Introduction To Attestation Engagements

CCH brings you...
CHAPTER 1: Introduction to Attestation Engagements
From the Attestation Guide, 2009
©2010 CCH. All Rights Reserved.
CHAPTER 1
INTRODUCTION TO ATTESTATION ENGAGEMENTS
CONTENTS
Introduction
Assurance Services
Assurance Services over Historical Financial Statements
Audits
Reviews
Compilations
Assurance Services over Information Other Than Historical Financial Statements
Attestation Engagements
Other Assurance Services
Nonassurance Services
Consulting Services
Exhibit 1-1: Consulting Services Terminology and Standards
Tax Services
Valuation Services
Personal Financial Planning Services
Attestation Engagements
Exhibit 1-2: Attestation Engagement Standards
Objective of Attestation Engagements
Elements of Attestation Engagements
Three-Party Relationship
Subject Matter Information
Suitable Criteria
Level of Assurance
Sufficient Appropriate Evidence
Written Report
Exhibit 1-3: Elements of an Example Attestation Engagement
Distinguishing Attestation Engagements from Other Engagements
Nature of the Subject Matter Information
Primary Beneficiaries of the Service
Ethics and Quality Control Considerations in Attestation Engagements
Ethics Considerations
Quality Control Considerations
INTRODUCTION
Certified public accountants provide a variety of services that can be
categorized, in broad terms, as either (1) assurance services or
(2) nonassurance services. While certain standard-setting bodies
classify CPA services somewhat differently between these two
broad categories, the services provided by CPAs generally can be
classified as follows:
1. Assurance services
   • Over historical financial statements:
     — Audits
     — Reviews
     — Compilations
   • Over other financial and nonfinancial information:
     — Attestation engagements
     — Other assurance services
2. Nonassurance services
   • Consulting services
   • Tax services
   • Valuation services
   • Personal financial planning
OBSERVATION: While the AICPA, PCAOB, and the GAO
define agreed-upon procedures and compilation engagements as an “assurance” service, in its International Framework for Assurance Engagements, the IFAC excludes these
two types of services from its definition of “assurance”
engagements. The IFAC framework defines agreed-upon
procedures engagements and compilations of financial or
other information as “related services” covered by their International Standards for Related Services.
NOTE: For the purposes of this book, agreed-upon procedures engagements and compilation engagements are classified as a form of assurance services.
This guide is narrowly focused on providing the practitioner
with interpretive guidance dealing with attestation engagements,
which for the purposes of this book will be considered a type of
assurance service. This guidance will assist the practitioner in identifying potential attestation engagements, determining the applicable standards for such engagements, and planning, performing,
and reporting on such engagements.
ASSURANCE SERVICES
The AICPA defines “assurance services” as follows:
Assurance services are independent professional services that improve the quality of information, or its context, for decision makers.
The IFAC defines an “assurance engagement” as follows:
Assurance engagement means an engagement in which a
practitioner expresses a conclusion designed to enhance
the degree of confidence of the intended users other than
the responsible party about the outcome of the evaluation
or measurement of a subject matter against criteria.
Using either of these definitions, “assurance services or engagements” can be described as services that enhance the quality, context,
or usefulness of information for the benefit of intended users or decision
makers. These services can involve financial or nonfinancial information. The information may be internal or external to the user and
might involve discrete data or entire systems.
Assurance Services over Historical Financial Statements
The most commonly known assurance services provided by certified
public accountants have been assurance over historical financial
statements in the form of (1) audits, (2) reviews, or (3) compilations.
Audits
Audits of historical financial statements are designed to provide
financial statement users with a high level of assurance over the fair
presentation of the audited financial statements. In an audit, the
practitioner performs tests of financial statement assertions to form
an opinion (positive assurance) on the financial statements taken as
a whole. The objective of an audit is to provide a reasonable basis
for expressing an opinion as to whether the financial statements are
fairly presented in accordance with generally accepted accounting
principles (or an other comprehensive basis of accounting).
Reviews
In a review service over historical financial statements, the practitioner performs inquiries and analytical procedures on the financial
statement data to provide him with a reasonable basis for expressing limited assurance on the financial statements. The objective in a
review is to provide a reasonable basis for stating that there are no
material modifications that should be made to the financial statements in order for them to be in conformity with generally accepted
accounting principles (or an other comprehensive basis of accounting).
Compilations
In a compilation service related to financial statements, the practitioner presents in the form of financial statements information that
is the representation of management, without undertaking to
express any assurance on the financial statements.
OBSERVATION: As previously noted, while the IFAC international standards do not classify compilations as an “assurance service,” the AICPA and PCAOB do consider it an
assurance service. Within the context of the AICPA definition
of an assurance service, compilations are viewed as services
that improve the quality of information, or its context, for
decision makers. Therefore, although compilation reports
express no form of explicit assurance over the financial information compiled, there exists implied improvement in the
quality of management’s information through the practitioner’s correction of any obvious misstatements in the compilation process.
PRACTICE POINTER: In terms of the AICPA professional
standards, compilations of historical financial information are
considered an assurance service subject to their Standards
for Accounting and Review Services (SSARs). However,
compilations of prospective financial statements are considered an assurance service subject to the Statements on
Standards for Attestation Engagements (SSAEs). This is the
only type of compilation considered an attestation engagement subject to attestation standards.
Assurance Services over Information Other than Historical
Financial Statements
While traditionally, assurance services provided by practitioners
have been concentrated on providing audits, reviews, or compilations of historical financial statements, today’s business environment is marked by increased competition and the need for quicker
and better information for decisions. In addition, the complexity of
systems and the anonymity of the Internet present barriers to
growth. Businesses and their customers need independent assurance that the information that decisions are based on is reliable. By
virtue of their training, experience, and reputation for integrity,
professional accountants are the logical choice to provide this assurance. Attestation engagements and other assurance service engagements are designed to meet this dynamic need for assurance.
Attestation Engagements
In a broad sense, an attestation engagement is one in which a practitioner, by virtue of issuing a report, provides some level of assurance on information that is the responsibility of another party. The
term attest and its variants, such as attesting and attestation, are used
in a number of state accountancy laws and in regulations issued by
state boards of accountancy under such laws for different purposes
and with different meanings from those intended by the various
professional standards applicable to attestation engagements. In
fact, the traditional financial statement audit is an attest service in
that a practitioner (auditor), by virtue of issuing a report (audit
opinion), provides reasonable assurance (a high level of positive
assurance) on the subject matter or information (financial statements) that is the responsibility of another party (management) for
the use and benefit of other parties (financial statement users).
However, for practical purposes the “attestation” term has evolved
in the accounting profession to be commonly used to mean an
engagement or service that provides assurance on information other
than historical financial statements.
