A New Look at the Attestation Standards

SSAE no. 10 supersedes all previous statements on attest engagement standards.
BY JANE M. MANCINO AND CHARLES E. LANDES

  

EXECUTIVE SUMMARY
CHANGES IN THE BUSINESS WORLD are creating more opportunities for CPAs to provide assurance on nonfinancial information. Practitioners are expanding their services by trading on the skills they’ve traditionally used to provide assurance on historical financial statements.

TO BROADEN THE APPLICABILITY of the attestation standards, the Auditing Standards Board is issuing SSAE no. 10, a revision and recodification of its attestation standards. The statement also will help CPAs distinguish between attest engagements and consulting engagements.

SSAE NO. 10 ENABLES PRACTITIONERS to provide direct reporting on an attest engagement’s subject matter, thus making attest reports clearer and more practical for those using them.

THE ATTESTATION STANDARDS APPLY whenever an independent CPA has been engaged to issue, or issues, an examination report, a review report or an agreed-upon procedures report on subject matter—or an assertion about the subject matter—for which another party is responsible.

FOR PRACTITIONERS TO BE ABLE TO PERFORM and report on an attest engagement, the criteria for evaluating the subject matter of the engagement must be “suitable” and “available” to anyone using the engagement report.

ALTHOUGH THE PRACTITIONER MUST EVALUATE whether criteria are suitable under the general attestation standards, the client or responsible party must select the criteria. The client alone makes the determination that the criteria are appropriate for its purposes.

Jane M. Mancino, CPA, is a technical manager and Charles E. Landes, CPA, is the director of the AICPA’s audit and attest standards team. Their views, as expressed in this article, do not necessarily represent the views of the AICPA. Official positions are determined through certain specific committee procedures, due process and deliberation.

Key Factors in an Attest Engagement

Subject matter. The topic to which the engagement or that which is being tested pertains—for example, the effectiveness of a company’s internal control over financial reporting.

Responsible party. The individual(s) accountable for the subject matter, either personally or as the representative(s) of an entity.

Criteria. The specific standards or benchmarks chosen by the client or responsible party to evaluate the subject matter—for example, the Committee of Sponsoring Organizations (COSO)’s Internal Control—Integrated Framework. Since there may be more than one set of criteria for evaluating a particular subject matter, the client or responsible party must select those criteria. However, the client alone determines whether the criteria are appropriate for its purposes.

he Auditing Standards Board (ASB) has issued Statement on Standards for Attestation Engagements (SSAE) no. 10, Attestation Standards: Revision and Recodification. Because of the growing market demand for different kinds of attest services, it is the ASB’s aim in releasing the statement to clarify and broaden the applicability of the attestation standards and to provide guidance on practice issues. In the past, practitioners considered the line between consulting service engagements and attest engagements a somewhat blurry one. Thus, another goal of the SSAE no. 10 project is to remove that ambiguity (see “Drawing the Line,” below).

Drawing the Line

In developing more specific guidance on the applicability of attestation standards, the ASB considered the differences between attest and consulting services engagements.

One of the primary issues for a CPA in deciding whether an attest or a consulting services engagement is appropriate is the client’s objective in requesting the engagement. If the client seeks recommendations or advice on a certain matter, a consulting engagement is likely the more appropriate. But if the client wants a written report providing assurance about a specific subject, such as the entity’s internal control over financial reporting, then an attest engagement is called for.

Although some may see little distinction between a consulting engagement and an agreed-upon procedures (AUP) attest engagement, there are significant differences between the two. A written report is not required for a consulting services engagement, but it is mandated for an AUP attest engagement.

In addition, in an AUP attest engagement, the practitioner must obtain the specified parties’ agreement on the procedures to be performed. In a consulting engagement, although the client will likely discuss its objectives for the engagement with the practitioner, there is no requirement to obtain agreement on the detailed procedures he or she will perform.

In 1986 the ASB issued the first SSAE, Attestation Standards, to capitalize on existing CPA skills and to provide guidance on applying that expertise to information other than historical financial statements. Using those attestation standards and succeeding ones, practitioners began to render assurance on many new types of information and business systems (see “What Are SysTrust and WebTrust?” below). The new statement—SSAE no. 10—supersedes all previously issued SSAEs; the effective date is June 1, 2001.

What Are SysTrust and WebTrust?

Independent practitioners participating in SysTrust and WebTrust apply these programs’ standards to assurance engagements for business systems and Web sites, respectively.

Under the SysTrust program ( www.aicpa.org/assurance/systrust/index.htm ), a participating practitioner tests and evaluates a business system’s ability to operate without material error, fault or failure during a certain period in a specific computing environment. Companies whose systems earn a SysTrust report can offer their customers and business partners objective evidence of their systems’ reliability.

A practitioner participating in the WebTrust program ( http://www.webtrust.org/ ) evaluates a Web site’s practices and controls and issues an unqualified opinion on them. The AICPA and the Canadian Institute of Chartered Accountants jointly award a seal to Web sites whose business and information privacy practices, transaction integrity and protection of their customers’ e-commerce information meet WebTrust standards.

