CCH brings you... CHAPTER 1: Introduction to Attestation Engagements From the Attestation Guide, 2009 Visit CCHGroup.com/AASolutions for an overview of our complete set of Accounting and Auditing solutions. To learn more about this book, or to make a purchase, visit CCHGroup.com Vist CCHGroup.com/Books to browse the CCH online bookstore. ©2010 CCH. All Rights Reserved. CHAPTER 1 INTRODUCTION TO ATTESTATION ENGAGEMENTS CONTENTS Introduction Assurance Services 1.02 1.03 Assurance Services over Historical Financial Statements Audits Reviews Compilations Assurance Services over Information Other Than Historical Financial Statements Attestation Engagements Other Assurance Services Nonassurance Services 1.03 1.04 1.04 1.04 1.05 1.05 1.06 1.08 Consulting Services Exhibit 1-1: Consulting Services Terminology and Standards 1.12 Tax Services Valuation Services 1.13 1.14 Personal Financial Planning Services Attestation Engagements Exhibit 1-2: Attestation Engagement Standards Objective of Attestation Engagements Elements of Attestation Engagements 1.09 1.15 1.16 1.17 1.19 1.20 Three-Party Relationship Subject Matter Information Suitable Criteria Level of Assurance 1.21 1.22 1.23 1.25 Sufficient Appropriate Evidence Written Report Exhibit 1-3: Elements of an Example Attestation Engagement 1.27 1.28 1.01 1.30 1.02 Introduction to Attestation Engagements Distinguishing Attestation Engagements from Other Engagements Nature of the Subject Matter Information Primary Beneficiaries of the Service Ethics and Quality Control Considerations in Attestation Engagements Ethics Considerations Quality Control Considerations 1.31 1.31 1.32 1.33 1.33 1.35 INTRODUCTION Certified public accountants provide a variety of services that can be categorized, in broad terms, as either (1) assurance services or (2) nonassurance services. While certain standard-setting bodies classify CPA services somewhat differently between these two broad categories, the services provided by CPAs generally can be classified as follows: 1. Assurance services • Over historical financial statements: — Audits — Reviews — Compilations • 2. Over other financial and nonfinancial information: — Attestation engagements — Other assurance services Nonassurance services • Consulting services • Tax services • Valuation services • Personal financial planning OBSERVATION: While the AICPA, PCAOB, and the GAO define agreed-upon procedures and compilation engagements as an “assurance” service, in its International Framework for Assurance Engagements, the IFAC excludes these two types of services from its definition of “assurance” engagements. The IFAC framework defines agreed-upon procedures engagements and compilations of financial or Introduction to Attestation Engagements 1.03 other information as “related services” covered by their International Standards for Related Services. NOTE: For the purposes of this book, agreed-upon procedures engagements and compilation engagements are classified as a form of assurance services. This guide is narrowly focused on providing the practitioner with interpretive guidance dealing with attestation engagements, which for the purposes of this book will be considered a type of assurance service. This guidance will assist the practitioner in identifying potential attestation engagements, determining the applicable standards for such engagements, and planning, performing, and reporting on such engagements. ASSURANCE SERVICES The AICPA defines “assurance services” as follows: Assurance services are independent professional services that improve the quality of information, or its context, for decision makers. The IFAC defines an “assurance engagement” as follows: Assurance engagement means an engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria. Using either of these definitions, “assurance services or engagements” can be described as services that enhance the quality, context, or usefulness of information for the benefit of intended users or decision makers. These services can involve financial or nonfinancial information. The information may be internal or external to the user and might involve discrete data or entire systems. Assurance Services over Historical Financial Statements The most commonly known assurance services provided by certified public accountants have been assurance over historical financial statements in the form of (1) audits, (2) reviews, or (3) compilations. 1.04 Introduction to Attestation Engagements Audits Audits of historical financial statements are designed to provide financial statement users with a high-level of assurance over the fair presentation of the audited financial statements. In an audit, the practitioner performs tests of financial statement assertions to form an opinion (positive assurance) on the financial statements taken as a whole. The objective of an audit is to provide a reasonable basis for expressing an opinion as to whether the financial statements are fairly presented in accordance with generally accepted accounting principles (or an other comprehensive basis of accounting). Reviews In a review service over historical financial statements, the practitioner performs inquiries and analytical procedures on the financial statement data to provide him with a reasonable basis for expressing limited assurance on the financial statements. The objective in a review is to provide a reasonable basis for stating that there are no material modifications that should be made to the financial statements in order for them to be in conformity with generally accepted accountingprinciples(oranothercomprehensivebasisofaccounting). Compilations In a compilation service related to financial statements, the practitioner presents in the form of financial statements information that is the representation of management, without undertaking to express any assurance on the financial statements. OBSERVATION: As previously noted, while the IFAC international standards do not classify compilations as an “assurance service,” the AICPA and PCAOB do consider it an assurance service. Within the context of the AICPA definition of an assurance service, compilations are viewed as services that improve the quality of information, or its context, for decision makers. Therefore, although compilations reports express no form of explicit assurance over the financial information compiled, there exists implied improvement in the quality of management’s information through the practitioner’s correction of any obvious misstatements in the compilation process. Introduction to Attestation Engagements 1.05 PRACTICE POINTER: In terms of the AICPA professional standards, compilations of historical financial information are considered an assurance service subject to their Standards for Accounting and Review Services (SSARs). However, compilations of prospective financial statements are considered an assurance service subject to the Statements on Standards for Attestation Engagements (SSAEs). This is the only type of compilation considered an attestation engagement subject to attestation standards. Assurance Services over Information Other than Historical Financial Statements While traditionally, assurance services provided by practitioners have been concentrated on providing audits, reviews, or compilations of historical financial statements, today’s business environment is marked by increased competition and the need for quicker and better information for decisions. In addition, the complexity of systems and the anonymity of the Internet present barriers to growth. Businesses and their customers need independent assurance that the information that decisions are based on is reliable. By virtue of their training, experience, and reputation for integrity, professional accountants are the logical choice to provide this assurance. Attestation engagements and other assurances service engagements are designed to meet this dynamic need for assurance. Attestation Engagements In a broad sense, an attestation engagement is one in which a practitioner, by virtue of issuing a report, provides some level of assurance on information that is the responsibility of another party. The term attest and its variants, such as attesting and attestation, are used in a number of state accountancy laws and in regulations issued by state boards of accountancy under such laws for different purposes and with different meanings from those intended by the various professional standards applicable to attestation engagements. In fact, the traditional financial statement audit is an attest service in that a practitioner (auditor), by virtue of issuing a report (audit opinion), provides reasonable assurance (a high-level of positive assurance) on the subject matter or information (financial statements) that is the responsibility of another party (management) for the use and benefit of other parties (financial statement users). However, for practical purposes the “attestation” term has evolved in the accounting profession to be commonly used to mean an 1.06 Introduction to Attestation Engagements engagement or service that provides assurance on information other than historical financial statements. OBSERVATION: For example, an attestation engagement would be appropriate to meet requirements