OBSERVATION: For example, an attestation engagement
would be appropriate to meet requirements contained within
a debt agreement for the debt-issuing entity to obtain an
independent verification of compliance with specific debt
covenant requirements that must be met before new debt
can be incurred. In this example, a practitioner (independent
accountant), by virtue of issuing a report (attestation engagement report), provides assurance (conclusion on compliance) on the subject matter or information (debt covenant
requirements related to new debt issuance) that is the
responsibility of another party (entity management) for the
use and benefit of other parties (current and prospective
investors in the entity’s debt).
An expanded overview of attestation engagements is provided
later in this chapter and such engagements are the subject of the
remaining chapters of this book.
Other Assurance Services
The AICPA Special Committee on Assurance Services was created in
1994 to explore the expansion of assurance services into new areas
beyond the traditional assurance services over historical financial
statements and traditional attest engagements. The AICPA’s movement into developing additional assurance services began with the
1993 Audit/Assurance Conference. The conference had been concerned with the decline in the demand for audits and other attest
services, and the users of assurance services had expressed dissatisfaction with their scope and utility. It analyzed why the audit and
assurance function had come to this juncture and developed a broad
plan for shaping the future of assurance to enhance its value.
The AICPA authorized the Special Committee on Assurance Services to investigate the issues and what could be done to reposition
CPAs for the future. The Committee’s report, The Report of the Special Committee on Assurance Services, was issued in 1997. The report
called for the development of additional services to serve the needs
of clients. The Committee research identified a number of new service opportunities and the AICPA has actively developed the following assurance services:
1. SysTrust Services. As more organizations become dependent on information technology to run their businesses, produce products and services, and communicate with customers and business partners, it is critical that their systems be secure, available when needed, and consistently able to produce accurate information. An unreliable system can trigger a chain of business events that negatively affect a company and its customers, suppliers, and business partners. SysTrust responds to this business need by providing suitable criteria and a process that enables a CPA to provide assurance that a system is, in fact, reliable.
2. WebTrust Services. During a WebTrust engagement, the practitioner “audits” a company’s online business practices to verify compliance matters such as privacy, security, availability, confidentiality, consumer redress for complaints, and business practices. WebTrust provides suitable criteria for practitioners as well as a licensing process that enables CPAs to provide assurance on Web sites.
3. ElderCare Services. The Committee defines ElderCare Services as a service designed to provide assurance to family members that care goals are achieved for elderly family members no longer able to be totally independent. The service relies on the expertise of other professionals, with the CPA serving as the coordinator and assurer of quality of services based on criteria and goals set by the client. The purpose of the service is to provide assurance in a professional, independent, and objective manner to third parties (children, family members, or other concerned parties) that the needs of the elderly person to whom they are attached are being met. ElderCare Services can involve three kinds of services: direct services, assurance services, and consulting services. Direct services entail the more traditional aspects of accounting and financial services. Assurance services involve the measuring and reporting on prescribed goals against stated criteria. Consulting services include planning and evaluation of client needs.
4. Performance View Services. This service enables CPAs to use the skills they have traditionally used to handle the financial portion of a client’s business to address the nonfinancial aspects as well. This service identifies critical success factors that lead to measures that can be tracked over time. These measures are then used to assess progress in achieving specific targets linked to an entity’s vision and performance.
5. Risk Advisory Services. The CPA profession has taken a leading role in the field of risk, and firms increasingly include risk management in the wide range of services they provide to their clients. Risk Advisory Services provide the CPA with:
   a. A common language and framework for understanding and communicating risk management issues; and
   b. A series of practice guides describing tools, techniques, and training that support the risk management process.
The performance of these types of assurance services may or may
not be subject to the attestation standards, depending on how an
engagement is developed and performed. The attestation standards
apply whenever a CPA is engaged to issue or does issue an examination, review, or agreed-upon procedures report on subject matter
(or an assertion about the subject matter) that is the responsibility
of another party. This definition is engagement-oriented and, therefore, the CPA must take care to define the nature of the services to
be provided and whether they are intended to provide assurance.
NONASSURANCE SERVICES
Typically, nonassurance services provided by CPAs can be categorized into one of the following:
• Consulting services
• Tax services
• Valuation services
• Personal financial planning
A common characteristic of these nonassurance services is that
the professional accountant’s services are designed to provide technical skills, education, observations, experiences, and knowledge to
subject matter for the direct use and benefit of the client. The services considered necessary are generally determined by agreement
between the client and the practitioner, and the outcome of the work
is not designed to provide any level of assurance to parties outside
the client or responsible party.
OBSERVATION: For example, an engagement to assist the
client’s management in evaluating the effectiveness of the
design and operation of its internal controls over financial
reporting and to make recommendations for improvements in
those controls, would be considered a “nonassurance consulting service” because the engagement is designed to provide technical skills and knowledge (the practitioner’s
expertise) to subject matter (the design and operation of controls) for the direct use and benefit of the client (management).
Examples of professional services typically provided by practitioners that would not be considered an attestation engagement
include:
• Management consulting engagements whereby the practitioner provides advice or recommendations to a client;
• Engagements to advocate a client’s position (e.g., tax matters being reviewed by the Internal Revenue Service);
• Tax engagements involving the preparation of tax returns or providing tax advice;
• Compilations or reviews of financial statements;
• Engagements in which the practitioner’s role is solely to assist the client (e.g., acting as the company’s accountant in preparing information other than financial statements);
• Engagements to testify as an expert witness in accounting, auditing, taxation, or other matters; and
• Engagements to provide an expert opinion on certain points of principle, such as the application of tax laws or accounting standards, given certain stipulated facts provided by another party as long as the expert opinion does not express a conclusion about the reliability of the facts provided by another party.
Consulting Services
Consulting services possess fundamental differences from the
engagements to provide assurance over assertions or subject matter
of other responsible parties. In an assurance service (including attestation engagements), the practitioner expresses a conclusion about
the subject matter or the reliability of a written assertion that is the
responsibility of another party. In a consulting service, the practitioner develops the findings, conclusions, and recommendations
based on the objectives of the engagement for the direct use and
benefit of the client. The nature and scope of work is determined
solely by the agreement between the practitioner and the client.
Generally, the work is performed only for the use and benefit of the
client rather than outside parties. The practitioner does not attest to
someone else’s assertion but is the one who develops the final presentation.
In a consulting engagement, the practitioner’s role is to assist the client or, on some occasions, to testify as an expert witness in accounting, auditing, taxation, or other matters, given certain stipulated
facts.
OBSERVATION: Attest Services Related to Consulting Service Engagements
When a practitioner provides an attest service as part of a
consulting service engagement, the attestation standards
apply only to the attest service. Statements on Standards for
Consulting Services apply to the balance of the consulting
service engagement. When the practitioner determines that
an attest service is to be provided as part of a consulting service engagement, the practitioner should:
• Inform the client of the relevant differences between the two types of services.
