Management is responsible for having a system of procedures and controls (safeguards and crosschecks) which will enable the production of financial statements which are not materially misstated. The term "not materially misstated" is used rather than the term "correct" since many of the items in financial statements are estimates.
Management is responsible for possessing transactions and advocating a proper respect for that system and a proper regard for those controls. Management assumes the responsibility for being totally open and honest with the CPA and for advocating such openness and honesty. This openness and honesty specifically includes knowledge of the possibility of the existence of errors (unintentional misstatements or omissions of amounts or disclosures), irregularities (intentional ones) and illegal acts (violations of laws or government regulations [including but not limited to embezzlement and fraud] made by or on behalf of the entity). Management is responsible for adjusting the company's financial statements to correct material misstatements and for affirming to the accountant in a representation letter that the effects of any uncorrected misstatements are immaterial to the financial statements taken as a whole.
The financial statements produced are management's, not the CPA's, because the transactions on which the financial statements are based are management's, not the CPA's. The CPA doesn't deposit the receipts, write the checks, make the sales or incur the expenses. Management does these things. Management owns the assets and incurs the liabilities. The CPA doesn't.
Though a coach may help an athlete train, critique and influence the athlete's techniques, and express an opinion of the athlete's abilities, the athlete's performance is his, not the coach's. Similarly, management's financial statements are management's statements, not the accountant's, even though the accountant may question or advise management, or express an opinion on management's statements. Management is, therefore, responsible for identifying and ensuring that the company complies with the laws and regulations applicable to the activities, and for making all financial records and related information available to the accountant.
The CPA may process the transactions and/or produce the financial statements on his computer or cause adjustments, sometimes substantial, to be made so that the financial statements are not materially misstated. However, since the financial statements are based on management's transactions, they are still management's financial statements, not the CPA's.
This fundamental fact is emphasized in CPAs' reports. For example, the first paragraph of the auditors' standard report states: "These statements are the responsibility of the Company's management. Our responsibility is to express an opinion on these financial statements based on our audit." The first paragraph of the reviewers' standard report states: "All information included in these financial statements is the representation of the management." The second paragraph of the compilers' standard report states: "A compilation is limited to presenting in the form of financial statements information that is the representation of management."
When management includes an individual component (e.g., inventories) in its statement of financial position, inherently it is making several assertions (positive statements or declarations) about the component. It is saying that the component is real (it exists), it is saying that it is priced right (it is valued properly according to the accounting rules), it is theirs (there are no liabilities except those disclosed), it is complete (there isn't any more or less), and that the words used to describe it are enough to meet the disclosure rules. For another example, when management includes sales at a certain figure in its operations statement, it is saying that sales actually occurred in that amount and that there were no other sales for the period.
In all three types of engagements, the CPA is supposed to sniff for anything that smells peculiar. As a matter of fact, in all his work the CPA is supposed to sniff. Sniffing is not a procedure. It is a pervasive requirement and attitude. It is called professional skepticism.
In a compilation engagement, the compiling CPA is supposed to sniff. But he is not required to perform any procedures unless he smells something "funny," or worse, in a financial statement. In that case he is supposed to look into what smells and get some more information or, as the need may be, cause management to make or agree to corrections. Otherwise, he is not required to go beyond sniffing.
In a review engagement, the CPA goes beyond sniffing and is required to perform so-called inquiries and analytical procedures, i.e., he is supposed to ask some questions and compare this year's numbers in the financial statements with the other numbers. If the answers to his questions, or the comparison of the numbers, cause him to wonder about some of the figures in the financial statements, he is supposed to follow through with other procedures and, if need be, cause management to make or agree to corrections. Following through may consist only of asking some more questions. On the other hand, if he doesn't get good answers, it may cause him to perform some verification procedures. But these additional procedures are performed only in connection with the figures he is wondering about. Otherwise, he is only required to ask questions and compare numbers.
