Reporting on Compliance
Auditors are frequently engaged to report on an entity's compliance with specific requirements—whether those requirements arise from contracts, regulations, grant agreements, or other authoritative sources. Compliance reporting may be the principal objective of an engagement or incidental to a financial statement audit. Understanding the different types of compliance reports, the standards that govern them, and the opinions that may be expressed is important for the AUD exam.
Compliance engagements can be performed under multiple frameworks: AT-C 315 (AICPA attestation standards for compliance), AU-C 806 (compliance reporting in connection with audited financial statements), or Uniform Guidance (for entities receiving federal awards). The applicable standard depends on the nature of the engagement and the entity.
Compliance as a Principal Objective
When compliance is the principal objective of the engagement, the practitioner is specifically engaged to opine on or report on the entity's compliance with stated requirements. This type of engagement is governed by AT-C 315 (Compliance Attestation).
Common Scenarios
- A bank requires a CPA to report on whether a borrower is in compliance with debt covenants
- A regulatory agency requires an entity to have a CPA examine its compliance with specific regulations
- A grantor requires a report on a grantee's compliance with grant terms and conditions
Example: BIF Partners has a revolving credit facility with a $10 million limit. The lending agreement requires BIF Partners to engage an independent CPA to examine BIF Partners' compliance with certain financial covenants (minimum current ratio, maximum debt-to-equity ratio, and restrictions on capital expenditures). The CPA performs an examination and issues an opinion on whether BIF Partners complied with these requirements.
Compliance Incidental to a Financial Statement Audit
When the auditor is engaged to audit financial statements and the audit also requires consideration of compliance, the compliance reporting is considered incidental to the audit. This occurs in several contexts:
- GAGAS audits: The auditor issues a report on compliance with laws and regulations that could have a direct and material effect on the financial statements (as part of the Yellow Book reporting requirements)
- Single audits: The auditor reports on compliance for each major federal program under the Uniform Guidance
- AU-C 806: The auditor may issue a report on compliance with contractual agreements or regulatory requirements based on the financial statement audit
In these cases, the compliance report relies on evidence obtained during the financial statement audit rather than a separately planned compliance engagement.
Example: During the annual audit of Gies Co., the auditor notes that Gies Co.'s loan agreement requires it to maintain a minimum net worth of $5 million. Based on the audited financial statements, Gies Co.'s net worth is $6.2 million. The auditor issues a separate report (under AU-C 806) stating that nothing came to the auditor's attention that caused the auditor to believe Gies Co. was not in compliance with the net worth covenant. This report is incidental to the financial statement audit.
Key distinction: When compliance is the principal objective, the CPA plans and performs specific compliance procedures. When compliance is incidental to an audit, the CPA relies on work already performed during the financial statement audit. The nature of the report differs accordingly.
Compliance Attestation Under AT-C 315
AT-C 315 governs compliance attestation engagements when compliance is the principal objective. The CPA may perform an examination or agreed-upon procedures on the entity's compliance with specified requirements.
Examination of Compliance
In an examination engagement, the CPA:
- Obtains management's written assertion about the entity's compliance with specified requirements
- Plans and performs procedures to obtain reasonable assurance about whether the entity complied in all material respects
- Issues an opinion on compliance (positive assurance)
Agreed-Upon Procedures on Compliance
In an AUP engagement, the CPA:
- Performs only the specific procedures agreed to by the specified parties
- Reports factual findings without expressing an opinion or conclusion
- Issues a report that is generally restricted to the specified parties
| Engagement Type | Assurance Level | Report Expression |
|---|---|---|
| Examination | Reasonable (high) | "In our opinion, [entity] complied, in all material respects, with [requirements]…" |
| Agreed-upon procedures | None (findings only) | Factual findings; no opinion or conclusion |
A review of compliance is not an available engagement type under AT-C 315. The CPA can only perform an examination or agreed-upon procedures for compliance attestation.
Management's Assertion on Compliance
In an examination engagement, management must provide a written assertion about the entity's compliance with the specified requirements. This assertion:
- Is the subject matter of the examination (the CPA examines the assertion or examines compliance directly)
- Acknowledges management's responsibility for compliance
- States whether the entity has complied, in all material respects, with the specified requirements
- Is provided as of a point in time or for a period of time, depending on the nature of the requirements
If management refuses to provide the written assertion, the CPA should:
- Consider the effect on the engagement
- Ordinarily withdraw from the engagement
Example: Illini Security is required by a government contract to comply with specific cybersecurity standards. Management provides a written assertion stating: "Illini Security complied, in all material respects, with the cybersecurity requirements of Contract No. 2024-1234 during the year ended December 31, 20X4." The CPA examines this assertion and issues an opinion.
