Assurance Services

Assurance services refer to independent professional services offered by CPAs and others to improve information quality or its context for decision makers ("Assurance services, 2006). Traditional auditing services have focused on financial and governance issues and not on broader functional business units within organizations. Assurance services encompass a broad approach to assessing risk associated with and, potentially, touching all functional areas within an organization. Assurance service offerings have grown proportionally with advances in information technology. Assurance services focus on issues related to information security management, privacy and data governance issues, and nearly every other aspect of digital data management. Core competencies required of CPAs will need to change in order for these professionals to meet the growing demand and expertise in assurance services. CPA professionals need to be well versed in how information technology is affecting core business as well as the accounting profession. CPAs will also need to increase their overall customer service skills and business knowledge in order to fully meet their client's needs for assurance. Accounting firms will need to invest in training for their professional services personnel as CPAs will be required to have more in-depth knowledge of specific industries. Assurance services afford ample opportunity for accounting firms to expand into non-financial auditing markets. The competition to provide future assurance services will be fierce and will require a much broader set of competencies than have been traditionally relied upon by CPAs.

Keywords Accounting Technology; AICPA; Assurance Services; Attestation Services; Audit; Auditing Services; Big Four Accounting Firms; Business Risk Assessment; Certified Public Accountant Competencies; Internal Audit and Assurance Strategy (IAAS); Risk-base Audit; Strategic Audit; Trust Services

Accounting > Assurance Services

Overview

Assurance services are defined by the American Institute of Certified Public Accountants (AICPA) as independent professional services that enhance the quality or context of information for decision makers. The aim of assurance services is to reduce the risks that information provided is incorrect. Assurance services are founded on the CPA tradition of valuing the independent certification of data veracity by an outside party. Assurance is not just an assessment of financial data, but addresses the risks associated with a company’s non-financial information and processes as well. Auditing services and attestation services provided by CPAs could be confused with assurance services, but there are some important distinctions.

Auditing services are well known and have been provided by CPAs for many years. In the context of CPA services, an audit can be defined as "an independent assessment of the fairness by which a company's financial statements are presented by its management. It is performed by competent, independent and objective persons, known as auditors or accountants, who then issue a report on the results of the audit. When a CPA provides attestation, he or she expresses a conclusion about the reliability of a written statement that is the responsibility of someone else" (Wordweb, 2007). Attestation and auditing have typically been defined around financial services, while assurance services may cover all functional business areas in an organization. Given the definitions of audit and attestation, it is easy to see how assurance services are a natural extension of the traditional CPA auditing services.

The following list describes some of the types of assurance services available to companies. These represent services that are non-financial in nature ("Assurance services," 2006).

  • Customer satisfaction
  • Information Technology Assurance Services (ITAS)
  • Information systems security
  • Business risk assessment
  • Internal audit outsourcing
  • Accounts receivable review

Timeline: Auditing to Assurance Services

CPAs have been auditing financial statements since the early part of the 20th century. The examination of a company's financial records insures that financial information is presented in conformance with federal rules and regulations such as generally accepted accounting principals (GAAP). In the 1970s, companies were looking for lower level/lower cost options to typical CPA financial statement audits. CPAs began to provide "reviews" of financial statements which were based on inquiry and analysis of data rather than the physical inspection of financial data. The resulting reports provided "limited assurance" of a company's financial statements. Another service provided by a CPA was called a "compilation" in which the CPA simply helped a company put its financial data into a statement form ("Assurance services," 2006). This report provided no assurance about the integrity of a company's financial data because no testing of the data had been done.

In the 1980s, the role of the CPA expanded to include what we now know as assurance services. CPAs began to report on non-financial subjects, and included internal controls, contracts, and compliance. The resulting reports were termed "attestation engagements."

"In an attestation engagement, the CPA applies the tools used in audits and reviews to provide assurance on whether the subject matter of the engagement (such as internal control or management's discussion and analysis of operations) complies with applicable criteria for measurement and disclosure. The result is a report much like an audit (reasonable assurance) or review (limited assurance) of financial statements" ("Assurance services," 2006).

