Codification of Statements on Standards for Attestation Engagements, January 2018 E-Book

PREFACE

This publication, issued by the Accounting and Review Services Committee and the Auditing Standards Board (ASB), is a codification of Statements on Standards for Attestation Engagements (SSAEs) and the related attestation interpretations applicable to the preparation and issuance of attestation reports for all nonissuers. A nonissuer is any entity not subject to the Sarbanes-Oxley Act of 2002 or the rules of the SEC.

This publication contains the codified attestation standards issued through SSAE No. 18, Attestation Standards: Clarification and Recodification, and related attestation interpretations. Superseded portions have been deleted and all applicable amendments have been included.

SSAEs are issued by senior committees of the AICPA designated to issue pronouncements on attestation matters applicable to the preparation and issuance of attestation reports for entities that are nonissuers. The "Compliance With Standards Rule" (AICPA, Professional Standards, ET sec. 1.310.001) of the AICPA Code of Professional Conduct requires an AICPA member performing an attestation engagement for a nonissuer (a practitioner) to comply with standards promulgated by such senior committees. A practitioner must comply with an unconditional requirement in all cases in which such requirement is relevant.A practitioner also should comply with a presumptively mandatory requirement in all cases in which such requirement is relevant; however, in rare circumstances, the practitioner may depart from a presumptively mandatory requirement provided that the practitioner documents the justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement.

Exhibits and interpretations to SSAEs are interpretive publications, as defined in AT-C section 105, Concepts Common to All Attestation Engagements. AT-C section 105 requires the practitioner to consider applicable interpretive publications in planning and performing an attestation engagement. Interpretive publications are not attestation standards. Interpretive publications are recommendations on the application of the SSAEs in specific circumstances, including engagements for entities in specialized industries. An interpretive publication is issued under the authority of the relevant senior technical committee after all members of the committee have been provided an opportunity to consider and comment on whether the proposed interpretive publication is consistent with the SSAEs. Attestation interpretations are included in the ATC sections of AICPA Professional Standards. AICPA Guides and Attestation Statements of Position are listed in AT-C appendix A, "AICPA Guides and Statements of Position," of AICPA Professional Standards.

ACCOUNTING AND REVIEW SERVICES COMMITTEE Mike Fleming, Chair Michael P. Glynn, Senior Technical Manager— Audit and Attest Standards

AUDITING STANDARDS BOARD Michael J. Santay, Chair Charles E. Landes, Vice President— Professional Standards and Services

WHAT'S NEW IN THIS EDITION

Section

Addition

AT-C 9105.31-.37

Addition of section as a result of the issuance of Interpretation No. 4, "Performing and Reporting on an Attestation Engagement Under Two Sets of Attestation Standards," of AT-C section 105,

Concepts Common to All Attestation Engagements.

Section

Change

AT-C 105

Revisions to better reflect the AICPA Council Resolution designating the PCAOB to promulgate technical standards.

AT-C 9215.01-.15

Superseded by Statement of Position 17-1,

Performing Agreed-Upon Procedures Related to Rated Exchange Act Asset-Backed Securities Third-Party Due Diligence Services as Defined by SEC Release No. 34-72936

(AICPA,

Professional Standards

, AUD sec. 60), effective for agreed-upon procedures attestation engagements that include covered services accepted subsequent to December 31, 2017.

AT-C 310

Revisions to better reflect the AICPA Council Resolution designating the PCAOB to promulgate technical standards.

DELETED SECTIONS

Attestation Standards [AT]

This section has been deleted due to the effective date of Statement on Standards for Attestation Engagements (SSAE) No. 18,

Attestation Standards, Clarification and Recodification

. SSAE No. 18 became effective May 1, 2017. Refer to individual AT-C sections for specific effective date language.

______________________________

TABLE OF CONTENTS

Cover

Title Page

Copyright

How This Publication Is Organized U.S. Attestation Standards—AICPA (Clarified) [AT-C]

AT-C Cross-References to SSAEs

AT-C Introduction

Foreword

Preface to the Attestation Standards

Glossary of Terms

AT-C 100 Common Concepts

105–Concepts Common to All Attestation Engagements

9105–Concepts Common to All Attestation Engagements: Attestation Interpretations of Section 105

AT-C 200 Level of Service

205–Examination Engagements

9205–Examination Engagements: Attestation Interpretations of Section 205

210–Review Engagements

215–Agreed-Upon Procedures Engagements

9215–Agreed-Upon Procedures Engagements: Attestation Interpretations of Section 215

AT-C 300 Subject Matter

305–Prospective Financial Information

310–Reporting on Pro Forma Financial Information

315–Compliance Attestation

320–Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting

395–[Designated for AT Section 701, Management’s Discussion and Analysis]

AT-C Exhibits

AT-C Appendixes

EULA

Guide

Cover

Table of Contents

Chapter

Pages

29

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

191

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

365

366

367

368

371

373

00000

V

00000

1

ii

C1

iii

i

5

6

9

10

11

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

369

HOW THIS PUBLICATION IS ORGANIZED

U.S. Attestation Standards—AICPA (Clarified) [AT-C]

The AT-C sections include clarified accounting and review services standards issued by SSAE No. 18, Attestation Standards: Clarification and Recodification. These sections are arranged as follows:

AT-C Cross-References to SSAEs AT-C Introduction Common Concepts Level of Service Subject Matter Exhibits Appendixes AT-C Topical Index

The AT-C Cross-References to SSAEs to SSAEs lists all issued SSAEs and the sources of sections created by SSAE No. 18 in the current text.

The AT-C Introduction describes the Auditing Standards Board project to revise and clarify all existing attestation standards in the Codification of Statements on Standards for Attestation Engagements.