contained within a debt agreement for the debt-issuing entity to obtain an independent verification of compliance with specific debt covenant requirements that must be met before new debt can be incurred. In this example, a practitioner (independent accountant), by virtue of issuing a report (attestation engagement report), provides assurance (conclusion on compliance) on the subject matter or information (debt covenant requirements related to new debt issuance) that is the responsibility of another party (entity management) for the use and benefit of other parties (current and prospective investors in the entity’s debt). An expanded overview of attestation engagements is provided later in this chapter and such engagements are the subject of the remaining chapters of this book. Other Assurance Services The AICPA Special Committee on Assurance Services was created in 1994 to explore the expansion of assurance services into new areas beyond the traditional assurances services over historical financial statements and traditional attest engagements. The AICPA’s movement into developing additional assurance services began with the 1993 Audit/Assurance Conference. The conference had been concerned with the decline in the demand for audits and other attest services, and the users of assurance services had expressed dissatisfaction with their scope and utility. It analyzed why the audit and assurance function had come to this juncture and developed a broad plan for shaping the future of assurance to enhance its value. The AICPA authorized the Special Committee on Assurance Services to investigate the issues and what could be done to reposition CPAs for the future. The Committee’s report, The Report of the Special Committee on Assurance Services, was issued in 1997. The report called for the development of additional services to serve the needs of clients. The Committee research identified a number of new service opportunities and the AICPA has actively developed the following assurance services: 1. SysTrust Services As more organizations become dependent on information technology to run their businesses, produce Introduction to Attestation Engagements 1.07 products and services, and communicate with customers and business partners, it is critical that their systems be secure, available when needed, and consistently able to produce accurate information. An unreliable system can trigger a chain of business events that negatively affect a company and its customers, suppliers, and business partners. SysTrust responds to this business need by providing suitable criteria and a process that enables a CPA to provide assurance that a system is, in fact, reliable. 2. 3. 4. 5. WebTrust Services During a WebTrust engagement, the practitioner “audits” a company’s online business practices to verify compliance matters such as privacy, security, availability, confidentiality, consumer redress for complaints, and business practices. WebTrust provides suitable criteria for practitioners as well as a licensing process that enables CPAs to provide assurance on Web sites. ElderCare Services The Committee defines ElderCare Services as a service designed to provide assurance to family members that care goals are achieved for elderly family members no longer able to be totally independent. The service relies on the expertise of other professionals, with the CPA serving as the coordinator and assurer of quality of services based on criteria and goals set by the client. The purpose of the service is to provide assurance in a professional, independent, and objective manner to third parties (children, family members, or other concerned parties) that the needs of the elderly person to whom they are attached are being met. ElderCare Services can involve three kinds of services: direct services, assurance services, and consulting services. Direct services entail the more traditional aspects of accounting and financial services. Assurance services involve the measuring and reporting on prescribed goals against stated criteria. Consulting services include planning and evaluation of client needs. Performance View Services This service enables CPAs to use the skills they have traditionally used to handle the financial portion of a client’s business to address the nonfinancial aspects as well. This service identifies critical success factors that lead to measures that can be tracked over time. These measures are then used to assess progress in achieving specific targets linked to an entity’s vision and performance. Risk Advisory Services The CPA profession has taken a leading role in the field of risk, and firms increasingly include risk 1.08 Introduction to Attestation Engagements management in the wide range of services they provide to their clients. Risk Advisory Services provide the CPA with: a. A common language and framework for understanding and communicating risk management issues; and b. A series of practice guides describing tools, techniques, and training that support the risk management process. The performance of these types of assurance services may or may not be subject to the attestation standards, depending on how an engagement is developed and performed. The attestation standards apply whenever a CPA is engaged to issue or does issue an examination, review, or agreed-upon procedures report on subject matter (or an assertion about the subject matter) that is the responsibility of another party. This definition is engagement-oriented and, therefore, the CPA must take care to define the nature of the services to be provided and whether they are intended to provide assurance. NONASSURANCE SERVICES Typically, nonassurance services provided by CPAs can be categorized into one of the following: • • Consulting services Tax services • • Valuation services Personal financial planning A common characteristic of these nonassurance services is that the professional accountant’s services are designed to provide technical skills, education, observations, experiences, and knowledge to subject matter for the direct use and benefit of the client. The services considered necessary are generally determined by agreement between the client and the practitioner, and the outcome of the work is not designed to provide any level of assurance to parties outside the client or responsible party. OBSERVATION: For example, an engagement to assist the client’s management in evaluating the effectiveness of the design and operation of its internal controls over financial reporting and to make recommendations for improvements in those controls, would be considered a “nonassurance consulting service” because the engagement is designed to provide technical skills and knowledge (the practitioner’s Introduction to Attestation Engagements 1.09 expertise) to subject matter (the design and operation of controls) for the direct use and benefit of the client (management). Examples of professional services typically provided by practitioners that would not be considered an attestation engagement include: • Management consulting engagements whereby the practitioner provides advice or recommendations to a client; • Engagements to advocate a client’s position (e.g., tax matters being reviewed by the Internal Revenue Service); • • • • • Tax engagements involving the preparation of tax returns or providing tax advice; Compilations or reviews of financial statements; Engagements in which the practitioner’s role is solely to assist the client (e.g., acting as the company’s accountant in preparing information other than financial statements); Engagements to testify as an expert witness in accounting, auditing, taxation, or other matters; and Engagements to provide an expert opinion on certain points of principle, such as the application of tax laws or accounting standards, given certain stipulated facts provided by another party as long as the expert opinion does not express a conclusion about the reliability of the facts provided by another party. Consulting Services Consulting services possess fundamental differences from the engagements to provide assurance over assertions or subject matter of other responsible parties. In an assurance service (including attestation engagements), the practitioner expresses a conclusion about the subject matter or the reliability of a written assertion that is the responsibility of another party. In a consulting service, the practitioner develops the findings, conclusions, and recommendations based on the objectives of the engagement for the direct use and benefit of the client. The nature and scope of work is determined solely by the agreement between the practitioner and the client. Generally, the work is performed only for the use and benefit of the client rather than outside parties. The practitioner does not attest to someone else’s assertion but is the one who develops the final presentation. 1.10 Introduction to Attestation Engagements In a consulting engagement, the practitioner’s role is to assist the client or, on some occasions, to testify as an expert witness in accounting, auditing, taxation, or other matters, given certain stipulated facts. OBSERVATION: Attest Services Related to Consulting Service Engagements When a practitioner provides an attest service as part of a consulting service engagement, the attestation standards apply only to the attest service. Statements on Standards for Consulting Services apply to the balance of the consulting service engagement. When the practitioner determines that an attest service is to be provided as part of a consulting service engagement, the practitioner should: • Inform the client of the relevant differences between the two types of services. • Obtain the client’s acknowledgment that the attest service is to be performed in accordance with the appropriate professional requirements. • Issue separate reports on the attest engagement and the consulting service engagement. If the report on the attestation engagement is submitted in the same document with the report on the consulting service engagement, it should be clearly identified and segregated from the consulting service engagement. In terms of the AICPA professional standards, consulting engagements are performed in accordance with Statements on Standards for Consulting Services (SSCS), and include consultations, advisory services, implementation services, transaction services, staff and other support services, and product services. An analytical approach and process is applied in a consulting service and typically involves some combination of activities relating to determination of client objectives, fact-finding, definition of the problems or opportunities, evaluation of alternatives, formulation of proposed action, results communication, implementation, and follow-up. Examples of consulting services include: 1. Consultations, in which the practitioner’s function is to provide counsel in a short time frame, based mostly, if not entirely, on existing personal knowledge about the client, the circumstances, the technical matters involved, client representations, and the mutual intent of the parties. Examples of Introduction to Attestation Engagements 1.11 consultations are reviewing and commenting on a clientprepared business plan and suggesting computer software for further client investigation. 2. Advisory services, in which the practitioner’s function is to develop findings, conclusions, and recommendations for client consideration and decision making. Examples of advisory services are an operational review and improvement study, analysis of an accounting system, assistance with strategic planning, and definition of requirements for an information system. 3. Implementation services, in which the practitioner’s function is to put an action plan into effect. Client personnel and resources may be pooled with the practitioner’s to accomplish the implementation objectives. The practitioner is responsible to the client for the conduct and management of engagement activities. Examples of implementation services are providing computer system installation and support, executing steps to improve productivity, and assisting with the merger of organizations. Transaction services, in which the practitioner’s function is to provide services related to a specific client transaction, generally with a third party. Examples of transaction services are insolvency services, valuation services, preparation of information for obtaining financing, analysis of a potential merger or acquisition, and litigation services. 4. 5. 6. Staff and other support services, in which the practitioner’s function is to provide appropriate staff and possibly other support to perform tasks specified by the client. The staff provided will be directed by the client as circumstances require. Examples of staff and other support services are data processing facilities management, computer programming, bankruptcy trusteeship, and controllership activities. Product services, in which the practitioner’s function is to provide the client with a product and associated professional services in support of the installation, use, or maintenance of the product. Examples of product services are the sale and delivery of packaged training programs, the sale and implementation of computer software, and the sale and installation of systems development methodologies. 1.12 Introduction to Attestation Engagements Consulting services do not include: • Any of the services described in the AICPA Statements on Auditing Standards (SAS), Statements on Standards for Accounting and Review Services (SSARS), or Statements on Standards for Attestation Standards (SSAE); • Engagements specifically to perform tax return preparation, tax planning/advice, tax representation, personal financial planning or bookkeeping services; • Situations involving the preparation of written reports or the provision of oral advice on the application of accounting principles to specified transactions or events, either completed or proposed, and the reporting thereof; and • Recommendations and comments prepared during the same engagement as a direct result of observations made while performing the excluded services. The performance of consulting services for an audit or attest client does not, in and of itself, impair independence of the practitioner. However, members and their firms performing attest services for a client should comply with applicable independence standards, rules and regulations issued by AICPA, the state boards of accountancy, state CPA societies, and other regulatory agencies. PRACTICE POINTER: Consulting services may be referred to by different names by the various standard-setting bodies or organizations. Exhibit 1-1 below provides a summary of the terminology and professional standards used for consulting services by each standard-setting organization. EXHIBIT 1-1 CONSULTING SERVICES TERMINOLOGY AND STANDARDS Organization Terminology Applicable Standards AICPA Consulting Services AICPA Statements on Standards for Consulting Services PCAOB Consulting Services PCAOB Statements on Standards for Consulting Services GAO Non-Audit Services No Standards Established Introduction to Attestation Engagements Organization Terminology 1.13 Applicable Standards IFAC Consulting and Advisory Services No Standards Established IIA Consulting Services IIA Attribute and Performance Standards for Consulting Services Tax Services The accounting profession has long been recognized for its services in the area of taxation. Professional accountants provide a wide range of tax services, including tax return preparation and compliance, tax planning and research, and technical advice on tax-related matters. The AICPA’s Tax Executive Committee has established Statements on Standards for Tax Services (SSTS) that sets forth the ethical tax practice standards for practitioners. Practitioners should fulfill their responsibilities as professionals by instituting and complying with these standards against which their professional performance can be measured. Compliance with professional standards of tax practice also confirms the public’s awareness of the professionalism that is associated with professional accountants. The SSTS ethical standards provide for an appropriate range of behavior that recognizes the need for interpretations to meet a broad range of personal and professional situations. The SSTSs have their origin in the Statements on Responsibilities in Tax Practice (SRTPs), which provided a body of advisory opinions on good tax practice. Various interested parties including the courts, Internal Revenue Service, state accountancy boards, and other professional organizations had recognized and relied on the SRTPs as the appropriate criteria for defining the requirements of professional conduct in a professional accountant’s tax practice. Therefore, the SRTPs, in and of themselves, had become de facto enforceable standards of professional practice, because state disciplinary organizations and malpractice cases in effect regularly held CPAs accountable for failure to follow the SRTPs when their professional practice conduct failed to meet the prescribed guidelines of conduct. Now the SSTSs have become the ethical tax practice standards for practitioners and have become a part of the AICPA Code of Professional Conduct. 1.14 Introduction to Attestation Engagements Valuation Services Over the years, an increasing number of professional accountants have begun providing professional valuation services to meet a growing demand for such services. These services include valuations of businesses, business ownership interests, securities, or intangible assets that could be performed for a wide variety of purposes including the following: 1. Transactions or potential transactions, such as acquisitions, mergers, leveraged buyouts, initial public offerings, employee stock ownership plans and other share based plans, partner and shareholder buy-ins or buyouts, and stock redemptions. 2. Litigation or pending litigation relating to matters such as marital dissolution, bankruptcy, contractual disputes, owner disputes, dissenting shareholder and minority ownership oppression cases, and employment and intellectual property disputes. 3. Compliance-oriented engagements, including (a) financial reporting and (b) tax matters such as corporate reorganizations; S corporation conversions; income, estate, and gift tax compliance; purchase price allocations; and charitable contributions. 