Throughout the 1990s, revenues generated from traditional auditing and accounting services became flat. Accounting firms realized that financial statement auditing was a mature product and that the market expansion lay in offering expended services. Auditing of financial statements provided objectivity and integrity to users, clients and capital markets and the value that CPAs provided could be transferred to other services. In 1995, the American Institute of CPAs (IACPA) special committee on assurance services began a study of the audit-assurance function. The report of the AICPA was focused on looking forward beyond traditional CPA services to identify new opportunities for the accounting professional (Pallais, 1997). It was really the explosion of digital information and the knowledge economy that afforded new opportunities for assurance services. The risks associated with the easy sharing and movement of digital data is well documented in security and data privacy breaches. While risks to companies rose, so too did opportunities for companies to implement strategic solutions with increased access to metrics and data. The need for assurance services associated with information technology advances exploded as the digital economy developed. Issues specific to technology and the accounting field will be explored in greater detail later in this essay.

Avenues of Assurance Services

Assurance services were viewed as being aligned with audit-attestation but focused on a more comprehensive approach to reviewing specific subject matter within a given organizational context. The focus of assurance services was on improving information rather than advice or installing systems (Pallais, 1997). Assurance services encompass the following parameters:

  • Financial or non-financial subjects.
  • Direct or indirect information.
  • Internal or external processes/information.
  • Improved reliability and context.

The AICPA committee's study released in 1997 identified the following "six broad areas of potential "hot" assurance services for the accounting profession ("Special committee…," 1997):

  • Electronic commerce assurance.
  • Health care performance measurement.
  • Entity performance measurement.
  • Information systems quality.
  • Comprehensive risk assessments.
  • Elder care assurance.

A seventh area may be added (Schneider, 2013; Perego & Kolk, 2012).

  • Sustainability and greenhouse gas emissions.

Stakeholders and users of assurance services represent a wider audience than users of typical CPA auditing reports. Financial statements provide valuable information for senior mangers and Chief Financial Officers, but stakeholders for assurance services may come from any area of an organization. Because assurance services are subject-specific, and placed in a specific business context, stakeholders may include: (subject expert) Decision makers, boards of directors, creditors, or customers. Managers, accustomed to making decisions with incomplete data, benefit from assurance services which can lead to better decisions and decreased risk. Assurance services aim to evaluate the veracity of past business cycle data and benefit stakeholders across an organization (“Assurance services,” 2006).

Assurance services can be provided by a number of individuals, depending upon expertise within an industry. Generally, assurance services may be delivered by accountants, attorneys, or management or technical consultants (Elifisen, Wallage, Knechel, & Van Praag, 2004). This article focuses on the role of the CPA in providing assurance services, along with the new competencies that will be needed by CPAs in the future.

Applications

Role of the CPA in Providing Assurance Services

This essay has already reviewed some of the changes that occurred in the 1990s in the accounting industry. The market for financial accounting has become increasingly saturated and auditing is viewed as a compliance requirement rather than a service. Advances in information technology have impacted the field of accounting in a number of ways that will be examined later in this article. Other factors that are driving the need for new accounting services are: Globalization, risk assessment, internal controls governance, and corporate governance failure (Elifisen, Wallage, Knechel, & Van Praag, 2004).

Business cycles are being compressed and firms need to raise the bar in terms of providing services to their clients. Within the accounting industry, competition is fierce and merger mania continues (Nisberg, 2007). Assurance services provided by CPAs require enhanced communication skills and an emphasis on customer service. CPAs now need to understand the decision making process of end-users and customers in non-financial business units. Accounting curriculum must equip CPAs to be leaders in providing assurance services. In addition to enhanced communication skills, CPA training should focus on a number of areas. The following competencies are required for CPAs who wish to be adept at delivering strategic assurance services (Pallais, 1997):

  • Understanding of the strategic implications of information technology and accounting.
  • Comprehensive understanding of business strategy.
  • Enhanced research skills- knowledge of customer (decision maker) information needs.
  • Measurement criteria — non-financial.
  • Enhanced reporting of non-financial information.
  • Criteria for identifying business risk.
  • Knowledge of E-commerce solutions and security.
  • Systems design.

