Attestation Engagements

Attestation engagements allow CPAs to provide assurance on subject matter beyond traditional financial statement audits. The AICPA's Statements on Standards for Attestation Engagements (SSAEs) establish the framework for these engagements, which can cover a wide range of subject matters—from internal control effectiveness to compliance with regulations to prospective financial information. Understanding the types, assurance levels, and reporting requirements for attestation engagements is essential for the AUD exam.

Info

Attestation engagements are governed by the AT-C sections of AICPA professional standards (codified from the SSAEs). These are distinct from auditing standards (AU-C sections) and review/compilation standards (AR-C sections).


Three Types of Attestation Engagements

The SSAEs define three types of attestation engagements, each providing a different level of assurance:

Type | Level of Assurance | Nature of Procedures | Report Expression
Examination | Reasonable (high) assurance | Extensive procedures similar to an audit—inspection, confirmation, observation, inquiry, analytical procedures | Positive opinion: "In our opinion, the subject matter is presented fairly…"
Review | Limited (moderate) assurance | Primarily inquiry and analytical procedures | Negative assurance: "We are not aware of any material modifications that should be made…"
Agreed-upon procedures (AUP) | No assurance (findings only) | Specific procedures agreed to by the practitioner and the engaging party | Report of factual findings only—no opinion or conclusion

Exam Tip

The assurance hierarchy is a favorite CPA exam topic. Remember: Examination = reasonable assurance (like an audit), Review = limited assurance (like a review of financial statements), AUP = no assurance (just findings). The practitioner never provides assurance in an AUP engagement.


Subject Matter and Criteria

Every attestation engagement involves two essential components:

  1. Subject matter — The information or condition being evaluated (e.g., an entity's internal controls, a compliance assertion, or a forecast)
  2. Suitable criteria — The benchmarks against which the subject matter is evaluated (e.g., COSO framework for internal controls, regulatory requirements for compliance)

The criteria must be:

  • Objective — Free from bias
  • Measurable — Capable of consistent evaluation
  • Complete — Cover all relevant aspects of the subject matter
  • Relevant — Related to the subject matter in a meaningful way

Example: Gies Co. engages a CPA to examine the effectiveness of its cybersecurity controls. The subject matter is Gies Co.'s cybersecurity risk management program; the criteria are the AICPA's cybersecurity reporting framework. The CPA performs an examination and issues an opinion on whether Gies Co.'s cybersecurity controls are effective based on those criteria.


Examination Engagements

An examination engagement provides the highest level of assurance available in an attestation engagement—reasonable assurance. The practitioner:

  • Obtains sufficient appropriate evidence through a variety of procedures
  • Forms an opinion on the subject matter (or on management's assertion about the subject matter)
  • Issues a report with a positive form of expression (e.g., "In our opinion…")

Examination Report Elements

The examination report includes:

  • A title that includes the word "Independent"
  • Identification of the subject matter or management's assertion
  • A description of the nature of the engagement (examination)
  • A statement that the examination was conducted in accordance with attestation standards established by the AICPA
  • A statement about the practitioner's responsibility and the nature of the procedures
  • The practitioner's opinion
  • The date of the report and the signature of the practitioner's firm

Example: BIF Partners engages a CPA firm to examine whether BIF Partners' description of its system and the suitability of the design and operating effectiveness of its controls meet the criteria in the AICPA's trust services criteria (a SOC 2 engagement). The CPA firm issues an examination report with an opinion on the subject matter.


Agreed-Upon Procedures (AUP) Engagements

In an AUP engagement, the practitioner performs only the specific procedures that the engaging party (and, if applicable, other specified parties) has agreed to. Key characteristics:

  • No opinion or conclusion is expressed—only factual findings
  • The report is restricted to the specified parties who agreed to the procedures, unless the engagement is performed under AT-C 215 (which allows for general-use AUP reports)
  • The specified parties are responsible for determining whether the procedures are sufficient for their purposes
  • The practitioner must be independent (although under AT-C 215 a practitioner who is not independent can still perform an AUP engagement if the lack of independence is disclosed)

AUP Report Content

Element | Description
Title | Includes "Independent" (unless independence exception applies)
Subject matter | Identifies what was tested
Procedures performed | Lists each procedure in sufficient detail
Findings | Reports factual results of each procedure
Use restriction | Limits use to specified parties (unless general use under AT-C 215)
No opinion | Explicitly states that no opinion or conclusion is expressed

Example: MSA Records is applying for a loan and the bank requires a CPA to verify that MSA Records' accounts receivable aging schedule is mathematically accurate and that a sample of receivables can be confirmed directly with customers. The CPA performs only these two agreed-upon procedures and reports the findings. The CPA does not express an opinion on MSA Records' accounts receivable.