4. Planning oriented engagements for income tax, estate tax, gift tax, mergers and acquisitions, and personal financial planning. The AICPA Consulting Services Executive Committee is a body designated by AICPA Council to promulgate technical standards and has developed Statement on Valuation Services (SSVS) No.1, “Valuation of a Business, Business Ownership Interest, Security, or Intangible Asset,” to improve the consistency and quality of practice among AICPA members performing business valuations. AICPA members performing such services are referred to as valuation analysts, within the standards and are required to follow the standard when they perform engagements to estimate value that culminate in the expression of a conclusion of value or a calculated value. The term “engagement to estimate value” refers to an engagement or any part of an engagement (e.g., a tax, litigation, or acquisition-related engagement) that involves estimating the value of a subject interest. In the process of estimating value as part of an engagement, the valuation analyst applies valuation approaches Introduction to Attestation Engagements 1.15 and valuation methods, as described in this Statement, and uses professional judgment. The use of professional judgment is an essential component of estimating value. There are generally two types of valuation services engagements as follows: 1. Valuation engagement—A valuation analyst performs a valuation engagement when (1) the engagement calls for the valuation analyst to estimate the value of a subject interest, and (2) the valuation analyst estimates the value and is free to apply the valuation approaches and methods he or she deems appropriate in the circumstances. The valuation analyst expresses the results of the valuation as a conclusion of value; the conclusion may be either a single amount or a range. 2. Calculation engagement—A valuation analyst performs a calculation engagement when (1) the valuation analyst and the client agree on the valuation approaches and methods the valuation analyst will use and the extent of procedures the valuation analyst will perform in the process of calculating the value of a subject interest (these procedures will be more limited than those of a valuation engagement), and (2) the valuation analyst calculates the value in compliance with the agreement. The valuation analyst expresses the results of these procedures as a calculated value. The calculated value is expressed as a range or as a single amount. A calculation engagement does not include all of the procedures required for a valuation engagement. Personal Financial Planning Services Personal financial planning engagements are only those that involve developing strategies and making recommendations to assist a client in defining and achieving personal financial goals. Personal financial planning engagements generally involve all of the following tasks: 1. Defining the engagement objectives; 2. Planning the specific procedures appropriate to the engagement; Developing a basis for recommendations; Communicating recommendations to the client; 3. 4. 1.16 Introduction to Attestation Engagements 5. Identifying the tasks for taking action on planning decisions and making recommendations to assist a client in defining and achieving personal financial goals. In addition, personal financial planning services could include: 1. 2. Assisting the client to take action on planning decisions. Monitoring the client’s progress in achieving goals. 3. Updating recommendations and helping the client revise planning decisions. Personal financial planning does not include services that are limited to: 1. Compiling personal financial statements. 2. 3. Projecting future taxes. Tax compliance, including, but not limited to, preparation of tax returns. 4. Tax advice or consultations. The AICPA has established the Personal Financial Planning Executive Committee to establish engagement responsibilities for professional accountants providing personal financial planning services in the form of Statements on Responsibilities in Personal Financial Planning Practice (SRPFPs). The SRPFPs are published for the guidance of AICPA members and do not constitute enforceable standards under Rule 202 of the AICPA Code of Professional Conduct. ATTESTATION ENGAGEMENTS Attestation engagements provide assurance in the form of a report on financial or nonfinancial information other than historical financial statements, that is the responsibility of another party, for the use or benefit of third-party users. For the purposes of this book, “attestation engagements” is defined as those engagements covered by the professional standards identified in Exhibit 1-2 below. Introduction to Attestation Engagements 1.17 EXHIBIT 1-2 ATTESTATION ENGAGEMENT STANDARDS Organization Applicable Attestation Engagement Standards AICPA Statements on Attestation Standards (SSAE) PCAOB Interim Standards for Attestation Engagements GAO Standards for Attestation Engagements (Contained in Government Auditing Standards) IFAC International Standards on Assurance Engagements (Section 3000—Assurance Engagements Other Than Audits or Reviews of Historical Financial Information) IFAC International Standards on Related Services (Section 4400—Engagements to Perform Agreed-Upon Procedures Regarding Financial Information) IIA IIA Attribute and Performance Standards for Assurance Services (other than assurance services over historical financial statements) Chapter 2, “Overview of Attestation Engagement Standards,” provides a thorough discussion of these attestation standards of the various standard-setting bodies or organizations. Chapter 3, “Accepting, Planning, and Performing an Attestation Engagement,” and Chapter 4, “Concluding and Reporting on an Attestation Engagement,” provide general guidance on conducting and reporting on an attestation engagement. Attestation engagements for which specific attestation standards have been developed by the AICPA are addressed in the following chapters of this book: • Chapter 5, “Agreed-Upon Procedures Attestation Engagements” (AT 201)—An agreed-upon procedures engagement is one in which a practitioner is engaged to issue a report of findings based on specific procedures agreed to by the users and the practitioner. • Chapter 6, “Financial Forecasts and Projections Attestation Engagements” (AT 301)—A forecast presents an entity’s expected financial position, results of operations, and cash 1.18 Introduction to Attestation Engagements flows based on the client’s assumptions about conditions that are expected to exist and the course of action that it is expected to be taken. In contrast, a projection is based on one or more hypothetical assumptions and, in that sense, attempts to answer “what if” questions. • Chapter 7, “Pro Forma Financial Statements Attestation Engagements” (AT 401)—The objective of pro forma financial information is to show what the significant effects on historical financial information might have been had a consummated or proposed transaction (or event) occurred at an earlier date. • Chapter 8, “Integrated Internal Control Attestation Engagements” (AT 501)—An integrated internal control attestation engagement involves the examination of the effectiveness of an entity’s internal control over financial reporting that is integrated with the audit of the entity’s financial statements. The engagements involve examination level assurance only. Engagements to provide limited assurance (review) on internal control are explicitly prohibited by AICPA attestation standards. OBSERVATION: Probably the most recognized attestation engagement regarding internal control is the attestation engagement requirements established through Section 404 of the Sarbanes-Oxley Act (SOX). In accordance with Section 404 of SOX, the Securities and Exchange Commission (SEC) issued rules requiring that each annual report of a publicly held company contain an internal control report that (1) states that it is the responsibility of management to establish and maintain an adequate internal control structure and procedures for financial reporting, and (2) contains an assessment, as of the end of the most recent fiscal year, of the effectiveness of the internal control structure and procedures of the public company. In addition, Section 404 of SOX requires the public companies’ external auditors to attest to, and report on, the internal control assessment made by the management of the public company in accordance with the standards for attestation engagements adopted by the PCAOB. Chapter 2, “Overview of Attestation Engagements Standards,” discusses the differences between the internal control attestation engagement requirements of the PCAOB pursuant to Section 404 of SOX and the AICPA attestation standards applicable to internal control over financial reporting pursuant to AT 501. • Chapter 9, “Compliance Attestation Engagements” (AT 601)—Compliance attestation engagements include those Introduction to Attestation Engagements 1.19 related to either (1) examination of or applying agreed-upon procedures to an entity’s compliance with requirements of specified laws, regulations, rules, contracts, or grants, or (2) agreed-upon procedures pertaining to only the effectiveness of an entity’s