The AICPA’s AT 601 compliance attestation standard allows a CPA firm to attest to an entity’s compliance with requirements of specified laws, regulations, rules, contracts, or grants or the effectiveness of an entity’s internal control over compliance with specified requirements. The compliance requirements may be either financial or nonfinancial in nature.
What is the purpose of an AT 601 attestation?
A firm may be engaged to perform agreed-upon procedures to assist users or entities in evaluating the following subject matter:
- An entity’s compliance with specified requirements, e.g., HIPAA, GLBA, FISMA, NERC.
- The effectiveness of an entity’s internal control over compliance.
- Both an entity’s compliance with specified requirements and the effectiveness of an entity’s internal control over compliance.
When can a firm perform an AT 601 attestation?
A firm may perform an examination related to an entity’s compliance with specified requirements if the following conditions are met:
- The responsible party accepts responsibility for the entity’s compliance with specified requirements and the effectiveness of the entity’s internal control over compliance.
- The responsible party evaluates the entity’s compliance with specified requirements.
- Sufficient evidential matter exists or could be developed to support management’s evaluation.
An AT 601 does not provide a legal determination of an entity’s compliance with specified requirements. However, such a report may be useful to legal counsel or others in making such determinations.
What is an entity’s responsibility in obtaining an AT 601 report?
The responsible party must accept responsibility for the entity’s compliance with the specified requirements. This is accomplished by presenting a written assertion that the entity is in compliance with specified requirements or internal control over compliance. The assertion may be provided in a separate report to accompany the AT 601 or a letter of representation to the firm performing the attestation.
Why would an entity consider getting an AT 601 report?
Entities today must comply with a myriad of requirements and regulations, and fines for non-compliance can be significant. As a result, individuals who are responsible for ensuring that their entity is in compliance with all applicable regulations have their work cut out for them. An AT 601 attestation can assist entities by providing an independent look at their compliance with specified requirements. The report can also be provided to potential customers, business associates, and company stakeholders to demonstrate compliance with a requirement or regulation.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.