• Obtain the client’s acknowledgment that the attest service is to be performed in accordance with the appropriate professional requirements.
• Issue separate reports on the attest engagement and the consulting service engagement. If the report on the attestation engagement is submitted in the same document with the report on the consulting service engagement, it should be clearly identified and segregated from the consulting service engagement.
In terms of the AICPA professional standards, consulting engagements are performed in accordance with Statements on Standards for
Consulting Services (SSCS), and include consultations, advisory services, implementation services, transaction services, staff and other
support services, and product services. An analytical approach and
process is applied in a consulting service and typically involves some
combination of activities relating to determination of client objectives, fact-finding, definition of the problems or opportunities, evaluation of alternatives, formulation of proposed action, results
communication, implementation, and follow-up. Examples of consulting services include:
1. Consultations, in which the practitioner’s function is to provide counsel in a short time frame, based mostly, if not entirely, on existing personal knowledge about the client, the circumstances, the technical matters involved, client representations, and the mutual intent of the parties. Examples of consultations are reviewing and commenting on a client-prepared business plan and suggesting computer software for further client investigation.
2. Advisory services, in which the practitioner’s function is to develop findings, conclusions, and recommendations for client consideration and decision making. Examples of advisory services are an operational review and improvement study, analysis of an accounting system, assistance with strategic planning, and definition of requirements for an information system.
3. Implementation services, in which the practitioner’s function is to put an action plan into effect. Client personnel and resources may be pooled with the practitioner’s to accomplish the implementation objectives. The practitioner is responsible to the client for the conduct and management of engagement activities. Examples of implementation services are providing computer system installation and support, executing steps to improve productivity, and assisting with the merger of organizations.
4. Transaction services, in which the practitioner’s function is to provide services related to a specific client transaction, generally with a third party. Examples of transaction services are insolvency services, valuation services, preparation of information for obtaining financing, analysis of a potential merger or acquisition, and litigation services.
5. Staff and other support services, in which the practitioner’s function is to provide appropriate staff and possibly other support to perform tasks specified by the client. The staff provided will be directed by the client as circumstances require. Examples of staff and other support services are data processing facilities management, computer programming, bankruptcy trusteeship, and controllership activities.
6. Product services, in which the practitioner’s function is to provide the client with a product and associated professional services in support of the installation, use, or maintenance of the product. Examples of product services are the sale and delivery of packaged training programs, the sale and implementation of computer software, and the sale and installation of systems development methodologies.
Consulting services do not include:
• Any of the services described in the AICPA Statements on Auditing Standards (SAS), Statements on Standards for Accounting and Review Services (SSARS), or Statements on Standards for Attestation Standards (SSAE);
• Engagements specifically to perform tax return preparation, tax planning/advice, tax representation, personal financial planning or bookkeeping services;
• Situations involving the preparation of written reports or the provision of oral advice on the application of accounting principles to specified transactions or events, either completed or proposed, and the reporting thereof; and
• Recommendations and comments prepared during the same engagement as a direct result of observations made while performing the excluded services.
The performance of consulting services for an audit or attest client does not, in and of itself, impair independence of the practitioner. However, members and their firms performing attest
services for a client should comply with applicable independence
standards, rules and regulations issued by AICPA, the state boards
of accountancy, state CPA societies, and other regulatory agencies.
PRACTICE POINTER: Consulting services may be referred
to by different names by the various standard-setting bodies
or organizations. Exhibit 1-1 below provides a summary of
the terminology and professional standards used for consulting services by each standard-setting organization.
EXHIBIT 1-1
CONSULTING SERVICES TERMINOLOGY AND STANDARDS
Organization | Terminology | Applicable Standards
AICPA | Consulting Services | AICPA Statements on Standards for Consulting Services
PCAOB | Consulting Services | PCAOB Statements on Standards for Consulting Services
GAO | Non-Audit Services | No Standards Established
IFAC | Consulting and Advisory Services | No Standards Established
IIA | Consulting Services | IIA Attribute and Performance Standards for Consulting Services
Tax Services
The accounting profession has long been recognized for its services
in the area of taxation. Professional accountants provide a wide
range of tax services, including tax return preparation and compliance, tax planning and research, and technical advice on tax-related
matters.
The AICPA’s Tax Executive Committee has established Statements on Standards for Tax Services (SSTS) that set forth the ethical tax practice standards for practitioners. Practitioners should
fulfill their responsibilities as professionals by instituting and complying with these standards against which their professional performance can be measured. Compliance with professional standards of
tax practice also confirms the public’s awareness of the professionalism that is associated with professional accountants.
The SSTS ethical standards provide for an appropriate range of
behavior that recognizes the need for interpretations to meet a
broad range of personal and professional situations. The SSTSs have
their origin in the Statements on Responsibilities in Tax Practice
(SRTPs), which provided a body of advisory opinions on good tax
practice. Various interested parties including the courts, Internal
Revenue Service, state accountancy boards, and other professional
organizations had recognized and relied on the SRTPs as the appropriate criteria for defining the requirements of professional conduct
in a professional accountant’s tax practice. Therefore, the SRTPs, in
and of themselves, had become de facto enforceable standards of
professional practice, because state disciplinary organizations and
malpractice cases in effect regularly held CPAs accountable for failure to follow the SRTPs when their professional practice conduct
failed to meet the prescribed guidelines of conduct. Now the SSTSs
have become the ethical tax practice standards for practitioners and
have become a part of the AICPA Code of Professional Conduct.
Valuation Services
Over the years, an increasing number of professional accountants
have begun providing professional valuation services to meet a
growing demand for such services. These services include valuations of businesses, business ownership interests, securities, or
intangible assets that could be performed for a wide variety of purposes including the following:
1. Transactions or potential transactions, such as acquisitions, mergers, leveraged buyouts, initial public offerings, employee stock ownership plans and other share-based plans, partner and shareholder buy-ins or buyouts, and stock redemptions.
2. Litigation or pending litigation relating to matters such as marital dissolution, bankruptcy, contractual disputes, owner disputes, dissenting shareholder and minority ownership oppression cases, and employment and intellectual property disputes.
3. Compliance-oriented engagements, including (a) financial reporting and (b) tax matters such as corporate reorganizations; S corporation conversions; income, estate, and gift tax compliance; purchase price allocations; and charitable contributions.
4. Planning-oriented engagements for income tax, estate tax, gift tax, mergers and acquisitions, and personal financial planning.
The AICPA Consulting Services Executive Committee is a body
designated by AICPA Council to promulgate technical standards
and has developed Statement on Valuation Services (SSVS) No. 1,
“Valuation of a Business, Business Ownership Interest, Security, or
Intangible Asset,” to improve the consistency and quality of practice among AICPA members performing business valuations.
