Using an independent third-party to perform auditing, attestation and assurance services can ensure that you receive unbiased reports and informative opinions in regards to the procedures, protocols, internal systems and accounting data used throughout your organization. Partners, LLC is a certified public accountant firm who offers these services to a range of organizations so they can better manage operational risks and stay in compliance with regulations so the business can increase their profits. An attestation engagement over service organization is an examination of controls at service organizations, which provide services such as payroll or data storage, that may affect their clients controls over financial reporting, for SOC 1 reports. SOC 2 reports are also considered service organization attestation engagements but since they don’t report on controls that affect financial reporting, they are governed by two other attestation guidance. If, in the auditor’s judgment, an engagement does not fit the definition of a consulting service and does not qualify as an agreed-upon procedures (attestation) engagement, an acceptable alternative format is a third-party verification letter (not “report”).
The practitioner is responsible for compliance with the American Institute of Certified Public Accountants’ (AICPA’s) Statements on Standards for Attestation Engagements (SSAEs) in an attest engagement. Rule 202,Compliance With Standards, of the Code of Professional Conduct [ET section 202.01], requires members to comply with such standards when conducting professional services.
Review vs audit – what you need to know
All attestation engagements require that a management’s assertion be requested from the responsible party. The responsible party are those individuals who represent the information presented within an attestation report.
In an examination, the practitioner should modify the report for the scope limitation. In a review engagement, such a scope limitation results in an incomplete review and the practitioner should withdraw from the engagement. fn 7 The practitioner performing an attest engagement should beindependent pursuant to Rule 101,Independence, of the Code of Professional Conduct [ET section 101.01].
This review report is restricted as to use since a written assertion has not been provided by the responsible party. (See paragraph .78.) The subject matter pertains to criteria that are suitable and are available to the client. This is an examination report on subject matter that is the responsibility of a party other than the client. The report is restricted as to use since a written assertion has not been provided by the responsible party.
This does not necessarily require that the services be classified as attest services. In fact, such an evaluation or related conclusion would be prohibited in an agreed-upon procedures report that is limited by attestation standards to reporting only procedures and objective findings (AT 215.25, and .35h). A consulting report, however, may contain no conclusion or recommendation and is limited to reporting procedures employed and findings. The most significant distinction between consulting services and agreed-upon procedures is that an agreed-upon procedures engagement, as an attest service, results in a written report that is typically intended to add credibility to an assertion of the responsible party, usually management, to benefit a third-party user. Management is not a “third-party” user, although a consulting engagement is usually conducted for the primary benefit of the client and need not result in a written report.
Verification letters are not products of attestation or consulting services, and accordingly are not governed by any specific categorical standards, but only by the requirement to protect client confidentiality and the general requirements of the Code of Professional Conduct. TheExhibitillustrates the significant differences between the two types of engagements. Accordingly, it is necessary that the proper classification of the engagement be recognized and the accountant or consultant comply with the appropriate professional standards. Distinguishing between attest and consulting services can be complex; these two services not only require compliance with different professional standards, but also affect engagement planning, staffing, fieldwork, evaluation criteria, and perhaps most significantly, reporting.
This section establishes a framework for attestfn 3 engagements performed by practitioners and for the ongoing development of related standards. For certain subject matter, specific attestation standards have been developed to provide additional requirements for engagement performance and reporting. In the past few years, attestation services have grown in popularity as the need for an independent party to provide assurance over topics other than financial statements has become required by laws, regulators, or service clients.
For instance, a company might request an attest service on its consumer privacy statement. fn 19 For certain subject matter, specific subsequent event standards have been developed to provide additional requirements for engagement performance and reporting. Additionally, a practitioner engaged to examine the design or effectiveness of internal control over items not covered by section 501,Reporting on an Entity’s Internal Control Over Financial Reporting, or section 601,Compliance Attestation, should consider the subsequent events guidance set forth in sections 501.65-.68 and 601.50-.52.
The report pertains to subject matter for which suitable criteria exist and are available to all users through inclusion in a clear manner in the presentation of the subject matter. (See paragraphs .78 to .83 for guidance on restricting the use of the report when criteria are available only to specified parties.) A written assertion has been obtained from the responsible party. The practitioner’s decision to provide a qualified opinion, to disclaim an opinion, or to withdraw because of a scope limitation in an examination engagement depends on an assessment of the effect of the omitted procedure(s) on his or her ability to express assurance. This assessment will be affected by the nature and magnitude of the potential effects of the matters in question, and by their significance to the subject matter or the assertion.
When expressing an opinion, the practitioner should clearly state whether, in his or her opinion, (a) the subject matter is based on (or in conformity with) the criteria in all material respects or (b) the assertion is presented (or fairly stated), in all material respects, based on the criteria. Reports expressing an opinion may be qualified or modified for some aspect of the subject matter, the assertion or the engagement (see the third reporting standard). In addition, such reports may emphasize certain matters relating to the attest engagement, the subject matter, or the assertion. The form of the practitioner’s report will depend on whether the practitioner opines on the subject matter or the assertion.