The standards are divided into sections, each with its own section number. Each paragraph within a section is decimally numbered.

Attestation interpretations are numbered in the 9000 series with the last three digits indicating the section to which the interpretation relates. Interpretations immediately follow their corresponding section. For example, interpretations related to section 105 are numbered 9105, which directly follows section 105.

There is one exhibit relating to attestation standards as follows:

The exhibit provides a list of AT-C sections designated by SSAE No. 18 cross referenced to a list of AT sections.

There are two appendixes relating to attestation standards as follows:

Appendix A provides a list of AICPA attestation guides and Statements of Position.

Appendix B identifies other attestation publications published by the AICPA that have been reviewed by the AICPA Audit and Attest Standards staff.

The AT-C topical index uses the keyword method to facilitate reference to the pronouncements. The index is arranged alphabetically by topic and refers to major divisions, sections, and paragraph numbers.

______________________

AT-C Cross-References to SSAEs

TABLE OF CONTENTS

AT-C Cross-References to SSAEs

Part I — Statements on Standards for Attestation Engagements and Sources of Sections in Current Text

Part II — List of Statement on Standards for Attestation Engagements Nos. 1–17

AT-C Cross-References to SSAEs

Part I — Statements on Standards for Attestation Engagements and Sources of Sections in Current Text

Statements on Standards for Attestation Engagements*

No.

Date Issued

Title

AT-C Section

18

April 2016

Attestation Standards: Clarification and Recodification

1

Sources of Sections in Current Text

AT-C Section

Contents

Source

100

Common Concepts

105

Concepts Common to All Attestation Engagements

SSAE No. 18

200

Level of Service

205

Examination Engagements

SSAE No. 18

210

Review Engagements

SSAE No. 18

215

Agreed-Upon Procedures Engagements

SSAE No. 18

300

Subject Matter

305

Prospective Financial Information

SSAE No. 18

310

Reporting on Pro Forma Financial Information

SSAE No. 18

315

Compliance Attestation

SSAE No. 18

320

Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting

SSAE No. 18

395

Designated for AT Section 701,

Management’s Discussion and Analysis

SSAE No. 10

2

Part II — List of Statement on Standards for Attestation Engagements Nos. 1–17

No.

Date Issued

Title

1

Mar. 1986

Attestation Standards

1

Dec. 1987

Attest Services Related to MAS Engagements

1

Oct. 1985

Financial Forecasts and Projections

1

Sept. 1988

Reporting on Pro Forma Financial Information

2

May 1993

Reporting on an Entity's Internal Control Over Financial Reporting

3

Dec. 1993

Compliance Attestation

4

Sept. 1995

Agreed-Upon Procedures Engagements

5

Nov. 1995

Amendment to Statement on Standards for Attestation Engagements No. 1,

Attestation Standards

6

Dec. 1995

Reporting on an Entity's Internal Control Over Financial Reporting: An Amendment to Statement on Standards for Attestation Engagements No. 2

7

Oct. 1997

Establishing an Understanding With the Client

8

Mar. 1998

Management's Discussion and Analysis

9

Jan. 1999

Amendments to Statement on Standards for Attestation Engagements Nos. 1, 2, and 3

10

Jan. 2001

Attestation Standards: Revision and Recodification

11

Jan. 2002

Attest Documentation

12

Sept. 2002

Amendment to Statement on Standards for Attestation Engagements No. 10,

Attestation Standards: Revision and Recodification

13

Dec. 2005

Defining Professional Requirements in Statements on Standards for Attestation Engagements

14

Nov. 2006

SSAE Hierarchy

15

Sept. 2008

An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

16

April 2010

Reporting on Controls at a Service Organization

17

Dec. 2010

Reporting on Compiled Prospective Financial Statements When the Practitioner’s Independence Is Impaired

Notes

*

This table lists Statements on Standards for Attestation Engagements (SSAEs) issued subsequent to SSAE No. 18,

Attestation Standards: Clarification and Recodification

, which was issued in April 2016. Refer to

part II

, "List of Statement on Standards for Attestation Engagements Nos. 1–17," of this section for SSAEs issued prior to SSAE No. 18.

1

SSAE No. 18 created various sections throughout

U.S. Attestation Standards—AICPA (Clarified)

. See the following section, “

Sources of Sections in Current Text

,” for a full list.

2

SSAE No. 18 does not supersede chapter 7, “Management’s Discussion and Analysis,” of SSAE No. 10,

Attestation Standards: Revision and Recodification

, which is currently codified as AT section 701. The Auditing Standards Board (ASB) has not clarified AT section 701 because practitioners rarely perform attest engagements to report on management’s discussion and analysis prepared pursuant to the rules and regulations adopted by the SEC. Therefore, the ASB decided that it would retain AT section 701 in its current unclarified format as

AT-C section 395

until further notice.

__________________________

AT-C Introduction

TABLE OF CONTENTS

AT-C Introduction

Foreword

AT-C Preface to the Attestation Standards

AT-C Glossary of Terms

AT-C Introduction

Foreword

Attestation Clarity Project

To address concerns over the clarity, length, and complexity of its standards, the Auditing Standards Board (ASB) established clarity drafting conventions and undertook a project to redraft all the standards it issues in clarity format. The redrafting of Statements on Standards for Attestation Engagements (SSAEs or attestation standards) in SSAE No. 18, Attestation Standards: Clarification and Recodification, represents the culmination of that process. This section redrafts all SSAEs, except for the following:

Chapter 7, "Management’s Discussion and Analysis," of SSAE No. 10,

Attestation Standards: Revision and Recodification

(AT sec. 701)The ASB decided not to clarify AT section 701 because practitioners rarely perform attestation engagements to report on management’s discussion and analysis prepared pursuant to the rules and regulations adopted by the U.S. Securities and Exchange Commission. Therefore, the ASB decided that AT section 701 should be retained in its current unclarified format as

section 395

until further notice.