The new basics for future CPAs are intrapersonal skills and technological competence, but those skills are just the beginning. CPA firms that provide specialized assurance services may need to organize into "intrapreneurial units" where innovative design and narrow market specialization will be required to meet customer demands. Globalization and increased international trade will also require new expertise in the accounting profession (Nisberg, 2007).

All indications are that the accounting industry will continue to change rapidly as the profession aligns its services and personnel by specialization. The perception is that there is a huge market opportunity for CPAs to provide assurance services as value-added billings for their firms. However, there are questions about what companies are willing to pay for in terms of assurance services (Elifisen, Wallage, Knechel, & Van Praag, 2004).

  • Will the market want assurance services and are customers willing to pay?
  • Will CPAs be able to maintain their independence?
  • Will CPAs be able to develop the necessary expertise and specificity required to advise organizations in non-financial matters?
  • Will assurance services provided meet compliance requirements?

Development of Assurance Services

In 1999, the International Standards for Professional Practice of International Auditing encouraged the use of the "strategic audit plan" as a means of expanding auditing services to non-financial areas. Historically, organizations had functional areas that maintained internal auditing procedures such as Legal and Quality Assurance that were responsible for internal oversight of some key controls. By implementing a strategic audit plan, auditable units were to be identified with the hope that over time, all business units would be audited. However, the changing dynamics of organizations didn't allow for enough continuity to successfully implement strategic audits. Functional business units changed so quickly that the risk environment was often very different by the time the audit was conducted and thus no longer applicable to the audit plan.

The challenges in implementing strategic audit plans led to the adoption of risk-based audit plans as an alternate solution. Risk-based audit plans tended to focus on perceived risk and avoided "unnecessary" review activities. As a consequence, some functional activities or areas were never reviewed. Neither the strategic audit nor risk-based audit strategies were ideal in assessing and monitoring total organizational risk, so a hybrid solution was developed.

The IAAS

An Internal Audit and Assurance Strategy (IAAS) was the proposed solution. An IAAS enables an organization to bridge the gap between a strategic audit plan and a risk-based audit. "An IAAS defines the customers and purpose of the internal assurance process, outlines the approach to obtaining that assurance, and details internal auditing's role in providing it" (Parkinson, 2004, p.64).

The IAAS can be thought of as a mechanism for filling the gaps between the strategic and risk-based audit so that no part of an organization is ignored in terms of the review process. An IAAS plan documents and identifies those requirements of an organization, and lays out a strategy for delivering on the strategy. Additional benefits to a well thought out IAAS insure that auditors and audit reviews clearly support organizational goals.

An IAAS takes into consideration an organization's mission, business context, assets, governance and risk models and tailors an approach to overall assurance programs. Only by examining an organization's purpose or the business it is in, can the relative importance or risk be assigned. Risk to an organization can be internal or external and may include:

  • Legal, political or economic risks- such as adherence to laws regulations or a response to social conditions.
  • Major business relationships with customers or suppliers can pose risk to an organization, as can the loss of a key asset such as business reputation, intellectual property or a business advantage.

In 2004, the Chartered Institute of Management Accountants (CIMA) published a report calledEnterprise Governance, Getting the Balance Right.The report proposed an interesting model that included two distinct aspects of a corporate governance model:

  • Corporate Governance = conformance.
  • Business Governance = performance.

In essence, the report states that there's more to success in business than following rules; systems must operate efficiently and the delivery of core services must be reliable. Risk can affect an organization from either of the above mentioned areas. Internal controls need to be put in place on both the corporate and business sides of governance to insure that risk is being addressed. "Because assurance concerns itself with controls, a comprehensive IAAS addresses both arms of the governance model. An assurance program cannot take credit for good organizational performance any more than it can for the organization obeying the law but, it can help improve performance and mitigate illegal activity" (Parkinson, 2004, p.65).