Types of Compliance Reports
Compliance reports vary based on the engagement type and the context:
| Report Type | Context | Key Feature |
|---|---|---|
| Examination report on compliance (AT-C 315) | Compliance is the principal objective | Positive opinion on compliance |
| AUP report on compliance (AT-C 315) | Compliance is the principal objective | Factual findings only; restricted use |
| Report on compliance incidental to audit (AU-C 806) | Compliance reporting as part of a financial statement audit | Negative assurance; restricted to specified parties |
| GAGAS compliance report | Yellow Book financial audit | Report on compliance with applicable laws/regulations |
| Single audit compliance report | Uniform Guidance | Opinion on compliance for each major program |
Qualified and Adverse Opinions on Compliance
When the CPA performs an examination of compliance, the opinion may be modified if noncompliance is identified:
Unqualified (Unmodified) Opinion
- Issued when the entity complied, in all material respects, with the specified requirements
- Minor or immaterial instances of noncompliance do not affect an unqualified opinion
Qualified Opinion
- Issued when the CPA identifies material noncompliance that is limited to specific requirements, and the noncompliance is not pervasive enough to warrant an adverse opinion
- The opinion states: "Except for [specific noncompliance], the entity complied, in all material respects…"
Adverse Opinion
- Issued when noncompliance is so material and pervasive that the entity did not comply with the specified requirements in all material respects
- The opinion states: "The entity did not comply, in all material respects…"
Disclaimer of Opinion
- Issued when the CPA is unable to obtain sufficient appropriate evidence to form an opinion on compliance (scope limitation)
Example: MAS Inc. undergoes an examination of its compliance with a regulatory agency's environmental reporting requirements. The CPA finds that MAS Inc. failed to submit two of six required quarterly reports, and the unreported emissions data represents a significant portion of total reportable emissions. The CPA issues an adverse opinion on compliance because the noncompliance is both material and pervasive.
The framework for modifying compliance opinions mirrors the framework for financial statement audit opinions: qualified for material but not pervasive issues, adverse for material and pervasive issues, and disclaimer for scope limitations. Apply the same logic you use for audit opinion modifications.
Government Compliance Reporting Requirements
Government entities and recipients of federal awards face additional compliance reporting requirements:
GAGAS (Yellow Book) Compliance Reporting
- Required for all financial audits conducted under Government Auditing Standards
- The auditor reports on compliance with laws, regulations, provisions of contracts, and grant agreements that could have a direct and material effect on the financial statements
- This report is issued in addition to the standard audit report on the financial statements
- Noncompliance is reported when it is material to the compliance requirement itself, even if the amounts are not material to the financial statements
Single Audit Compliance Reporting (Uniform Guidance)
- Required for entities expending $750,000 or more in federal awards
- The auditor issues an opinion on compliance for each major program
- Compliance is tested against the types of requirements identified in the Compliance Supplement (activities allowed, cash management, eligibility, procurement, reporting, etc.)
- The auditor also reports on internal control over compliance for each major program
| Reporting Framework | When Required | Scope |
|---|---|---|
| GAGAS compliance report | All Yellow Book financial audits | Compliance related to financial statements |
| Single audit compliance | Entities with ≥ $750,000 federal expenditures | Compliance for each major program |
Example: Kingfisher Industries, a nonprofit receiving $3 million in federal awards, undergoes a single audit. The auditor identifies two major programs and tests compliance for each. For the first program (a workforce training grant), the auditor issues an unqualified compliance opinion. For the second program (a research grant), the auditor finds that Kingfisher Industries failed to meet the cost-sharing requirements, resulting in $180,000 in questioned costs. The auditor issues a qualified opinion on compliance for that program, noting the material noncompliance in the cost-sharing requirement.
In a single audit, the auditor issues a separate compliance opinion for each major program. It is possible to have an unqualified opinion on one program and a qualified or adverse opinion on another. Each major program is evaluated independently.
Summary
| Topic | Key Point |
|---|---|
| Principal objective | CPA is specifically engaged to report on compliance (AT-C 315) |
| Incidental to audit | Compliance reporting based on work done during the financial statement audit |
| AT-C 315 engagements | Examination or AUP only (no review) |
| Management's assertion | Required for examination engagements |
| Unqualified opinion | Entity complied in all material respects |
| Qualified opinion | Material but not pervasive noncompliance |
| Adverse opinion | Material and pervasive noncompliance |
| GAGAS | Reports on compliance with laws/regulations affecting financial statements |
| Single audit | Separate compliance opinion for each major program |