AICPA members performing such services are referred to as valuation analysts within the standards and are required to follow the
standard when they perform engagements to estimate value that
culminate in the expression of a conclusion of value or a calculated
value. The term “engagement to estimate value” refers to an
engagement or any part of an engagement (e.g., a tax, litigation, or
acquisition-related engagement) that involves estimating the value
of a subject interest. In the process of estimating value as part of an
engagement, the valuation analyst applies valuation approaches
and valuation methods, as described in this Statement, and uses
professional judgment. The use of professional judgment is an
essential component of estimating value.
There are generally two types of valuation services engagements
as follows:
1. Valuation engagement—A valuation analyst performs a valuation engagement when (1) the engagement calls for the valuation analyst to estimate the value of a subject interest, and (2) the valuation analyst estimates the value and is free to apply the valuation approaches and methods he or she deems appropriate in the circumstances. The valuation analyst expresses the results of the valuation as a conclusion of value; the conclusion may be either a single amount or a range.
2. Calculation engagement—A valuation analyst performs a calculation engagement when (1) the valuation analyst and the client agree on the valuation approaches and methods the valuation analyst will use and the extent of procedures the valuation analyst will perform in the process of calculating the value of a subject interest (these procedures will be more limited than those of a valuation engagement), and (2) the valuation analyst calculates the value in compliance with the agreement. The valuation analyst expresses the results of these procedures as a calculated value. The calculated value is expressed as a range or as a single amount. A calculation engagement does not include all of the procedures required for a valuation engagement.
Personal Financial Planning Services
Personal financial planning engagements are only those that
involve developing strategies and making recommendations to
assist a client in defining and achieving personal financial goals.
Personal financial planning engagements generally involve all of
the following tasks:
1. Defining the engagement objectives;
2. Planning the specific procedures appropriate to the engagement;
3. Developing a basis for recommendations;
4. Communicating recommendations to the client;
5. Identifying the tasks for taking action on planning decisions and making recommendations to assist a client in defining and achieving personal financial goals.
In addition, personal financial planning services could include:
1. Assisting the client to take action on planning decisions.
2. Monitoring the client’s progress in achieving goals.
3. Updating recommendations and helping the client revise planning decisions.
Personal financial planning does not include services that are limited to:
1. Compiling personal financial statements.
2. Projecting future taxes.
3. Tax compliance, including, but not limited to, preparation of tax returns.
4. Tax advice or consultations.
The AICPA has established the Personal Financial Planning Executive Committee to establish engagement responsibilities for professional accountants providing personal financial planning services in
the form of Statements on Responsibilities in Personal Financial Planning Practice (SRPFPs). The SRPFPs are published for the guidance of
AICPA members and do not constitute enforceable standards under
Rule 202 of the AICPA Code of Professional Conduct.
ATTESTATION ENGAGEMENTS
Attestation engagements provide assurance in the form of a report
on financial or nonfinancial information other than historical financial statements, that is the responsibility of another party, for the use
or benefit of third-party users. For the purposes of this book, “attestation engagements” is defined as those engagements covered by
the professional standards identified in Exhibit 1-2 below.
EXHIBIT 1-2
ATTESTATION ENGAGEMENT STANDARDS
Organization | Applicable Attestation Engagement Standards
AICPA | Statements on Attestation Standards (SSAE)
PCAOB | Interim Standards for Attestation Engagements
GAO | Standards for Attestation Engagements (Contained in Government Auditing Standards)
IFAC | International Standards on Assurance Engagements (Section 3000—Assurance Engagements Other Than Audits or Reviews of Historical Financial Information)
IFAC | International Standards on Related Services (Section 4400—Engagements to Perform Agreed-Upon Procedures Regarding Financial Information)
IIA | IIA Attribute and Performance Standards for Assurance Services (other than assurance services over historical financial statements)
Chapter 2, “Overview of Attestation Engagement Standards,”
provides a thorough discussion of these attestation standards of the
various standard-setting bodies or organizations.
Chapter 3, “Accepting, Planning, and Performing an Attestation
Engagement,” and Chapter 4, “Concluding and Reporting on an
Attestation Engagement,” provide general guidance on conducting
and reporting on an attestation engagement.
Attestation engagements for which specific attestation standards
have been developed by the AICPA are addressed in the following
chapters of this book:
• Chapter 5, “Agreed-Upon Procedures Attestation Engagements” (AT 201)—An agreed-upon procedures engagement is
one in which a practitioner is engaged to issue a report of
findings based on specific procedures agreed to by the users
and the practitioner.
• Chapter 6, “Financial Forecasts and Projections Attestation
Engagements” (AT 301)—A forecast presents an entity’s
expected financial position, results of operations, and cash
flows based on the client’s assumptions about conditions that
are expected to exist and the course of action that is
expected to be taken. In contrast, a projection is based on one
or more hypothetical assumptions and, in that sense,
attempts to answer “what if” questions.
• Chapter 7, “Pro Forma Financial Statements Attestation
Engagements” (AT 401)—The objective of pro forma financial
information is to show what the significant effects on historical financial information might have been had a consummated or proposed transaction (or event) occurred at an
earlier date.
• Chapter 8, “Integrated Internal Control Attestation Engagements” (AT 501)—An integrated internal control attestation
engagement involves the examination of the effectiveness of
an entity’s internal control over financial reporting that is
integrated with the audit of the entity’s financial statements.
The engagements involve examination level assurance only.
Engagements to provide limited assurance (review) on internal control are explicitly prohibited by AICPA attestation
standards.
OBSERVATION: Probably the most recognized attestation engagement regarding internal control is the attestation
engagement requirements established through Section 404
of the Sarbanes-Oxley Act (SOX). In accordance with Section 404 of SOX, the Securities and Exchange Commission
(SEC) issued rules requiring that each annual report of a publicly held company contain an internal control report that (1)
states that it is the responsibility of management to establish
and maintain an adequate internal control structure and procedures for financial reporting, and (2) contains an assessment, as of the end of the most recent fiscal year, of the
effectiveness of the internal control structure and procedures of the public company. In addition, Section 404 of SOX
requires the public companies’ external auditors to attest to,
and report on, the internal control assessment made by the
management of the public company in accordance with the
standards for attestation engagements adopted by the
PCAOB. Chapter 2, “Overview of Attestation Engagement
Standards,” discusses the differences between the internal
control attestation engagement requirements of the PCAOB
pursuant to Section 404 of SOX and the AICPA attestation
standards applicable to internal control over financial reporting pursuant to AT 501.
• Chapter 9, “Compliance Attestation Engagements” (AT
601)—Compliance attestation engagements include those
related to either (1) examination of or applying agreed-upon
procedures to an entity’s compliance with requirements of
specified laws, regulations, rules, contracts, or grants, or (2)
agreed-upon procedures pertaining to only the effectiveness
of an entity’s internal control over compliance with specified
requirements (an examination-level service on this subject
would be covered by AT 101).
