Most people have some degree of familiarity with contracts, but the nuances of contractual requirements related to an audit engagement are not always understood. If you are looking to engage an auditor, or if you have an existing engagement letter with an auditor, it is important to understand these nuances and the requirements for audit engagement terms. This article will cover the circumstances under which an engagement letter should be issued, how an audit engagement letter is written, who prepares the engagement letter, and the required and recommended audit engagement terms to include.
What is an Audit Engagement?
An audit engagement is an agreement between a client and an independent third-party auditor to perform an audit of some element of the client’s business, such as accounting records, financial statements, internal controls, regulatory compliance, information systems, operational processes, etc. More information on what auditors do and the different types of audit engagements can be found in a previous post.
The purpose of engaging a third-party auditor is to obtain an unbiased and independent opinion on the organization’s ability to achieve the specified audit criteria. Your auditor should be a subject matter expert who provides value in delivering conclusions on the effectiveness of business processes and controls, while alerting the company of any risks identified.
Is an Engagement Letter Required For an Audit?
Why is the engagement letter necessary before the start of an audit? In any business arrangement, a contractual agreement is needed to specify the terms of engagement. For audit engagements, the contractual agreement is referred to as an engagement letter. The engagement letter is a legally binding document whose purpose is to:
- Specify the parties of the audit engagement.
- Define the scope of the audit, including the in-scope services and systems.
- Specify the timeline of the audit and related deliverables.
- Define the fee arrangement for the audit.
- Communicate the limitations of the services provided.
- Outline the auditor’s and management’s responsibilities.
- Specify the expected duration of the audit and, often, its expected completion date.
The engagement letter will also describe the limitations of the audit engagement, and it should include the terms and conditions of the agreement. As with all contracts, engagement letters are used to mitigate risk related to the business arrangement and the relationship between the parties involved in the arrangement, including the risk of misunderstandings between the parties.
Who Prepares an Audit Engagement Letter?
Audit engagement letter templates are issued by the American Institute of Certified Public Accountants (AICPA). As the governing body for public accounting, the AICPA has developed standards for audit engagements, including guidance for the terms of engagement and the required terms under which an audit engagement must be performed. Your designated audit firm will prepare the specific terms of engagement using the appropriate AICPA-issued engagement letter template.
It should be noted that many terms for audit engagements are deemed required by the AICPA and are therefore non-negotiable. Such requirements include terms specifying management’s obligation to submit assertions and representations relative to the control environment, the inherent limitations of an examination engagement, the responsibilities of each of the engaging parties, etc. Be aware that your company’s legal counsel may not be able to request that the engagement letter be prepared on the company’s own paper, and counsel may be limited in negotiating the terms of engagement.
What are the Major Elements of an Audit Engagement Letter?
The content of the engagement letter will vary based on the audit engagement, but all engagement letters will, at a minimum, include the scope of services and related deliverables, the fee arrangement, and terms and conditions. For a SOC 2 audit, the scope of services will define the systems that comprise the services to be audited, as well as the relevant Trust Services Criteria to be included in the assessment.
Similarly, a SOC 1 engagement letter will define the system scope, as well as the Control Objectives to be included in the audit, including any financial, processing, or transaction-related control objectives. Because specific engagement letter content will vary by the audit engagement scope, it is recommended that organizations consult the AICPA’s website to review the available templates, ensuring your audit engagement letter has defined the terms of engagement and includes sufficient details relative to how the engagement will be executed.
What Terms of Engagement Should be Included?
The AICPA requires that all audit engagements be governed by agreed terms of engagement. You must review your engagement letter carefully to make sure it includes those terms. Engagement letter contents will differ based on the scope of services. For a SOC 1 / SOC 2 audit, the engagement letter should include the following, at a minimum, as specified by the AICPA in Paragraph .08 of AT-C section 205:
- “The objective and scope of the engagement
- The responsibilities of the service auditor
- A statement that the engagement will be conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants
- The responsibilities of the responsible party and the responsibilities of the engaging party, if different
- A statement about the inherent limitations of an examination engagement
- Identification of the criteria for the measurement, evaluation, or disclosure of the subject matter
- An acknowledgment that the engaging party agrees to provide the service auditor with a representation letter at the conclusion of the engagement”
The following considerations are also important to include in the engagement letter:
- Scope of services, including the suitable criteria the organization will be audited against
- Relevant systems that support the services under audit
- Fee arrangements and contract term (single year vs. multi-year)
- Whether the audit engagement includes a pre-audit readiness assessment
- Audit engagement timeline and associated deliverables
- Process for scope adjustments and associated incremental fees
- General Terms and Conditions for Liability Limitation, Confidentiality Commitments, Dispute Resolution, Electronic Data Management, etc.
Your audit engagement letter should be written with enough specificity and clarity to support an effective audit engagement, and while many of the terms are non-negotiable, you should push your auditor for more detail if any engagement terms are unclear or lacking.
Who Signs the Engagement Letter for an Audit?
As with any contract, it is important that the appropriate signatories are tasked with executing the engagement letter. The engagement letter is required to be signed by those who are deemed authorized representatives of the engaging party. For an audit firm, the engagement letter should be signed by one of the partners of the firm. Management’s signatory should be someone with sufficient authority and insight into the company’s internal controls. Often, the management signatory will be the Chief Executive Officer, Chief Technology Officer, Chief Information Security Officer, or Chief Financial Officer.
You would never engage a critical vendor without first defining the terms of your business arrangement; likewise, the terms of engagement with your auditor are foundational to a successful audit engagement and business relationship. It’s not ideal to get to the end of your audit engagement and learn your audit report excludes one of the systems you assumed was included in the report scope, or is missing one of the Trust Services Criteria. Likewise, you don’t want to be surprised by additional audit engagement fees or expenses.
Surprises like these can result in strained business relationships and leave your clients disappointed. The worst-case scenario is an outright rejection of an audit report by your clients if the audit criteria or scope does not align with expectations. The AICPA has vast resources for composing audit engagement letters, and Linford & Company can help you navigate the process and identify the appropriate terms of engagement for your audit. Please contact us if you would like to learn more about our many audit services.
This article was originally published on 8/25/2020 and was updated on 3/29/2023.
Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder.