Compliance Attestation Standard

A practitioner may be engaged to perform agreed-upon procedures to assist users in evaluating management’s written assertion about an entity’s compliance with specified requirements, the effectiveness of internal control over compliance, or both.

A practitioner also may be engaged to examine compliance with specified requirements or a written assertion thereon. For example, some electronic funds transfer associations or networks require their members who process transactions to complete a compliance exam.

This post provides guidance for engagements related to either (1) compliance with requirements of specified laws, regulations, rules, contracts, or grants (specified requirements) or (2) the effectiveness of internal control over compliance with specified requirements. It is adapted from SSAE 10 (in AICPA publications this section is codified as AT 601).

The Auditing Standards Board issued SSAE 10, “Attestation Standards: Revision and Recodification.” SSAE 10 superseded SSAEs 1 through 9 and renumbered the AT sections in the AICPA’s Codification. The revisions to this section include clarifying that:

  • The responsible party’s refusal to furnish the required representations constitutes a limitation on the scope of the engagement.
  • The responsible party’s refusal to provide a written assertion as part of an examination engagement should cause the practitioner to withdraw from the engagement. (An exception exists if an examination of an entity’s compliance with specified requirements is required by law or regulation. In this case, the practitioner should disclaim an opinion on compliance unless he or she obtains evidential matter that warrants expressing an adverse opinion.)
  • If the engagement is to perform agreed-upon procedures and:
      • The client is the responsible party, that party’s refusal to provide an assertion requires that the practitioner withdraw from the engagement.
      • The client is not the responsible party, the practitioner is not required to withdraw, but should consider the effects of the refusal on the engagement and report.


Requirements for Compliance Attestation In General

1. Criteria – The practitioner cannot accept an agreed-upon procedures or an examination engagement unless reasonable criteria have been established by a recognized body or are stated in or attached to the practitioner’s report.

2. Prohibited Engagements – A practitioner should not accept an engagement to perform a review about compliance with specified requirements or about the effectiveness of internal control over compliance or assertions thereon.

3. Using The Work Of A Specialist – The practitioner should follow the guidance of Section 336, “Using the Work of a Specialist,” if he or she decides that a specialist is necessary for an engagement covered by this section.

4. Management’s Representations – According to AT 601.68, for both an agreed-upon procedures engagement and an examination engagement, the practitioner should obtain the responsible party’s written representations that:

  • Acknowledge the responsible party’s responsibility for complying with the specified requirements.
  • Acknowledge the responsible party’s responsibility for establishing and maintaining effective internal control over compliance.
  • State that the responsible party has performed an evaluation of (1) the entity’s compliance with specified requirements, or (2) the entity’s internal controls for ensuring compliance and detecting noncompliance with requirements, as applicable.
  • State the responsible party’s assertion about the entity’s compliance with the specified requirements or about the effectiveness of the internal control over compliance, as applicable, based on the stated or established criteria.
  • State that the responsible party has disclosed to the practitioner all known noncompliance.
  • State that the responsible party has made available all documentation related to compliance with specified requirements.
  • State the responsible party’s interpretation of any compliance requirements that have varying interpretations.
  • State that the responsible party has disclosed any communications from regulatory agencies, internal auditors, and other practitioners concerning possible noncompliance with the specified requirements, including communications received between the end of the period addressed in the written assertion and the date of the practitioner’s report.
  • State that the responsible party has disclosed any known noncompliance occurring subsequent to the period for which, or date as of which, the responsible party selects to make its assertion.

The responsible party’s refusal to furnish the required representations is a scope limitation. In an examination engagement, the practitioner ordinarily should disclaim an opinion or withdraw. However, based on the nature of the representations or circumstances, a qualified opinion may be appropriate.

In an agreed-upon procedures engagement in which the practitioner’s client is the responsible party, the responsible party’s refusal to provide written assertions is a scope limitation sufficient to cause the practitioner to withdraw. When the practitioner’s client is not the responsible party, the practitioner:

  • Is not required to withdraw, but should consider the effects of the responsible party’s refusal on his or her report, as well as the ability to rely on other representations of the responsible party.
  • May also want to obtain written representations from the client (e.g., knowledge of any noncompliance).

5. Other Information In A Client-Prepared Document – The practitioner’s report on either compliance with specified requirements or the effectiveness of internal control over compliance or written assertions thereon may be included in a client-prepared document that includes other information. In those circumstances, the practitioner should read the other information.