• Chapter 10, “Management’s Discussion and Analysis Attestation Engagements” (AT 701)—Public companies are required
by the SEC to include a Management’s Discussion and Analysis (MD&A) in their annual reports and other documents. The
provisions of AT 701 are applicable when practitioners are
engaged to report on the MD&A prepared using the rules and
regulations adopted by the SEC.
Objective of Attestation Engagements
The key to understanding the basics of attestation engagements is
to understand the objective and basic elements of such engagements. The objective of an attestation engagement is for the practitioner to enhance the degree of confidence of the intended users, other
than the responsible party, in certain subject matter information (financial or nonfinancial information other than historical financial statements) by gathering sufficient appropriate evidence on the subject
matter information, evaluating or measuring the subject matter evidence against suitable criteria and providing some level of assurance
in the form of a written report on the subject matter information.
OBSERVATION: Attestation engagements are constructively similar to assurance engagements over historical financial statements. Consider the following examples:
Assurance Engagement over Historical Financial Statements
In the case of an audit of historical financial statements, a
professional accountant (the practitioner) enhances the
degree of confidence of the intended users (the financial
statement users), other than the responsible party (management of the auditee), in the financial statements (the subject
matter information) by gathering audit evidence (sufficient
appropriate evidence), evaluating the audit evidence against
applicable generally accepted accounting principles (suitable criteria) and providing an opinion (positive or reasonable
assurance) in the form of an independent auditor’s report
(written report).
Attestation Engagement over Internal Control Effectiveness
In the case of an attestation engagement over the effectiveness of an entity’s internal control over financial reporting, a
professional accountant (the practitioner) enhances the
degree of confidence of the intended users (the control
report users), other than the responsible party (management
of the entity), in the design and operation of internal controls
over financial reporting (the subject matter information) by
gathering evidence of control design and operation (sufficient appropriate evidence), evaluating the evidence against
an appropriate internal control framework such as the Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (the suitable
criteria) and providing an examination-level conclusion (positive or reasonable assurance) in the form of an independent
accountant’s report on internal control (written report).
While assurance engagements over historical financial statements and attestation engagements over financial and nonfinancial
information are constructively similar, they are differentiated by the
subject matter (historical financial statements versus other financial
information and nonfinancial information) and by differing professional standards (audit, accounting and review standards versus
attestation standards).
Elements of Attestation Engagements
All attestation engagements possess certain basic elements that
must be present for the engagement to meet professional standards.
These elements include:
• Three-Party Relationship
• Subject Matter Information
• Suitable Criteria
• Level of Assurance
• Sufficient Appropriate Evidence
• Written Report
The information provided below is an introductory overview of
the elements of an attestation engagement. For more specific guidance on planning, performing, and reporting on examination-level
and review level attestation engagements, see Chapter 3, “Accepting,
Planning, and Performing an Attestation Engagement,” and Chapter 4, “Concluding and Reporting on an Attestation Engagement.”
Three-Party Relationship
Attestation engagements, like other assurance engagements,
involve three separate parties:
1. Responsible party: The responsible party is the person(s)
responsible for the subject matter in a direct reporting
engagement or assertion over the subject matter of the
engagement in an assertion-based engagement. For example,
management of an entity that is responsible for the design
and operation of the internal control processes (subject matter information) is considered the responsible party in an
attestation engagement over the effectiveness of internal controls.
2. Intended users: The intended users are persons or parties for
whom the practitioner is providing the attestation engagement report. The responsible party can be one of the intended
users of the report but not the only user. If they were the only
user, the engagement would only involve a two-party relationship. An example of an intended user that is not the
responsible party is a trustee financial institution that is a
user of a compliance attestation engagement report related to
an entity’s compliance with specified debt covenants.
3. Practitioner: The practitioner is the professional accountant
possessing the necessary skills and knowledge of the subject
matter and criteria to perform an attestation engagement and
provide the desired level of assurance over the subject matter information for the benefit of the intended users.
OBSERVATION: The responsible party and intended users
may be from different entities or within the same entity. For
example, in the intended users’ example above, management of the debt-issuing entity is the responsible party, while
one of the intended users was a trustee financial institution
representing debt holders (different entity from the responsible party). However, in another example, an entity’s board
(the intended users) may engage a practitioner to perform an
attestation engagement over subject matter information that
is the immediate responsibility of the entity’s management
(the responsible party) although the board has ultimate
responsibility.
Subject Matter Information
“Subject matter information” is the financial or nonfinancial information for which the practitioner gathers sufficient appropriate evidence to be evaluated or measured against suitable criteria as a
reasonable basis for expressing a conclusion or reporting findings in
the attestation engagement report. Attestation engagement subject
matter information can take many forms, including:
• Financial events, performance or condition information, such as
specific transactions or events, account balances, or financial
position or results;
• Nonfinancial performance or condition information, such as entity
performance in terms of effectiveness, efficiency, or program
results;
• System and process information, such as an entity’s internal controls or information technology systems;
• Behavioral information, such as compliance with laws, regulations or contract provisions; and
• Physical characteristics information, such as facility capacity or
commodity supply information.
To be capable of evaluation or measurement in an attestation
engagement, subject matter information should be both:
• Identifiable and capable of consistent evaluation or measurement against suitable criteria; and
• Capable of being reasonably subjected to procedures for gathering sufficient appropriate evidence to provide the desired level of
assurance.
OBSERVATION: A potential engagement to provide reasonable assurance over an assertion by management of a
company that its product lasts longer than any other similar
or competitive product on the market may not be capable of
consistent evaluation or measurement against suitable criteria or be reasonably subjected to procedures for gathering
sufficient appropriate evidence to support a reasonable
assurance conclusion. Therefore, the assertion about the
subject matter information may not be appropriate for an
attestation engagement.
Attestation engagements can be classified based on how the subject matter information is initially evaluated or measured against
suitable criteria in one of two ways:
1. Assertion-Based Attestation Engagements: In assertion-based
engagements, the evaluation or measurement of the subject
matter information is initially performed by the responsible
party, and the subject matter information is in the form of an
assertion by the responsible party. For example, the management of an entity (the responsible party) has evaluated its
compliance with the provisions of debt covenants prescribed
by a long-term debt agreement and asserts that it has complied, in all material respects, with such requirements.
2. Direct-Reporting Attestation Engagements: In direct-reporting
engagements, the practitioner directly performs the evaluation or measurement of the subject matter information without any assertion by the responsible party, or obtains
representation from the responsible party that it has performed the evaluation or measurement but the information is
not available to the intended users. For example, when management of an entity (the responsible party) has not evaluated its compliance with the provisions of debt covenants
prescribed by a long-term debt agreement and therefore
makes no assertion as to compliance, the practitioner may
directly evaluate and measure compliance and report the
results to the intended users.
