AICPA Statements on Standards for Attestation Engagements (SSAEs, or attestation standards) establish requirements for performing and reporting on examination, review, and agreed-upon procedures (AUP) engagements. In an examination, the practitioner performs procedures to obtain reasonable assurance in order to be able to draw reasonable conclusions on which to base the practitioner's opinion on the subject matter or on an assertion; in a review, the practitioner performs procedures to obtain limited assurance in order to express a conclusion on the subject matter or an assertion; and in an AUP engagement, the practitioner performs specified procedures and reports findings on the performance of those procedures without providing an opinion or a conclusion. These engagements are intended to enhance users' confidence in financial and nonfinancial information other than historical financial statements.
If engaged to issue an opinion or a conclusion on historical financial statements, the practitioner would perform the engagement in accordance with Statements on Auditing Standards or Statements on Standards for Accounting and Review Services, respectively. To clarify the standards and to appropriately provide increased flexibility for practitioners to provide value to clients, the AICPA Auditing Standards Board (ASB) recently issued the following attestation standards:
- SSAE No. 19, Agreed-Upon Procedures Engagements.
- SSAE No. 20, Amendments to the Description of the Concept of Materiality.
- SSAE No. 21, Direct Examination Engagements. (In addition to creating a new AT-C section that enables a practitioner to perform a new service known as a direct examination, SSAE 21 revises the attestation standards for assertion-based examinations.)
- SSAE No. 22, Review Engagements.
Examples of underlying subject matter and criteria that a practitioner may report on in accordance with the attestation standards are whether:
- Environmental, social, and governance (ESG) practices meet criteria established by a regulator (see "ESG Offers Growth Opportunities for 2022," JofA, Dec. 2021).
- Product performance metrics are fairly stated and meet criteria established by an industry group.
- Electronic transactions, electronic documents, and supporting systems meet specific criteria, such as those specified by Visa or Mastercard.
- A long-term-care facility meets a state's requirements to participate in Medicare and Medicaid programs.
- Computer security systems meet specified criteria, such as those specified in the AICPA's System and Organization Controls 2 (SOC 2) framework or in the National Institute of Standards and Technology (NIST) Standards.
- Controls at a service organization are suitably designed and operating effectively to achieve specified control objectives, based on criteria for suitability of design and operating effectiveness.
- Enterprise risk management (ERM) systems meet COSO criteria.
- Labor practices meet federal Fair Labor Standards Act requirements.
The following case study relates to a day care center and:
- Identifies the attestation services that a practitioner might provide;
- Illustrates the differences between these services;
- Indicates when each service might be useful; and
- Explains how a practitioner may recommend a service to best meet a client's needs.
Attestation services share common attributes, which include performing client acceptance procedures, obtaining an understanding of the subject matter, reaching a written understanding of engagement terms with the engaging party, properly planning and performing the work, supervising team members, obtaining a management representation letter, and providing a practitioner's report.
Our hypothetical case study involves Key Day Care Center (Key), which Jane Key opened in 2020. Key is subject to many federal, state, and local rules and regulations, including those that require Key to:
- Perform background checks on child care providers;
- Maintain a certain ratio of child care staff to children;
- Meet education and training requirements for staff;
- Meet vaccination and health testing requirements for staff;
- Meet other safety standards; and
- Maintain liability insurance.
Given strong competition, Key's experienced management has designed and implemented policies that usually exceed these requirements.
Jane Key meets with her business's CPA, Sara Jones of Jones and Company, to discuss the possible services Jones may provide. Key explains that, based on their prior experience, Key has developed and successfully implemented policies and procedures that meet the legal requirements. Key's management requests an attestation service that provides findings on whether these policies and procedures are being implemented during the current period. Jones suggests that her firm perform an agreed-upon procedures engagement under AT-C Section 215, Agreed-Upon Procedures Engagements. Jones explains the following:
- Jones and Key can work together to determine the procedures to be performed that would assist Key in determining whether Key's systems and controls are being followed.
- Prior to the issuance of Jones's agreed-upon procedures report, Key will agree to and acknowledge that the procedures performed are appropriate for the purpose of assisting Key in determining whether Key's systems and controls are being followed.
- The report will describe the procedures performed and Jones's findings based on the performance of the procedures. As the engagement is not an examination or a review of Key's systems and controls, Jones will not express an opinion, conclusion, or any form of assurance.
Key's management agrees that an AUP engagement will meet its needs. Although not required, because of the nature of the engagement, Jones advises Key's management that Jones's report will include an alert advising readers that it is intended solely for the information and use of Key's management and is not intended to be and should not be used by anyone other than Key's management. The expected restriction on the use of Jones's report is noted in the engagement letter.
As the engagement progresses, Jones frequently meets with Key's management to discuss the nature, timing, and extent of the procedures that Jones has performed or is planning to perform. Near the completion of the engagement, and before the issuance of Jones's AUP report, Jones asks Key to sign the representation letter that includes Key's agreement and acknowledgment that the procedures performed are appropriate for the purpose of assisting Key in determining whether Key's systems and controls are being followed.
Jones's report includes the policies and procedures established by Key's management, the procedures performed by Jones, and Jones's findings. See the chart, "Jones's Report," (below) for an excerpt.