internal control over compliance with specified requirements (an examination-level service on this subject would be covered by AT 101). • Chapter 10, “Management’s Discussion and Analysis Attestation Engagements” (AT 701)—Public companies are required by the SEC to include a Management’s Discussion and Analysis (MD&A) in their annual reports and other documents. The provisions of AT 701 are applicable when practitioners are engaged to report on the MD&A prepared using the rules and regulations adopted by the SEC. Objective of Attestation Engagements The key to understanding the basics of attestation engagements is to understand the objective and basic elements of such engagements. The objective of an attestation engagement is for the practitioner to enhance the degree of confidence of the intended users, other than the responsible party, in certain subject matter information (financial or nonfinancial information other than historical financial statements) by gathering sufficient appropriate evidence on the subject matter information, evaluating or measuring the subject matter evidence against suitable criteria and providing some level of assurance in the form of a written report on the subject matter information. OBSERVATION: Attestation engagements are constructively similar to assurance engagements over historical financial statements. Consider the following examples: Assurance Engagement over Historical Financial Statements In the case of an audit of historical financial statements, a professional accountant (the practitioner) enhances the degree of confidence of the intended users (the financial statement users), other than the responsible party (management of the auditee), in the financial statements (the subject matter information) by gathering audit evidence (sufficient appropriate evidence), evaluating the audit evidence against applicable generally accepted accounting principles (suitable criteria) and providing an opinion (positive or reasonable assurance) in the form of an independent auditor’s report (written report). 1.20 Introduction to Attestation Engagements Attestation Engagement over Internal Control Effectiveness In the case of an attestation engagement over the effectiveness of an entity’s internal control over financial reporting, a professional accountant (the practitioner) enhances the degree of confidence of the intended users (the control report users), other than the responsible party (management of the entity), in the design and operation of internal controls over financial reporting (the subject matter information) by gathering evidence of control design and operation (sufficient appropriate evidence), evaluating the evidence against an appropriate internal control framework such as the Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (the suitable criteria) and providing an examination-level conclusion (positive or reasonable assurance) in the form of an independent accountant’s report on internal control (written report). While assurance engagements over historical financial statements and attestation engagements over financial and nonfinancial information are constructively similar, they are differentiated by the subject matter (historical financial statements versus other financial information and nonfinancial information) and by differing professional standards (audit, accounting and review standards versus attestation standards). Elements of Attestation Engagements All attestation engagements possess certain basic elements that must be present for the engagement to meet professional standards. These elements include: • Three-Party Relationship • • Subject Matter Information Suitable Criteria • • • Level of Assurance Sufficient Appropriate Evidence Written Report The information provided below is an introductory overview of the elements of an attestation engagement. For more specific guidance on planning, performing, and reporting on examination-level and review level attestation engagements, see Chapter 3, “Accepting, Planning, and Performing an Attestation Engagement,” and Chapter 4, “Concluding and Reporting on an Attestation Engagement.” Introduction to Attestation Engagements 1.21 Three-Party Relationship Attestation engagements, like other assurance engagements, involve three separate parties: 1. Responsible party The responsible party is the person(s) responsible for the subject matter in a direct reporting engagement or assertion over the subject matter of the engagement in an assertion-based engagement. For example, management of an entity that is responsible for the design and operation of the internal control processes (subject matter information) is considered the responsible party in an attestation engagement over the effectiveness of internal controls. 2. Intended users The intended users are persons or parties for whom the practitioner is providing the attestation engagement report. The responsible party can be one of the intended users of the report but not the only user. If they were the only user, the engagement would only involve a two-party relationship. An example of an intended user that is not the responsible party is a trustee financial institution that is a user of a compliance attestation engagement report related to an entity’s compliance with specified debt covenants. Practitioner The practitioner is the professional accountant possessing the necessary skills and knowledge of the subject matter and criteria to perform an attestation engagement and provide the desired level of assurance over the subject matter information for the benefit of the intended users. 3. OBSERVATION: The responsible party and intended users may be from different entities or within the same entity. For example, in the intended users’ example above, management of the debt-issuing entity is the responsible party, while one of the intended users was a trustee financial institution representing debt holders (different entity from the responsible party). However, in another example, an entity’s board (the intended users) may engage a practitioner to perform an attestation engagement over subject matter information that is the immediate responsibility of the entity’s management (the responsible party) although the board has ultimate responsibility. 1.22 Introduction to Attestation Engagements Subject Matter Information “Subject matter information” is the financial or nonfinancial information for which the practitioner gathers sufficient appropriate evidence to be evaluated or measured against suitable criteria as a reasonable basis for expressing a conclusion or reporting findings in the attestation engagement report. Attestation engagement subject matter information can take many forms, including: • Financial events, performance or condition information, such as specific transactions or events, account balances, or financial position or results; • Nonfinancial performance or condition information, such as entity performance in terms of effectiveness, efficiency, or program results; • System and process information, such as an entity’s internal controls or information technology systems; • Behavioral information, such as compliance with laws, regulations or contract provisions; and • Physical characteristics information, such as facility capacity or commodity supply information. To be capable of evaluation or measurement in an attestation engagement, subject matter information should be both: • Identifiable and capable of consistent evaluation or measurement against suitable criteria; and • Be reasonably subjected to procedures for gathering sufficient appropriate evidence to provide the desired level of assurance. OBSERVATION: A potential engagement to provide reasonable assurance over an assertion by management of a company that its product lasts longer than any other similar or competitive product on the market may not be capable of consistent evaluation or measurement against suitable criteria or be reasonably subjected to procedures to gathering sufficient appropriate evidence to support a reasonable assurance conclusion. Therefore, the assertion about the subject matter information may not be appropriate for an attestation engagement. Introduction to Attestation Engagements 1.23 Attestation engagements can be classified based on how the subject matter information is initially evaluated or measured against suitable criteria in of two ways: 1. 