For full functionality of this site it is necessary to enable JavaScript. Here are the instructions how to enable JavaScript in your web browser.

CPE for Government Auditors

The Auditors


  • Identify when auditors work with internal controls
  • Distinguish between a control and a substantive or compliance test
  • Identify the differences between the COSO model and the COSO ERM model

This book, so far, has been written from the perspective of a manager trying to implement controls in his or her own organization.  Now we need to address an auditor’s perspective on controls because I imagine that many of you reading this book are auditors!

Because the COSO model is imbedded in auditing standards, auditors are usually required to consider controls on their audits.

In this section of the chapter, I want to make a few points about auditors and their responsibilities regarding internal controls:

  • How strong controls give the auditor confidence in their conclusions
  • Which steps of the audit involve internal controls
  • What a control test looks like, and how a control test supports the audit report
  • How auditors are required to react to weak controls

Strong controls give the auditor confidence in their conclusion

GAO and AICPA audit standards require auditors, who provide a high level of assurance that a subject matter meets a given criteria, to consider controls throughout their audits. Why?   Because strong internal controls let auditors know if they can believe what they see as they gather evidence to support their conclusions.  Weak internal controls make auditors doubt their conclusions. Consider this quote from the yellow book about evidence:

Yellow Book 6.61 a. Evidence obtained when internal control is effective is generally more reliable than evidence obtained when internal control is weak or nonexistent. 

For instance, let’s say an auditor chooses to sample 30 credit card charges out of 1500 credit card charges to determine whether the coach’s purchases were business related or not personal in nature.  And lets say that all 30 tests show that the coach’s purchases are business related.

If the auditors know that the school district has strong controls over credit card purchases, the auditor can confidently conclude that yes, everything is on the up and up, and the auditor can move on to tackle another audit objective because the auditor has put this objective to rest.

If, however, the controls are weak, the auditor has to wonder if maybe the sample didn’t scoop up his bad behavior, and the auditor feels less confident in the testing results.  The auditor may have to do some additional testing or a different kind of testing to comfortably conclude that the coach is not making personal purchases.

In other words, if the auditee has weak controls, the auditor’s test results are less convincing to the auditor.  And auditors are not going to put their professional name behind a conclusion (a conclusion that assures the reader that the subject matter meets a given criteria) they don’t believe in.

Auditors do not always have to work at a high assurance level.  Some audit standards allow auditors to get less assurance that the subject matter meets the criteria.  These are sometimes called reviews or agreed upon procedures.  And when an auditor is seeking limited assurance, they follow simpler standards, and these standards sometimes allow them not to worry about controls.

Which steps of the audit involve internal controls?

In an audit where the auditor is providing a high level of assurance that the subject matter meets the criteria, the auditor must consider controls in every phase of the audit: in the planning phase, the fieldwork phase and the reporting phase.

Consider this step-by-step process for conducting an audit and note how many times internal controls are mentioned:

Planning phase:

  1. Receive vague audit assignment
  2. Gain a general understanding of the audit subject and general control structure
  3. Choose relevant criteria to evaluate the subject matter against
  4. Break the audit subject into pieces
  5. Evaluate inherent risk for each of the pieces
  6. Refine objective and define sub-objectives
  7. Evaluate controls for each objective and sub-objective and determine key controls
  8. Design relevant tests – including substantive/compliance and control tests
  9. Allocate resources to the testing

Fieldwork phase:

  1. Formalize the audit program
  2. Perform substantive/compliance tests and control tests

Reporting phase:

  1. Write findings regarding fraud, waste, abuse, non-compliance, misstatements, control weaknesses
  2. Conclude against objectives
  3. Finalize report

Look how many times in that process I mentioned controls: Step #2, Step #7, Step #8, Step #11 and Step #12!  An auditor’s evaluation of the strength of the auditee’s controls shapes their audit and impacts their eventual audit conclusion that the subject matter meets the given criteria.

What kind of test are you performing?

Let’s focus on step #11 – perform substantive/compliance tests and control tests – for a few minutes.  Every time the auditor performs a test, they need to be conscious of how the results support their audit conclusion.  Ultimately, the auditor is interested in whether the coach used his card for personal purchases. The question of how he got away with it is usually of lesser importance to an auditor.

Our control objective for creating internal controls in this book is:  Do controls deter the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459? 

An auditor might also use that as their audit objective.  But they are more likely to write an audit objective that sounds like this:  Is the coach using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?

