Nature and Scope of Engagements
CPAs perform a range of professional engagements, each with different objectives, levels of assurance, and applicable standards. Understanding the nature and scope of these engagements — and how they differ from one another — is foundational to the AUD exam. This section covers the standard-setting bodies, the purpose and limitations of an audit, the general GAAS requirements, and the full spectrum of engagement types from audits to compilations.
Professional Standards: Who Sets the Rules?
The standards that govern a CPA's work depend on the type of client and the type of engagement:
| Client / Engagement Type | Standard-Setter | Standards |
|---|---|---|
| Nonissuers — audits | AICPA Auditing Standards Board (ASB) | Statements on Auditing Standards (SASs), codified as AU-C sections |
| Issuers — audits | Public Company Accounting Oversight Board (PCAOB) | Auditing Standards (ASs) |
| Nonissuers — reviews, compilations, preparation | AICPA Accounting and Review Services Committee (ARSC) | Statements on Standards for Accounting and Review Services (SSARSs), codified as AR-C sections |
| Attestation engagements | AICPA ASB | Statements on Standards for Attestation Engagements (SSAEs), codified as AT-C sections |
Issuers are entities whose securities are registered with the SEC (public companies). Nonissuers are all other entities — private companies, nonprofits, government entities, and others. The CPA exam tests your ability to identify which standards apply to a given engagement.
Example: When Kingfisher Industries (a publicly traded company) engages an audit firm, the audit is performed under PCAOB standards (ASs). When Gies Co. (a private company) engages an auditor, the audit is performed under AICPA standards (SASs). If Gies Co. only needs a review or compilation, the engagement falls under SSARS (AR-C sections).
Purpose of an Audit Engagement
The fundamental purpose of a financial statement audit is to enhance the degree of confidence that intended users can place in the financial statements. The auditor accomplishes this by expressing an opinion on whether the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework (such as U.S. GAAP or IFRS).
Key characteristics of an audit:
- Provides reasonable assurance — a high but not absolute level of assurance
- The opinion addresses fair presentation, not absolute accuracy
- The auditor evaluates whether the financial statements are free from material misstatement, whether caused by error or fraud
Example: MAS Inc. engages an audit firm to audit its annual financial statements. After performing risk assessment, testing internal controls, and executing substantive procedures, the auditor concludes the financial statements present fairly in all material respects. The auditor's opinion gives MAS Inc.'s lenders and investors confidence that the financial statements are reliable — but it does not guarantee that every single number is perfectly correct.
Inherent Limitations of an Audit
An audit provides reasonable assurance, not absolute assurance. Several inherent limitations prevent the auditor from guaranteeing the financial statements are completely free from misstatement:
| Limitation | Description |
|---|---|
| Nature of financial reporting | Financial statements involve management's judgments, estimates, and assumptions that are inherently uncertain |
| Nature of audit procedures | Auditors use sampling — they test a portion of transactions, not every transaction |
| Timeliness | There are practical limits on the time and cost an audit can consume |
| Fraud concealment | Fraud involving collusion, forgery, or intentional management override of controls may be extremely difficult to detect |
| Internal control limitations | Internal controls can be circumvented by management override or collusion among employees |
The CPA exam may test your understanding that an audit provides reasonable assurance — not absolute assurance. An auditor is not an insurer or guarantor of the financial statements. Even a properly planned and executed audit may fail to detect a material misstatement, particularly one involving sophisticated fraud.
Five General GAAS Requirements (SEJEC)
The AICPA's generally accepted auditing standards establish five overarching requirements for all audit engagements. A useful mnemonic is SEJEC:
| Letter | Requirement | Description |
|---|---|---|
| S | Professional Skepticism | The auditor must maintain a questioning mind and critically assess audit evidence. Skepticism means neither assuming management is dishonest nor assuming unquestioned honesty. |
| E | Ethical Requirements (including Independence) | The auditor must comply with relevant ethical requirements, including independence in both fact and appearance for attest engagements. |
| J | Professional Judgment | The auditor must apply training, knowledge, and experience to make informed decisions throughout the audit process. |
| E | Sufficient Appropriate Audit Evidence | The auditor must obtain enough evidence of sufficient quality to support the opinion. Evidence must be both sufficient (quantity) and appropriate (quality — relevance and reliability). |
| C | Compliance with Standards | The auditor must comply with all applicable SASs (for nonissuers) or ASs (for issuers) relevant to the engagement. |
The SEJEC mnemonic is heavily tested. Professional skepticism, in particular, appears in many AUD questions — the auditor must always maintain a questioning mind and cannot simply accept management's explanations at face value.