Chapter 1, “Attest Engagements,” of SSAE no. 10 provides a framework that establishes how practitioners are to conduct attest engagements and that can be used for developing guidance on specific services. (See “Official Releases, page 94). The ASB conformed the existing guidance on specific attest engagements, such as financial forecasts and projections and compliance with laws or regulations, and folded it into chapters 2 through 7. (See “A Guide to Services CPAs Can Offer and the Rules That Apply,” below, for examples of attest engagements and relevant guidance.)

A Guide to Services CPAs Can Offer and the Rules That Apply
Examples of attest services Examination Review Agreed-upon procedures (AUP) Relevant guidance
Financial forecasts and projections Yes Prohibited Yes SSAE no. 10, chapter 3
Pro forma financial information Yes Yes Yes SSAE no. 10, chapters 2 and 4
Internal control over financial reporting Yes Prohibited Yes SSAE no. 10, chapters 2 and 5
Internal control over operations Yes Yes Yes SSAE no. 10, chapters 1 and 2
Compliance with laws and regulations Yes Prohibited Yes SSAE no. 10, chapter 6
Management’s discussion and analysis (MD&A) presented in accordance with SEC rules and regulations Yes Yes Yes SSAE no. 10, chapters 2 and 7
MD&A presented in accordance with rules other than SEC rules and regulations (for example, GASB or state insurance department rules for insurers) Yes Yes Yes SSAE no. 10, chapters 1 and 2
WebTrust and SysTrust Yes N/A N/A www.aicpa.org/assurance/index.htm
Attest engagements for the U.S. Department of Housing and Urban Development (AUP for electronic submission of financial data) N/A N/A Yes www.hud.gov/reac/products/fass/mf_doc.html

and

www.hud.gov/reac/products/fass/pha_doc.html

Source: AICPA and U.S. Department of Housing and Urban Development.

WHAT IS AN ATTEST ENGAGEMENT?

In an attest engagement, the practitioner is attesting to, or providing assurance on, subject matter that is the responsibility of another party. The attestation standards apply, therefore, whenever an independent CPA has been engaged to issue, or issues, an examination report, a review report or an agreed-upon procedures (AUP) report on subject matter—or an assertion about the subject matter—that is the responsibility of another party.

However, chapter 1 of SSAE no. 10 specifically identifies certain engagements, such as a financial statement audit, that are not subject to the attestation standards. Consequently, when performing engagements under professional standards other than those governing attest engagements, practitioners should take steps to ensure that readers of their reports do not mistake them for attest reports. They can accomplish this by not drawing conclusions similar to those in an examination or a review attest report.

For example, a client may engage a practitioner to make recommendations for improvements in its internal control. If, in his or her report, the practitioner were to state that the client’s internal control was adequate or effective, a reader might mistakenly assume that statement is an attest report. Whether or not the practitioner intended such an interpretation, the attestation standards still would apply.

THE RESPONSIBLE PARTY—A MUST-HAVE

The practitioner and the responsible party have distinctly different roles in an attest engagement. The latter—who often is the client—is responsible or accountable for the subject matter and typically provides the practitioner with a written assertion about it. The responsible party, for example, might be a corporate officer charged with overseeing his or her company’s compliance with a law or regulation. In contrast, the practitioner acts as an objective, independent attester by performing the attest engagement and providing the examination, review or agreed- upon procedures attest report. He or she is not responsible for the subject matter or selecting the criteria.

While the practitioner can identify the responsible party in most attest engagements, in a few instances the subject matter precludes the existence of one. For example, a resort community’s chamber of commerce may want to publicize the town’s 300 days of sunny weather in the past year. Since no one is responsible for the weather, the client may make an assertion, assuming it has a reasonable basis for doing so.

CRITERIA—JUST RIGHT AND EASY TO GET AT

The ASB recognized that, for an attest service to be meaningful and useful, the criteria for evaluating the underlying subject matter have to be solid. Thus, the general attestation standards specify that for practitioners to be able to perform and report on an attest engagement, the criteria for evaluating the subject matter of the engagement must be suitable and available to users of the engagement report.

Suitability. SSAE no. 10 specifically acknowledges that some criteria, such as the COSO criteria for evaluating internal control over financial reporting, are “suitable.” Ordinarily, criteria are considered suitable if established by groups of experts that follow due process—for example, exposing the proposed criteria for public comment. But if groups that do not follow due process procedures or do not clearly represent the public interest developed the client’s criteria for evaluation, the practitioner should determine whether those criteria have the following required attributes of suitability: objectivity, measurability, completeness and relevance. If the practitioner does not find the criteria to be suitable, he or she should decline the engagement.

Availability. The availability test is very clear-cut; the criteria are considered to be “available” if they are any of the following:

Published.

Posted to a Web site.

Included with the client’s presentation of the subject matter (or assertion about the subject matter) and the practitioner’s attest report.