SSAE No. 15,

An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

, and related Attestation Interpretation No. 1, "Reporting Under Section 112 of the Federal Deposit Insurance Corporation Improvement Act" (AT sec. 501 and 9501)The ASB concluded that because engagements performed under AT section 501 are required to be integrated with an audit of financial statements, the content of AT section 501 should be moved to the Statements on Auditing Standards (SASs). As a result, in October 2015, the ASB issued SAS No. 130,

An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements

(AU-C sec. 940). AT section 501 and the related interpretation will be withdrawn when SAS No. 130 becomes effective; the effective date for SAS No. 130 is for integrated audits for periods ending on or after December 15, 2016.

The attestation standards are developed and issued in the form of SSAEs and are codified into sections. This section recodifies the "AT" section numbers designated by SSAE Nos. 10–17 using the identifier "AT-C" to differentiate the sections of the clarified attestation standards ("AT-C sections") from the attestation standards that are superseded by SSAE No. 18 ("AT sections"). The AT sections remain effective through April 2017, by which time substantially all engagements for which the AT sections were still effective are expected to be completed.

The attestation standards have been redrafted in accordance with the clarity drafting conventions, which include the following:

Establishing objectives for each AT-C section

Including a definitions section, where relevant, in each AT-C section

Separating requirements from application and other explanatory material

Numbering application and other explanatory material paragraphs using an A- prefix and presenting them in a separate section that follows the requirements section

Using formatting techniques, such as bulleted lists, to enhance readability

Including, when appropriate, special considerations relevant to audits of smaller, less complex entities within the text of the AT-C section

Including, when appropriate, special considerations relevant to examination, review, or agreed-upon procedures engagements for governmental entities within the text of the AT-C section

Convergence

It is the ASB’s general strategy to converge its standards with those of the International Auditing and Assurance Standards Board. Accordingly, the foundation for section 105, Concepts Common to All Attestation Engagements; section 205, Examination Engagements; and section 210, Review Engagements, is International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information. Many of the paragraphs in this section have been converged with the related paragraphs in ISAE 3000 (Revised), with certain changes made to reflect U.S. professional standards. Other content included in this section is derived from the extant SSAEs.

The ASB decided not to adopt certain provisions of ISAE 3000 (Revised), for example, in this section, a practitioner is not permitted to issue an examination or review report if the practitioner has not obtained a written assertion from the responsible party, except when the engaging party is not the responsible party. In the ISAEs, an assertion (or representation about the subject matter against the criteria) is not required in order for the practitioner to report.

Section 215, Agreed-Upon Procedures Engagements, is based on a redrafting of extant AT section 201, Agreed-Upon Procedures Engagements, in clarified format. ISAE 3000 (Revised) does not address agreed-upon procedures engagements.

Authority of the SSAEs

SSAEs are issued by senior committees of the AICPA designated to issue pronouncements on attestation matters applicable to the preparation and issuance of attestation reports for entities that are nonissuers.1 The "Compliance With Standards Rule" (ET sec. 1.310.001) of the AICPA Code of Professional Conduct requires an AICPA member performing an attestation engagement for a nonissuer (a practitioner) to comply with standards promulgated by the ASB. A practitioner must comply with an unconditional requirement in all cases in which such requirement is relevant. A practitioner also must comply with a presumptively mandatory requirement in all cases in which such requirement is relevant. However, if, in rare circumstances, a practitioner judges it necessary to depart from a relevant presumptively mandatory requirement, the practitioner must document the justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement.

Exhibits and interpretations to SSAEs are interpretive publications, as defined in section 105. Section 105 requires the practitioner to consider applicable interpretive publications in planning and performing the attestation engagement. Interpretive publications are not attestation standards. Interpretive publications are recommendations on the application of the SSAEs in specific circumstances, including engagements for entities in specialized industries. An interpretive publication is issued under the authority of the relevant senior technical committee after all members of the committee have been provided an opportunity to consider and comment on whether the proposed interpretive publication is consistent with the SSAEs. Attestation interpretations are included in AT-C sections. AICPA Guides and Attestation Statements of Position are listed in AT-C appendix A, "AICPA Guides and Statements of Position."

AUDITING STANDARDS BOARD

Michael J. Santay, Chair

Charles E. Landes, Vice President— Professional Standards and Services

Notes

1

See the definition of the term

nonissuer

in the AU-C Glossary. [Footnote added, February 2017, to better reflect the AICPA Council Resolution designating the PCAOB to promulgate technical standards.]

__________________________

AT-C Preface*

Preface to the Attestation Standards

.01 The Statements on Standards for Attestation Engagements (SSAEs or attestation standards) establish requirements and provide application guidance for performing and reporting on examination, review, and agreed-upon procedures engagements (attestation engagements). Examples of subject matter for attestation engagements are a schedule of investment returns, the effectiveness of an entity’s controls over the security of a system, or a statement of greenhouse gas emissions.

.02 The attestation standards are issued under the "Compliance With Standards Rule" (ET section 1.310.001) of the AICPA Code of Professional Conduct, which requires an AICPA member who performs an attestation engagement to comply with standards promulgated by bodies designated by AICPA council. AICPA council has granted the Auditing Standards Board authority to promulgate the attestation standards, which are issued through a due process that includes deliberation in meetings open to the public, public exposure of proposed attestation standards, and a formal vote by an authorized standard-setting body.

