Issuance of attestation standards completes clarity project

By Ken Tysiac

The final task in the clarity project undertaken by the AICPA Auditing Standards Board (ASB) was completed Tuesday with the issuance of clarified attestation standards.

The ASB issued Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.

The attestation standards establish requirements for performing and reporting on examination, review, and agreed-upon procedures engagements that enable practitioners to report on subject matter other than historical financial statements. Examples of this subject matter include an entity’s compliance with laws or regulations, the effectiveness of an entity’s controls over the security of a system, and the fairness of the presentation of a statement of greenhouse gas emissions.

In the clarity project, the ASB has redrafted its standards using drafting conventions designed to make the standards easier to read, understand, and apply. The identifier “AT-C” is used to differentiate the sections of the clarified attestation standards (“AT-C” sections) from the sections of the attestation standards that are superseded by SSAE No. 18 (“AT” sections).

SSAE No. 18 is effective for practitioners’ reports dated on or after May 1, 2017.

The standard is in keeping with the ASB’s general strategy of increasing convergence with the standards of the International Auditing and Assurance Standards Board. International Standard on Assurance Engagements 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information, is the foundation for:

  • AT-C Section 105, Concepts Common to All Attestation Engagements;
  • AT-C Section 205, Examination Engagements; and
  • AT-C Section 210, Review Engagements.

SSAE No. 18 restructures the attestation standards so that the applicability of any AT-C section to a particular engagement depends on the level of service provided and the subject matter of the engagement. AT-C Section 105 applies to all attestation engagements. AT-C Sections 205, 210, and 215, Agreed-Upon Procedures Engagements, each contain incremental performance and reporting requirements and application guidance specific to the level of service provided.

The applicable requirements and application guidance for any attestation engagement are contained in at least two AT-C sections: AT-C Section 105 and either AT-C Section 205, 210, or 215, depending on the level of service provided.

SSAE No. 18 also includes sections that contain incremental requirements and application guidance specific for four subject matters. Those “subject matter sections” address prospective financial information, pro forma financial information, compliance attestation, and controls at a service organization relevant to user entities’ internal control over financial reporting.

The applicable requirements and application guidance for an engagement to report on one of these subject matters are contained in three AT-C sections: AT-C Section 105; AT-C Section 205, 210, or 215, depending on the level of service provided; and the applicable subject-matter section.

SSAE No. 18 supersedes all of the existing attestation standards with the following exceptions:

  • AT Section 501, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements. (The content of AT Section 501 has been clarified, revised, and issued as a Statement on Auditing Standards (SAS) in SAS No. 130, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements (AU-C Section 940).) The effective date for SAS No. 130 is for integrated audits for periods ending on or after Dec. 15, 2016.
  • AT Section 701, Management’s Discussion and Analysis. This section has not been clarified because practitioners rarely perform these engagements; however, it will be retained in the clarified attestation standards in its current form.

Ken Tysiac ( is a JofA editorial director.


Cybersecurity threats proliferating for midsize and smaller businesses

This report details how SMBs can properly protect private information from breaches, design and implement a cybersecurity policy, and create safeguards for training and education.


Test yourself on these often confused words

The spelling checker on your word processing program can do only so much to flag problems. Your best insurance is to learn the troublesome words that trip up writers and use them correctly by the standards of formal, written English.