Sometimes, however, the criteria are contained in a contract, and one or more parties to the engagement prefer not to make the contract’s terms public. In that case, only parties to the contract—who also would be specified in the attest report—would be able to use the report.

IS THE CLIENT ALWAYS RESPONSIBLE?

In developing the new attest guidance, the ASB considered not only engagements in which the client is the responsible party but also those in which it is not.

An example of the latter type of engagement is a situation in which a client engages a practitioner to perform an examination of another entity’s compliance with certain laws or regulations prior to a merger or acquisition. In considering its guidance for these types of engagements, and especially when the responsible party does not provide a written assertion, the ASB makes some important distinctions:

The Holy Grail: the written assertion. Ordinarily, as part of an attest engagement, the practitioner will obtain from the responsible party a written assertion—that is, any written declaration(s) that party makes about whether the subject matter is based on or in conformity with the criteria: for example, company management’s written statement that, as of a certain date, the company had effective internal control over financial reporting (based on the COSO criteria).

In broadening the availability of attest services, the ASB recognizes that the practitioner might not be able to obtain a written assertion in all cases. In an attest engagement where the responsible party is not the client, he or she may have little motivation to provide the practitioner with a written assertion. To enable practitioners to conduct such engagements but, at the same time, to help protect them from legal liability, the ASB concluded that

Examination and review attest reports should contain a statement that a written assertion about the subject matter was not provided.

Use of the report should be restricted solely to the client.

When the client is the responsible party and refuses to provide the practitioner with a written assertion, SSAE no. 10 specifically identifies the refusal as a client-imposed limitation on the scope of the engagement, requiring a modification to the examination report. On a review engagement, such a restriction would be sufficient cause for the practitioner to withdraw.

The bottom line: If the responsible party refuses to provide the practitioner with a written assertion in an examination engagement, the practitioner’s report must refer to that scope limitation and its use must be restricted to specified parties.

Do you need an assertion? Although the ASB eliminated the requirement for the practitioner to obtain a written assertion to perform an agreed-upon procedures attest engagement, SSAE no. 10 retains that requirement for performing an AUP engagement on compliance or internal control over compliance (in chapter 6, “Compliance Attestation”).

By omitting the assertion requirement in an AUP attest engagement, the ASB cleared the way to withdraw SAS no. 75 (see SAS no. 93, Omnibus Statement on Auditing Standards—2000 ) and fold into SSAE no. 10 relevant guidance on performing agreed-upon procedures for an element, account or item of a financial statement.

What about a representation letter? During an attest engagement, the client and the responsible party make many oral and written representations to the practitioner. A representation letter from the client or responsible party ordinarily confirms representations explicitly or implicitly given to the practitioner, indicates and documents their continuing appropriateness and reduces the possibility of misunderstanding about matters involving such representations.

The ASB believes practitioners should consider obtaining a representation letter in an attest engagement. But because of the complexity of practice issues raised by the broadened availability of attest services, the ASB does not require a representation letter on every attest engagement. Before agreeing to perform such an engagement, a practitioner should carefully review the requirements of SSAE no. 10.

However, in an examination or a review engagement, even when a representation letter is not required, the practitioner should consider obtaining one.

MORE OPTIONS IN REPORTING

SSAE no. 10 enables true direct reporting: For example, it permits the practitioner to state, in the introductory paragraph of an examination report, that he or she has examined the subject matter (which might consist of the effectiveness of the company’s internal control, in accordance with the COSO criteria, over financial reporting as of a particular date) and then to express an opinion on that subject matter. It also provides the practitioner with the option of structuring the report to address the written assertion.

However, if conditions exist that individually or together result in one or more material misstatements or deviations from the criteria (such as the COSO criteria for internal control), the practitioner—in order to most effectively communicate with the reader of the report—should modify the report and express his or her opinion or conclusion directly on the subject matter, not the assertion.

STANDARDS FOR TODAY AND TOMORROW

Since existing interpretations of the attestation standards (in particular, AT sections 100 and 400 of AICPA Professional Standards ) were affected by the changes reflected in SSAE no. 10, the ASB revised and reissued them (in the January 2001 edition).

A practice aid on attest engagements subject to the guidance in chapter 1 of SSAE no. 10 is in development and will be available later this year.

The new statement is effective when the subject matter or assertion is as of or for a period ending after June 1, 2001. Earlier application is permitted.

In developing and issuing SSAE no. 10, the ASB aims to give practitioners the evaluative and reporting capabilities they need to meet businesses’ growing demand for increasingly diverse assurance services. Observers believe the changes the new SSAE introduces will help practitioners effectively respond not only to clients’ current assurance needs but also to their future ones.

SPONSORED REPORT

Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.

QUIZ

News quiz: IRS warning on cyberattacks and a change in pension rules

Once again, the IRS sounds the alarm about a threat from cyberthieves. See how much you know about this and other recent news with this short quiz.

CHECKLIST

Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.