If you have doubts that your audit customer understands what you do and how important you are 🙂 , share this article with them:
Plenty, my friend! Plenty.
So, you think you need an audit? Or maybe you heard that you could get by with a review instead? Maybe you were asked to find someone to do a performance audit? The folks who perform these tasks all give you some level of “assurance” that the something (like financial statements or a performance metric) is true; thus, we refer to them as assurance providers.
Wherever you are coming from, I hope that answering the questions below will do the following for you:
· help you clarify what type of service and assurance provider you really need;
· help you understand what your finished project will look like;
· help you talk the “lingo” with your assurance provider when getting a bid;
· help you find out how much this assurance service will cost you;
· and give the appropriate assurance provider clarity on what you need them to do – exactly.
Because, as you can imagine, assurance providers are a pretty exacting bunch and you don’t want to waste your time or money!
Here are the questions to consider:
1. How “sure” do you want the professional to be of the truth?
2. Do you expect the professional to follow a professional standard in doing their work?
3. What exactly do you want verified?
4. Which professional are you going to ask to do the verification?
5. Who is using the report and do they have any expectations?
6. Do you need this professional to be completely objective and independent in order for the verification to hold water?
7. How much do you have to spend?
8. Do you want help making the necessary improvements that the professional identifies?
Let’s take each question in turn:
1. How “sure” do you want the professional to be of the truth?
Auditors, reviewers, and monitors are all offering assurance or verification that something is true. [d1] Several audit standards refer to the work that auditors do as ”assurance services.”
And the more assurance a client wants that something is true, the more it costs the assurance provider to provide the assurance service. Anyone can quickly scan a situation and decide if something is true or not or look into someone’s eyes and decide that they trust whatever the person is saying. But assurance professionals don’t scan or trust! They verify! They test, they analyze, and they gather evidence to support everything they say in their final report.
Now, I want to be clear, that no assurance provider will promise absolutely that something is true, unequivocally, without a doubt. That would be too scary a promise for them to make. But, they will provide “reasonable assurance” that something is true.
The term “audit” is reserved for engagements that offer a high level of assurance, as is the related term “examination.” In other words, a ”high level of assurance” means the auditor has gathered convincing, strong evidence that the subject matter meets the criteria. A “review” offers a moderate level of assurance, and therefore, costs less to perform. An ”agreed-upon procedure” offers no assurance whatsoever. And a ”monitoring visit” is often silent about assurance all together and instead, points out flaws or noncompliance. Monitors also help the entity fix the flaws or non-compliance.
Please notice that I will be using the term ”assurance service” instead of the term ”audit” as we discuss each of the questions. Because not every assurance service is a full-blown audit conducted at a high level of assurance.
2. Do you expect the professional to follow a professional standard in doing their work?
I am sure you are aware by watching the news and reading the newspaper that journalists do not promise to follow any standard of evidence in their reporting. Oftentimes hearsay, rumor, and personal opinion will suffice. This gives journalists lots of leeway and freedom.
But professional assurance providers don’t have leeway and freedom. Every statement they make in their reports has to be backed up by convincing evidence. Professional assurance providers make a promise in their reports that something is true, and they have tests and documentation to back them up.
If the assurance provider follows a professional standard, you can have even more comfort that their promise is true because all professional assurance standards require that the assurance provider back up what they say with evidence. I regularly teach seminars to assurance providers on how to gather and document strong, convincing evidence and the students love it. It is probably their favorite topic because they are always looking for ways to get better evidence to support their audit reports.
All assurance standards require the auditor to gather evidence, undergo quality control reviews, and experience an audit themselves (called a peer review) that evaluates whether they are following standards and gathering good evidence. You will have to trust the “word” of the assurance provider who does not follow these standards because there will be no quality standards or quality control system to make sure what they are saying is valid.
How can you tell if your assurance provider is following standards? Look at their most recent reports. If you see the following, you are golden:
“We conducted this audit in accordance with generally accepted audit standards…”
“We conducted this audit in accordance with generally accepted government auditing standards…”
“We conducted this audit in accordance with the International Professional Practices Framework….”