.03 This preface provides an overview of the attestation standards but does not establish requirements and does not carry any authority. It is intended to be helpful in understanding attestation engagements.

.04 The attestation standards are developed and issued in the form of SSAEs and are codified into sections. The identifier "AT-C" is used to differentiate the sections of the clarified attestation standards issued in April 2016 (AT-C sections) from the sections of the attestation standards they supersede (identified as AT sections).

Structure of the Attestation Standards

.05 The attestation standards apply to three levels of service—examination, review, and agreed-upon procedures—and can be applied to innumerable types of subject matter. The applicability of specific AT-C sections to an engagement depends on both the level of service provided and the subject matter on which the practitioner is engaged to report.

.06Section 105, Concepts Common to All Attestation Engagements, contains concepts that are relevant to any attestation engagement. The level of service sections are section 205, Examination Engagements; section 210, Review Engagements; and section 215, Agreed-Upon Procedures Engagements, which contain additional requirements and application guidance specific to examination, review, or agreed-upon procedures engagements, respectively. Under the attestation standards, the applicable requirements and application guidance for any attestation engagement are contained in at least two sections: section 105 and section 205, 210, or 215, depending on the level of service being provided. In addition, incremental performance and reporting requirements and application guidance unique to specific subject matters, such as prospective financial information or compliance with laws and regulations, are contained in the subject-matter sections. The applicable requirements and application guidance for a subject-matter-specific engagement is contained in three sections: section 105; section 205, 210, or 215, as applicable; and the applicable subject-matter section.

Purpose of the Engagement and Premise on Which an Attestation Engagement Is Conducted

.07 The purpose of an attestation engagement is to provide users of information, generally third parties, with an opinion, conclusion, or findings regarding the reliability of subject matter or an assertion about the subject matter, as measured against suitable and available criteria. (An examination engagement results in an opinion; a review engagement results in a conclusion; and an agreed-upon procedures engagement results in findings.) The practitioner’s report is intended to enhance the degree of confidence that intended users can place in the subject matter.

Responsibilities

.08 An engagement in accordance with the attestation standards is conducted on the premise that the responsible party is responsible for

the subject matter (and, if applicable, the preparation and presentation of the subject matter) in accordance with (or based on) the criteria

its assertion about the subject matter;

measuring, evaluating, and, when applicable, presenting subject matter that is free from material misstatement, whether due to fraud or error; and

providing the practitioner with

—  access to all information of which the responsible party is aware that is relevant to the measurement, evaluation, or disclosure of the subject matter;

—  access to additional information that the practitioner may request from the responsible party for the purpose of the engagement; and

—  unrestricted access to persons within the appropriate party(ies) from whom the practitioner determines it is necessary to obtain evidence.

.09 Practitioners are responsible for complying with the relevant performance and reporting requirements established in the attestation standards when they are engaged to issue, or do issue, an examination, review, or agreed-upon procedures report on subject matter or an assertion about subject matter that is the responsibility of another party (the responsible party). Although a practitioner may assist the responsible party in developing or presenting the subject matter, the responsible party remains responsible for the subject matter.

Performance

.10 In all services provided under the attestation standards, practitioners are responsible for

having the appropriate competence and capabilities to perform the engagement,

complying with relevant ethical requirements,

maintaining professional skepticism, and

exercising professional judgment throughout the planning and performance of the engagement.

.11 To express an opinion in an examination, the practitioner obtains reasonable assurance about whether the subject matter, or an assertion about the subject matter, is free from material misstatement, whether due to fraud or error. To obtain reasonable assurance, which is a high but not absolute level of assurance, the practitioner

plans the work and properly supervises other members of the engagement team.

identifies and assesses the risks of material misstatement, whether due to fraud or error, based on an understanding of the subject matter, its measurement or evaluation, the criteria, and other engagement circumstances.

obtains sufficient appropriate evidence about whether material misstatements exist by designing and implementing appropriate responses to the assessed risks. Examination procedures may involve inspection, observation, analysis, inquiry, reperformance, recalculation, or confirmation with outside parties.

.12 To express a conclusion in a review, the practitioner obtains limited assurance about whether any material modification should be made to the subject matter in order for it be in accordance with (or based on) the criteria or to an assertion about the subject matter in order for it to be fairly stated. In a review, the nature and extent of the procedures are substantially less than in an examination. To obtain limited assurance in a review, the practitioner

plans the work and properly supervises other members of the engagement team.

focuses procedures in those areas in which the practitioner believes increased risks of misstatements exist, whether due to fraud or error, based on the practitioner’s understanding of the subject matter, its measurement or evaluation, the criteria, and other engagement circumstances.

obtains review evidence, through the application of inquiry and analytical procedures or other procedures as appropriate, to obtain limited assurance that no material modifications should be made to the subject matter in order for it to be in accordance with (or based on) the criteria.

.13 To report on the application of agreed-upon procedures, the practitioner applies procedures determined by the specified parties who are the intended users of the practitioner’s report and who are responsible for the sufficiency of the procedures for their purposes. As a result of the engagement, the practitioner reports on the results of the engagement but does not provide an opinion or conclusion on the subject matter or assertion. In an agreed-upon procedures engagement, the practitioner

plans the work and properly supervises other members of the engagement team.

applies the procedures agreed to by the specified parties and reports on their results.

Reporting

.14 Based on evidence obtained, the practitioner expresses an opinion in an examination, expresses a conclusion in a review, or reports findings in an agreed-upon procedures engagement. In the case of an examination, the practitioner’s report provides an opinion about whether the subject matter, as measured against the criteria, is in accordance with (or based on) the criteria (or whether the assertion about the subject matter is fairly stated), in all material respects. In a review, the report expresses a conclusion about whether, based on the limited procedures, the practitioner is aware of any material modification that should be made to the subject matter in order for it to be in accordance with (or based on) the criteria or to the assertion in order for it to be fairly stated. In an agreed-upon procedures report, the practitioner describes the specified procedures that were applied to the subject matter and the results of those procedures.

