In the past few years, attestation engagements have grown in popularity as laws, regulators, or service clients have come to require an independent party to provide assurance over topics other than financial statements. This blog will include the basic definition, standards, and examples of attestation services.
What are Attestation Engagements? Definition.
In accounting, an attestation engagement is the process of engaging a CPA to provide assurance over the following services: examination, reviews, or agreed-upon procedures report. These services can be used to gain assurance over the following subject matters: agreed-upon procedures, prospective financial statements, compliance, Management Discussion and Analysis (MD&A), and service organization.
As the scope increases in attestation services, the governing standards continue to parallel those found within the generally accepted auditing standards (GAAS). These standards preserve core audit principles such as the need for technical competence, independence, due professional care, adequate planning and supervision, sufficient evidence, and appropriate reporting.
As attestation services have grown, the AICPA has had to create more formalized standards and, in April 2016, released the Statement on Standards for Attestation Engagements (SSAE) 18, Attestation Standards: Clarification and Recodification. The goal of this project was to make standards clearer and easier to apply within engagements. Some of the major changes are discussed below.
All attestation engagements require that a management’s assertion be requested from the responsible party.
Assertion Breakdown: Management should understand what an assertion is before signing. An assertion helps readers gain assurance that the information within the report can be relied upon and management stands behind the information presented.
All attestation engagements require that a representation letter be requested.
Representation Letter Breakdown: The representation letter is not a section of the report but part of the accountant’s work papers. The representation letter confirms representations presented by the practitioner to the client. A few examples include: information provided was appropriate, records were relevant, and any known subsequent events have been disclosed.
Risk Based Approach
New standards will require the use of a risk assessment to understand internal controls of the information being reported on as well as an assessment of material misstatements over the information.
Risk Based Approach Breakdown: In the past, the majority of standards found within GAAS have been considered audit standards. The new standards under the SSAE 18 will now incorporate GAAS standards but will be less exhaustive. Some areas include materiality, estimates, sampling, and fraud.
What are the Attestation Standards?
The goal of attestation standards is to provide guidance, set boundaries around a growing service line, define a measure of quality, and outline the objectives that should be reached when performing attestation engagements.
As mentioned above, the SSAEs adopt many of the standards followed under GAAS but differ in two main ways. First, the SSAE, unlike GAAS, does not reference financial statements within the reports, since the reports are not centered around the fair presentation of them. Second, SSAEs differ as they do not reference GAAS within SSAE reports for the same reason.
Attestation engagements follow eight main standards, which are found in all attestation engagements. They are broken out below.
- Each engagement should consider all required standards and consider how they will be incorporated. Additionally, if a standard cannot be followed, alternative measures should be identified so that the purpose of the requirement is met.
- A workpaper to document that the acceptance and the choice to continue working with a client should be created and maintained for each engagement.
- Certain preconditions exist before an engagement can be accepted.
- Independence should not be impaired.
- Client should understand that they are responsible for the subject matter and its completeness and accuracy.
- The engagement topic should be appropriate and sufficient evidence should be available to come to an opinion, conclusion, or findings developed.
- The firm performing the engagement should understand the standards that apply to adequate performance.
- Engagement changes
- Changes to the engagement terms should not be made unless they are reasonable and are not done as a way to mislead readers.
- Use of Other Practitioner’s Work
- This is allowed as long as proper due diligence is completed to ensure that the practitioner meets the same professional standards as the lead accounting firm.
- Quality Control
- The engagement partner is responsible for checking the work of all auditors to determine whether it meets the necessary quality control standards.
- Like all work where the objective of the engagement is to provide assurance, a healthy amount of skepticism is necessary in the planning and execution of attestation work.
What are Examples of Attestation Services & Engagements?
Attestation engagements consist of providing assurance over the following services: agreed-upon procedures, prospective financial statements, compliance, management discussion and analysis (MD&A), and service organizations. Standards governing these services are issued by senior technical bodies of the AICPA.
An agreed-upon procedures engagement entails a client who engages an auditor to perform procedures to determine whether clients are meeting laws and regulations or internal procedures. Read the AICPA documentation.
Prospective Financial Statements
An attestation engagement over prospective financial statements is in the form of either an examination engagement or agreed-upon procedure. Per the AICPA, prospective financial statements are defined as “either financial forecasts or financial projections, including the summaries of significant assumptions and accounting policies. Although prospective financial statements may cover a period that has partially expired, statements for periods that have completely expired are not considered to be prospective financial statements.”
Under an examination of prospective financial statements, the objective is to obtain reasonable assurance about whether the prospective financial statements were presented in accordance with the AICPA and the assumptions are reasonable. Engagements completed as an agreed-upon procedure are completed in accordance with the standard agreed-upon objectives. Read the AICPA documentation.
An attestation engagement over compliance is in the form of either an examination or agreed-upon procedure. Per the AICPA, the definition of compliance as it relates to specified requirements and over internal controls is “an entity’s compliance with specified laws, regulations, rules, contracts, or grants and an entity’s internal control over compliance with specified requirements.”
Under an examination of compliance, the objective is to obtain reasonable assurance about whether management accepts responsibility over the entity’s compliance and the internal controls that surround compliance. Engagements completed as an agreed-upon procedure are completed in accordance with the standard agreed-upon objectives. Read the AICPA documentation.
An attestation engagement over MD&A is completed in the form of either a review or examination. The purpose of an MD&A report is to provide assurance that management’s discussion and analysis are presented in such a way that they meet SEC regulations which are offered to stakeholders. Under a review of MD&A, the objective is to gather evidence to determine if any required elements defined by the SEC have been left out in the presentation of the information, financial statement values are not accurate, and assumptions and estimates used to come up with the analysis presented are not reasonable.
Under an examination of MD&A, the objective is to gather evidence to determine if required elements defined by the SEC have been included in the presentation of the information, financial statement values are accurate, and assumptions and estimates used to come up with the analysis presented are reasonable. Read the AICPA documentation.
For SOC 1 reports, an attestation engagement over a service organization is an examination of controls at service organizations, which provide services such as payroll or data storage, that may affect their clients’ controls over financial reporting. SOC 2 reports are also considered service organization attestation engagements, but since they don’t report on controls that affect financial reporting, they are governed by two other pieces of attestation guidance.
The objective of both reports is to gather sufficient evidence to provide assurance that management’s description of the system of controls is fairly presented and that the controls that make up the system were designed and operated effectively throughout the period. Note: There are reports that only report on the design of the controls and are considered Type 1 reports.
As seen throughout our IT Audit & Compliance Blog, attestation engagements give companies the possibility of gaining assurance over an extensive number of topics other than historical financial statements. This is important because these guidelines allow companies to gain comfort in the controls they are implementing in a fashion that is monitored by the AICPA.
More information about attestation services:
- SSAE 18 – Attestation Standards: Clarification and Recodification
- SOC 1 Reports – SSAE 18 Replaces SSAE 16
- SOC 2 Reporting: New 2017 Trust Services Criteria
- Are You Asking for a SOC Report?
- SOC 1 & 2: 7 Common Mistakes and How to Avoid Them
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is currently a manager with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.