The standards do not say what I am about to say… because they have no right to say it… and neither do I, really. But I am going to say it anyway!– and it is a very touchy thing to say to those who provide assurance. Here it is: A person should not call themselves an auditor unless they follow a professional standard. They can call themselves a monitor or an evaluator or a reviewer or an assurance specialist, whatever seems most comfortable… but I believe the term auditor is reserved for folks who follow an audit standard.
3. What exactly do you want verified? An assurance professional can give you assurance about a variety of things. You must provide to the assurance professional an “assurance objective”, which is the question you want answered. The assurance objective needs two components, a subject matter and a criteria to evaluate the subject matter against.
The more finite and specific the subject matter is, the easier it is for the assurance professional to evaluate. For instance, if you asked me to tell you whether the State Government of California was operating in compliance with laws and regulations, I would quickly let you know that I need an army of assurance professionals to do the job and it will take us several years. Remember, I have to gather and document evidence for everything I end up telling you in the audit report about whether the State of California was in compliance.
But, if instead, you asked me to verify whether the Treasury sold state bonds for infrastructure improvements to Marin County in accordance with federal and state laws, I could do that for you with just a few auditors, and I’d have the audit report to you in a matter of weeks.
Criteria is also really important here. So, when I am evaluating the bond issuances of the California State Treasury I will need to compare them to state and federal law. The state and federal law is my criteria. If a state law is fuzzy and open to interpretation, I am going to struggle using it and I may end up in a fight with the Department of Treasury because my interpretation of the law differs from theirs. This is a huge waste of time and can damage relationships. So, the clearer you can pose your question, the better for everyone: those accountable for the subject matter, the assurance professional, and the person paying for the assurance.
For more on this subject, see the archived Yellowbook-CPE whitepaper on audit objectives at https://yellowbook-cpe.com/the-
4. Do you need this professional to be completely objective and independent in order for the verification to hold water?
If you were to ask me if I thought my girls were off the charts beautiful, I would say, “Yes!” without hesitating. But I am not exactly objective, am I?
Instead, let’s say that I have been asked to evaluate whether a department within the Treasury is complying with rules and regulations. Where I work and who I report my assurance results to impacts my objectivity and independence and could impact the truthfulness of the final report. Just like being a mom affects my assessment of my own children. If the assurance provider is not able to freely tell the truth without suffering any negative consequences, their independence is compromised and the veracity of their promise is questionable.
Here are three common situations to consider:
Situation A: I work for a CPA firm who was hired through a competitive bidding process to audit the department. I will report to the board of directors of the Treasury.
Situation B: I work for the CFO of the organization, I will report my results back to the CFO, and the department being evaluated is also under the control of the CFO.
Situation C: I am an internal auditor for the Treasury and I report directly to the board of directors of the Treasury. I am a peer, not an underling, of the CFO.
A CPA hired through a competitive bidding process will most likely be able to maintain their independence and objectivity in performing the review. We can assume a CPA will have other clients and will not be wholly dependent on this one client for all their income. So, we can trust the results of the assurance provider in situation A.
In situation B, the CFO may not appreciate the assurance provider sharing negative results in their report that would make the CFO look bad. The independence of the assurance provider, and therefore the veracity of the assurance report, may be compromised.
In situation C, if the internal auditor is shielded from any negative ramifications of telling the truth and reports directly to the board of directors, we can trust the results of the assurance provider.
5. Who is using the report and do they have any expectations?
Who is requiring the assurance report? Is it a bank? Is it a grantor? A regulator? Or is it someone internal to your organization, like a division head or a board of directors? Each of these users has a different expectation for the content of the report and whether the assurance provider needs to follow specific standards and guidelines.
One way to figure this out is to look at prior assurance reports to see if any particular standard was followed and who performed the engagement. Looking at old reports is far from foolproof, however, because it assumes that the assurance provider who prepared the prior report knew what they were doing and that is never a good assumption!