Notes

*

This section contains an "AT-C" identifier, instead of an "AT" identifier, to avoid confusion with references to existing "AT" sections, which remain effective through April 2017.

__________________________

AT-C Glossary

Glossary of Terms1

Appropriate party. Reference to this term should be read as the responsible party or the engaging party, as appropriate. Also see engaging party and responsible party.

Appropriateness of evidence (in the context of section 205, Examination Engagements). The measure of the quality of evidence, that is, its relevancy and reliability in providing support for the practitioner’s opinion. Also see evidence.

Appropriateness of review evidence (in the context of section 210, Review Engagements). The measure of the quality of review evidence, that is, its relevancy and reliability in providing support for the practitioner’s conclusion. Also see review evidence.

Assertion. Any declaration or set of declarations about whether the subject matter is in accordance with (or based on) the criteria.

Attestation engagement. An examination, review, or agreed-upon procedures engagement performed under the attestation standards related to subject matter or an assertion that is the responsibility of another party. The following are the three types of attestation engagements:

Examination engagement

. An attestation engagement in which the practitioner obtains reasonable assurance by obtaining sufficient appropriate evidence about the measurement or evaluation of subject matter against criteria in order to be able to draw reasonable conclusions on which to base the practitioner’s opinion about whether the subject matter is in accordance with (or based on) the criteria or the assertion is fairly stated, in all material respects.

Review engagement

. An attestation engagement in which the practitioner obtains limited assurance by obtaining sufficient appropriate review evidence about the measurement or evaluation of subject matter against criteria in order to express a conclusion about whether any material modification should be made to the subject matter in order for it be in accordance with (or based on) the criteria or to the assertion in order for it to be fairly stated.

Agreed-upon procedures engagement

. An attestation engagement in which a practitioner performs specific procedures on subject matter or an assertion and reports the findings without providing an opinion or a conclusion on it. The parties to the engagement (

specified parties

) agree upon and are responsible for the sufficiency of the procedures for their purposes.

  Also see specified party and attestation standards.

Attestation risk. In an examination or review engagement, the risk that the practitioner expresses an inappropriate opinion or conclusion, as applicable, when the subject matter or assertion is materially misstated.

Attestation standards. The Statements on Standards for Attestation Engagements (SSAEs), which are also known as the attestation standards, establish requirements and provide guidance for performing and reporting on examination, review, and agreed-upon procedures engagements (attestation engagements). Examples of subject matter for attestation engagements are a schedule of investment returns, the effectiveness of an entity’s controls over the security of a system, or a statement of greenhouse gas emissions. The SSAEs apply only to attestation engagements performed under the SSAEs. They are issued under the "Compliance With Standards Rule" (ET sec. 1.310.001) of the AICPA Code of Professional Conduct, which requires an AICPA member who performs an attestation engagement to comply with standards promulgated by bodies designated by AICPA Council. AICPA Council has granted the Auditing Standards Board authority to promulgate the attestation standards, which are issued through a due process that includes deliberation in meetings open to the public, public exposure of proposed attestation standards, and a formal vote by an authorized standard-setting body. Also see attestation engagement.

Carve-out method (in the context of section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting). Method of addressing the services provided by a subservice organization, whereby management’s description of the service organization’s system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor’s engagement the subservice organization’s relevant control objectives and related controls.

Complementary subservice organization controls (in the context of section 320). Controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management’s description of the service organization’s system.

Complementary user entity controls (in the context of section 320). Controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the service organization’s system.

Compliance with specified requirements (in the context of section 315, Compliance Attestation). An entity’s compliance with specified laws, regulations, rules, contracts, or grants.

Control objectives (in the context of section 320). The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.

Controls at a service organization (in the context of section 320). The policies and procedures at a service organization likely to be relevant to user entities’ internal control over financial reporting. These policies and procedures are designed, implemented, and documented by the service organization to provide reasonable assurance about the achievement of the control objectives relevant to the services covered by the service auditor’s report.

  In the context of section 320, the policies and procedures include aspects of the information and communications component of user entities’ internal control maintained by the service organization and control activities related to the information and communications component and may also include aspects of one or more of the other components of internal control at a service organization. For example, the definition of controls at a service organization may include aspects of the service organization’s control environment, risk assessment, monitoring activities, and control activities when they relate to the services provided. Such definition does not, however, include controls at a service organization that are not related to the achievement of the control objectives stated in management’s description of the service organization’s system, for example, controls related to the preparation of the service organization’s own financial statements.

Criteria. The benchmarks used to measure or evaluate the subject matter.

Criteria for the preparation of pro forma financial information (in the context of section 310, Reporting on Pro Forma Financial Information). The basis disclosed in the pro forma financial information that management used to develop the pro forma financial information, including the assumptions underlying the pro forma financial information. Paragraph .11 of section 310 contains the attributes of suitable criteria for an examination or review of pro forma financial information.

Documentation completion date. The date on which the practitioner has assembled for retention a complete and final set of documentation in the engagement file.

Engagement circumstances. The broad context defining the particular engagement, which includes the terms of the engagement; whether it is an examination, review, or agreed-upon procedures engagement; the characteristics of the subject matter; the criteria; the information needs of the intended users; relevant characteristics of the responsible party and, if different, the engaging party and their environment; and other matters, for example, events, transactions, conditions and practices, and relevant laws and regulations, that may have a significant effect on the engagement.

