Deconstructing the AT 601 Compliance Attestation Report

The AICPA’s AT 601 compliance attestation standard allows a CPA firm to attest to an entity’s compliance with requirements of specified laws, regulations, rules, contracts, or grants or the effectiveness of an entity’s internal control over compliance with specified requirements. The compliance requirements may be either financial or nonfinancial in nature.

What is the purpose of an AT 601 attestation?

A firm may be engaged to perform agreed-upon procedures to assist users or entities in evaluating the following subject matter:

  • An entity’s compliance with specified requirements, e.g., HIPAA, GLBA, FISMA, NERC.
  • The effectiveness of an entity’s internal control over compliance.
  • Both an entity’s compliance with specified requirements and the effectiveness of an entity’s internal control over compliance.

When can a firm perform an AT 601 attestation?

A firm may perform an examination related to an entity’s compliance with specified requirements if the following conditions are met:

  • The responsible party accepts responsibility for the entity’s compliance with specified requirements and the effectiveness of the entity’s internal control over compliance.
  • The responsible party evaluates the entity’s compliance with specified requirements.
  • Sufficient evidential matter exists or could be developed to support management’s evaluation.

An AT 601 does not provide a legal determination of an entity’s compliance with specified requirements. However, such a report may be useful to legal counsel or others in making such determinations.

What is an entity’s responsibility in obtaining an AT 601 report?

The responsible party must accept responsibility for the entity’s compliance with the specified requirements. This is accomplished by presenting a written assertion about the entity’s compliance with specified requirements or its internal control over compliance. The assertion may be provided in a separate report that accompanies the AT 601 or in a letter of representation to the firm performing the attestation.

Why would an entity consider getting an AT 601 report?

Entities today must comply with a myriad of requirements and regulations, and the fines associated with non-compliance can be significant. As a result, individuals who are responsible for ensuring that their entity is in compliance with all applicable regulations have their work cut out for them. An AT 601 attestation can assist entities by providing an independent look at their compliance with specified requirements. The report can also be provided to potential customers, business associates, and company stakeholders to demonstrate compliance with a requirement or regulation.