Caution

A common exam trap: the practitioner performing an AUP engagement must not express an opinion or provide any form of assurance. Even if the findings suggest no problems, the practitioner's report must state that no opinion is being given. The users of the report draw their own conclusions.


Prospective Financial Statements

Prospective financial statements are forward-looking and come in two forms:

Type | Definition | Distribution
Forecast | Prospective statements that present an entity's expected financial position, results, and cash flows based on assumptions reflecting conditions the responsible party expects to exist and the course of action it expects to take | General use — may be distributed to any third party
Projection | Prospective statements that present an entity's expected financial position, results, and cash flows based on one or more hypothetical assumptions (i.e., "what if" scenarios) | Limited use — restricted to the responsible party and third parties with whom the responsible party is negotiating directly

Engagements on Prospective Financial Statements

  • A forecast may be the subject of an examination, a compilation, or an AUP engagement
  • A projection may be the subject of an examination, a compilation, or an AUP engagement, but distribution is restricted
  • A review of prospective financial statements is not permitted under the SSAEs

Warning

You cannot perform a review engagement on prospective financial statements—only examination, compilation, or agreed-upon procedures are available. This is a frequently tested point on the CPA exam.

Example: Kingfisher Industries prepares a financial forecast projecting revenue growth of 8% per year over the next three years based on current market conditions. Kingfisher engages a CPA to examine the forecast. The CPA evaluates whether the assumptions are reasonable and whether the forecast is presented in conformity with AICPA guidelines, then issues an examination report with an opinion.


Pro Forma Financial Information

Pro forma financial information shows the significant effects of a transaction or event on historical financial statements as if the transaction had occurred at an earlier date. Common examples include mergers, acquisitions, or divestitures.

A practitioner may perform an examination or a review of pro forma financial information under AT-C 310. Key considerations:

  • The underlying historical financial statements must have been audited or reviewed
  • The practitioner must understand the transaction and its pro forma adjustments
  • The report identifies the pro forma adjustments and their basis

Example: Illini Entertainment acquires a competing media company and prepares pro forma financial statements showing combined operations as if the acquisition occurred at the beginning of the year. Illini Entertainment engages a CPA to review the pro forma financial information. The CPA performs inquiry and analytical procedures and issues a review report providing limited assurance.


Compliance Attestation

Under AT-C 315, a practitioner may be engaged to examine or perform agreed-upon procedures related to an entity's compliance with specified requirements—such as contractual agreements, regulatory requirements, or conditions of a grant.

  • An examination of compliance results in an opinion on whether the entity complied, in all material respects, with the specified requirements
  • An AUP engagement results in a report of factual findings related to compliance
  • A review of compliance is not a defined engagement type under AT-C 315

Example: Illini Security holds a government contract that requires compliance with specific data handling and security protocols. The contracting agency requires an independent examination of Illini Security's compliance with those requirements. The CPA examines the relevant controls and procedures and issues an opinion on whether Illini Security complied with the specified data handling requirements.


Summary

Engagement Type | Assurance Level | Report Expression | Key Restriction
Examination | Reasonable (high) | Positive opinion | None
Review | Limited (moderate) | Negative assurance | Not available for prospective FS or compliance
Agreed-upon procedures | None (findings only) | Factual findings | Restricted use (unless general-use AUP)
Prospective FS — Forecast | Exam/compilation/AUP only | Varies | No review permitted; general use
Prospective FS — Projection | Exam/compilation/AUP only | Varies | No review permitted; limited use
Pro forma | Exam or review | Varies | Historical FS must be audited or reviewed
Compliance | Exam or AUP | Varies | No review engagement available