Did you catch the difference?  The auditor’s objective is asking whether the coach used his card for personal purchases.  The control objective we have been using throughout the book is asking whether the entity had any controls in place to deter him from using his card for personal purchases.  The auditor’s objective is missing the words ‘controls in place.’

The auditor may or may not be concerned about controls, as we discussed above.  The auditor has to be very clear what question he is asking because the question dictates the type of test the auditor must perform.  Phrasing the audit objective without the term ‘controls’ allows the auditor to focus on whether the coach actually broke the rules instead of only looking at whether controls were in place to keep him from breaking the rules.   Auditors find this demarcation so important that they label their audit tests in two categories.

What is a control test?

In general, auditors talk about audit tests as either control tests or substantive/compliance tests.

The term ‘substantive’ usually applies when the auditor is testing quantities, and the term ‘compliance’ is used when the auditor is testing another quality of the subject matter that does not involve dollars, such as eligibility.  A substantive/compliance test asks whether the subject matter meets the criteria.

A control test asks why the subject matter did not meet the criteria. Auditors need to tell the user  of the audit report if the coach used his card for personal purchases (the substantive/compliance test), but the auditor might also tell the users why he was able to do this without being caught (the control test).

Is it possible that the coach did not use his card for personal purchases even though there were no controls in place?  Sure, maybe he is an honest man.  Is it possible that the school has controls in place, but the coach still managed to buy some personal items with his card?  Yes, that is possible, too.  Here is a quote from the Green Book about that:

OV1.07 An effective internal control system increases the likelihood that an entity will achieve its objectives. However, no matter how well designed, implemented, or operated, an internal control system cannot provide absolute assurance that all of an organization’s objectives will be met. Factors outside the control or influence of management can affect the entity’s ability to achieve all of its objectives. For example, a natural disaster can affect an organization’s ability to achieve its objectives. Therefore, once in place, effective internal control provides reasonable, not absolute, assurance that an organization will achieve its objectives. 

So if the auditor wants to answer the question “Did the coach use his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?,” then the auditor could choose a sample of transactions from the credit card statement, match the transactions to the receipts and then compare the transactions to Grace School District Policy #C7.459 to determine if any of the purchases were personal.  The auditor would likely call this a compliance test although some auditors may call it a substantive test.

To find out why or how the coach was able to use his card for personal purchases, the auditor could also look at the documents that evidence that the accounting department matched purchases on the credit card statement to receipts and compared them to policy each month.  That would constitute a control test.

If the control test turns out well and the compliance test turns out well, the auditor can confidently conclude that the coach is not making personal purchases.

How auditors react to weak controls

If either one or both of the tests do not turn out well, then the auditor will probably write a finding and report the problems to management. The finding could look like this:

CONDITION: The coach is making personal purchases with his purchasing card.

EFFECT: 7 out of 30 transactions tested from a population of 1500 transactions were for personal items such as family meals, alcoholic beverages, and a gas grill.

CAUSE: Accounting did not reconcile credit card purchases from the credit card statement to actual receipts for 9 months out of the year.

CRITERIA: Grace School District Policy #C7.459 prohibits the use of the credit card for personal purchases and defines business purchases as bla bla bla.  Accounting department policy #18a requires the accounting department to perform monthly reconciliations of the credit card statement to receipts and to verify the business purpose of all purchases.

RECOMMENDATION: We recommend that the coach reimburse the district for personal charges.  The district should confiscate the Coach’s card. The accounting department should perform reconciliations of the credit card statement to receipts monthly to verify that purchases are business related.

Notice that the condition statement is supported by a compliance or substantive test and the cause is supported by a control test.

How will an auditor react if the client refuses to improve?

Let’s assume that the auditor includes the above finding in the audit report and recommends the auditee act to correct the problems.

What if the auditee does not accept the auditor’s recommendation? What if the auditee doesn’t want to discipline the coach because he has taken the team to the state championship for the past three years?  What is the auditor going to do now?

If the audit report makes it into the hands of the oversight body and grantors, the auditor – technically – does not have to do anything further because they have fulfilled their responsibility.  They sought assurance that the credit cards were being used for business purposes, and they reported that they were not being used for business purposes. The auditor suggested improvements and shared the results with all stakeholders.  Now the matter is in management’s hands.

The auditor is not responsible for internal controls, only for evaluating internal controls relevant to their audit objective and reporting any weaknesses.