Agreed-Upon Procedures Engagement

1. Conditions For Acceptance – A practitioner may accept an agreed-upon procedures engagement related to an entity’s compliance with specified requirements or the effectiveness of internal control over compliance, if the responsible party:

  • Accepts responsibility for the entity’s compliance with specified requirements and the effectiveness of the entity’s internal control over compliance.
  • Evaluates the entity’s compliance with specified requirements or the effectiveness of the entity’s internal control over compliance.

In addition, the conditions that apply to acceptance of all agreed-upon procedures engagements have to be met.

Note: A written management representation letter is required in agreed-upon procedure engagements relating to compliance matters.

The practitioner should obtain a written assertion about compliance with specified requirements or internal control over compliance from the responsible party. The written assertion may be provided in the representation letter or in a separate report accompanying the practitioner’s report. If the client is the responsible party, that party’s refusal to provide an assertion requires that the practitioner withdraw from the engagement. If the engagement is required by law or regulation, withdrawal is not required. If the client is not the responsible party, the practitioner does not have to withdraw but should consider the effects of the refusal on the engagement and report.

2. Understanding With Specified Parties – The specified parties should participate in establishing the procedures to be performed and take responsibility for the adequacy of those procedures. The practitioner should determine whether the specified parties understand the procedures to be performed by discussing the nature of management’s assertion and the procedures with the specified parties.

3. Understanding The Specified Compliance Requirements – The practitioner should obtain an understanding of the specified compliance requirements stated in management’s assertion. To obtain this understanding, the practitioner should consider the following:

  • Laws, regulations, rules, contracts, and grants relevant to the specified compliance requirements.
  • Knowledge about the specified compliance requirements obtained from the following: (a) prior engagements and regulatory reports; (b) discussions with appropriate individuals within the entity; (c) discussions with appropriate individuals outside the entity, such as regulators or specialists.

4. Scope Restrictions – The practitioner should attempt to obtain agreement from the specified parties for modification of the agreed-upon procedures if circumstances impose restrictions on the scope of those procedures. If an agreement for modification cannot be obtained, the practitioner should describe the restrictions in the attestation report or withdraw from the engagement.

5. Subsequent Events – If the practitioner becomes aware of noncompliance related to management’s assertion that occurs after the period addressed by that assertion but before the date of the report, he or she should consider including that information in the report. According to AT 601.24, the practitioner has no obligation to perform procedures to detect noncompliance in the subsequent period.

6. Practitioner’s Report – The practitioner’s report on agreed-upon procedures on an entity’s compliance with specified requirements or about the effectiveness of an entity’s internal control over compliance should be in the form of procedures and findings. The report should be dated as of the date of completion of the agreed-upon procedures. According to AT 601.24 of the AICPA codification, the practitioner’s report should contain the following elements:

  • A title that includes the word independent.
  • Identification of the specified parties.
  • Identification of the subject matter of the engagement (or management’s assertion thereon), including the period or point in time addressed, and a reference to the character of the engagement.
  • An identification of the responsible party.
  • A statement that the subject matter is the responsibility of the responsible party.
  • A statement that the procedures, which were agreed to by the specified parties identified in the report, were performed to assist the specified parties in evaluating the entity’s compliance with the specified requirements or the effectiveness of its internal control over compliance.
  • A statement that the agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants.
  • A statement that the sufficiency of the procedures is solely the responsibility of the specified parties and a disclaimer of responsibility for the sufficiency of those procedures.
  • A list of the procedures performed (or reference thereto) and related findings. The practitioner should not provide negative assurance.
  • Where applicable, a description of any agreed-upon materiality limits.
  • A statement that the practitioner was not engaged to and did not conduct an examination of the entity’s compliance with specified requirements or about the effectiveness of an entity’s internal control over compliance, a disclaimer of opinion thereon, and a statement that if the practitioner had performed additional procedures, other matters might have come to his or her attention that would have been reported.
  • A statement restricting the use of the report to the specified parties. (However, if the report is a matter of public record, the practitioner should include the following sentence: “However, this report is a matter of public record and its distribution is not limited.”)
  • Where applicable, reservations or restrictions concerning procedures or findings.
  • Where applicable, a description of the nature of the assistance provided by the specialist.
  • The manual or printed signature of the practitioner’s firm.
  • The date of the report.