Subject matter information can often fail to be properly expressed
in accordance with the applicable provisions of the criteria, and
therefore may be materially misstated or misrepresented. For
example, an entity’s assertion that its internal control over financial
reporting meets the criteria established by COSO may not be fairly
stated, in all material respects, and the attestation engagement
report would communicate the assertion misrepresentation.
Suitable Criteria
Attestation engagement criteria serve as the benchmarks used in the
evaluation or measurement of the subject matter information. Criteria can be in the form of formal requirements or guidelines, such
as generally accepted accounting principles as promulgated by a
standard-setting body or organization or compliance requirements
contained in laws, regulations, or contracts, or more informal, such
as an internally-developed performance budget or code of conduct.
Suitable criteria must be available for there to be a sufficient and
generally accepted frame of reference for the evaluation or measurement of the subject matter information. Without an acceptable frame
of reference, the practitioner’s conclusions could be more open to
individual interpretation and misunderstanding among interested
parties to the engagement.
OBSERVATION: Suitable criteria must be considered within
the context of the attestation engagement circumstances.
The same subject matter information could be evaluated or
measured against different criteria. For example, in an
internet-based marketing effort performance measurement
attestation engagement, one responsible party might select
the number of web site hits as suitable criteria, while another
responsible party might select the actual amount of internet-generated sales as the most suitable criteria. As long as the
criteria possess the characteristics noted below, the criteria
for evaluating similar subject matter information can differ in
relation to specific engagement circumstances.
The IFAC Framework for Assurance Engagements indicates that
suitable criteria should possess the following characteristics:
• Relevance—should actually contribute to conclusions that are
of benefit to the intended users;
• Completeness—should not omit relevant factors that could
affect the practitioner’s conclusions;
• Reliability—should allow for reasonably consistent evaluation
or measurement in similar circumstances by different practitioners;
• Neutrality—should contribute to practitioner conclusions that
are free from bias; and
• Understandability—should contribute to practitioner conclusions that are clear, comprehensive, and not subject to significantly different interpretations.
In addition, suitable criteria should be “available” to the
intended users of the attestation engagement report in an effort to
allow the users to understand how the subject matter information
has been evaluated or measured. Criteria can be made available
through public access (such as GAAP Codifications and the COSO
framework), inclusion in a clear manner in the presentation of the
subject matter information (benchmark measurements included in
the body of a performance report), inclusion in a clear manner in the
attestation engagement report (repeating a statutory reference and
wording in the body of the practitioner’s report on compliance
attestation), or by general understanding (measurements of weight
or time).
Level of Assurance
“Level of assurance” is a result of the extent of work performed over
the subject matter information and the extent of the conclusions that
can be reached based on the results of the work. Although the attestation standards vary depending on the nature of the subject matter
information, in general, the standards provide three different levels
of assurance:
1. High Level of Assurance (examination level): An examination
level attestation engagement is analogous to a financial statement audit. When engaged to perform an examination-level
attestation engagement, the practitioner’s objective is to
reduce assurance risk to an acceptably low level as a basis to
express an opinion (a high level of assurance) as to whether
the subject matter or assertion about the subject matter is in
conformity with given criteria. In other words, the practitioner provides a positive or reasonable assurance conclusion in an
examination.
2. Moderate Level of Assurance (review level): A review level
attestation engagement is analogous to a review of historical
financial statements. When engaged to perform a review-level attestation engagement, the practitioner’s objective is to
reduce assurance risk to a level that is acceptable in the circumstance of the engagement, but a higher acceptable risk
than reasonable assurance (a moderate level of assurance). In
the report, the accountant states a conclusion about whether
any information came to his or her attention to indicate that
the subject matter or assertion about the subject matter is not
in conformity with given criteria. This conclusion is referred
to as negative, limited, or moderate assurance.
3. No Assurance (agreed-upon procedures or compilation level):
Although agreed-upon procedures and compilation engagement services are defined as “no assurance” level engagements, some level of user benefit is obtained by having the
professional accountant perform certain procedures over the
subject matter.
a. Agreed-Upon Procedures: In an agreed-upon procedures
engagement, the practitioner issues a report of findings
based on specific procedures performed on the subject
matter. In an agreed-upon procedures engagement, the
practitioner’s report is limited to reporting the findings
of the procedures performed without drawing any
conclusion.
b. Compilation: A compilation involves the practitioner
using accounting expertise to collect, classify and summarize financial information. Compilations of historic
financial statements are the most common compilations
and are addressed by other professional standards. In
terms of attestation engagements, compilations are limited to compilations of prospective information that is
defined in AICPA attestation standards as a professional
service that involves assembling the prospective financial statements based on the responsible party’s assumptions, performing the required compilation procedures,
and issuing a compilation report. Compilation of prospective financial statements is the only type of compilation covered by the AICPA attestation standards.
OBSERVATION: While the AICPA, PCAOB, and the GAO
identify three levels of assurance by defining agreed-upon
procedure and compilation engagements as an “assurance”
service, in its International Framework for Assurance
Engagements, the IFAC excludes these two types of services from its definition of “assurance” engagements. As a
result, the IFAC framework recognizes only two types of
assurance for attestation engagements: (1) reasonable
assurance engagements and (2) limited assurance engagements.
The level of assurance to be provided in an attestation engagement is a matter that involves certain considerations between the
practitioner and the party engaging the practitioner. These considerations include:
• Type of Subject Matter of the Engagement: Various professional
standards, as discussed in Chapter 2, provide certain limitations on the level of assurance that may be provided over certain subject matter in an attestation engagement. For
example, the AICPA attestation standards provide for only an
examination-level assurance (high level of assurance) attestation engagement over internal control over financial reporting and prohibit a review-level (moderate level of assurance)
engagement over prospective financial statements.
• Quality of the Subject Matter Information: For high level of
assurance or moderate level of assurance conclusions to be
expressed, sufficient appropriate evidence must exist to provide the practitioner a reasonable basis for expressing a conclusion in the attestation engagement report. If it is likely that
such evidence will not be available, an agreed-upon procedures attestation engagement (no assurance) may be more
appropriate.
• Level of Confidence Desired: The needs of the intended users of
the attestation engagement report as to the desired level of
confidence in the subject matter or assertion over the subject
matter should be considered when determining the type of
attestation engagement to perform. For example, the higher
the level of confidence needed by the intended users of the
report, the more consideration should be given to performing an examination level attestation engagement.
Sufficient Appropriate Evidence
In an attestation engagement, the practitioner must apply professional skepticism to obtain sufficient appropriate evidence about
whether the subject matter information is fairly presented. In doing
so, the practitioner should consider issues of materiality, attestation
engagement risk, and the sufficiency and appropriateness of evidence.
Sufficiency involves considerations of the quantity of evidence, while
appropriateness considers the quality of the evidence in terms of relevance and reliability.
The quantity and quality of evidence are dependent upon the level
of assurance required and the risk of the subject matter information
being materially misstated or misrepresented. For example, the
higher the level of assurance required and the higher the risk of misstatement or misrepresentation, the higher the quantity and/or
quality of evidence that is required.
OBSERVATION: Sufficiency (quantity) and appropriateness
(quality) of attestation engagement evidence are interrelated
in that lower quantity of higher quality evidence may be
sufficient to manage engagement risk, while lower quality of
evidence may require more quantity to manage the risk.
Materiality consideration in an attestation engagement involves
the practitioner understanding and assessing the factors that might
influence the decisions of the intended users of the engagement
report. Both quantitative and qualitative factors should be considered when assessing the needs of the intended users. For example,
a finding of noncompliance in a debt covenant compliance attestation engagement may have resulted from a quantitatively immaterial amount of transactions, but the fact that the covenant has not
been met may result in potential debt default conditions that are
considered qualitatively material to the intended users.
Attestation engagement risk is the risk that the practitioner
expresses an inappropriate conclusion or reports inaccurate findings when the subject matter information contains material misstatements or misrepresentations. The higher the level of assurance
(i.e., reasonable assurance in an examination engagement) that is
required in the engagement, the more the practitioner must obtain
sufficient appropriate evidence through the nature, timing, and
extent of engagement procedures.
The topics of materiality and attestation engagement risk are discussed in more detail in Chapter 3, “Accepting, Planning, and Performing an Attestation Engagement.”
Written Report
In an attestation engagement, the practitioner provides a written
report containing a conclusion or some form of assurance obtained
over the subject matter information or related assertion in relation
to the suitable criteria; or, in the case of an agreed-upon procedures
engagement, reports the findings resulting from the procedures performed.
Reporting on attestation engagements varies depending on
whether the engagement is an assertion-based or direct-reporting
engagement and on the level of assurance provided as defined
above.
• Assertion-based attestation engagements—In the report on an
examination level engagement, the practitioner may express
a conclusion either in terms of:
— The responsible party’s assertion (“in our opinion, the
responsible party’s assertion that the entity has complied
with the requirements of state law section XYZ is fairly
stated, in all material respects”); or
— The subject matter and criteria directly (“in our opinion,
the responsible party complied, in all material respects, with
the requirements of state law section XYZ”).
• Direct-reporting engagements—The report expresses a conclusion only on the subject matter and criteria directly (“in our
opinion, the responsible party complied, in all material
respects, with the requirements of state law section XYZ”).
There is no responsible party assertion to report on.
In terms of level of assurance, the wording of the practitioner’s attestation engagement report will vary depending on whether the
engagement was designed to provide a high level of assurance, a
moderate level of assurance, or no assurance.
• High level of assurance—The practitioner’s conclusion is
expressed in a positive opinion (“in our opinion, the responsible party complied, in all material respects, with the requirements of state law section XYZ”);
• Moderate level of assurance—The practitioner’s conclusion is
expressed in a negative form (“based on our work, nothing
came to our attention that causes us to believe the responsible
party did not comply, in all material respects, with the
requirements of state law section XYZ”);
• No assurance—The practitioner provides no conclusion or
form of assurance on the subject matter information or the
responsible party’s assertion as to the subject matter information. Most commonly applicable to agreed-upon procedures
engagements, the report is limited to describing the procedures performed, their purpose, and the factual findings
identified as a result of the procedures performed. The
intended users are to assess for themselves the procedures
and findings and draw their own conclusions.
OBSERVATION: Similar to reports on audits of historical
financial statements, the practitioner should not express
an unqualified opinion or positive assurance conclusion
(high level of assurance) when certain circumstances exist,
including:
• There is a material limitation on the scope of the practitioner’s work (which would result in a qualified conclusion or disclaimer depending on the materiality and
pervasiveness of the scope limitation).
• In an assertion-based engagement, the responsible
party’s assertion is not fairly stated in all material
respects (which would result in a qualified or adverse
conclusion depending on the materiality and pervasiveness of the departure from the criteria).
• In a direct-reporting engagement, the subject matter
information is materially misstated or misrepresented,
or does not conform to the criteria (which would result
in a qualified or adverse conclusion depending on the
materiality and pervasiveness of the departure from
the criteria).
Exhibit 1-3 provides an illustration of the required elements of an
example attestation engagement. The example assumes that the
practitioner has been engaged to provide reasonable assurance over
the assertion of management of a government entity that it has complied with a contractual grant agreement to train and graduate a
specified number of disadvantaged citizens in specific jobs for the
benefit of the granting agency as the intended users of the report.
EXHIBIT 1-3
ELEMENTS OF AN EXAMPLE
ATTESTATION ENGAGEMENT
Element | Description
Three-Party Relationship | Responsible Party: Management of the Grantee Government; Intended Users: The Grantor Agency and Management and the Board of the Grantee Government; Attestor: The Practitioner
Subject Matter Information | Assertion-based engagement: the subject matter information is the assertion by management of the grantee government that they have met the compliance requirement in the contractual agreement in regards to training and graduating the specific number of disadvantaged citizens.
Suitable Criteria | The specific provision of the contractual agreement that specifies the number of trainees and graduates, what constitutes training and graduation, and defines the criteria for an individual to be classified a disadvantaged citizen.
Level of Assurance | Examination-level (high-level of assurance) that will result in the expression of a positive conclusion as to compliance.
Sufficient Appropriate Evidence | The engagement evidence will need to be of high enough quantity and quality to support the expression of a positive opinion or conclusion and acceptable to reduce the risk of an inappropriate conclusion on compliance to an acceptably low level.
Written Report | Assertion-based engagement expressing reasonable assurance: the practitioner will report in the form of a positive conclusion as to the fair statement of management’s assertion (e.g., “in our opinion, management’s assertion that grantee government complied with the section XYZ of the contract between the government and grantee agency during the [period] ended [date] is fairly stated, in all material respects”).
Distinguishing Attestation Engagements from Other Engagements
Quite often, a practitioner will be faced with responding to a request
from a client or potential client for a type of service that may not be
limited to a specific set of professional standards. Frequently, a practitioner will face a dilemma in choosing between performing an
engagement under the attestation standards and another set of professional standards, such as the audit, accounting or review services, or consulting standards. Generally, the key factors to consider
when deciding the most appropriate type of engagement are:
• The nature of the subject matter information; and
• The primary beneficiaries of the service.
Nature of the Subject Matter Information
When the practitioner is asked to deliver services related to providing some level of assurance over subject matter information other
than historical financial statements, then the service is a candidate
for an attestation engagement. Audits, reviews, and compilations of
historical financial statements are governed by specific standards
related to those types of services and are not considered attestation
engagements as defined in this book. Attestation engagements are
best suited for engagements where assurance is needed over subject
matter information that involves elements of financial statements
less than complete statements (such as accounts payable or inventory balances) or nonfinancial information (such as performance
statistics, compliance requirements, or internal control systems or
processes).