But that doesn’t mean the auditor is going to let the issue drop.  Depending on the audit standards they are following, they might have a professional responsibility to follow up on the finding and report management’s progress.

Even without the prompting of a standard, the auditor might be more tenacious and decide not to let the issue drop.  An auditor has a variety of techniques at their disposal to prompt the client to make the change.

The auditor may hold a formal meeting with the oversight body to impress upon them the significance of the issue.  Depending on the culture of the organization, an informal chat on the bleachers at the state championship game with the chairman of the school board would be more apt to elicit change than a detailed audit report and formal meeting.

If the same auditor performs the audit next year, the auditor may expand the audit to include purchasing cards in other areas of the school and more findings may ensue.

The client’s refusal to do anything about the issue may prompt the auditor to elevate the category of finding from a ‘significant deficiency’ to a ‘material weakness’ in next year’s report.   In other words, a minor finding ( a significant deficiency) can become major (a material weakness) if the auditee refuses to take the auditor’s advice to strengthen controls.

The auditor can intensify the tone of the audit findings in the next year’s report by describing the situation in harsher terms and quantifying results in dramatic, eye-catching ways.  The auditor can qualify their audit conclusion in future reports.

If the auditee still won’t respond, auditors can remind the auditee of who else will be reviewing the report. An internal audit director of a large state agency could not get one of the divisions of the agency to improve controls after several meetings.  Eventually, she reminded the division director that her report would be shared with the state auditor’s office, and the state auditor may have questions for the division director about why he refused to implement the control.  The next day, the division director sent her a fully developed plan of action for implementing every one of her recommendations!

If none of these techniques elicits change, the auditor may choose not to perform the audit the following year. As you know, auditors are often criticized once a negative behavior comes to light that the auditor didn’t uncover.  In order to avoid criticism and a possible lawsuit, auditors will sometimes write a damning report, and then walk away from the client before the next risk hits the fan.

A client that refuses to acknowledge the auditors recommendations is likely engaging in other negative behaviors.  An uncooperative client, obviously, does not exhibit a strong ‘tone at the top,’ which is the very first principle necessary for a strong control structure mentioned in the Green Book!

What if the recommendations are not practical?

Now what if the reason the recommendations are not being followed is because the client is small and can’t implement the auditor’s recommendations because they are costly and impractical.  Here the auditor gets in a bit of a bind. The auditor knows that their small clients are never going to implement all 17 principles of the COSO model, but they also know that their client is at risk of something bad happening if they don’t implement more controls.

Auditors have a professional responsibility to let all stakeholders know about the risks their auditee is taking by not investing in controls.  And at the same time they know their clients can’t afford to invest any more money in controls.

In a case like this,, the auditor might just mention the issue in a report once and let it go.  Or the auditor could bring the issue up year after year in the audit report, but not escalate the matter if the auditee does nothing about it.  Each auditor will approach their responsibility differently depending on the auditor’s tenacity, their relationship with their client and their judgment about what is best for everyone involved.

How tenacious is your auditor?

The COSO ERM Model

Before we leave each other, I feel obliged to tell you that the COSO model has been used as a launching pad for another related model also promulgated by the COSO organization, the COSO ERM model.  ERM stands for Enterprise Risk Management.

The COSO ERM model was initially published in 2004 and was substantially revised in 2017.  The COSO ERM model focuses on organizational strategy and may better suit your purposes than the COSO model used by the Green Book.   Notice how this exhibit from the COSO ERM Executive Summary published in June of 2017 uses similar categories to our original COSO model and breaks the five components into 20 principles.  Presenting the model as a horizontal list eliminates some of the overlap and duplication issues we encounter with the COSO cube’s side and front.

The five components here loosely align with the COSO model’s five components:

  • ‘Governance and culture’ from the COSO ERM model loosely aligns with ‘control environment’ from the COSO model
  • ‘Strategy & objective setting’ and ‘performance’ loosely align with the COSO components of ‘risk assessment’ and ‘control activities’
  • ‘Review and revision’ from the COSO ERM model aligns with ‘monitoring’ in the COSO model
  • ‘Information, communication and reporting’ aligns with ‘information and communication’ in the COSO model.

Final thoughts

In the 1980’s, when I started my career, everyone in accounting and auditing gave lip service to internal controls and understood internal controls in a vague sort of way.  We knew that the same person that received the checks should not also deposit the checks and perform the cash reconciliations.