In an audit engagement, the CPA also sniffs, asks questions and compares numbers. But, in addition, he has to feel, touch and taste, so to speak. He has to examine the evidence; he has to get the facts. But, for the greatest part, he only has to examine a portion of the evidence, a sample of it, sometimes a very small sample. He must do some testing. For examples: usually he reconciles (tests the reconciliations of) some bank accounts; he asks some customers to verify their balances; he observes and test-counts some inventory items; he searches for some unrecorded liabilities; he examines and compares with the accounting records, some sales invoices, some purchase invoices and some expense invoices. When he performs these types of auditing procedures, sometimes he may be required to dig deeper, depending on his findings.
Upon completion of his engagement, the CPA renders his report. This report broadly states what he has done and the conclusions he has reached. In an auditors' standard report, the auditing CPA expresses reasonable assurance about whether the financial statements are free of material misstatement. The auditing CPA expresses reasonable assurance because he cannot express absolute assurance since he has only examined a portion of the evidence, sometimes a very small portion.
In a reviewers' standard report, the reviewing CPA only expresses limited assurance that insofar as he is aware, the statements do not require any material modifications. The assurance is limited because the procedures are so limited.
In a compilers' standard report, the compiling CPA expresses no assurance because he has performed no procedures upon which any assurance can be based.
None of these reports offers complete or absolute assurance that the financial statements are fairly presented.
The second paragraph of the auditors' standard report states:
We conducted our audit in accordance with the generally accepted auditing standards. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe our audit provides a reasonable basis for our opinion.
The key phrases are "reasonable assurance," "material misstatement," "test basis," and "reasonable basis."
Auditing is a testing-samples-of-items business. That's the way it must be because no one can afford a 100% comprehensive audit in which every transaction and every item of business would be audited. An audit of financial statements is entirely different from an audit by the IRS which may make the taxpayer prove with documentation every single item in a population of items. Also, unlike the IRS, which may assume at the outset that the taxpayer's return is incorrect, the auditing CPA does not assume that management's financial statements are incorrect.
Using generally accepted auditing procedures, the auditing CPA selects a sample, sometimes a very small sample, of the population, and tests that sample. If the sample is supported by the evidence, then he can conclude that the entire population is supported by similar evidence. It's like sampling to predict the outcome of an election. Sometimes even a few minutes after an election, the outcome is known based on the returns of a minute portion (a sample) of the voters. That sample of voters is attributed to the entire population of voters.
In a test basis audit, the auditing CPA evaluates the effectiveness of certain matters (so-called risk assessments) and their consequent effect on the degree of his testing. Does management tend to override its own controls? Is the Company's performance erratic? How stable is the industry? How inherently risky is an item (inventories vs. property)? How good are the system and controls?
There's a pretty long list of matters to be evaluated and there is substantial guidance in the profession's Statements on Auditing Standards. Generally speaking, the greater the tendency of management to override, the more testing required. The better the system and controls, the less testing required.
Each auditor exercises his own judgment as to risk assessment. An auditing CPA's evaluations may differ from other CPAs' evaluations and still be within an acceptable range. Assuming all these risk assessments turn out to be low-risk, then the auditor's testing will be at the low end. But the auditor can still only provide "reasonable assurance" because the audit is still based on tests of samples. Furthermore, for virtually the same reason, he can only provide reasonable assurance that the financial statements are free of "material" misstatements.
The auditor's testing of inventories may show an inventory of $97,000 whereas the Company's financial statements show $100,000. He may conclude "that's close enough"; i.e., that's not a material misstatement. The same kind of conclusion may be reached with something like depreciation, which is always an estimate so CPAs' evaluations may differ and both of them can still be right.
Further, a misstatement may be material standing alone but not material in relation to the financial statements taken as a whole. For example, a $15,000 misstatement in a $100,000 inventory is material in relation to the inventory but is not material in relation to a $1,000,000 stockholders' equity in the same statement. An undiscovered $25,000 embezzlement may sound like a material irregularity but may be immaterial in relation to both cash balance and stockholders' equity.