Next, ask the user of the report what they expect or if they have any guidelines you need to follow. You should be able to find out who the users are by finding out who got copies of prior reports (again, not foolproof!)
If the users are not sure, your next move is to ask organizations that are in a similar situation as yours what sort of assurance service they obtain. As you perform your due diligence, make sure you ask each person about the applicable laws, policies, contracts, and formation documents that could contain audit requirements. I frequently work with government auditors and for these auditors, contract terms, grant agreements, federal policy, and local law can all impact the content of the audit report and distribution list for the report.
6. Do you want help making the necessary improvements that the professional identifies?
A true, blue assurance engagement simply evaluates whether the subject matter meets the criteria period, end of story. But often, the assurance provider is expected to help fix problems. If the assurance provider crosses the line and becomes a consultant, their independence on future engagements is compromised.
I am going to get a little crude here… but please hang in with me. A consultant helps the client they are working with to create or improve on a subject matter. The consultant is helping to make the pretty baby, if you will.
A pure auditor will not help make the baby pretty. That is not their job. Their job is to say whether the baby is ugly and report the results back to the board of directors.
If the auditor does decide to cross the line and become a consultant and help make the baby pretty, they will not be as objective about the baby next time they come to audit. In other words, if you help make the baby, you can’t be trusted to say whether the baby is ugly or not… just like I can’t be trusted to be objective about how beautiful my precious girls are.
For more on this line of reasoning, see an archived article on Yellowbook-CPE.com about the difference between auditors and monitors. https://yellowbook-cpe.com/who-
And the subject matter and the controls over the subject matter are ultimately the responsibility of management, not the assurance provider.
7. How much do you have to spend?
Four things make the price of an assurance service rise – the level of assurance, the breadth of the subject matter, the complexity of the criteria, and whether the assurance provider follows audit standards.
In general, it costs more for an auditor to provide a higher level of assurance, so an audit will cost more than a “‘review” of the same subject matter. For instance, my church has an audit done every two years of its financial statements by a local CPA firm. This audit costs $15,000. In the off two year period, the church hires the same CPA firm to do a ”review” of its revenues and disbursements and this costs only $6000.
If the subject matter is large or broad, it will take a small army of assurance providers a long time to reach their conclusions. And if the audit criteria is vague or complex or highly specialized, the assurance provider will need specific skills and the rarer those skills are, the higher the price.
It will also cost more if the auditor follows audit standards because it costs more for the auditor to earn and maintain the necessary credentials, maintain convincing documentation, ensure audit quality, and undergo external reviews of audit quality.
If you are hiring a CPA, please read this
What you title the assurance service matters an awful lot to the professional you are hiring because it dictates to them which audit standards they need to follow and what level of assurance they must report to you.
For instance, a CPA firm would be very happy to earn your money by providing assurance, but they need to know what type of assurance project you want them to complete. Do you want a:
· Financial audit – where the subject matter is the financial statements or a component of the financial statements and the assurance level is high.
· Examination – where the subject matter is not the financial statements and the assurance level is high.
· Review – where the subject matter is varied and defined by the client and the assurance level is moderate.
· Agreed-upon procedure – where the CPA firm performs a specific procedure for the client and reports on the results and no assurance is given.
· A performance audit – where the assurance service provides a high level of assurance and is structured similarly to a financial audit, but the subject matter is not the financial statements. (It is very rare for a CPA firm to conduct a performance audit, because their standard setting body [(The AICPA] has not addressed this sort of engagement. More often than not, they will call this type of assurance service an examination.)
A CPA firm must know which type of assurance engagement you prefer because the standard setting bodies dictate what procedures they must follow in planning and conducting the audit and the standards also tell them the language that they must include in their resulting assurance reports. This topic deserves a more detailed description, so, please look for more in future posts.
I hope this helped you understand a little more about what audits are and aren’t. If you have any questions, please write to me at Leita@yellowbook-cpe.com