But the ideas of right and wrong procedures were not well documented and instead were passed down orally from one generation of accountants and auditors to another.  If you had a good boss, they would teach you the ropes and point you to a few tools to help you out.  If not, you were left hanging because there was no comprehensive literature to turn to.

Organizations who tried to do the right thing hired people who knew the ropes. Organizations who didn’t care about doing the right thing – or who didn’t know how to get their act together – struggled along.

Now, with the advent of the COSO model and the internet, we all have a standard that tells us how to get our act together.  Great minds who work with complex entities have spent time thinking about what ideal controls should look like.  And because the internet lets these great minds share their ideas easily, we have a document that we can access easily that collects their wisdom and advice in one place!

And these great minds didn’t stop with one draft; the more they think about and use the standard, the more they learn and the more they share.

I expect even more clarity and wisdom to evolve from these efforts, and maybe, one day, all of us can get our acts together because we know both what is right and how to make it right.

Truth! Justice! Order! And the American Way!  Wait… isn’t that Superman’s line?

Do I need an audit, a review, or a monitoring visit? What is the difference?

If you have doubts that your audit customer understands what you do and how important you are :) , share this article with them: 

Plenty, my friend!  Plenty.

So, you think you need an audit?  Or maybe you heard that you could get by with a review instead?  Maybe you were asked to find someone to do a performance audit? The folks who perform these tasks all give you some level of “assurance” that the something (like financial statements or a performance metric) is true; thus, we refer to them as assurance providers.

Wherever you are coming from, I hope that answering the questions below will do the following for you:
·      help you clarify what type of service and assurance provider you really need;
·      help you understand what your finished project will look like;
·      help you talk the “lingo” with your assurance provider when getting a bid;
·      help you find out how much this assurance service will cost you;
·      and give the appropriate assurance provider clarity on what you need them to do – exactly.
Because, as you can imagine, assurance providers are a pretty exacting bunch and you don’t want to waste your time or money!

Here are the questions to consider:

1. How “sure” do you want the professional to be of the truth?
2. Do you expect the professional to follow a professional standard in doing their work?
3. What exactly do you want verified?
4. Which professional are you going to ask to do the verification?
5. Who is using the report and do they have any expectations?
6. Do you need this professional to be completely objective and independent in order for the verification to hold water?
7. How much do you have to spend?
8. Do you want help making the necessary improvements that the professional identifies?

Let’s take each question in turn:

1. How “sure” do you want the professional to be of the truth?

Auditors, reviewers, and monitors are all offering assurance or verification that something is true.   [d1] Several audit standards refer to the work that auditors do as ”assurance services.”

And the more assurance a client wants that something is true, the more it costs the assurance provider to provide the assurance service.  Anyone can quickly scan a situation and decide if something is true or not or look into someone’s eyes and decide that they trust whatever the person is saying.  But assurance professionals don’t scan or trust!  They verify!  They test, they analyze, and they gather evidence to support everything they say in their final report.

Now, I want to be clear, that no assurance provider will promise absolutely that something is true, unequivocally, without a doubt.  That would be too scary a promise for them to make. But, they will provide “reasonable assurance” that something is true.

The term “audit” is reserved for engagements that offer a high level of assurance, as is the related term “examination.” In other words, a ”high level of assurance” means the auditor has gathered convincing, strong evidence that the subject matter meets the criteria.  A “review” offers a moderate level of assurance, and therefore, costs less to perform.  An ”agreed-upon procedure” offers no assurance whatsoever.  And a ”monitoring visit” is often silent about assurance all together and instead, points out flaws or noncompliance.  Monitors also help the entity fix the flaws or non-compliance.

Please notice that I will be using the term ”assurance service” instead of the term ”audit” as we discuss each of the questions. Because not every assurance service is a full-blown audit conducted at a high level of assurance.

2. Do you expect the professional to follow a professional standard in doing their work?

I am sure you are aware by watching the news and reading the newspaper that journalists do not promise to follow any standard of evidence in their reporting. Oftentimes hearsay, rumor, and personal opinion will suffice.  This gives journalists lots of leeway and freedom.

But professional assurance providers don’t have leeway and freedom. Every statement they make in their reports has to be backed up by convincing evidence. Professional assurance providers make a promise in their reports that something is true, and they have tests and documentation to back them up.

If the assurance provider follows a professional standard, you can have even more comfort that their promise is true because all professional assurance standards require that the assurance provider back up what they say with evidence.  I regularly teach seminars to assurance providers on how to gather and document strong, convincing evidence and the students love it.  It is probably their favorite topic because they are always looking for ways to get better evidence to support their audit reports.