The concept of reasonable assurance applies not only to errors but also to irregularities and illegal acts. Errors are unintentional mistakes whereas irregularities are intentional ones. An audit is designed to provide reasonable assurance of detecting material irregularities. However, because of the characteristics of irregularities, particularly, those involving forgery and collusion, a properly designed and executed audit may not detect a material irregularity. An audit is also not designed to detect errors or fraud that is immaterial to the financial statements.
Here are some examples of irregularities that may well not be detected by an auditing CPA. Forged signatures (or the unauthorized use of a signature stamp) of key officials like check signers, credit approvers, or purchase order approvers. Collusion between a cashier and an accounts receivable clerk. Collusion among several individuals involved in ordering and maintaining inventory records and handling inventories. Theft of items from inventory, or cash from a cash drawer.
These types of irregularities may never be detected or may not be caught until some time after an engagement has been completed. That does not necessarily mean that the CPA performed inadequate audit procedures. Similarly, a material error may not be caught until after the engagement. That also does not necessarily mean the CPA did not follow generally accepted auditing standards.
A company may separately engage an accountant, for an additional fee, to provide services which specifically focus on identifying and addressing weaknesses in internal controls and searching for the existence of fraud. However, these services are not part of an audit engagement.
The second paragraph of the reviewer's standard report states:
A review consists principally of inquiries of company personnel and analytical procedures applied to financial data. It is substantially less in scope than an audit in accordance with generally accepted auditing standards, the objective of which is the expression of an opinion regarding the financial statements taken as a whole. Accordingly, we do not express such an opinion.
The third paragraph states: "Based on our review, we are not aware of any material modifications that should be made to the accompanying financial statements in order for them to be in conformity with generally accepted accounting principles."
In these paragraphs, the reviewing CPA is stating that, based only on the very limited (compared to an audit) procedures performed, he is not aware that the financial statements need to be adjusted materially.
The standards do require him, however, to perform additional procedures if, in the course of conducting his inquiries and analytical procedures, he encounters items or matters which are "incorrect, incomplete or otherwise unsatisfactory." The additional procedures can run the gamut from simply asking some more questions to, given unsatisfactory answers, performing some audit-type procedures.
Typical inquiries follow. What are your procedures for recording, classifying and summarizing information? Was $xxx in the bank? Were the receivables valued properly (take into account bad debts)? Did you own the vehicles? Were all accounts payable recorded? Sometimes the CPA doesn't have to ask questions if he already knows the answer from other experience. But he always has to ask some questions in a review engagement.
Typical analytical procedures follow. Compare this year's sales with last year's and explain the difference. Compare this year's gross profit with last year and explain the difference. Compare this year's interest expense with average outstanding debts to see if it makes sense.
The standards do not require a reviewing CPA to design his review to provide reasonable assurance of detecting material errors, irregularities, and illegal acts. Nor do the standards require the reviewing CPA to design his review to provide any assurance of detecting error or fraud that is immaterial. The only items he is responsible for are those that are discoverable in the ordinary conduct of his review and follow-up. Even so, he would not be responsible if he received satisfactory answers to his follow-up questions.
The second paragraph of the standard report for compilation engagements states:
A compilation is limited to presenting in the form of financial statements information which is the representation of management (owners). We have not audited or reviewed the accompanying financial statements and, accordingly, do not express any form of assurance on them.
Compilation engagements do not require the performance of any procedures. They do require the compiling CPA to read the financial statements to see if they are "appropriate in form and free from obvious material mistakes" in accounting and disclosures. This means that he must sniff the financial statements to see if anything material smells funny. But that's all.
He might find apparent inconsistencies; for example, that the company has large receivables but no allowance for doubtful accounts. He might find that inventories are up substantially but accounts payable are down substantially and there has been no change in bank debt. He might find that the disclosures on long-term debt are insufficient. His course of action is to ask questions about these items and, if necessary, take further steps. Since he has performed no procedures, he has no responsibility for uncovering material errors, irregularities and illegal acts.