Engagement documentation. The record of procedures performed, relevant evidence obtained, and, in an examination or review engagement, conclusions reached by the practitioner, or in an agreed-upon procedures engagement, findings of the practitioner. (Terms such as working papers or workpapers are also sometimes used).

Engagement partner. The partner or other person in the firm who is responsible for the attestation engagement and its performance and for the practitioner’s report that is issued on behalf of the firm and who, when required, has the appropriate authority from a professional, legal, or regulatory body. Engagement partner, partner, and firm refer to their governmental equivalents when relevant. Also see firm and practitioner.

Engagement team. All partners and staff performing the engagement and any individuals engaged by the firm or a network firm who perform attestation procedures on the engagement. This excludes a practitioner’s external specialist and engagement quality control reviewer engaged by the firm or a network firm. The term engagement team also excludes individuals within the client’s internal audit function who provide direct assistance.

Engaging party. The party(ies) that engages the practitioner to perform the attestation engagement. Also see appropriate party and responsible party.

Entity (in the context of section 305, Prospective Financial Information). Any unit, existing or to be formed for which financial statements could be prepared in accordance with generally accepted accounting principles or special purpose frameworks. For example, an entity can be an individual, partnership, corporation, trust, estate, association, or governmental unit.

Evidence. Information used by the practitioner in arriving at the opinion, conclusion, or findings on which the practitioner’s report is based. Also see appropriateness of evidence and sufficiency of evidence.

Financial forecast (in the context of section 305). Prospective financial statements that present, to the best of the responsible party’s knowledge and belief, an entity’s expected financial position, results of operations, and cash flows. A financial forecast is based on the responsible party’s assumptions reflecting conditions it expects to exist and the course of action it expects to take. A financial forecast may be expressed in specific monetary amounts as a single-point estimate of forecasted results or as a range, when the responsible party selects key assumptions to form a range within which it reasonably expects, to the best of its knowledge and belief, the item or items subject to the assumptions to actually fall. If a forecast contains a range, the range is not selected in a biased or misleading manner (for example, a range in which one end is significantly less expected than the other).

Financial projection (in the context of section 305). Prospective financial statements that present, to the best of the responsible party’s knowledge and belief, given one or more hypothetical assumptions, an entity’s expected financial position, results of operations, and cash flows. A financial projection is sometimes prepared to present one or more hypothetical courses of action for evaluation, as in response to a question such as, "What would happen if...?" A financial projection is based on the responsible party’s assumptions reflecting conditions it expects would exist and the course of action it expects would be taken, given one or more hypothetical assumptions. A projection, like a forecast, may contain a range.

Firm. A form of organization permitted by law or regulation whose characteristics conform to resolutions of the Council of the AICPA and that is engaged in the practice of public accounting. Also see engagement partner and practitioner.

Forecast (in the context of section 305). Used alone, this term means forecasted information, which can be either a full presentation (a financial forecast) or a partial presentation. Also see financial forecast.

Fraud. An intentional act involving the use of deception that results in a misstatement in the subject matter or the assertion.

General use. Use of a practitioner’s report that is not restricted to specified parties.

General use of prospective financial statements (in the context of section 305). Refers to the use of the statements by persons with whom the responsible party is not negotiating directly, for example, in an offering statement of an entity’s debt or equity interests. Also see limited use of prospective financial statements and prospective financial statements.

Guide (in the context of section 305). The AICPA Guide Prospective Financial Information.

Hypothetical assumption (in the context of section 305). An assumption used in a financial projection or in a partial presentation of projected information to present a condition or course of action that is not necessarily expected to occur but is consistent with the purpose of the projection.

Inclusive method (in the context of section 320). Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization’s relevant control objectives and related controls.

Internal audit function. A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes.

Internal control over compliance (in the context of section 315). An entity’s internal control over compliance with specified requirements. The internal control addressed in section 315 may include part of, but is not the same as, internal control over financial reporting.

Interpretive publications. Interpretive publications are not attestation standards. Interpretive publications are recommendations on the application of the attestation standards in specific circumstances, including engagements for entities in specialized industries. An interpretive publication is issued under the authority of the relevant senior technical committee after all members of the committee have been provided an opportunity to consider and comment on whether the proposed interpretive publication is consistent with the attestation standards. Examples of interpretive publications are interpretations of the attestation standards, exhibits to the attestation standards, attestation guidance included in AICPA guides and attestation Statements of Position (SOPs). Interpretations of the attestation standards and exhibits are included within the sections of the attestation standards. AICPA guides and attestation SOPs are listed in AT-C appendix A, "AICPA Guides and Statements of Position," of the attestation standards. Also see other attestation publications.

Key factors (in the context of section 305). The significant matters on which an entity’s future results are expected to depend. Such factors are basic to the entity’s operations and, thus, encompass matters that affect, among other things, the entity’s sales, production, service, and financing activities. Key factors serve as a foundation for prospective financial information and are the bases for the assumptions.

Limited use of prospective financial statements (in the context of section 305). Refers to the use of prospective financial statements by the responsible party alone or by the responsible party and third parties with whom the responsible party is negotiating directly. Examples include use in negotiations for a bank loan, submission to a regulatory agency, and use solely within the entity. Also see general use of prospective financial statements and prospective financial statements.