Examination Engagement

1. Conditions For Engagement Performance – According to AT 601.10, a practitioner may accept an examination engagement related to an entity’s compliance with specified requirements if the following conditions are met:

  • The responsible party accepts responsibility for the entity’s compliance with specified requirements and the effectiveness of the entity’s internal control over compliance.
  • The responsible party evaluates the entity’s compliance with specified requirements.
  • Sufficient evidential matter exists or could be developed to support the responsible party’s evaluation.

A practitioner may examine the effectiveness of the entity’s internal control over compliance or an assertion thereon only if he or she has reason to believe that the subject matter is capable of reasonably consistent evaluation against criteria that are suitable and available to users.

The practitioner should obtain a written assertion about compliance with specified requirements or internal control over compliance from the responsible party. The written assertion may be provided in a representation letter to the practitioner or in a separate report accompanying the practitioner’s report. The responsible party’s written assertion may take various forms but should be specific enough that users having competence in and using the same or similar measurement and disclosure criteria ordinarily would be able to arrive at materially similar conclusions.

The responsible party’s refusal to provide a written assertion as part of an examination engagement should cause the practitioner to withdraw from the engagement, regardless of whether the client is the responsible party. An exception exists if an examination of an entity’s compliance with specified requirements is required by law or regulation. In this case, the practitioner should disclaim an opinion on compliance unless he or she obtains evidential matter that warrants expressing an adverse opinion. If the practitioner expresses an adverse opinion and the responsible party does not provide an assertion, the practitioner’s report should be restricted.

2. Extent Of Evidence – To express an opinion on an entity’s compliance (or assertion related thereto), the practitioner should accumulate sufficient evidence about the entity’s compliance with specified requirements and limit attestation risk to an appropriately low level.

3. Assessment Of Inherent Risk – The practitioner should consider factors affecting inherent risk similar to the factors an auditor would consider when planning an audit of financial statements. According to AT 601.33, in addition, the practitioner should consider the following factors:

  • The complexity of the specified compliance requirements.
  • The length of time the entity has been subject to the specified compliance requirements.
  • Prior experience with the entity’s compliance.
  • Potential impact of noncompliance.

4. Assessment Of Control Risk – The practitioner should assess control risk. To assess control risk for compliance with specified requirements and to plan the engagement, the practitioner should obtain an understanding of those parts of the internal control related to compliance.

5. Engagement Procedures – According to AT 601.39, in an examination of the entity’s compliance with specified requirements, the practitioner should do the following:

  • Obtain an understanding of the specified compliance requirements.
  • Plan the engagement.
  • Consider relevant portions of the entity’s internal control over compliance.
  • Obtain sufficient evidence including testing compliance with specified requirements.
  • Consider subsequent events.
  • Form an opinion about whether the entity complied, in all material respects, with specified requirements (or whether the responsible party’s assertion about such compliance is fairly stated in all material respects) based on the specified criteria.

6. Subsequent Events – The practitioner should consider information about subsequent events that comes to his or her attention between the end of the period addressed by the practitioner’s report and prior to the issuance of the report. The practitioner has no responsibility to detect noncompliance after the period being reported on but before the date of the report. However, if the practitioner becomes aware of this type of noncompliance and its nature and significance may make management’s assertion misleading, the practitioner should include in the report an explanatory paragraph describing the nature of the noncompliance.

7. Practitioner’s Report – According to AT 601.55, the practitioner’s report on an examination, which is ordinarily addressed to the entity, should include the following:

  • A title that includes the word independent.
  • An identification of the specified compliance requirements, including the period covered, and of the responsible party.
  • A statement that compliance with the specified requirements is the responsibility of the entity’s management.
  • A statement that the practitioner’s responsibility is to express an opinion on the entity’s compliance with those requirements based on his or her examination.
  • A statement that the examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence about the entity’s compliance with those requirements and performing such other procedures as the practitioner considered necessary in the circumstances.
  • A statement that the practitioner believes the examination provides a reasonable basis for his or her opinion.
  • A statement that the examination does not provide a legal determination on the entity’s compliance.
  • The practitioner’s opinion on whether the entity complied, in all material respects, with specified requirements based on the specified criteria.
  • A statement restricting the use of the report to the specified parties when the criteria used to evaluate compliance (a) are determined by the practitioner to be appropriate only for a limited number of parties who either participated in establishing the criteria or who can be assumed to have an adequate understanding of the criteria, or (b) are available only to specified parties.
  • The manual or printed signature of the practitioner’s firm.
  • The date of the examination report. The practitioner’s report should be dated as of the date of completion of the examination procedures.