Jones also may separately suggest improvements to Key's procedures, especially where the legal requirements were not always met.
In 2021, Key's business grew; it advertised that its policies and procedures exceed those required by laws and regulations and that those policies and procedures were implemented. For example, although the regulations called for two child care providers for every 10 children up to age 3, Key requires three providers for every eight children in this age group. Key concurrently began receiving requests from current and prospective customers and from regulators to provide a report on the accuracy of its advertising. Key's management and Jones discussed alternative services to address these issues, which included:
- A general-use agreed-upon procedures report;
- An assertion-based examination engagement; or
- A review engagement.
Jones explains each service to help Key decide which service to use. Jones notes that a direct examination cannot be used for compliance with regulations.
AGREED-UPON PROCEDURES ENGAGEMENT
Jones informs Jane Key that the use of the AUP report need not be restricted; Key could provide an unrestricted report to regulators and to current and potential customers. Jones inquires whether Key believes that the intended users of the report should agree to and acknowledge that the procedures performed are appropriate for their purposes. If Key believes that agreement and acknowledgment will help users find value in the report, Jones advises that Key's management, as part of its agreement to and acknowledgment of the appropriateness of the procedures performed, should communicate with each of the required intended users to confirm that they agree to and acknowledge that the procedures performed are appropriate for their purposes. The representation letter will include a statement that Key's management has so confirmed with the intended users of Jones's AUP report. If Key's management believes that the intended users will find value in the report without agreeing to the procedures performed, there is no need for Key to communicate with the intended users. If Jones's report does not contain an alert restricting its use, it is intended for general use, and users need not have agreed to the procedures.
Concerned that, while regulators might agree to the agreed-upon procedures, customers will want additional comfort about Key's compliance, Key wants to consider services that provide an opinion or a conclusion by Jones.
ASSERTION-BASED ENGAGEMENT (AT-C SECTION 205)
In an assertion-based examination engagement, Key should provide an assertion and would have a reasonable basis for making its assertion. Jones would obtain reasonable assurance about whether the subject matter is in accordance with (or based on) the criteria, in all material respects, or whether an assertion about the subject matter is fairly stated, in all material respects.
In this engagement, besides the steps that apply to all attestation engagements, Jones should:
- Obtain management's assertion about whether Key complied with specified laws, regulations, rules, contracts, or grants and determine whether Key has a reasonable basis for its assertion.
- Identify and assess the risks of material misstatement, whether due to fraud or error, based on an understanding of Key's policies; the specified regulations; the evaluation of whether the policies are in accordance with the regulations; and other circumstances.
- Obtain sufficient appropriate evidence about whether material misstatements exist by designing and implementing appropriate responses to the assessed risks.
- Issue a report that provides Jones's opinion as to whether Key's policies are in accordance with the specified regulations.
REVIEW (AT-C SECTION 210)
In a review, Key should provide an assertion and would have a reasonable basis for making its assertion.
Jones would perform procedures to obtain limited rather than reasonable assurance. Jones would conclude whether she was aware of any material modifications that should be made to:
- Key's policies in order for them to be in accordance with the specified regulations; or
- Key's assertion in order for it to be fairly stated.
In a review, the nature and extent of procedures are less than in an examination.
Since Key's management does not have a reasonable basis to provide an assertion, it cannot receive an assertion-based examination or review. Ultimately, Key's management asked Jones to provide an AUP engagement and to issue a general-use report. As Key grows, it plans to enhance its procedures to be able to provide an assertion with a reasonable basis and thus engage Jones to perform an assertion-based examination of compliance with regulations.
CHOOSING THE APPROPRIATE SERVICE
We have summarized the decision-making process for attestation services. The first decision is whether the engaging party primarily wants advice or assurance. If a client believes that it needs help to design or improve its procedures, the CPA can offer a consulting service. Although the practitioner may provide advice as a byproduct of an attestation engagement, it is not the engagement's primary purpose.
In deciding which attestation service should be performed, the engaging party (which is usually the responsible party) should determine whether it has a reasonable basis for, and will provide, an assertion. What constitutes a reasonable basis for the responsible party's assertion depends on the nature of the subject matter and other engagement circumstances. In some cases, a formal process with extensive internal control may be needed to provide the responsible party with a reasonable basis for making its assertion. The fact that the practitioner will report on the subject matter is not a substitute for the responsible party's own processes to have a reasonable basis for its assertion. The practitioner and engaging party should next consider (1) whether, because of the subject matter, the standards prohibit the practitioner from performing a review or direct examination; (2) what services best meet the report users' needs; and (3) the costs.
About the authors
Abraham Akresh, CPA, is owner of the firm Abraham D. Akresh CPA in Potomac, Md. Alan Reinstein, CPA, CGMA, DBA, is the George R. Husband Professor of Accounting at the School of Business Administration at Wayne State University in Detroit. Thomas Weirich, CPA, Ph.D., is a professor of accounting at Central Michigan University in Mount Pleasant, Mich. To comment on this article or to suggest an idea for another article, contact Courtney Vien at Courtney.Vien@aicpa-cima.com or 919-402-4125.