Example: During the audit of Illini Entertainment, the auditor discovers that revenue increased 40% while the industry average was flat. Professional skepticism requires the auditor to question this trend, design additional procedures to investigate the increase, and not accept management's explanation without corroborating evidence.
Types of Professional Engagements
CPAs can perform several types of engagements, each providing a different level of assurance. The following table summarizes the key engagement types:
| Engagement Type | Level of Assurance | Standards | Opinion/Report Language | Applicable To |
|---|---|---|---|---|
| Audit | Reasonable (high) | SAS (AU-C) or AS | "In our opinion, the financial statements present fairly…" | Issuers and nonissuers |
| Review | Limited (moderate) | SSARS (AR-C) for nonissuers; SAS for interim reviews of issuers | "We are not aware of any material modifications…" (negative assurance) | Primarily nonissuers |
| Compilation | None | SSARS (AR-C) | "We did not audit or review…" (no assurance) | Nonissuers only |
| Preparation | None | SSARS (AR-C) | No report is required (but each page states "no assurance is provided") | Nonissuers only |
| Agreed-Upon Procedures (AUP) | None (findings only) | SSAE (AT-C) or SSARS (AR-C) | Report lists procedures performed and findings — users draw their own conclusions | Any entity |
| Examination (Attestation) | Reasonable (high) | SSAE (AT-C) | Opinion on subject matter or assertion | Any entity |
| Review (Attestation) | Limited (moderate) | SSAE (AT-C) | Negative assurance on subject matter or assertion | Any entity |
Audit Engagements
An audit provides the highest level of assurance — reasonable assurance — that the financial statements as a whole are free from material misstatement. The auditor performs:
- Risk assessment procedures to understand the entity and its environment
- Tests of controls (when relying on internal controls)
- Substantive procedures (tests of details and analytical procedures) to detect material misstatements
The auditor issues an opinion — unmodified, qualified, adverse, or disclaimer — based on the evidence obtained.
Example: BIF Partners engages an audit firm for an annual financial statement audit. The auditor plans the engagement, assesses risks of material misstatement, tests controls over revenue and cash, performs substantive procedures on all significant account balances, and ultimately issues an unmodified opinion stating that the financial statements present fairly in all material respects.
Review Engagements
A review provides limited assurance — substantially less than an audit but more than a compilation. The accountant performs:
- Inquiries of management and others within the entity
- Analytical procedures applied to the financial statements
The review report expresses negative assurance: the accountant states they are "not aware of any material modifications that should be made" to the financial statements. The accountant does not obtain an understanding of internal control, assess fraud risk, test controls, or perform substantive tests of details.
Example: Illini Security (a private company) needs reviewed financial statements to satisfy a bank loan covenant. The accountant performs analytical procedures and inquires of management about unusual transactions, significant estimates, and subsequent events. The report states: "Based on our review, we are not aware of any material modifications that should be made to the accompanying financial statements."
The key distinction between an audit and a review is the level of assurance and the nature of procedures. Audits use substantive testing and control testing; reviews rely on inquiry and analytical procedures only. Memorize this distinction — it appears in many exam questions.
Compilation Engagements
A compilation involves assisting management in presenting financial statements without providing any assurance. The accountant:
- Reads the financial statements and considers whether they are appropriate in form and free from obvious material errors
- Does not perform inquiries, analytical procedures, or any verification procedures
- Is not required to be independent (but must disclose a lack of independence in the compilation report)
The compilation report states that the accountant did not audit or review the financial statements and, accordingly, does not express an opinion or provide any assurance.