Primary Beneficiaries of the Service
When the direct primary beneficiary and intended user of the
desired service is limited to the client or responsible party, rather
than other third-party beneficiaries, then the service is not a candidate for an attestation engagement. In attestation engagements, the
primary beneficiaries of the assurance service are not limited to the
client or party responsible for the subject matter information. The
intended users of an attestation engagement report must include
parties other than the responsible party.
If the requested service primarily involves evaluating information in an effort to provide advice or recommendations to the client
or responsible party rather than reporting on the results of the work
for the benefit of third parties, then the required service is likely
more appropriately performed as a consulting service and not an
attestation engagement.
OBSERVATION: One of the most common dilemmas
encountered by practitioners in determining the type of
engagement to perform to meet the needs of unique or nontraditional service requests is the determination of whether a
potential engagement is best performed as an attestation
engagement or consulting service. One of the key considerations in responding to this dilemma is the determination of
the number of parties to the engagement or direct beneficiaries of the service.
In a consulting engagement (such as evaluating system
processes and providing recommendations for the benefit of
management for the improvement of those processes), the
parties are generally limited to two: (1) the practitioner providing the advice, and (2) the party seeking and receiving the
advice—the engagement client.
In an attestation engagement (e.g., one that provides a
reasonable assurance conclusion on an entity’s compliance
with debt covenants in order to issue new debt), the parties
generally include three groups: (1) the party responsible for
the subject matter—the debt-issuing entity’s management,
(2) the intended users of the report—debt holders and potential investors in the new debt, and (3) the practitioner providing the assurance.
Ethics and Quality Control Considerations in Attestation Engagements
In addition to the professional standards applicable to the performance of attestation engagements, practitioners providing attest
services are also subject to ethics and quality control considerations
and standards that are applicable to their other assurance engagements. For example, in its International Framework for Assurance
Engagements, the IFAC states that practitioners who perform assurance engagements (including all attest services) are also governed
by the IFAC Code of Ethics for Professional Accountants, and International Standards on Quality Control.
Ethics Considerations
The IFAC Code of Ethics establishes fundamental ethics principles
that deal with integrity, objectivity, professional competence and
due care, confidentiality, and professional behavior. An essential
component of ethics in the conduct of attestation engagements is the
principle of independence. A practitioner who performs an attest
service must be independent of the party responsible for the subject
matter of the attest engagement. The IFAC Code of Ethics provides
a conceptual framework approach to independence that considers
threats to independence and safeguards to address those threats.
In addition to the IFAC Code of Ethics, the AICPA Code of Professional Conduct (the AICPA Code) provides guidance for the CPA
to conduct his professional practice, including the conduct of attestation engagements. A member CPA must observe all of the rules
and interpretations in the AICPA Code. The AICPA Code consists of
two sections: (1) the Principles and (2) the Rules. The Principles provide the framework for the Rules, which govern the performance of
professional services by CPAs. The Council of the AICPA is authorized to designate bodies to promulgate technical standards under
the Rules. A member who performs auditing, review, compilation,
management consulting, tax, or other professional services, including attestation engagements, shall comply with standards promulgated by bodies designated by Council. The AICPA Council has
designated the Accounting and Review Services Committee
(ARSC), the Auditing Standards Board (ASB), and the Consulting
Services Executive Committee (CSEC), jointly, to establish professional standards for attestation engagements.
Rule 201 of the AICPA Code is concerned with general standards, including guidance on organizational structure that the CPA
must observe in the performance of all professional services, including attestation engagements. These general standards deal with the
following:
• Professional Competence. Undertake only those professional
services that the member or the member’s firm can reasonably expect to be completed with professional competence.
• Due Professional Care. Exercise due professional care in the
performance of professional services.
• Planning and Supervision. Adequately plan and supervise the
performance of professional services.
• Sufficient Relevant Data. Obtain sufficient relevant data to
afford a reasonable basis for conclusions or recommendations
in relation to any professional services performed.
Rule 202 of the AICPA Code addresses compliance with standards that the CPA must observe in the performance of all professional services, including attestation engagements. Statements on
Standards for Attestation Engagements (SSAE) and SSAE Interpretations have been issued under the authority established by Rule
202. Practitioners should have sufficient knowledge of the SSAEs to
identify those that are applicable to their attestation engagements, and
they should be prepared to justify departures from the SSAEs and
related interpretations.
AICPA Ethics Rulings consist of formal rulings made by the
AICPA’s professional ethics division’s executive committee after
exposure to state societies, state boards, practice units, and other
interested parties. Ethics Rulings summarize the application of
Rules of Conduct and Interpretations to particular sets of factual circumstances. CPAs who depart from such ethics rulings in similar
circumstances will be requested to justify such departures.
In addition to the IFAC and AICPA, the PCAOB and GAO have
also established ethics and general standards that should be followed in attestation engagements conducted in accordance with the
standards established by those standard-setting bodies.
PRACTICE POINTER: The IFAC Code of Ethics, the AICPA
Professional Code of Conduct and the ethics and general
standards of the PCAOB and GAO are discussed in detail in
the CCH publication The CPA’s Multi-State Guide to Ethics
and Professional Conduct. This Guide provides a discussion
of the ethics principles and practical approaches to ethical
dilemmas, including those related to independence.
Quality Control Considerations
In addition to the IFAC International Standards on Quality Control,
the AICPA has issued Statement on Quality Control Standards
(SQCS) No. 7 to establish standards and provide guidance for a
practitioner’s firm in meeting its responsibilities for a system of
quality control for its accounting and auditing practice. SQCS-7
defines an accounting and auditing practice as engagements including audit, attestation, compilation, review and any other services for
which standards have been established by the AICPA Auditing
Standards Board or the AICPA Accounting and Review Services
Committee under Rules 201 or 202 of the AICPA Code of Professional Conduct.
SQCS-7 describes elements of quality control and other matters
essential to the effective design, implementation, and maintenance
of the quality control system. SQCS-7 indicates the practitioner’s
system of quality control should include policies and procedures
addressing each of the following elements:
1. Leadership responsibilities for quality within the firm (the
“tone at the top”);
2. Relevant ethical requirements;
3. Acceptance and continuance of client relationships and specific engagements;
4. Human resources;
5. Engagement performance; and
6. Monitoring.
The nature of the policies and procedures developed by practitioners to comply with these quality control standards will depend
on various factors such as the size and operating characteristics of
the firm. The system of quality control should be designed to provide the firm with reasonable assurance that the segments of the
practitioner’s engagements are performed in accordance with professional standards when such standards are applicable.