Most people have some degree of familiarity with contracts, but the nuances of contractual requirements related to an audit engagement are not always understood. If you are looking to engage an auditor, or if you have an existing engagement letter with an auditor, it is important to understand these nuances and the requirements for audit engagement terms. Today we will cover the circumstances under which an engagement letter should be issued, how an audit engagement letter is written, who prepares the engagement letter, and the required and recommended audit engagement terms to include.
What is an Audit Engagement?
An audit engagement is an agreement between a client and an independent third-party auditor to perform an audit of some element of the client’s business, such as accounting records, financial statements, internal controls, regulatory compliance, information systems, operational processes, etc. More information on what auditors do and the different types of audit engagements can be found in a previous post.
The purpose of engaging a third-party auditor is to obtain an unbiased and independent opinion on the organization’s ability to achieve the specified audit criteria. Your auditor should be a subject matter expert who provides value in delivering conclusions on the effectiveness of business processes and controls, while alerting the company of any risks identified.
Is an Engagement Letter Required For an Audit?
In any business arrangement, a contractual agreement is needed to specify the terms of engagement. For audit engagements, the contractual agreement is referred to as an engagement letter. The engagement letter is a legally binding document that:
- Defines the scope of services to be audited
- Specifies the timeline of the audit and related deliverables
- Defines the fee arrangement
- Communicates the limitations of the services provided
- Outlines each party’s responsibilities
The engagement letter should also clearly outline the Terms and Conditions of the agreement. As with all contracts, engagement letters are used to mitigate risk related to the business arrangement and the relationship between the parties involved in the arrangement.
Who Prepares an Audit Engagement Letter?
Audit engagement letter templates are issued by the American Institute of Certified Public Accountants (AICPA). As the professional body that sets the attestation standards under which SOC engagements are performed, the AICPA has developed guidance for the terms of engagement, including the terms that are required before an engagement may be performed. Your designated audit firm will prepare the specific terms of engagement using the appropriate AICPA-issued engagement letter template.
It should be noted that many audit engagement terms are required by the AICPA's standards and therefore cannot be negotiated. Such requirements include terms specifying management's obligation to provide assertions and written representations about the control environment, a statement of the inherent limitations of an examination engagement, the responsibilities of each of the engaging parties, etc. Be aware that your company's legal counsel will not be able to request that the engagement letter be prepared on the company's own paper, and counsel will be limited in negotiating the terms of engagement.
What are the Major Elements of an Audit Engagement Letter?
The content of the engagement letter will vary based on the audit engagement, but all engagement letters will, at a minimum, include the scope of services and related deliverables, fee arrangement, and terms and conditions. The most common services Linford & Co. provides are SOC 1 and SOC 2 audits. For a SOC 2 audit, the scope of services will define the systems that comprise the services to be audited, as well as the relevant Trust Services Criteria to be included in the assessment.
Similarly, a SOC 1 engagement letter will define the system scope, as well as the Control Objectives to be included in the audit, including any financial, processing, or transaction-related control objectives. Because specific engagement letter content will vary by the audit engagement scope, it is recommended that organizations consult the AICPA’s website to review the available templates, ensuring your audit engagement letter has sufficiently defined the terms of engagement.
What Terms of Engagement Should be Included?
Audit engagements must be governed by terms of engagement that meet the AICPA's requirements, so it is important to review your engagement letter in detail to confirm that the required terms are present. Again, engagement letters will vary depending on the scope of services. For a SOC 1 / SOC 2 audit, the engagement letter should include the following, at a minimum, as specified in Paragraph .08 of AT-C section 205 of the AICPA's attestation standards:
- The objective and scope of the engagement
- The responsibilities of the service auditor
- A statement that the engagement will be conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants
- The responsibilities of the responsible party and the responsibilities of the engaging party, if different
- A statement about the inherent limitations of an examination engagement
- Identification of the criteria for the measurement, evaluation, or disclosure of the subject matter
- An acknowledgment that the engaging party agrees to provide the service auditor with a representation letter at the conclusion of the engagement
At Linford & Company, we believe the following elements are also critical to include in the engagement letter:
- Scope of services, including the suitable criteria the organization will be audited against
- Relevant systems that support the services under audit
- Fee arrangements and contract term (single year vs. multi-year)
- Whether the audit engagement includes a pre-audit readiness assessment
- Audit engagement timeline and associated deliverables
- Process for scope adjustments and associated incremental fees
- General Terms and Conditions for Liability Limitation, Confidentiality Commitments, Dispute Resolution, Electronic Data Management, etc.
Your audit engagement letter should be written with enough specificity and clarity to support an effective audit engagement. Many of the terms are non-negotiable, but the elements that are not mandated by the standards, such as the in-scope systems, the criteria or control objectives, the timeline, and the fees, are where you should push your auditor for more detail if any engagement terms are unclear or lacking.
You would never engage a critical vendor without first defining the terms of your business arrangement; likewise, the terms of engagement with your auditor are foundational to a successful audit engagement and business relationship. It’s not ideal to get to the end of your audit engagement and learn your audit report excludes one of the systems you assumed was included in the report scope, or is missing one of the Trust Services Criteria. Likewise, you don’t want to be surprised by additional audit engagement fees or expenses.
Surprises like these can result in strained business relationships and leave your clients disappointed. The worst-case scenario is an outright rejection of an audit report by your clients if the audit criteria or scope does not align with expectations. The AICPA has vast resources for composing audit engagement letters, and Linford & Company can help you navigate the process and identify the appropriate terms of engagement for your audit.
Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder.