and operations
• Obtain a general understanding about the
client’s business transaction, accounting
records, employees and the basis, form and
content of the accounts.
• Make inquiries to determine whether the
client’s information is satisfactory
47
Procedures for compilation
• Read the compiled set of accounts and be alert
to any obvious omissions or errors from the
approved accounting standards
• Document matters which are important in
providing evidence.
• Obtain an acknowledgement from management
of its responsibility for the appropriate
presentation of the financial information and of
its approval of the financial information.

48
Report on an engagement to compile
financial statements
• On the basis of information provided by management,
we have compiled, in accordance with the approved
standards on auditing in Malaysia applicable to
compilation engagements, the balance sheet of ABC as
at 31st December 2003 and the statements of income and
cash flow for the year then ended. Management is
responsible for these financial statements. We have not
audited or reviewed these financial statements and
accordingly express no assurance thereon.

49
Report on an engagement to compile financial
statements – with an additional paragraph that
draws the attention to the compilation without
disclosure

• On the basis of information provided by management,
we … (per standard introductory and scope paragraphs)
• Management has elected to omit substantially all of the
disclosures and the statement of cash flows required by
the approved accounting standards. If the omitted
disclosures were included in the financial statements,
they might influence the user’s conclusions about the
company’s financial position, results of operations and
cash flows. Accordingly, these financial statements are
not designed for those who are not informed about such
matters

50
Report on an engagement to compile financial
statements – with an additional paragraph that
draws the attention to a departure from the
approved accounting standards

• On the basis of information provided by management,
we have compiled in accordance with the approved
standards on auditing in Malaysia … (standard
introductory and scope paragraph)
• We draw attention to Note XX to the financial
statements because management has elected not to
capitalise the lease on plant and machinery, which is a
departure from approved accounting standards.

51
Examination of prospective
financial information
Forecast
or
Projection

52
Examination of prospective
financial information
• ISAE 3400
• Financial forecast: best-estimate assumptions
• Financial projection: hypothetical assumptions
• Conclusions
– Management assumptions: negative assurance

53
Forecast vs Projection
Forecast
• Prospective financial information based on assumptions as
to future events which management expects to take place
and the actions management expects to take
(best-estimate assumptions).
Projection
• Prospective financial information based on hypothetical
assumptions about future events and management actions,
or a mixture of best-estimate and hypothetical
assumptions.

54
Types of Prospective Financial Information

• Financial forecasts are prospective financial
information that presents an entity’s expected
results of operations or financial performance.
• They are based on best estimate assumptions
reflecting future events that the responsible
party expects to occur and the course of action
that the responsible party expects to take.
• Financial projections are prospective financial
information that presents an entity’s expected
financial position or operating results which are
prepared based mainly on hypothetical
assumptions.
55
• The primary difference between financial
forecasts and projections is that financial
projection is based on hypothetical assumptions
and it is an entity’s estimate of what will occur if a
specified hypothetical course of action is taken.
• It is intended to respond to a question such as:
“What would happen if…...?” A financial
projection is sometimes prepared to present one
or more hypothetical courses of action for
evaluation.

56
Assurance on Prospective
Financial Information
• Financial forecasts are prospective financial
information based on expectations of future
events and actions: general use.
• Financial projections are prospective financial
information based on hypothetical assumptions
about future events and actions: limited use.

57
Key areas to focus
• The key areas that forecasts and projections
relate to are capital expenditure, profits and
cash flows.
• Firms are often engaged to report on PFI for
various reasons.
• Problems include inherent uncertainties and
the extent to which auditors can be liable.
• ISAE 3400 The examination of prospective
financial information gives direction in this area.

58
Accepting Engagement
• The auditor should not accept, or should withdraw from, an engagement where:
─ The assumptions are clearly unrealistic; or
─ The auditor believes the PFI will be inappropriate for its intended use.

