he Auditing Standards Board (ASB) has issued Statement on Standards for Attestation Engagements (SSAE) no. 10, Attestation Standards: Revision and Recodification. Because of the growing market demand for different kinds of attest services, it is the ASB’s aim in releasing the statement to clarify and broaden the applicability of the attestation standards and to provide guidance on practice issues. In the past, practitioners considered the line between consulting service engagements and attest engagements a somewhat blurry one. Thus, another goal of the SSAE no. 10 project is to remove that ambiguity (see “Drawing the Line,” below).
In 1986 the ASB issued the first SSAE, Attestation Standards, to capitalize on existing CPA skills and to provide guidance on applying that expertise to information other than historical financial statements. Using those attestation standards and succeeding ones, practitioners began to render assurance on many new types of information and business systems (see “What Are SysTrust and WebTrust?” below). The new statement—SSAE no. 10—supersedes all previously issued SSAEs; the effective date is June 1, 2001.
Chapter 1, “Attest Engagements,” of SSAE no. 10 provides a framework that establishes how practitioners are to conduct attest engagements and that can be used for developing guidance on specific services. (See “Official Releases, page 94). The ASB conformed the existing guidance on specific attest engagements, such as financial forecasts and projections and compliance with laws or regulations, and folded it into chapters 2 through 7. (See “A Guide to Services CPAs Can Offer and the Rules That Apply,” below, for examples of attest engagements and relevant guidance.)
WHAT IS AN ATTEST ENGAGEMENT?
In an attest engagement, the practitioner is attesting to, or providing assurance on, subject matter that is the responsibility of another party. The attestation standards apply, therefore, whenever an independent CPA has been engaged to issue, or issues, an examination report, a review report or an agreed-upon procedures (AUP) report on subject matter—or an assertion about the subject matter—that is the responsibility of another party.
However, chapter 1 of SSAE no. 10 specifically identifies certain engagements, such as a financial statement audit, that are not subject to the attestation standards. Consequently, when performing engagements under professional standards other than those governing attest engagements, practitioners should take steps to ensure that readers of their reports do not mistake them for attest reports. They can accomplish this by not drawing conclusions similar to those in an examination or a review attest report.
For example, a client may engage a practitioner to make recommendations for improvements in its internal control. If, in his or her report, the practitioner were to state that the client’s internal control was adequate or effective, a reader might mistakenly assume that statement is an attest report. Whether or not the practitioner intended such an interpretation, the attestation standards still would apply.
THE RESPONSIBLE PARTY—A MUST-HAVE
The practitioner and the responsible party have distinctly different roles in an attest engagement. The latter—who often is the client—is responsible or accountable for the subject matter and typically provides the practitioner with a written assertion about it. The responsible party, for example, might be a corporate officer charged with overseeing his or her company’s compliance with a law or regulation. In contrast, the practitioner acts as an objective, independent attester by performing the attest engagement and providing the examination, review or agreed- upon procedures attest report. He or she is not responsible for the subject matter or selecting the criteria.
While the practitioner can identify the responsible party in most attest engagements, in a few instances the subject matter precludes the existence of one. For example, a resort community’s chamber of commerce may want to publicize the town’s 300 days of sunny weather in the past year. Since no one is responsible for the weather, the client may make an assertion, assuming it has a reasonable basis for doing so.
CRITERIA—JUST RIGHT AND EASY TO GET AT
The ASB recognized that, for an attest service to be meaningful and useful, the criteria for evaluating the underlying subject matter have to be solid. Thus, the general attestation standards specify that for practitioners to be able to perform and report on an attest engagement, the criteria for evaluating the subject matter of the engagement must be suitable and available to users of the engagement report.
Suitability. SSAE no. 10 specifically acknowledges that some criteria, such as the COSO criteria for evaluating internal control over financial reporting, are “suitable.” Ordinarily, criteria are considered suitable if established by groups of experts that follow due process—for example, exposing the proposed criteria for public comment. But if groups that do not follow due process procedures or do not clearly represent the public interest developed the client’s criteria for evaluation, the practitioner should determine whether those criteria have the following required attributes of suitability: objectivity, measurability, completeness and relevance. If the practitioner does not find the criteria to be suitable, he or she should decline the engagement.
Availability. The availability test is very clear-cut; the criteria are considered to be “available” if they are any of the following:
Posted to a Web site.
Included with the client’s presentation of the subject matter (or assertion about the subject matter) and the practitioner’s attest report.
Sometimes, however, the criteria are contained in a contract, and one or more parties to the engagement prefer not to make the contract’s terms public. In that case, only parties to the contract—who also would be specified in the attest report—would be able to use the report.