- Assurance services are independent professional services that improve the quality of information for decision makers.
- Assurance services include attestation services, which are any service in which the CPA firm issues a report that expresses a conclusion about the reliability of an assertion that is the responsibility of another party.
What is the difference between attestation engagement and direct engagement?
An attestation engagement is an arrangement with a client where an independent third party investigates and reports on subject matter created by a client. Examples of attestation engagements are: Reporting on financial projections made by a client.
What is the difference between an audit and an attestation?
An attestation basically takes all the data and information that has been gathered and checks its validity based upon agreed-upon procedure engagements. An organization can also request attestation to be performed regarding compliance procedures, reviews on internal control functions, and reporting on financial forecasts, projections or pro forma data. fn 11 When the client is the responsible party, it is presumed that the client will be capable of providing the practitioner with a written assertion regarding the subject matter. Failure to provide the written assertion in this circumstance is a client-imposed limitation on the practitioner’s evidence-gathering efforts.
How is a compilation an attest engagement?
Assurance services are independent professional services that improve the quality of information for decision makers. Assurance services include attestation services, which are any service in which the CPA firm issues a report that expresses a conclusion about the reliability of an assertion that is the responsibility of another party. The four categories of attestation services are audits of historical financial statements, attestation on the effectiveness of internal control over financial reporting, reviews of historical financial statements, and other attestation services. Certified public accountants also can perform attestations for organizations in addition to audit reporting, or provide it as a separate service.
As part of the attestation procedures, the practitioner considers the written assertion ordinarily provided by the responsible party. If a written assertion cannot be obtained from the responsible party, the practitioner should consider the effects on his or her ability to obtain sufficient evidence to form a conclusion about the subject matter. Because the practitioner’s role in an attest engagement is that of anattester, the practitioner should not take on the role of the responsible party in an attest engagement. Therefore, the need to clearly identify a responsible party is a prerequisite for an attest engagement. A practitioner may accept an engagement to perform an examination, a review or an agreed-upon procedures engagement on subject matter or an assertion related thereto provided that one of the following conditions is met.
It is the accounting firm’s responsibility to determine which service is most appropriate, since clients’ management and users cannot generally be expected to be aware of the significant differences. As part of the research supporting a conclusion and recommendation, a reporting accountant or consultant might incidentally evaluate written assertions of another party.
This blog will include the basic definition, standards, and examples of attestation services. The standards for attestation services are developed and published by a professional services group, the American Institute of Certified Public Accountants (AICPA). In recent years, the standards have been updated to reflect a wider range of attest services unrelated to financial reports.
fn 12 Specific written representations will depend on the circumstances of the engagement (for example, whether the client is the responsible party) and the nature of the subject matter and the criteria. For example, when the client is not the responsible party but has selected the criteria, the practitioner might obtain the representation regarding responsibility for selection of the criteria from the client rather than the responsible party (see paragraph .61). Although suitable criteria exist for the subject matter, the report is restricted as to use since the criteria are available only to specified parties; if the criteria are available as described in paragraph .33 (a) to (d), the paragraph restricting the use of the report would be omitted. This is an examination report for general use; the introductory paragraph states the practitioner has examined management’s assertion but the practitioner opines directly on the subject matter (see paragraph .87).
If the potential effects are pervasive to the subject matter or the assertion, a disclaimer or withdrawal is more likely to be appropriate. When restrictions that significantly limit the scope of the engagement are imposed by the client or the responsible party, the practitioner generally should disclaim an opinion or withdraw from the engagement. The reasons for a qualification or disclaimer should be described in the practitioner’s report.
The responsible party and attestor or auditor can never be the same person as that would be a conflict of interest. The responsible party should have intimate knowledge of the evidence provided during the course of the audit. fn 14 Specific standards may require that the practitioner express his or her conclusion directly on the subject matter. For example, if management states in its assertion that a material weakness exists in the entity’s internal control over financial reporting, the practitioner should state his or her opinion directly on the effectiveness of internal control, not on management’s assertion related thereto.
A practitioner may perform and report on an attestation engagement in accordance with AICPA attestation standards in addition to another set of attestation standards, as long as both sets of attestation standards are followed in their entirety. fn 4 When the practitioner is unable to perform the inquiry and analytical or other procedures that he or she considers necessary to achieve the limited assurance contemplated by a review, or when the client is the responsible party and does not provide the practitioner with a written assertion, the review will be incomplete. A review that is incomplete is not an adequate basis for issuing a review report and, accordingly, the practitioner should withdraw from the engagement. This is an examination report with a qualified opinion because conditions exist that, individually or in combination, result in one or more material misstatements or deviations from the criteria; the report is for general use.
Agreed-upon procedures engagements are a special type of attest services that differ significantly from consulting services in purpose and reporting and performance requirements. As acknowledged in the consulting standard, however, “the nature and scope of [consulting] work are determined solely by agreement with the client” (CS 100.05). Therefore, the difference between agreed-upon procedures and certain similar types of consulting engagements is often a source of confusion among accountants. This is a review report on subject matter that is the responsibility of a party other than the client.