2. Assertion-Based Attestation Engagements In assertion-based engagements, the evaluation or measurement of the subject matter information is initially performed by the responsible party, and the subject matter information is in the form of an assertion by the responsible party. For example, the management of an entity (the responsible party) has evaluated its compliance with the provisions of debt covenants prescribed by a long-term debt agreement and asserts that it has complied, in all material respects, with such requirements. Direct-Reporting Attestation Engagements In direct-reporting engagements, the practitioner directly performs the evaluation or measurement of the subject matter information without any assertion by the responsible party, or obtains representation from the responsible party that it has performed the evaluation or measurement but the information is not available to the intended users. For example, when management of an entity (the responsible party) has not evaluated its compliance with the provisions of debt covenants prescribed by a long-term debt agreement and therefore makes no assertion as to compliance, the practitioner may directly evaluate and measure compliance and report the results to the intended users. Subject matter information can often fail to be properly expressed in accordance with the applicable provisions of the criteria, and therefore may be materially misstated or misrepresented. For example, an entity’s assertion that its internal control over financial reporting meets the criteria established by COSO may not be fairly stated, in all material respects, and the attestation engagement report would communicate the assertion misrepresentation. Suitable Criteria Attestation engagement criteria serve as the benchmarks used in the evaluation or measurement of the subject matter information. Criteria can be in the form of formal requirements or guidelines, such as generally accepted accounting principles as promulgated by a standard-setting body or organization or compliance requirements 1.24 Introduction to Attestation Engagements contained in laws, regulations, or contracts, or more informal, such as an internally-developed performance budget or code of conduct. Suitable criteria must be available for there to be a sufficient and generally accepted frame of reference for the evaluation or measurement of the subject matter information. Without an acceptable frame of reference, the practitioner’s conclusions could be more open to individual interpretation and misunderstanding among interest parties to the engagement. OBSERVATION: Suitable criteria must be considered within the context of the attestation engagement circumstances. The same subject matter information could be evaluated or measured against different criteria. For example, in an internet-based marketing effort performance measurement attestation engagement, one responsible party might select the number of web site hits as suitable criteria, while another responsible party might select the actual amount of internetgenerated sales as the most suitable criteria. As long as the criteria possess the characteristics noted below, the criteria for evaluating similar subject matter information can differ in relation to specific engagement circumstances. The IFAC Framework for Assurance Engagements indicates that suitable criteria should possess the following characteristics: • Relevance—should actually contribute to conclusions that are of benefit to the intended users; • Completeness—should not omit relevant factors that could affect the practitioner’s conclusions; • Reliability—should allow for reasonably consistent evaluation or measurement in similar circumstances by different practitioners; • Neutrality—should contribute to practitioner conclusions that are free from bias; and • Understandability—should contribute to practitioner conclusions that are clear, comprehensive, and not subject to significantly different interpretations. In addition, suitable criteria should be “available” to the intended users of the attestation engagement report in an effort to allow the users to understand how the subject matter information has been evaluated or measured. Criteria can be made available through public assess (such as GAAP Codifications and the COSO framework), inclusion in a clear manner in the presentation of the subject matter information (benchmark measurements included in Introduction to Attestation Engagements 1.25 the body of a performance report), inclusion in a clear manner in the attestation engagement report (repeating a statutory reference and wording in the body of the practitioner’s report on compliance attestation), or by general understanding (measurements of weight or time). Level of Assurance “Level of assurance” is a result of the extent of work performed over the subject matter information and the extent of the conclusions that can be reached based on the results of the work. Although the attestation standards vary depending on the nature of the subject matter information, in general, the standards provide three different levels of assurance: 1. High Level of Assurance (examination level) An examination level attestation engagement is analogous to a financial statement audit. When engaged to perform an examination-level attestation engagement, the practitioner’s objective is to reduce assurance risk to an acceptably low level as a basis to express an opinion (a high level of assurance) as to whether the subject matter or assertion about the subject matter is in conformity with given criteria. In other words, the practitioner provides a positive or reasonable assurance conclusion in an examination. 2. Moderate Level of Assurance (review level) A review level attestation engagement is analogous to a review of historical financial statements. When engaged to perform a reviewlevel attestation engagement, the practitioner’s objective is to reduce assurance risk to a level that is acceptable in the circumstance of the engagement, but a higher acceptable risk than reasonable assurance (a moderate level of assurance). In the report, the accountant states a conclusion about whether any information came to his or her attention to indicate that the subject matter or assertion about the subject matter is not in conformity with given criteria. This conclusion is referred to as negative, limited, or moderate assurance. 3. No Assurance (agreed-upon procedures or compilation level) Although agreed-upon procedures and compilation engagement services are defined as “no assurance” level engagements, some level of user benefit is obtained by having the professional accountant perform certain procedures over the subject matter. 1.26 Introduction to Attestation Engagements a. Agreed-Upon Procedures In an agreed-upon procedures engagement, the practitioner issues a report of findings based on specific procedures performed on the subject matter. In an agreed-upon procedures engagement, the practitioner’s report is limited to reporting the findings of the procedures performed without drawing any conclusion. b. Compilation A compilation involves the practitioner using accounting expertise to collect, classify and summarize financial information. Compilations of historic financial statements are the most common compilations and are addressed by other professional standards. In terms of attestation engagements, compilations are limited to compilations of prospective information that is defined in AICPA attestation standards as a professional service that involves assembling the prospective financial statements based on the responsible party’s assumptions, performing the required compilation procedures, and issuing a compilation report. Compilation of prospective financial statements is the only type of compilation covered by the AICPA attestation standards. OBSERVATION: While the AICPA, PCAOB, and the GAO identify three levels of assurance by defining agreed-upon procedure and compilation engagements as an “assurance” service, in its International Framework for Assurance Engagements, the IFAC excludes these two types of services from its definition of “assurance” engagements. As a result, the IFAC framework recognizes only two types of assurance for attestation engagements: (1) reasonable assurance engagements and (2) limited assurance engagements. The level of assurance to be provided in an attestation engagement is a matter that involves certain considerations between the practitioner and the party engaging the practitioner. These considerations include: • Type of Subject Matter of the Engagement Various professional standards, as discussed in Chapter 2, provide certain limitations on the level of assurance that may be provided over certain subject matter in an attestation engagement. For example, the AICPA attestation standards provide for only an Introduction to Attestation Engagements 1.27 examination-level assurance (high level of assurance) attestation engagement over internal control over financial reporting and prohibits a review-level (moderate level of assurance) engagement over prospective financial statements. • Quality of the Subject Matter Information For high level of assurance or moderate level of assurance conclusions to be expressed, sufficient appropriate evidence must exist to provide the practitioner a reasonable basis for expressing a conclusion in the attestation engagement report. If it is likely that such evidence will not be available, an agreed-upon procedures attestation engagement (no assurance) may be more appropriate. • Level of Confidence Desired The needs of the intended users of the attestation engagement report as to the desired level of confidence in the subject matter or assertion over the subject matter should be considered when determining the type of attestation engagement to perform. For example, the higher the level of confidence needed by the intended users of the report, the more the consideration should be given to performing an examination level attestation engagement. Sufficient Appropriate Evidence In an attestation engagement, the practitioner