Management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls (referred to in the context of section 320 as a type 1 report). A service auditor’s report that comprises the following:

i.  Management’s description of the service organization’s system

ii.  A written assertion by management of the service organization about whether, based on the criteria

(1)  management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date

(2)  the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives as of the specified date

iii.  A service auditor’s report that expresses an opinion on the matters in (ii)(1)–(ii)(2)

Management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls (referred to in the context of section 320 as a type 2 report). A service auditor’s report that comprises the following:

i.  Management’s description of the service organization’s system

ii.  A written assertion by management of the service organization about whether, based on the criteria

(1)  management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented throughout the specified period

(2)  the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed throughout the specified period to achieve those control objectives

(3)  the controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives

iii.  A service auditor’s report that

(1)  expresses an opinion on the matters in (ii)(1)–(ii)(3)

(2)  includes a description of the tests of controls and the results thereof

Material noncompliance (in the context of section 315). A failure to follow compliance requirements or a violation of prohibitions included in the specified requirements that results in noncompliance that is quantitatively or qualitatively material, either individually or when aggregated with other noncompliance.

Misstatement. A difference between the measurement or evaluation of the subject matter by the responsible party and the proper measurement or evaluation of the subject matter based on the criteria. Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions. In certain engagements, a misstatement may be referred to as a deviation, exception, or instance of noncompliance. Also see risk of material misstatement.

Modified opinion (in the context of section 205). A qualified opinion, an adverse opinion, or a disclaimer of opinion.

Monitoring of controls(in the context of section 320). A process to assess the effectiveness of internal control performance over time. It involves assessing the effectiveness of controls on a timely basis, identifying and reporting deficiencies to appropriate individuals within the service organization, and taking necessary corrective actions.

Network firm. A firm or other entity that belongs to a network, as defined in ET section 0.400, Definitions.

Noncompliance with laws or regulations. Acts of omission or commission by the entity, either intentional or unintentional, that are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the name of, the entity or on its behalf by those charged with governance, management, or employees. Noncompliance does not include personal misconduct (unrelated to the subject matter) by those charged with governance, management, or employees of the entity.

Nonparticipant party (in the context of section 215, Agreed-Upon Procedures Engagements). An additional specified party the practitioner is requested to add as a user of the report subsequent to the completion of the agreed-upon procedures engagement. Also see specified party.

Other attestation publications. Publications other than interpretive publications. These include AICPA attestation publications not defined as interpretive publications; attestation articles in the Journal of Accountancy and other professional journals; continuing professional education programs and other instruction materials, textbooks, guidebooks, attestation programs, and checklists; and other attestation publications from state CPA societies, other organizations, and individuals. Other attestation publications have no authoritative status; however, they may help the practitioner understand and apply the attestation standards. The practitioner is not expected to be aware of the full body of other attestation publications. Also see interpretive publications.

Other practitioner. An independent practitioner who is not a member of the engagement team who performs work on information that will be used as evidence by the practitioner performing the attestation engagement. An other practitioner may be part of the practitioner’s firm, a network firm, or another firm.

Partial presentation (in the context of section 305). A presentation of prospective financial information that excludes one or more of the applicable items required for prospective financial statements as described in chapter 8, "Presentation Guidelines," of the AICPA Guide Prospective Financial Information.

Pervasive (in the context of section 205). Describes the effects on the subject matter of misstatements or the possible effects on the subject matter of misstatements, if any, that are undetected due to an inability to obtain sufficient appropriate evidence. Pervasive effects on the subject matter are those that, in the practitioner’s professional judgment

a.  are not confined to specific aspects of the subject matter;

b.  if so confined, represent or could represent a substantial proportion of the subject matter; or

c.  in relation to disclosures, are fundamental to the intended users’ understanding of the subject matter.

Practitioner. The person or persons conducting the attestation engagement, usually the engagement partner or other members of the engagement team, or, as applicable, the firm. When a section of the attestation standards expressly intends that a requirement or responsibility be fulfilled by the engagement partner, the term engagement partner, rather than practitioner, is used. Engagement partner and firm are to be read as referring to their governmental equivalents when relevant. Also see engagement partner and firm.

Practitioner’s specialist. An individual or organization possessing expertise in a field other than accounting or attestation, whose work in that field is used by the practitioner to assist the practitioner in obtaining evidence for the service being provided. A practitioner’s specialist may be either a practitioner’s internal specialist (who is a partner or staff, including temporary staff, of the practitioner’s firm or a network firm) or a practitioner’s external specialist. Partner and firm refer to their governmental equivalents when relevant.

Presentation guidelines (in the context of section 305). The criteria for the presentation and disclosure of prospective financial information.

Presumptively mandatory requirements. The category of professional requirements with which the practitioner must comply in all cases in which such a requirement is relevant, except in rare circumstances discussed in paragraph .20 of section 105, Concepts Common to All Attestation Engagements. The attestation standards use the word should to indicate a presumptively mandatory requirement. Also see attestation standards and unconditional requirements.

Pro forma financial information (in the context of section 310). A presentation that shows what the significant effects on historical financial information might have been had a consummated or proposed transaction (or event) occurred at an earlier date.

Professional judgment. The application of relevant training, knowledge, and experience, within the context provided by attestation and ethical standards in making informed decisions about the courses of action that are appropriate in the circumstances of the attestation engagement.

Professional skepticism. An attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of evidence.

Projection (in the context of section 305). This term can refer to either a financial projection or a partial presentation of projected information. Also see financial projection.

Prospective financial information(in the context of section 305). Any financial information about the future. The information may be presented as complete financial statements or limited to one or more elements, items, or accounts.

Prospectivefinancial statements (in the context of section 305). Either financial forecasts or financial projections, including the summaries of significant assumptions and accounting policies. Although prospective financial statements may cover a period that has partially expired, statements for periods that have completely expired are not considered to be prospective financial statements. Pro forma financial statements and partial presentations are not considered to be prospective financial statements. Also see general use of prospective financial statements and limited use prospective financial statements.