All assurance standards require the auditor to gather evidence, undergo quality control reviews, and experience an audit themselves (called a peer review) that evaluates whether they are following standards and gathering good evidence.  You will have to trust the “word” of the assurance provider who does not follow these standards because there will be no quality standards or quality control system to make sure what they are saying is valid.

How can you tell if your assurance provider is following standards?  Look at their most recent reports.  If you see the following, you are golden:
“We conducted this audit in accordance with generally accepted audit standards…”
“We conducted this audit in accordance with generally accepted government auditing standards…”
“We conducted this audit in accordance with the International Professional Practices Framework….”

The standards do not say what I am about to say… because they have no right to say it… and neither do I, really.  But I am going to say it anyway!– and it is a very touchy thing to say to those who provide assurance.  Here it is: A person should not call themselves an auditor unless they follow a professional standard. They can call themselves a monitor or an evaluator or a reviewer or an assurance specialist, whatever seems most comfortable… but I believe the term auditor is reserved for folks who follow an audit standard.

3. What exactly do you want verified?  An assurance professional can give you assurance about a variety of things.  You must provide to the assurance professional an “assurance objective”, which is the question you want answered.  The assurance objective needs two components, a subject matter and a criteria to evaluate the subject matter against.

The more finite and specific the subject matter is, the easier it is for the assurance professional to evaluate.  For instance, if you asked me to tell you whether the State Government of California was operating in compliance with laws and regulations, I would quickly let you know that I need an army of assurance professionals to do the job and it will take us several years.  Remember, I have to gather and document evidence for everything I end up telling you in the audit report about whether the State of California was in compliance.

But, if instead, you asked me to verify whether the Treasury sold state bonds for infrastructure improvements to Marin County in accordance with federal and state laws, I could do that for you with just a few auditors, and I’d have the audit report to you in a matter of weeks.

Criteria is also really important here.  So, when I am evaluating the bond issuances of the California State Treasury I will need to compare them to state and federal law.  The state and federal law is my criteria.  If a state law is fuzzy and open to interpretation, I am going to struggle using it and I may end up in a fight with the Department of Treasury because my interpretation of the law differs from theirs.  This is a huge waste of time and can damage relationships.  So, the clearer you can pose your question, the better for everyone: those accountable for the subject matter, the assurance professional, and the person paying for the assurance.

For more on this subject, see the archived Yellowbook-CPE whitepaper on audit objectives at

4. Do you need this professional to be completely objective and independent in order for the verification to hold water?

If you were to ask me if I thought my girls were off the charts beautiful, I would say, “Yes!” without hesitating.  But I am not exactly objective, am I?

Instead, let’s say that I have been asked to evaluate whether a department within the Treasury is complying with rules and regulations.  Where I work and who I report my assurance results to impacts my objectivity and independence and could impact the truthfulness of the final report.  Just like being a mom affects my assessment of my own children.  If the assurance provider is not able to freely tell the truth without suffering any negative consequences, their independence is compromised and the veracity of their promise is questionable.

Here are three common situations to consider:

Situation A: I work for a CPA firm who was hired through a competitive bidding process to audit the department. I will report to the board of directors of the Treasury.
Situation B: I work for the CFO of the organization, I will report my results back to the CFO, and the department being evaluated is also under the control of the CFO.
Situation C: I am an internal auditor for the Treasury and I report directly to the board of directors of the Treasury.  I am a peer, not an underling, of the CFO.

A CPA hired through a competitive bidding process will most likely be able to maintain their independence and objectivity in performing the review.  We can assume a CPA will have other clients and will not be wholly dependent on this one client for all their income.  So, we can trust the results of the assurance provider in situation A.

In situation B, the CFO may not appreciate the assurance provider sharing negative results in their report that would make the CFO look bad.  The independence of the assurance provider, and therefore the veracity of the assurance report, may be compromised.

In situation C, if the internal auditor is shielded from any negative ramifications of telling the truth and reports directly to the board of directors, we can trust the results of the assurance provider.

5. Who is using the report and do they have any expectations?

Who is requiring the assurance report?  Is it a bank?  Is it a grantor?  A regulator?  Or is it someone internal to your organization, like a division head or a board of directors? Each of these users has a different expectation for the content of the report and whether the assurance provider needs to follow specific standards and guidelines.