Risk

Risk is defined as the chance of something happening that will impact an organization's objectives. Risk doesn't have to result in a negative impact to an organization and having internal controls in place can identify risk opportunities that a company may want to act upon for competitive advantage. In either case, an organization must determine an acceptable level of risk, implement control systems and continuously assess processes to identify those that may not be properly controlled.

"Assurance is information that confirms the correct or incorrect operation of a function. If boards could know from personal examination that the organization was functioning as intended, they would not need an assurance function. It is because of the size and complexity of organizations that the need for internal assurance arises" (Parkinson, 2004, p.66).

Assurance services are concerned with identifying operational risks and places the risks within the context of the business being reviewed. A comprehensive IAAS document will identify the scope and depth of assurance services, but the International Standards for Professional Practice of International Auditing also recommends the development of a comprehensive risk assessment document that will serve as an overview for an organization's executive managers. The comprehensive risk assessment document should consider major processes and high-level inherent risks and how often key control systems should be reviewed. The executive management team of an organization needs to sign off on any comprehensive risk assessment document. All organizations need to be mindful that the assurance process needs to be tailored to their specific business context. Large organizations will need more audit resources than small organizations. The size and complexity of an organization will also require additional resources to implement assurance plans.

Issues

Top Tech Issues-Assurance Services

The AICPA conducts a yearly survey to monitor how professional accountants see their profession changing and being affected by advances in information technology. In 2007, CPAs identified Information Security as the top technological initiative, as it had been the top initiative for the previous five years. In 2006, Identity & Access Management was sixth on the survey list; in 2007, it had jumped to number two. Other top initiatives included: Privacy Management, Securing and Controlling Information Distribution and Mobile and Remote Computing.

If one considers the following list of top Assurance Services that the AICPA identified in 2006, it is easy to see that accounting technology will play a huge role in the delivery of assurance services ("Assurance services," 2006).

  • Comprehensive Risk Assessments
  • Business Performance
  • Electronic Commerce
  • Systems Reliability
  • Elder Care
  • Policy Compliance
  • Trading Partners
  • Mergers & Acquisition

“‘This top technology survey provides the CPA’s unique perspective regarding the impact of technology on financial management and the fulfillment of other fiduciary responsibilities, such as the safeguarding of business assets, oversight of business performance and compliance with regulatory requirements,’ said Barry Melancon, CPA, President and CEO of the AICPA. ‘We sponsor this survey each year because we believe that it is critical for CPAs to stay abreast of the latest technology initiatives and provide guidance regarding its impact to their clients and employers’” (AICPA, 2007).

The top ten Technology Initiatives as defined by the AICPA for 2007 were:

  • Information Security Management- refers to the overall approach to security that takes into account, people, processes and technology systems that safeguard critical systems and information from internal and external threats.
  • Identity Access Management- includes hardware, software, and processes used to authenticate user identity and control access to appropriate systems and data- based on pre-established rights and privileges.
  • Conforming to Assurance and Compliance Standards- refers to the strategies and systems that address organizational goals and statutory requirements which include collaboration and compliance tools to report on specific controls.
  • Privacy Management- governance over the disclosure and retention of personal information; convergence of security and privacy and adherence to applicable laws.
  • Disaster Recovery Planning (DRP) & Business Continuity Management (BCM)- encompass an overall approach to addressing risk or threats (natural or man-made) to provide stability and improve chances of business survival in the event of a disaster.
  • IT Governance- refers to the relationships and processes that help an organization balance risk vs return over IT and processes.
  • Security and Controlling Information Distribution- protecting and controlling the distribution of digital data (secure distribution, access to protected resources, and prevention of illegal distribution).
  • Mobile and Remote Computing- Technology that enables secure connection to information at any time regardless of physical location.
  • Electronic Archiving and Data Retention- Technology and processes that enable archiving and retrieval of information over a given period of time. Policies to insure destruction and archiving of information to meet compliance objectives.
  • Document, Content and Knowledge Management refers to the process of controlling electronic information through the capture, indexing, storage, retrieval, search and management of data (AICPA, 2007).