must apply professional skepticism to obtain sufficient appropriate evidence about whether the subject matter information is fairly presented. In doing so, the practitioner should consider issues of materiality, attestation engagement risk, and the sufficiency and appropriateness of evidence. Sufficiency involves considerations of the quantity of evidence, while appropriateness considers the quality of the evidence in terms of relevance and reliability. The quantity and quality of evidence is dependent upon the level of assurance required and the risk of the subject matter information being materially misstated or misrepresented. For example, the higher the level of assurance required and the higher the risk of misstatement or misrepresentation, the higher the quantity and/or quality of evidence that is required. OBSERVATION: Sufficiency (quantity) and appropriateness (quality) of attestation engagement evidence are interrelated in that lower quantity of higher quality evidence may be sufficient to manage engagement risk, while lower quality of evidence may require more quantity to manage the risk. 1.28 Introduction to Attestation Engagements Materiality consideration in an attestation engagement involves the practitioner understanding and assessing the factors that might influence the decisions of the intended users of the engagement report. Both quantitative and qualitative factors should be considered when assessing the needs of the intended users. For example, a finding of noncompliance in a debt covenant compliance attestation engagement may have resulted from a quantitatively immaterial amount of transactions, but the fact that the covenant has not been met may result in potential debt default conditions that are considered qualitatively material to the intended users. Attestation engagement risk is the risk that the practitioner expresses an inappropriate conclusion or reports inaccurate findings when the subject matter information contains material misstatements or misrepresentations. The higher the level of assurance (i.e., reasonable assurance in an examination engagement) that is required in the engagement, the more the practitioner must obtain sufficient appropriate evidence through the nature, timing, and extent of engagement procedures. The topics of materiality and attestation engagement risk are discussed in more detail in Chapter 3, “Accepting, Planning, and Performing an Attestation Engagement.” Written Report In an attestation engagement, the practitioner provides a written report containing a conclusion or some form of assurance obtained over the subject matter information or related assertion in relation to the suitable criteria; or, in the case of an agreed-upon procedures engagement, reports the findings resulting from the procedures performed. Reporting on attestation engagements varies depending on whether the engagement is an assertion-based or direct-reporting engagement and on the level of assurance provided as defined above. • Assertion-based attestation engagements—In the report on an examination level engagement, the practitioner may express a conclusion either in terms of: — The responsible party’s assertion (“in our opinion, the responsible party’s assertion that the entity has complied with the requirements of state law section XYZ is fairly stated, in all material respects”); or Introduction to Attestation Engagements 1.29 — The subject matter and criteria directly (“in our opinion, the responsible party complied, in all material respects, with the requirements of state law section XYZ”). • Direct-reporting engagements—The report expresses a conclusion only on the subject matter and criteria directly (“in our opinion, the responsible party complied, in all material respects, with the requirements of state law section XYZ”). There is no responsible party assertion to report on. In terms of level of assurance, the wording of practitioner’s attestation engagement report will vary depending on whether the engagement was designed to provide a high level of assurance, a moderate level of assurance, or no assurance. • High level of assurance—The practitioner’s conclusion is expressed in a positive opinion (“in our opinion, the responsible party complied, in all material respects, with the requirements of state law section XYZ”); • Moderate level of assurance—The practitioner’s conclusion is expressed in a negative form (“based on our work, nothing came to our attention that causes us to believe the responsible party did not comply, in all material respects, with the requirements of state law section XYZ”); • No assurance—The practitioner provides no conclusion or form of assurance on the subject matter information or the responsible party’s assertion as to the subject matter information. Most commonly applicable to agreed-upon procedures engagements, the report is limited to describing the procedures performed, their purpose, and the factual findings identified as a result of the procedures performed. The intended users are to assess for themselves the procedures and findings and draw their own conclusions. OBSERVATION: Similar to reports on audits of historical financial statements, the practitioner should not express an unqualified opinion or positive assurance conclusion (high level of assurance) when certain circumstances exist, including: • There is a material limitation on the scope of the practitioner’s work (which would result in a qualified conclusion or disclaimer depending on the materiality and pervasiveness of the scope limitation). 1.30 Introduction to Attestation Engagements • In an assertion-based engagement, the responsible party’s assertion is not fairly stated in all material respects (which would result in a qualified or adverse conclusion depending on the materiality and pervasiveness of the departure from the criteria). • In a direct-reporting engagement, the subject matter information is materially misstated or misrepresented, or does not conform to the criteria (which would result in a qualified or adverse conclusion depending on the materiality and pervasiveness of the departure from the criteria). Exhibit 1-3 provides an illustration of the required elements of an example attestation engagement. The example assumes that the practitioner has been engaged to provide reasonable assurance over the assertion of management of a government entity that it has complied with a contractual grant agreement to train and graduate a specified number of disadvantaged citizens in specific jobs for the benefit of the granting agency as the intended users of the report. EXHIBIT 1-3 ELEMENTS OF AN EXAMPLE ATTESTATION ENGAGEMENT Element Three-Party Relationship Description Responsible Party: Management of the Grantee Government Intended Users: The Grantor Agency and Management and the Board of the Grantee Government Attestor: The Practitioner Subject Matter Information Assertion-based engagement: the subject matter information is the assertion by management of the grantee government that they have met the compliance requirement in the contractual agreement in regards to training and graduating the specific number of disadvantaged citizens. Suitable Criteria The specific provision of the contractual agreement that specifies the number of trainees and graduates, what constitutes training and graduation, and defines the criteria for an individual to be classified a disadvantaged citizen. Introduction to Attestation Engagements Element Level of Assurance 1.31 Description Examination-level (high-level of assurance) that will result in the expression of a positive conclusion as to compliance. Sufficient Appropriate The engagement evidence will need to be of high Evidence enough quantity and quality to support the expression of a positive opinion or conclusion and acceptable to reduce the risk of an inappropriate conclusion on compliance to an acceptably low level. Written Report Assertion-based engagement expressing reasonable assurance: the practitioner will report in the form of a positive conclusion as to the fair statement of management’s assertion (e.g., “in our opinion, management’s assertion that grantee government complied with the section XYZ of the contract between the government and grantee agency during the [period] ended [date] is fairly stated, in all material respects”). Distinguishing Attestation Engagements from Other Engagements Quite often, a practitioner will be faced with responding to a request from a client or potential client for a type of service that may not be limited to a specific set of professional standards. Frequently, a practitioner will face a dilemma in choosing between performing an engagement under the attestation standards and another set of professional standards, such as the audit, accounting or review services, or consulting standards. Generally, the key factors to consider when deciding the most appropriate type of engagement are: • • The nature of the subject matter information; and The primary beneficiaries of the service. Nature of the Subject Matter Information When the practitioner is asked to deliver services related to providing some level of assurance over subject matter information other than historical financial statements, then the service is a