• The auditor and the client should agree on the terms of the engagement.
Before accepting such an engagement, the audit firm should consider the following
factors:
• The intended use of the information. For example, is it intended for internal or
external use?
• Whether the information will be for general or limited distribution.
• The nature of the assumptions on which the information is based.
• The information to be included.
• The period covered by the information.
59
Level of assurance
• Due to the nature of PFI, the audit firm will
be unable to conclude on whether the
results will be achieved. Also there may be
insufficient evidence available to conclude
that the assumptions are free from
material misstatement. Therefore, the
audit firm can generally only provide a
limited level of assurance

60
Negative assurance
In accordance with ISAE 3400 the auditor will give negative assurance.
Negative assurance is assurance of something in the absence of any evidence
to the contrary.
ISAE 3400 recommends negative assurance that the assumptions are a reasonable
basis for the PFI.

You would state in the report that nothing had come to
your attention that would cause you to believe that the
assumptions do not provide a reasonable basis for the
cash forecast.

61
Procedures to examine cash
flow forecast
• Recalculate and cast the cash flow forecast to verify arithmetical accuracy.
• Review past forecasts against actual outcomes to establish the accuracy of the company’s
forecasts in the past.
• If forecasts have been reasonable in the past, this would make it more likely that the
current forecast is reliable.
• Confirm the assumptions that have been made in the preparation of the cash flow
forecast. For example, you are aware that costs are rising so you would expect cost
increases to be reflected in the cash forecasts.
• Review the sales department’s detailed budgets for the two years ahead and discuss
with them the outlets that they will be targeting. This would help the auditor to
determine whether the cash derived from sales is soundly based.

62
Procedures to examine cash
flow forecast (Continued)
• Review the production department’s assessment of the non-current assets
required to increase the production of wedding cakes to the level required
by the sales projections. Obtain an assessment of the estimated cost of
non-current assets, reviewing bids from suppliers, if available. This would
provide evidence on material cash outflows.
• Agree the opening balance of the cash forecast to the closing balance of the
cash book, to ensure the opening balance of the forecast is accurate.
• Consider the adequacy of the increased working capital that will be required
as a result of the expansion. Increased working capital would result in cash
outflows and it would be important to establish its adequacy.
• If relevant, review the post year-end period to compare the actual
performance against the forecast figures.
• Review board minutes for any other relevant issues which should be
included within the forecast.

63
Reporting on entity’s Risk
management & internal control

64
Reporting on an entity’s internal
control
• In line with s 404 of the SOX Act 2002 (US)
• Listed companies in Malaysia are
required to issue a statement of internal
control in line with the requirement of
MCCG

65
Directors’ statement on risk
management & internal control
• As a principle of good CG, companies should maintain
sound internal control to safeguard shareholders’ investment
and the company’s assets. This is recognized in the MCCG,
which places the responsibility for proper internal controls
on the directors of the company and considers it the directors’
duty to review the adequacy and integrity of a company’s
internal control.
• In Malaysia the BOD of listed companies is required to
make disclosures on the state of internal control and risk
management. These disclosures, referred to as the directors’ statement on risk
management & internal control, are normally presented in a
separate statement in the annual report of the company.

66
Recommended Practice Guide
AAPG 3 (old RPG 5)
• Based on the guidance provided in AAPG
3, the review is conducted to assess whether
the statement on internal control properly
reflects the process the entity has adopted
in reviewing the adequacy and integrity of
its internal control systems.
• The review report on the statement on
internal control contains an expression of
negative assurance (limited assurance).
67
US SOX 404
• In the US, SOX 2002 has made it mandatory for
the management of public listed companies to issue
an internal control report. In addition to
acknowledging its responsibility for maintaining
adequate internal control, the management of public
entities also issues an assertion regarding the
effectiveness of the internal control over financial
reporting. Under US SOX, the independent auditors
of the company are required to express an opinion
on the management’s assertion regarding the
internal control over financial reporting.
68
Agreed-Upon Procedures ISRS
4400

69
Agreed Upon Procedures Engagements

• An agreed upon procedures engagement is one in
which a practitioner is engaged by a client to
issue a report of findings based on specific
procedures performed on financial or other
information. In such engagements, procedures of
an audit nature are normally applied.

