The AICPA’s Auditing Standards Board (ASB) recently issued clarifying Statements on Standards for Attestation Engagements (SSAE). The ASB is issuing the clarified attestation standards as SSAE 18. The old AT sections in AICPA Professional Standards remain effective through April 2017. The updated statement by the ASB redrafts all SSAEs and relates to attestation engagements other than financial statement attestations. The attestation standards establish requirements for performing and reporting on examination, review and agreed-upon procedures engagements. Engagements assessing companies’ compliance with various laws and regulations (e.g., SOC 2, HIPAA, CJIS) are impacted by the revisions.
To facilitate understanding and adoption, the ASB has changed the naming convention of the attestation standards impacted by the changes made in SSAE 18 to an “AT-C” prefix. The applicability of the updated AT-C standards depends on the type of service provided and the subject matter of the engagement.
Changes include the following clarity drafting conditions:
- Establishing objectives for each AT-C section.
- Including a definitions section, where relevant, in each AT-C section.
- Separating requirements from application and other explanatory material.
- Numbering application and other explanatory material paragraphs using an A- prefix and presenting them in a separate section that follows the requirements section.
- Using formatting techniques, such as bulleted lists, to enhance readability.
- Including, when appropriate, special considerations relevant to audits of smaller, less complex entities within the text of the AT-C section.
- Including, when appropriate, special considerations relevant to examination, review or agreed-upon procedures engagements for governmental entities within the text of the AT-C section.
One of the main focuses of SSAE 18 is to give the practitioner the ability to create a framework for engagements that meet client needs. The clarifications now allow the practitioner to report on almost any subject matter, provided that:
- The party responsible for the subject matter is someone other than the practitioner and takes responsibility for the subject matter.
- The subject matter is appropriate.
- The criteria to be used in evaluating the subject matter are suitable and available.
- The practitioner expects to be able to obtain evidence needed to arrive at the practitioner’s opinion, conclusion or findings through access to information and unrestricted access to people who can provide such evidence.
- The practitioner’s opinion, conclusion or findings are to be contained in a written practitioner’s report.
What’s new? – In addition to the restructuring of the SSAEs, the following are some of the changes introduced by SSAE 18:
- Separate discussion of review engagements – SSAE 18 separates the detailed procedural and reporting requirements for review engagements from their counterparts for examination requirements.
- Required representation letters – SSAE 18 requires the practitioner to obtain a representation letter for all engagements. This differs from AT section 101, which discusses representation letters but does not require them.
- Risk assessment for examination engagements – SSAE 18 requires practitioners to obtain a more in-depth understanding of the development of the subject matter than was required in the past in order to better identify the risks of material misstatement.
- Incorporation of detailed requirements – SSAE 18 incorporates a number of detailed requirements (e.g., representation letters) that are similar to those contained in Statements on Auditing Standards (SASs).
- Scope limitation imposed by the engaging party or the responsible party – SSAE 18 indicates that based on the practitioner’s assessment of the effect of the scope limitation, the practitioner should express a qualified opinion, disclaim an opinion or withdraw from the engagement. The current AT section 101 standard requires that a practitioner should disclaim an opinion or withdraw from the engagement altogether.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.