Attestation Engagements on Compliance

Article excerpt

Reporting on the safety and sound requirements under the Federal Deposit Insurance Corporation Improvement Act of 1991 is one recent example of a regulatory trend toward seeking assurances from an independent source on management's compliance with laws and regulations. The ASB has now issued the necessary guidance to satisfy certain aspects of FDICIA by using the attestation standards.

The AICPA's Auditing Standards Board (ASB) recently issued Statement on Standards for Attestation Engagements No. 3. Compliance Attestation (the "Statement"). The Statement gives guidance for reporting on management's representation on compliance with laws, regulations, rules, contracts, and grants and on the internal control structure over compliance with those matters. The effective date for the Statement is for engagements as of or for a period ending June 15, 1994, or thereafter. Early adoption is encouraged.

Before the Statement, a practitioner seeking to provide assurances about compliance with laws, regulations, and the like had to refer to several relevant, but not directly applicable sources for guidance. For example, for the practitioner to report on specified compliance requirements based soley on an audit of the client's financial statements, the practitioner would follow the guidance of SAS No. 62, Special Reports. However, there are many compliance engagements for which there has been no guidance. A recent example would be an engagement to report on S&L management's assertion regarding compliance with the safety and soundness requirements under the Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991. (The requirement for reporting on compliance under FDICIA is for periods ending December 31, 1993, or thereafter.) The Statement is designed to provide the means to satisfy FDICIA requirements.

ATTESTATION ENGAGEMENTS

The framework for the performance and reporting on attest engagements was established with an unnumbered statement, Attestation Standards (AT 100) issued by the AICPA in 1986. In April 1993, those standards (along with AT 200 and 300 dealing with forecasts and projections and pro forma financial information) became Statement on Standards for Attestation Engagements (SSAE) No. 1, Attestation Standards.

According to SSAE No. 1, an attestation engagement "is one in which a practitioner is engaged to issue or does issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party." The attestation standards do not supersede GAAS. Also, the differ from GAAS in several fundamental ways:

* They encourage low-risk attest services designed for specified users using "agreed-upon procedures" which usually involve "summary of findings" reports that usually provide a lower assurance level than that given in traditional financial statement audits.

* They broaden the attest function beyond financial statements.

Given the above, they are particularly suitable for operating effectiveness/efficiency and compliance engagements.

SSAE No. 2. Reporting on an Entity's Internal Control Structure Over Financial Reporting was issued in May 1993 in response to the growing need for effective and meaningful assurances about the effectiveness of internal control structures over financial reporting. An article on SSAE No. 2 is presented in the August 1993 issue of The CPA Journal.

SSAE No. 3 is et another example of the AICPA's action to "fill the gap" for a class of non-audit attest services.

Due to the many common elements shared by traditional financial statement audits and attestation engagements, new SSAEs parallel and refer to SASs to a large extent. Exhibit 1 lists the Statement's references to other SSAEs and SASs.

COMPLIANCE ATTESTATION

The Statement applies when a practitioner is engaged to report on management's written assertion about an entity's compliance with specified requirements (laws, regulations, rules, contracts, or grants) or the effectiveness of the entity's internal control structure over compliance with specified requirements. …