8. Report Modifications – The practitioner should modify the standard report whenever any one of the following conditions exists:

  • There is material noncompliance with specified requirements (qualified or adverse opinion).
  • The scope of the engagement is restricted (qualified opinion or disclaimer of opinion).
  • The practitioner refers to the report of another practitioner as the basis, in part, for the report.


Techniques For Application

For either an agreed-upon procedures engagement or an examination, the practitioner should properly plan the engagement. In planning the engagement, the practitioner should consider doing the following:

  • Discuss the purpose of the engagement with management.
  • Read or obtain an understanding of relevant laws and documents.
  • Obtain an engagement letter.
  • Design a program of procedures to be applied.


1. Agreed-Upon Procedures Engagement – In this type of engagement, the practitioner should try to meet with the specified parties or a representative of the specified parties to establish the procedures. If a meeting is not possible, the practitioner should do one of the following:

  • Compare the procedures to be applied to written requirements of the specified parties.
  • Review relevant contracts with or correspondence from the specified parties.
  • Distribute a draft of the anticipated report or a copy of a proposed engagement letter to the specified parties with a request for their comments.
  • Discuss the procedures to be applied with appropriate representatives of the specified parties involved.

The manner in which the procedures are established should be documented in the practitioner’s workpapers.

At the conclusion of this type of engagement, the practitioner should obtain a management representation letter. If management refuses, the practitioner should withdraw from the engagement.

A. Planning The Examination Engagement – The practitioner should consider the following when planning the engagement:

1. For an entity with multiple components, determine if it is necessary to examine all components for compliance. In making this determination, consider:

  • To what degree do the specified compliance requirements apply at the component level?
  • What are our judgments about materiality?
  • How centralized are the records?
  • How effective is the control environment, particularly management’s direct control over the exercise of authority delegated to others and its ability to supervise activities at various locations effectively?
  • What are the nature and extent of operations conducted at the various components?
  • How similar are controls over compliance for different components?

2. The need to use the work of a specialist.

3. The existence of an internal audit function and the extent to which internal auditors are involved in monitoring compliance with specified requirements (see Section

4. Obtain an understanding of the parts of the internal control related to compliance with the specified requirements. This understanding may be obtained by (a) inquiries; (b) inspection of documents; (c) observation of activities.

5. Identify types of potential noncompliance.

6. Assess control risk. If the practitioner wishes to assess control risk below the maximum, he or she should perform tests of controls.

B. Examination Procedures – The nature of procedures and the sufficiency of evidence are matters of practitioner judgment. Procedures to be considered include the following:

1. For engagements involving regulatory requirements

  • Review communication between regulatory agencies and the entity.
  • Review examination reports of the regulatory agencies.
  • If appropriate, make inquiries of regulatory agencies including inquiries about examinations in progress.
  • Make inquiries of entity’s outside and inside counsel responsible for such matters.

2. Identify subsequent events in the period from the end of the period under examination to the date of the report that would provide evidence about compliance during the period under examination. Information concerning subsequent events would be obtained from the following sources:

  • Relevant internal auditors’ reports issued during the subsequent period.
  • Other practitioners’ reports identifying noncompliance, issued during the subsequent period.
  • Regulatory agencies’ reports on the entity’s noncompliance, issued during the subsequent period.
  • Information about the entity’s noncompliance, obtained through other professional engagements for that entity.

3. If the specified requirements relate to financial statement matters, compare the relevant parts of these statements with the specified requirements.

4. Obtain a management representation letter. If management refuses, the practitioner should consider issuing a qualified opinion or a disclaimer of opinion.


C. Materiality – Materiality in an examination of compliance differs from materiality in an audit. In an examination, the practitioner should consider the:

1. Nature of the compliance requirements, which may or may not be quantifiable in monetary terms.

2. Nature and frequency of noncompliance, including sampling risks.

3. Qualitative considerations, including user needs and expectations.