70
The important matters that must be agreed-upon between
the practitioner and the client in such an engagement
include:
– Nature of the engagement – to state that the procedures
do not constitute an audit or a review and that no
assurance will be expressed.
– Purpose of the engagement.
– Identification of the financial information to which the
procedures will be applied.
– Nature, timing and extent of the specific procedures to
be applied in the engagement.
– The expected form of the report of factual findings.
– Limitations or restrictions on the distribution of the report.

71
Procedures for performing agreed
procedures engagement
ISAE 4400
• The auditor should carry out the procedures agreed upon
and use the evidence obtained as the basis for the report
of factual findings. The procedures may include:
- Inquiry
- Observation
- Inspection
- Obtaining confirmation

• It is important to describe the purpose of the
engagement and the ‘agreed procedures’ to be
carried out, so that the reader can understand the nature
and extent of the work carried out by the accountant.

72
Agreed-Upon Procedures

73
74
Trust services

75
Trust Services Engagement
• Electronic commerce involves individuals and
organisations conducting business transactions using
computers, for example EDI, where formal contracts exist
between business parties over the internet. This growth in
technology has increased concerns by businesses and
individuals.
• AICPA & CIA developed SysTrust and WebTrust, two
unique sets of principles by which professional
accountants could evaluate business systems and
controls.
• The underlying principles of these two
services were combined into one common set of principles called Trust Services.

76
Trust Services (apply to both WebTrust
and SysTrust)
Principles are:
• Security― The system is protected against unauthorised
access (both physical and logical).
• Availability― The system is available for operation and use
as committed or agreed.
• Processing Integrity― System processing is complete,
accurate, timely, and authorised.
• Online Privacy― Personal information obtained as a result of
e-commerce is collected, used, disclosed, and retained as
committed or agreed.
• Confidentiality― Information designated as confidential is
protected as committed or agreed.
• Refer to the guides issued by AICPA
77
WebTrust engagement
During a WebTrust engagement, the practitioner
“audits” a company’s online business practices to
verify compliance matters such as privacy,
security, availability, confidentiality, consumer
redress for complaints, and business practices.
WebTrust provides suitable criteria for practitioners
as well as a licensing process that enables CPAs
to provide reasonable assurance on Web sites.

78
WebTrust Assurance Process
A practitioner may provide assurance service on a website by
following the WebTrust assurance process. The entity would have
to meet all of the WebTrust Principles as measured by the
WebTrust Criteria. The professional accountant would conduct an
examination to verify and attest to the management's assertions.
The process would include the following:
• Obtain an understanding of the entity’s electronic commerce
business practices and its controls over the processing of
electronic commerce transactions and the protection of related
private customer information.
• Selectively test transactions executed in accordance with the
disclosed practices.
• Test and evaluate the operating effectiveness of the controls.
• Perform other procedures that are considered necessary.

79
SysTrust
• As more organizations become dependent on information
technology to run their businesses, produce products and
services, and communicate with customers and business
partners, it is critical that their systems be secure,
available when needed, and consistently able to produce
accurate information.
• An unreliable system can trigger a chain of business
events that negatively affect a company and its
customers, suppliers, and business partners. SysTrust
responds to this business need by providing suitable
criteria and a process that enables a CPA to provide
assurance that a
80
SysTrust
• The system components include its
infrastructure, software, personnel, procedures
and data
• SysTrust follows the principles of Trust Services
• The professional accountant evaluates a system
against the Trust Services principles and criteria
to determine whether controls over the system
exist.
• The practitioner then performs tests to determine
whether those controls were operating
effectively during the specified period.

81
End of Lecture

82