Reasonable assurance. A high but not absolute level of assurance.

Report release date. The date on which the practitioner grants the engaging party permission to use the practitioner’s report.

Responsible party. The party(ies) responsible for the subject matter. If the nature of the subject matter is such that no such party exists, a party who has a reasonable basis for making a written assertion about the subject matter may be deemed to be the responsible party. Also see appropriate party and engaging party.

Review evidence (in the context of section 210). Information used by the practitioner in obtaining limited assurance on which the practitioner’s review report is based. Also see appropriateness of review evidence and sufficiency of review evidence.

Risk of material misstatement (in the context of section 205). The risk that the subject matter is not in accordance with (or based on) the criteria in all material respects or that the assertion is not fairly stated, in all material respects. Also see misstatement.

Service auditor (in the context of section 320). A practitioner who reports on controls at a service organization.

Service organization (in the context of section 320). An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ internal control over financial reporting.

Service organization’s assertion (in the context of section 320). A written assertion about the matters referred to in item ii of the definition of Management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls, for a type 2 report, and, for a type 1 report, the matters referred to in part (b) of the definition of Management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls.

Service organization’s system (in the context of section 320). The policies and procedures designed, implemented, and documented by management of the service organization to provide user entities with the services covered by the service auditor’s report. Management’s description of the service organization’s system identifies the services covered, the period to which the description relates (or in the case of a type 1 report, the date to which the description relates), the control objectives specified by management or an outside party, the party specifying the control objectives (if not specified by management), and the related controls.

  In the context of section 320, the policies and procedures refer to the guidelines and activities for providing transaction processing and other services to user entities and include the infrastructure, software, people, and data that support the policies and procedures.

Specified party. The intended user(s) to whom use of the practitioner’s written report is limited. Also see nonparticipant party.

Statements on Standards for Attestation Engagements (SSAEs). See attestation standards.

Subject matter. The phenomenon that is measured or evaluated by applying criteria.

Subservice organization (in the context of section 320). A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.

Sufficiency of evidence (in the context of section 205). The measure of the quantity of evidence. The quantity of the evidence needed is affected by the risks of material misstatement and also by the quality of such evidence. Also see evidence.

Sufficiency of review evidence (in the context of section 210). The measure of the quantity of review evidence. The quantity of the review evidence needed is affected by the risks of material misstatement and also by the quality of such evidence. Also see review evidence.

Suitable criteria. Criteria that exhibit all the following characteristics:

Relevance

. Criteria are relevant to the subject matter.

Objectivity

. Criteria are free from bias.

Measurability

. Criteria permit reasonably consistent measurements, qualitative or quantitative, of subject matter.

Completeness

. Criteria are complete when subject matter prepared in accordance with them does not omit relevant factors that could reasonably be expected to affect decisions of the intended users made on the basis of that subject matter.

Test of controls (in the context of section 205). A procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements in the subject matter.

Test of controls (in the context of section 320). A procedure designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management’s description of the service organization’s system.

Type 1 report. See management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls.

Type 2 report. See management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls.

Unconditional requirements. The category of professional requirements with which the practitioner must comply in all cases in which such requirement is relevant. The attestation standards use the word must to indicate an unconditional requirement. Also see attestation standards and presumptively mandatory requirements.

User auditor (in the context of section 320). An auditor who audits and reports on the financial statements of a user entity.

User entity (in the context of section 320). An entity that uses a service organization for which controls at the service organization are likely to be relevant to that entity’s internal control over financial reporting.

Working papers or workpapers. See engagement documentation.

Notes

1

This glossary lists terms defined in the "Definitions" sections of the attestation standards as well as certain terms defined or explained in other sections of the attestation standards. Terms defined for purposes of a specific section are denoted as such. Terms may appear in more than one section.

__________________________

AT-C Section 100

COMMON CONCEPTS

The following is a Codification of Statements on Standards for Attestation Engagements (SSAEs) resulting from the Auditing Standards Board’s (ASB) project to clarify the SSAEs and related attestation interpretations. SSAEs are issued by senior committees of the AICPA designated to issue pronouncements on attestation matters applicable to the preparation and issuance of attestation reports for entities that are nonissuers.1 The “Compliance With Standards Rule” (ET sec. 1.310.001) of the AICPA Code of Professional Conduct requires an AICPA member performing an attestation engagement for a nonissuer (a practitioner) to comply with standards promulgated by the ASB. A practitioner must comply with an unconditional requirement in all cases in which such requirement is relevant. A practitioner also must comply with a presumptively mandatory requirement in all cases in which such requirement is relevant; however, if, in rare circumstances, a practitioner judges it necessary to depart from a relevant presumptively mandatory requirement, the practitioner must document the justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement.

Attestation interpretations are interpretive publications, as defined in section 105, Concepts Common to All Attestation Engagements. Section 105 requires the practitioner to consider applicable interpretive publications in planning and performing the attestation engagement. Interpretive publications are not attestation standards. Interpretive publications are recommendations on the application of the SSAEs in specific circumstances, including engagements for entities in specialized industries. An interpretive publication is issued under the authority of the relevant senior technical committee after all members of the committee have been provided an opportunity to consider and comment on whether the proposed interpretive publication is consistent with the SSAEs. Attestation interpretations are included in AT-C sections. AICPA Guides and Attestation Statements of Position are listed in AT-C appendix A, “AICPA Guides and Statements of Position.”

TABLE OF CONTENTS

105  Concepts Common to All Attestation Engagements

Introduction

Compliance With the Attestation Standards

Relationship of Attestation Standards to Quality Control Standards

Effective Date

Objectives

Definitions

Requirements