One way to figure this out is to look at prior assurance reports to see if any particular standard was followed and who performed the engagement.  Looking at old reports is far from foolproof, however, because it assumes that the assurance provider who prepared the prior report knew what they were doing and that is never a good assumption!

Next, ask the user of the report what they expect or if they have any guidelines you need to follow.  You should be able to find out who the users are by finding out who got copies of prior reports (again, not foolproof!)

If the users are not sure, your next move is to ask organizations that are in a similar situation as yours what sort of assurance service they obtain.  As you perform your due diligence, make sure you ask each person about the applicable laws, policies, contracts, and formation documents that could contain audit requirements.   I frequently work with government auditors and for these auditors, contract terms, grant agreements, federal policy, and local law can all impact the content of the audit report and distribution list for the report.

6. Do you want help making the necessary improvements that the professional identifies?

A true, blue assurance engagement simply evaluates whether the subject matter meets the criteria period, end of story. But often, the assurance provider is expected to help fix problems.  If the assurance provider crosses the line and becomes a consultant, their independence on future engagements is compromised.

I am going to get a little crude here… but please hang in with me.  A consultant helps the client they are working with to create or improve on a subject matter.  The consultant is helping to make the pretty baby, if you will.

A pure auditor will not help make the baby pretty. That is not their job. Their job is to say whether the baby is ugly and report the results back to the board of directors.

If the auditor does decide to cross the line and become a consultant and help make the baby pretty, they will not be as objective about the baby next time they come to audit.  In other words, if you help make the baby, you can’t be trusted to say whether the baby is ugly or not… just like I can’t be trusted to be objective about how beautiful my precious girls are.

For more on this line of reasoning, see an archived article on about the difference between auditors and monitors.

And the subject matter and the controls over the subject matter are ultimately the responsibility of management, not the assurance provider.

7. How much do you have to spend?

Four things make the price of an assurance service rise – the level of assurance, the breadth of the subject matter, the complexity of the criteria, and whether the assurance provider follows audit standards.

In general, it costs more for an auditor to provide a higher level of assurance, so an audit will cost more than a “‘review” of the same subject matter.  For instance, my church has an audit done every two years of its financial statements by a local CPA firm. This audit costs $15,000.  In the off two year period, the church hires the same CPA firm to do a ”review” of its revenues and disbursements and this costs only $6000.

If the subject matter is large or broad, it will take a small army of assurance providers a long time to reach their conclusions.  And if the audit criteria is vague or complex or highly specialized, the assurance provider will need specific skills and the rarer those skills are, the higher the price.

It will also cost more if the auditor follows audit standards because it costs more for the auditor to earn and maintain the necessary credentials, maintain convincing documentation, ensure audit quality, and undergo external reviews of audit quality.

If you are hiring a CPA, please read this

What you title the assurance service matters an awful lot to the professional you are hiring because it dictates to them which audit standards they need to follow and what level of assurance they must report to you.

For instance, a CPA firm would be very happy to earn your money by providing assurance, but they need to know what type of assurance project you want them to complete.  Do you want a:
·      Financial audit – where the subject matter is the financial statements or a component of the financial statements and the assurance level is high.
·      Examination – where the subject matter is not the financial statements and the assurance level is high.
·      Review – where the subject matter is varied and defined by the client and the assurance level is moderate.
·      Agreed-upon procedure – where the CPA firm performs a specific procedure for the client and reports on the results and no assurance is given.
·      A performance audit – where the assurance service provides a high level of assurance and is structured similarly to a financial audit, but the subject matter is not the financial statements.  (It is very rare for a CPA firm to conduct a performance audit, because their standard setting body [(The AICPA] has not addressed this sort of engagement.  More often than not, they will call this type of assurance service an examination.)

A CPA firm must know which type of assurance engagement you prefer because the standard setting bodies dictate what procedures they must follow in planning and conducting the audit and the standards also tell them the language that they must include in their resulting assurance reports. This topic deserves a more detailed description, so, please look for more in future posts.

I hope this helped you understand a little more about what audits are and aren’t.  If you have any questions, please write to me at

Stay Up-To-Date

Sign up here to have the lastest from delivered right to your inbox.

Just provide your name and email information below, and as an introductory “Thank You”, you’ll be able to view and download a free copy of our Audit Objectives whitepaper.

* indicates required

Stay Up-To-Date

Sign up here to have the latest from delivered right to your inbox.

Just provide your name and email information below, and as an introductory “Thank You”, you’ll be able to view and download a free copy of our Audit Objectives whitepaper.



Lost your password?