candidate 1.32 Introduction to Attestation Engagements for an attestation engagement. Audits, reviews, and compilations of historical financial statements are governed by specific standards related to those type services and are not considered attestation engagements as defined in this book. Attestation engagements are best suited for engagements where assurance is needed over subject matter information that involves elements of financial statements less than complete statements (such as accounts payable or inventory balances) or nonfinancial information (such as performance statistics, compliance requirements, or internal control systems or processes). Primary Beneficiaries of the Service When the direct primary beneficiary and intended user of the desired service is limited to the client or responsible party, rather than other third-party beneficiaries, then the service is not a candidate for an attestation engagement. In attestation engagements, the primary beneficiaries of the assurance service are not limited to the client or party responsible for the subject matter information. The intended users of an attestation engagement report must include parties other than the responsible party. If the requested service primarily involves evaluating information in an effort to provide advice or recommendations to the client or responsible party rather than reporting on the results of the work for the benefit of third parties, then the required service is likely more appropriately performed as a consulting service and not an attestation engagement. OBSERVATION: One of the most common dilemmas encountered by practitioners in determining the type of engagement to perform to meet the needs of unique or nontraditional service requests is the determination of whether a potential engagement is best performed as an attestation engagement or consulting service. One of the key considerations in responding to this dilemma is the determination of the number of parties to the engagement or direct beneficiaries of the service. In a consulting engagement (such as evaluating system processes and providing recommendations for the benefit of management for the improvement of those processes), the parties are generally limited to two: (1) the practitioner providing the advice, and (2) the party seeking and receiving the advice—the engagement client. In an attestation engagement (e.g., one that provides a reasonable assurance conclusion on an entity’s compliance with debt covenants in order to issue new debt), the parties Introduction to Attestation Engagements 1.33 generally include three groups: (1) the party responsible for the subject matter—the debt-issuing entity’s management, (2) the intended users of the report—debt holders and potential investors in the new debt, and (3) the practitioner providing the assurance. Ethics and Quality Control Considerations in Attestation Engagements In addition to the professional standards applicable to the performance of attestation engagements, practitioners providing attest services are also subject to ethics and quality control considerations and standards that are applicable to their other assurance engagements. For example, in its International Framework for Assurance Engagements, the IFAC states that practitioners who perform assurance engagements (including all attest services) are also governed by the IFAC Code of Ethics for Professional Accountants, and International Standards on Quality Control. Ethics Considerations The IFAC Code of Ethics establishes fundamental ethics principles that deal with integrity, objectivity, professional competence and due care, confidentiality, and professional behavior. An essential component of ethics in the conduct of attestation engagements is the principle of independence. A practitioner who performs an attest service must be independent of the party responsible for the subject matter of the attest engagement. The IFAC Code of Ethics provides a conceptual framework approach to independence that considers threats to independence and safeguards to address those threats. In addition to the IFAC Code of Ethics, the AICPA Code of Professional Conduct (the AICPA Code) provides guidance for the CPA to conduct his professional practice, including the conduct of attestation engagements. A member CPA must observe all of the rules and interpretations in the AICPA Code. The AICPA Code consists of two sections: (1) the Principles and (2) the Rules. The Principles provide the framework for the Rules, which govern the performance of professional services by CPAs. The Council of the AICPA is authorized to designate bodies to promulgate technical standards under the Rules. A member who performs auditing, review, compilation, management consulting, tax, or other professional services, including attestation engagements, shall comply with standards promulgated by bodies designated by Council. The AICPA Council has 1.34 Introduction to Attestation Engagements designated the Accounting and Review Services Committee (ARSC), the Auditing Standards Board (ASB), and the Consulting Services Executive Committee (CSEC), jointly, to establish professional standards for attestation engagements. Rule 201 of the AICPA Code is concerned with general standards, including guidance on organizational structure that the CPA must observe in the performance of all professional services, including attestation engagements. These general standards deal with the following: • Professional Competence. Undertake only those professional services that the member or the member’s firm can reasonably expect to be completed with professional competence. • Due Professional Care. Exercise due professional care in the performance of professional services. • Planning and Supervision. Adequately plan and supervise the performance of professional services. • Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed. Rule 202 of the AICPA Code addresses compliance with standards that the CPA must observe in the performance of all professional services, including attestation engagements. Statements on Standards for Attestation Engagements (SSAE) and SSAE Interpretations have been issued under the authority established by Rule 202. Practitioners should have sufficient knowledge of the SSAEs to identify those that are applicable to his attestation engagement, and he should be prepared to justify departures from the SSAEs and related interpretations. AICPA Ethics Rulings consist of formal rulings made by the AICPA’s professional ethics division’s executive committee after exposure to state societies, state boards, practice units, and other interested parties. Ethics Rulings summarize the application of Rules of Conduct and Interpretations to particular sets of factual circumstances. CPAs who depart from such ethics rulings in similar circumstances will be requested to justify such departures. In addition to the IFAC and AICPA, the PCAOB and GAO have also established ethics and general standards that should be followed in attestation engagements conducted in accordance with the standards established by those standard-setting bodies. Introduction to Attestation Engagements 1.35 PRACTICE POINTER: The IFAC Code of Ethics, the AICPA Professional Code of Conduct and the ethics and general standards of the PCAOB and GAO are discussed in detail in the CCH publication The CPA’s Multi-State Guide to Ethics and Professional Conduct. This Guide provides a discussion of the ethics principles and practical approaches to ethical dilemmas, including those related to independence. Quality Control Considerations In addition to the IFAC International Standards on Quality Control, the AICPA has issued Statement on Quality Control Standards (SQCS) No. 7 to establish standards and provide guidance for a practitioner’s firm in meeting its responsibilities for a system of quality control for its accounting and auditing practice. SQCS-7 defines an accounting and auditing practice as engagements including audit, attestation, compilation, review and any other services for which standards have been established by the AICPA Auditing Standards Board or the AICPA Accounting and Review Services Committee under Rules 201 or 202 of the AICPA Code of Professional Conduct. SCQS-7 describes elements of quality control and other matters essential to the effective design, implementation, and maintenance of the quality control system. SQCS-7 indicates the practitioner’s system of quality control should include policies and procedures addressing each of the following elements: 1. 2. Leadership responsibilities for quality within the firm (the “tone at the top”); Relevant ethical requirements; 3. Acceptance and continuance of client relationships and specific engagements; 4. 5. 6. Human resources; Engagement performance; and Monitoring. The nature of the policies and procedures developed by practitioners to comply with these quality control standards will depend on various factors such as the size and operating characteristics of the firm. The system of quality control should be designed to provide the firm with reasonable assurance that the segments of the practitioner’s engagements are performed in accordance with professional standards when such standards are applicable.