The integration of technology and business practices will help organizations achieve organizational goals, support employees and improve services to customers. Thoughtful and deliberate planning, execution and oversight of information technology initiatives will be an integral part of managing risk within organizations. Management, auditors and IT collaboration are key components of successful security and governance programs.

Competition for Assurance Services

Assurance service, like auditing, tax and compliance are the bread and butter of many accounting firms. With traditional financial accounting services on the wane, accounting firms are anxious to capitalize on the lucrative assurance services market.

Improving the audit choices for organizations (large and small) is challenging because most large companies go with the Big Four accounting firms and it is difficult for mid-tier firms to break into the market. It is true that the Big Four accounting firms have a global reach that many mid-tier accounting firms can only dream of, but there's a concern about the lack of competition within the industry as well.

Investors and Boards of Directors are known for being conservative and adverse to change which explains much of the allegiance of large multinationals to the Big Four Accountants. There's certainly an economy of scale that factors into the "reach" of the Big Four firms — the largest accounting firms have the depth and breadth of knowledge and expertise to service large international companies. Big Four audit fees are perceived as high and implementation of the IFRS accounting standards are only driving up fees (Perrin, 2007).

Room for Mid-Tier Accounting Firms

According to some critics, incumbent accounting firms (Big Four) don't have any incentive to improve services, quality, or be innovative. Since the largest accounting firms have a virtual monopoly on providing services to large/multinationals, many companies feel that they are a captive audience. With the growth in assurance services, there's an opportunity for smaller accounting firms to steal some of the market away from the big guys. Mid-tier providers will likely fill in specialized gaps; particularly in assurance services where subject matter expertise is paramount. It will be difficult for mid-tier accounting firms to invest in the training, expertise and personnel to compete with global giants. However, the idea of the "intrapreneurial units" (Nisberg, 2007) with subject matter expertise in a particular business or industry could help to level the playing field. With billions at stake in the assurance services marketplace, mid-tier accounting firms will be anxious to find their niche by offering more customized service and industry specific assurance services in the future.

Terms & Concepts

Audit: A situation where an independent CPA gives an opinion regarding the fairness of a given financial statement. The CPA bases their opinion on generally accepted accounting guidelines and principles such as cash basis or income tax basis.

Attestation Services: A situation where a CPA expresses their conclusion in writing regarding the reliability of a statement made by another party.

Assurance Services: Take into account the specific needs of individuals or groups; information put into a specific context for decision making.

AICPA: “National, professional association of CPAs, with approximately 330,000 members, including CPAs in business and industry, public practice, government, and education. It sets ethical standards for the profession and U.S. auditing standards for audits of private companies; federal, state and local governments; and non-profit organizations” (AICPA, 2007).

Big Four Accounting Firms: Refers to a group of professional services firms that handle auditing and accounting services for most publicly-traded companies; the Big Four include: PricewaterhouseCoopers, Deloitte Touche Thomatsu, Ernst & Young and KPMG.

Internal Audit and Assurance Strategy (IAAS): A wholistic approach to assessing organizational risk; includes the implementation of key controls within two distinct areas: Corporate governance (conformance) and business governance (performance). The IAAS strategy has been proposed as the best solution for identifying and managing organization-wide risk within an organization's business context.

Risk-base Audit: Focuses on areas within an organization that pose a perceived "high risk" of impacting an organization's business. Depending upon the criteria used, not all business units are audited-leaving companies vulnerable to unforeseen risks.

Strategic Audit: Refers to a plan to audit an organization's unique business units over time; emphasis on aligning risk assessment to business strategy.

Trust Services: “Trust Services (including WebTrust® and SysTrust®) are defined as a set of professional assurance and advisory services based on a common framework (that is, a core set of principles and criteria) to address the risks and opportunities of IT. Trust Services principles and criteria are issued by the Assurance Services Executive Committee of the AICPA” (AICPA, 2007).