Example: MSA Records (a small private company) needs basic financial statements for internal use. The accountant compiles the financial statements from information provided by management. The report states: "We did not audit or review the financial statements and, accordingly, do not express an opinion or provide any assurance about whether the financial statements are in accordance with the applicable financial reporting framework."
Preparation Engagements
A preparation engagement is the least involved service. The accountant assists management in preparing financial statements, with these characteristics:
- The accountant issues no report and provides no assurance
- Each page of the prepared financial statements must include a legend such as "no assurance is provided on these financial statements"
- The accountant need not be independent, and there is no required independence disclosure
Example: Gies Co. asks its CPA to prepare monthly financial statements for internal management use. The CPA prepares the statements from Gies Co.'s trial balance and supporting schedules. Each page includes the required legend, and no report is issued.
Agreed-Upon Procedures (AUP) Engagements
In an AUP engagement, the practitioner performs specific procedures agreed to by the engaging party and reports the findings without providing an opinion or any assurance. Key characteristics:
- The procedures are specified by the engaging party (and, under current standards, the report is no longer restricted to specified parties)
- The practitioner reports findings only — users draw their own conclusions
- No opinion or assurance is expressed
Example: Kingfisher Industries' lender wants to verify that Kingfisher's debt-to-equity ratio meets loan covenant requirements. The lender and Kingfisher agree with the CPA on specific procedures: recalculate the ratio from the financial statements, trace the components to the general ledger, and confirm debt balances with third parties. The CPA performs only these procedures and reports the factual findings without expressing an opinion on whether the covenant was met.
Attestation Engagements
Attestation engagements are a broad category in which a practitioner is engaged to issue a report on subject matter or an assertion that is the responsibility of another party. Attestation engagements follow the SSAEs and can take three forms:
| Form | Level of Assurance | Report Expression |
|---|---|---|
| Examination | Reasonable (high) | Opinion on subject matter or assertion |
| Review | Limited (moderate) | Negative assurance |
| Agreed-Upon Procedures | None (findings only) | Procedures and findings |
Common examples of attestation subject matter include prospective financial statements, compliance with specified requirements, internal controls (for non-SEC entities), and sustainability/ESG metrics.
Example: MAS Inc. asserts that its internal controls over customer data privacy comply with the AICPA Trust Services Criteria. An independent CPA performs an examination-level attestation engagement, tests the controls, and issues an opinion on whether MAS Inc.'s assertion is fairly stated.
SSARS vs. SAS: When Each Applies
| Standard | Applies To | Engagement Types |
|---|---|---|
| SAS (AU-C) | Audits of nonissuers | Audit engagements only |
| SSARS (AR-C) | Compilation, review, and preparation engagements for nonissuers | Compilations, reviews, preparations, and certain AUP engagements |
| AS (PCAOB) | Audits of issuers | Audit engagements for public companies |
| SSAE (AT-C) | Attestation engagements | Examinations, reviews, and AUP on subject matter other than financial statements |
A common mistake is confusing SAS (audit standards) with SSARS (accounting and review services standards). Remember: SAS = audits, SSARS = reviews, compilations, and preparations. Both apply only to nonissuers. Issuers follow PCAOB standards for audits.
Levels of Assurance: A Visual Summary
The following table arranges engagement types by their level of assurance, from highest to lowest:
| Level of Assurance | Engagement Type | Expression |
|---|---|---|
| Reasonable (highest) | Audit / Examination | Positive opinion ("In our opinion…") |
| Limited (moderate) | Review | Negative assurance ("We are not aware of…") |
| None | Compilation | No assurance; disclaimer statement |
| None | Preparation | No assurance; legend on each page |
| None (findings only) | Agreed-Upon Procedures | Procedures and findings; no opinion |
A common AUD exam question presents a scenario and asks what level of assurance is provided, or what type of report is appropriate. Always match the engagement type to the assurance level: audits and examinations provide reasonable assurance (positive opinion), reviews provide limited assurance (negative assurance), and compilations, preparations, and AUPs provide no assurance. Knowing this hierarchy is essential.