REVIEW, COMPILATION, AND PREPARATION SERVICES Statements on Standards for Accounting and Review Services (SSARS), • Represent the standards for preparation, compilation, and review engagements of financial statements • Issued by the Accounting and Review Services Committee of the AICPA. Because the assurance provided in a preparation, compilation, or review engagement is considerably below that of audits, less evidence is required for these services and they can be provided at a lower fee than an audit. The relationship between evidence accumulation and assurance attained is shown in Figure 25-1.
3 Preparation Services: In a preparation service engagement, the
CPA is engaged by the client to prepare or assist in preparing financial statements, but the CPA does not provide any assurance on the financial statements or issue a report. The CPA’s responsibilities when performing a preparation service are similar to those performed in a compilation. The key differences are: • The CPA does not issue a report. • The CPA does not need to assess independence.
REVIEW OF INTERIM FINANCIAL INFORMATION FOR PUBLIC COMPANIES The SEC requires that quarterly financial statements be reviewed by the company’s external auditor prior to the company filing of the Form 10-Q with the SEC. • Because the same CPA must perform both the annual audit and the quarterly reviews, they are referred to as auditors, not accountants, for the interim review. Like a review under SSARS, a public company interim review includes the same five requirements for review engagements. However, the two types of reviews have the following differences: 1. Because an annual audit is also performed for the public client, the auditor must obtain sufficient information about the client’s internal control for both annual and interim financial information.
REVIEW OF INTERIM FINANCIAL INFORMATION FOR PUBLIC COMPANIES (CONT.) The two types of reviews have the following differences (cont.): 2. The auditor’s knowledge of the results of the annual audit procedures is used in considering the scope and results of the inquiries and analytical procedures for the review. 3. Under SSARS, the auditor makes inquiries about actions taken at directors’ and stockholders’ meetings; for a public company, the auditor reads the minutes of those meetings. 4. The auditor must also obtain evidence that the interim financial information agrees or reconciles with the accounting records for a public company interim review.
An example of a report for interim financial statements for a public company is
ATTESTATION ENGAGEMENTS In an attestation engagement, the CPA reports on the reliability of information or an assertion made by another party. Attestation Standards: The AICPA has issued attestation standards that are stated in sufficient general terms to enable CPAs to apply them to any attestation engagement. To provide additional guidance, the Auditing Standards Board of the AICPA issues Statements on Standards for Attestation Engagements (SSAE).
ATTESTATION ENGAGEMENTS (CONT.) Types of Attestation Engagements: The Auditing Standards Board decided not to attempt to define potential boundaries of attestation engagements in conceptual terms because new services are likely to arise. Levels of Service: Attestation standards define three levels of service: 1. Examination—Results in a positive conclusion, expressed in the form of an opinion. An example of this report is included in Figure 3-6. 2. Reviews—CPA provides a moderate level of assurance that is expressed as a negative assurance conclusion. 3. Agreed-upon procedures—The degree of assurance varies with the specific procedures agreed to and performed. The types of engagements and related reports are shown in Figure 25-7.
REPORTS ON CONTROLS AT SERVICE ORGANIZATIONS (SOC REPORTS) There are three types of service organization control (SOC) reports, which are referred to as SOC 1, SOC 2, and SOC 3 reports. SOC 1 Reports: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, is intended to meet the needs of entities that use service organizations and their auditors, who are responsible for understanding internal controls over financial reporting at service organizations. There are two types of reports on controls: 1. Report on management’s description of a service organization’s system and the suitability of the design of controls (Type 1 report). 2. Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls (Type 2 report).
REPORTS ON CONTROLS AT SERVICE ORGANIZATIONS (SOC REPORTS) (CONT.)
SOC 2 Reports: Report on Controls at a Service Organization
Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. The auditor uses the criteria in the Trust Services Principles for evaluating and reporting on controls in these areas. These are shown in Table 25-2. SOC 3 Reports: Trust Services Report for Service Organization: Similar to an SOC 2 Report, except it is intended for wide distribution to current or potential users of the service organization.
When the auditor and management or a third-party user
agree that the engagement will be limited to certain specific procedures, it is referred to as an agreed-upon procedures engagement. Agreed-upon procedures engagements appeal to CPAs because management, or a third-party user, specifies the procedures they want done and then the CPA issues a report describing the procedures agreed upon and the findings resulting from the procedures.