Bibliography

AICPA. (2007). 2007 top technology initiatives survey. Information Technology Center. Retrieved October 10, 2007, from: http://infotech.aicpa.org/Resources/Top+Technology+Initiatives/2007+Top+10+Technology+Initiatives/

AICPA. (1997, March). Special committee on assurance services releases recommendations to improve, expand CPAs' offerings. The CPA Letter. Retrieved October 9, 2007, from http://www.aicpa.org/pubs/cpaltr/mar97/scasrr.htm

Assurance services. (2006). Encyclopedia of Business and Finance. Retrieved October 4, 2007, from eNotes.com. http://www.enotes.com/business-finance-encyclopedia/assurance-services

Elifisen, A, Wallage, P, Knechel, W, & Van Praag, B (2004) The demand attributes of assurance services and the role of independent accountants. Norwegian School of Economics and Business Adminstration. Retrieved October 7, 2007, from http://www.nhh.no/for/dp/2004/0404.pdf

Hasan, M., Maijoor, S., Mock, T., Roebuck, P., Simnett, R., & Vanstraelen, A. (2005). The different types of assurance services and levels of assurance provided. International Journal of Auditing, 9, 91-102. Retrieved October 3, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=18008490&site=ehost-live

Li, Z., Pawlicki, A. R., McQuilken, D., & Titera, W. R. (2012). The AICPA Assurance Services Executive Committee Emerging Assurance Technologies task force: The Audit Data Standards (ADS) initiative. Journal of Information Systems, 26, 199-205. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=77252776&site=ehost-live

Nisberg, J. (2007). Future trends and accelerated change. Practical Accountant, 40,16-17. Retrieved October 3, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=25242836&site=ehost-live

Pallais, D. (1997, June 1). Are you ready for new assurance services? Journal of Accountancy. Retrieved October 5, 2007, from AllBusiness.com. http://www.allbusiness.com/accounting/618990-1.html

Parkinson, M. (2004). A strategy for providing assurance. Internal Auditor, 61, 63-68. Retrieved October 3, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=15238984&site=ehost-live

Perego, P., & Kolk, A. (2012). Multinationals' accountability on sustainability: the evolution of third-party assurance of sustainability reports. Journal of Business Ethics, 110, 173-190. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=80235137&site=ehost-live

Perrin, S. (2007, June). Four get choice. Financial Director, 34-35. Retrieved October 3, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=25399627&site=ehost-live

Schneider, B. A. (2013). Assurance opportunities broaden. Journal of Accountancy, 215, 32-36. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=89487685&site=ehost-live

Suggested Readings

Greenlees, E. M. (2006). Auditing & assurance services: A systematic approach. Accounting Education, 21, 330. Retrieved October 12, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=22055659&site=bsi-live

Janvrin, D.J. & Kurtenbach, J.M. (2006). The influence of disclosure regulation on selective disclosure: Impact on difficult-to-measure reporting activities and the importance of assurance services. Accounting & the Public Interest, 6, 70-94. Retrieved October 12, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=23464346&site=bsi-live

Nouri, H. & Machinga, R.J. (2003, September). Reports for assurance services. National Public Accountant,16-19. Retrieved October 12, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=10765192&site=bsi-live

Top tech 2006 predictions. (2006). Practical Accountant, 38, 21-22. Retrieved October 3, 2007, from EBSCO Online Database Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19635999&site=ehost-live

Essay by Carolyn Sprague, MLS

Carolyn Sprague holds a BA degree from the University of New Hampshire and a Masters Degree in Library Science from Simmons College. Carolyn gained valuable business experience as owner of her own restaurant which she operated for 10 years. Since earning her graduate degree Carolyn has worked in numerous library/information settings within the academic, corporate and consulting worlds. Her operational experience as a manger at a global high tech firm and more recent work as a web content researcher have afforded Carolyn insights into many aspects of today's challenging and fast-changing business climate.