In the past few years, attestation services have grown in popularity as the need for an independent party to provide assurance over topics other than financial statements has become required by laws, regulators, or service clients. This blog will include the basic definition, standards, and examples of attestation services.
In accounting, an attestation service or engagement is the process of engaging a CPA to provide assurance or attestation audits over services such as: examinations, reviews, or agreed-upon procedure reports. These services can be used to gain assurance over the following subject matters: agreed-upon procedures, prospective financial statements, compliance, Management Discussion and Analysis (MD&A), and service organizations.
The answer is nothing. An attestation is a type of audit as it provides an opinion.
As the scope increases in attestation services, the governing standards continue to parallel those found within the generally accepted auditing standards (GAAS). These standards preserve core audit principles such as the need for technical competence, independence, due professional care, adequate planning and supervision, sufficient evidence, and appropriate reporting.
As attestation services have grown, the AICPA has had to create more formalized standards and in April 2016, released the Statement on Standards for Attestation Engagements (SSAE) 18, Attestation Standards: Clarification and Recodification. The goal of this project was to make standards clearer and easier to apply within engagements. Some of the major changes are discussed below.
All attestation engagements require that a management’s assertion be requested from the responsible party. The responsible party are those individuals who represent the information presented within an attestation report. This information is the basis for the auditor’s opinion. The responsible party and attestor or auditor can never be the same person as that would be a conflict of interest. The responsible party should have intimate knowledge of the evidence provided during the course of the audit.
Assertion Breakdown: Management should understand what an assertion is before signing. An assertion helps readers gain assurance that the information within the report can be relied upon and management stands behind the information presented.
All attestation engagements require that a representation letter be requested by the responsible party.
A letter of attestation is the same thing as a letter of representation. Read on for more information.
Representation Letter Breakdown: The representation letter is not a section of the report but part of the accountant’s work papers. The representation letter confirms representations presented by the practitioner to the client. A few examples include: information provided was appropriate, records were relevant, and any known subsequent events have been disclosed.
New standards will require the use of a risk assessment to understand internal controls of the information being reported on as well as an assessment of material misstatements over the information.
Risk Based Approach Breakdown: In the past, the majority of standards found within GAAS have been considered audit standards. The new standards under the SSAE 18 will now incorporate GAAS standards but will be less exhaustive. Some areas include materiality, estimates, sampling, and fraud.
Attestation Risk: Another risk to consider is what is known as attestation risk. This is the risk that the auditor may fail to modify the report because the information provided was inaccurate or not complete. To combat this type of risk, auditors are required to consider what is considered material to the accuracy of the opinion provided. Based on what is considered material, additional audit steps may be required to gain the appropriate amount of assurance.
The goal of attestation standards are to provide guidance, set boundaries around a growing service line, define a measure of quality, and outline the objectives that should be reached when performing attestation engagements.
As mentioned above, the SSAEs adopt many of the standards followed under GAAS but differ in two main ways. First, the SSAE, unlike GAAS, does not reference financial statements within the reports, since the reports are not centered around the fair presentation of them. Second, SSAEs differ as they do not reference GAAS within SSAE reports for the same reason.
Attestation engagements follow eight main standards, which are found in all attestation engagements. They are broken out below.
The purpose of attestation engagements is to provide assurance. Attestation engagements include the following services or forms: agreed-upon procedures, historical or future performance or financial data, compliance, physical characteristics such as the size of a facility that is important in the sale of business, an analysis of sorts, functioning of internal controls, governance at an organization, or service organizations. Standards governing these services are issued by senior technical bodies of the AICPA. A few of these examples are further defined below.
An agreed-upon procedures engagement entails a client who engages an auditor to perform procedures to determine whether clients are meeting laws and regulations or internal procedures. Read the AICPA documentation.
An attestation engagement over prospective financial statements is in the form of either an examination engagement or agreed-upon procedure. Per the AICPA, the definition of a prospective financial statement are “either financial forecasts or financial projections, including the summaries of significant assumptions and accounting policies. Although prospective financial statements may cover a period that has partially expired, statements for periods that have completely expired are not considered to be prospective financial statements.”
Under an examination of prospective financial statements, the objective is to obtain reasonable assurance about whether the prospective financial statements were presented in accordance with the AICPA and the assumptions are reasonable. And engagements completed as an agreed-upon procedure, are completed in accordance with the standard agreed-upon objectives. Read the AICPA documentation.
An attestation engagement over compliance is in the form of either an examination or agreed-upon procedure. Per the AICPA, the definition of compliance as it relates to specified requirements and over internal controls is “an entity’s compliance with specified laws, regulations, rules, contracts, or grants and an entity’s internal control over compliance with specified requirements.”
Under an examination of compliance, the objective is to obtain reasonable assurance about whether management accepts responsibility over the entity’s compliance and the internal controls that surround compliance. And engagements completed as an agreed-upon procedure, are completed in accordance with the standard agreed-upon objectives. Read the AICPA documentation.
An attestation engagement over MD&A is completed in the form of either a review or examination. The purpose of a MD&A report is to provide assurance that management’s discussion and analysis are presented in such a way that they meet SEC regulations which are offered to stakeholders. Under a review of MD&A, the objective is to gather evidence to determine if any required elements defined by the SEC have been left out in the presentation of the information, financial statement values are not accurate, and assumptions and estimates used to come up with the analysis presented are not reasonable.
Under an examination of MD&A, the objective is to gather evidence to determine if required elements defined by the SEC have been included in the presentation of the information, financial statement values are accurate, and assumptions and estimates used to come up with the analysis presented are reasonable. Read the AICPA documentation.
An attestation engagement over service organization is an examination of controls at service organizations, which provide services such as payroll or data storage, that may affect their clients controls over financial reporting, for SOC 1 reports. SOC 2 reports are also considered service organization attestation engagements but since they don’t report on controls that affect financial reporting, they are governed by two other attestation guidance.
The objective of both reports is to gather sufficient evidence to provide assurance that management’s description of the system of controls is fairly presented and the controls which make up of the system were designed and operated effectively throughout the period. Note: There are reports that only report on the design of the controls and are considered Type 1 reports.
How long an attestation report is valid for depends on a number of factors. As mentioned above a Type I report only provides its users with assurance that the design of a control was in place at the time of the audit while a Type II report provides assurance that controls were designed and operated consistently over a certain period of time. Generally, a report user can obtain what’s known as a bridge letter. This letter is from the management of the organization and certifies that there have been no major changes to system description and the controls have continued to operate as expected. Note that this is not an auditor’s opinion. In general, a bridge letter should not be accepted for a report that is more than a year old unless additional monitoring procedures are in place to allow for an organization to gain assurance of the design and operation of controls.
As seen throughout our IT Audit & Compliance Blog, attestation engagements provide companies with the possibility of gaining assurance over an extensive amount of topics, other than historical financial statements. This is important because these guidelines provide the ability for companies to now gain comfort in the controls they are implementing in a fashion that is monitored by the AICPA.
More information about attestation services:
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.