IS THE CLIENT ALWAYS RESPONSIBLE?
In developing the new attest guidance, the ASB considered not only engagements in which the client is the responsible party but also those in which it is not.
An example of the latter type of engagement is a situation in which a client engages a practitioner to perform an examination of another entity’s compliance with certain laws or regulations prior to a merger or acquisition. In considering its guidance for these types of engagements, and especially when the responsible party does not provide a written assertion, the ASB makes some important distinctions:
The Holy Grail: the written assertion. Ordinarily, as part of an attest engagement, the practitioner will obtain from the responsible party a written assertion—that is, any written declaration(s) that party makes about whether the subject matter is based on or in conformity with the criteria: for example, company management’s written statement that, as of a certain date, the company had effective internal control over financial reporting (based on the COSO criteria).
In broadening the availability of attest services, the ASB recognizes that the practitioner might not be able to obtain a written assertion in all cases. In an attest engagement where the responsible party is not the client, he or she may have little motivation to provide the practitioner with a written assertion. To enable practitioners to conduct such engagements but, at the same time, to help protect them from legal liability, the ASB concluded that
Examination and review attest reports should contain a statement that a written assertion about the subject matter was not provided.
Use of the report should be restricted solely to the client.
When the client is the responsible party and refuses to provide the practitioner with a written assertion, SSAE no. 10 specifically identifies the refusal as a client-imposed limitation on the scope of the engagement, requiring a modification to the examination report. On a review engagement, such a restriction would be sufficient cause for the practitioner to withdraw.
The bottom line: If the responsible party refuses to provide the practitioner with a written assertion in an examination engagement, the practitioner’s report must refer to that scope limitation and its use must be restricted to specified parties.
Do you need an assertion? Although the ASB eliminated the requirement for the practitioner to obtain a written assertion to perform an agreed-upon procedures attest engagement, SSAE no. 10 retains that requirement for performing an AUP engagement on compliance or internal control over compliance (in chapter 6, “Compliance Attestation”).
By omitting the assertion requirement in an AUP attest engagement, the ASB cleared the way to withdraw SAS no. 75 (see SAS no. 93, Omnibus Statement on Auditing Standards—2000 ) and fold into SSAE no. 10 relevant guidance on performing agreed-upon procedures for an element, account or item of a financial statement.
What about a representation letter? During an attest engagement, the client and the responsible party make many oral and written representations to the practitioner. A representation letter from the client or responsible party ordinarily confirms representations explicitly or implicitly given to the practitioner, indicates and documents their continuing appropriateness and reduces the possibility of misunderstanding about matters involving such representations.
The ASB believes practitioners should consider obtaining a representation letter in an attest engagement. But because of the complexity of practice issues raised by the broadened availability of attest services, the ASB does not require a representation letter on every attest engagement. Before agreeing to perform such an engagement, a practitioner should carefully review the requirements of SSAE no. 10.
However, in an examination or a review engagement, even when a representation letter is not required, the practitioner should consider obtaining one.
MORE OPTIONS IN REPORTING
SSAE no. 10 enables true direct reporting: For example, it permits the practitioner to state, in the introductory paragraph of an examination report, that he or she has examined the subject matter (which might consist of the effectiveness of the company’s internal control, in accordance with the COSO criteria, over financial reporting as of a particular date) and then to express an opinion on that subject matter. It also provides the practitioner with the option of structuring the report to address the written assertion.
However, if conditions exist that individually or together result in one or more material misstatements or deviations from the criteria (such as the COSO criteria for internal control), the practitioner—in order to most effectively communicate with the reader of the report—should modify the report and express his or her opinion or conclusion directly on the subject matter, not the assertion.
STANDARDS FOR TODAY AND TOMORROW
Since existing interpretations of the attestation standards (in particular, AT sections 100 and 400 of AICPA Professional Standards ) were affected by the changes reflected in SSAE no. 10, the ASB revised and reissued them (in the January 2001 edition).
A practice aid on attest engagements subject to the guidance in chapter 1 of SSAE no. 10 is in development and will be available later this year.
The new statement is effective when the subject matter or assertion is as of or for a period ending after June 1, 2001. Earlier application is permitted.
In developing and issuing SSAE no. 10, the ASB aims to give practitioners the evaluative and reporting capabilities they need to meet businesses’ growing demand for increasingly diverse assurance services. Observers believe the changes the new SSAE introduces will help practitioners effectively respond not only to clients’ current assurance needs but also to their future ones.