A new look at the attestation standards.

SSAE no. 10 supersedes all previous statements on attest engagement standards.

The Auditing Standards Board (ASB) has issued Statement on Standards for Attestation Engagements (SSAE) no. 10, Attestation Standards: Revision and Recodification. Because of the growing market demand for different kinds of attest services, it is the ASB's aim in releasing the statement to clarify and broaden the applicability of the attestation standards and to provide guidance on practice issues. In the past, practitioners considered the line between consulting service engagements and attest engagements a somewhat blurry one. Thus, another goal of the SSAE no. 10 project is to remove that ambiguity (see "Drawing the Line," page 42).

In 1986 the ASB issued the first SSAE, Attestation Standards, to capitalize on existing CPA skills and to provide guidance on applying that expertise to information other than historical financial statements. Using those attestation standards and succeeding ones, practitioners began to render assurance on many new types of information and business systems (see "What Are SysTrust and WebTrust?" page 44).

The new statement--SSAE no. 10--supersedes all previously issued SSAEs; the effective date is June 1, 2001. Chapter 1, "Attest Engagements," of SSAE no. 10 provides a framework that establishes how practitioners are to conduct attest engagements and that can be used for developing guidance on specific services. (See "Official Releases," page 94). The ASB conformed the existing guidance on specific attest engagements, such as financial forecasts and projections and compliance with laws or regulations, and folded it into chapters 2 through 7. (See "A Guide to Services CPAs Can Offer and the Rules That Apply," page 43, for examples of attest engagements and relevant guidance.)

WHAT IS AN ATTEST ENGAGEMENT?

In an attest engagement, the practitioner is attesting to, or providing assurance on, subject matter that is the responsibility of another party. The attestation standards apply, therefore, whenever an independent CPA has been engaged to issue, or issues, an examination report, a review report or an agreed-upon procedures (AUP) report on subject matter--or an assertion about the subject matter--that is the responsibility of another party.

However, chapter 1 of SSAE no. 10 specifically identifies certain engagements, such as a financial statement audit, that are not subject to the attestation standards. Consequently, when performing engagements under professional standards other than those governing attest engagements, practitioners should take steps to ensure that readers of their reports do not mistake them for attest reports. They can accomplish this by not drawing conclusions similar to those in an examination or a review attest report. For example, a client may engage a practitioner to make recommendations for improvements in its internal control. If, in his or her report, the practitioner were to state that the client's internal control was adequate or effective, a reader might mistakenly assume that statement is an attest report. Whether or not the practitioner intended such an interpretation, the attestation standards still would apply.

THE RESPONSIBLE PARTY--A MUST-HAVE

The practitioner and the responsible party have distinctly different roles in an attest engagement. The latter--who often is the client--is responsible or accountable for the subject matter and typically provides the practitioner with a written assertion about it. The responsible party, for example, might be a corporate officer charged with overseeing his or her company's compliance with a law or regulation. In contrast, the practitioner acts as an objective, independent attester by performing the attest engagement and providing the examination, review or agreed-upon procedures attest report. He or she is not responsible for the subject matter or selecting the criteria.

While the practitioner can identify the responsible party in most attest engagements, in a few instances the subject matter precludes the existence of one. For example, a resort community's chamber of commerce may want to publicize the town's 300 days of sunny weather in the past year. Since no one is responsible for the weather, the client may make an assertion, assuming it has a reasonable basis for doing so.

CRITERIA--JUST RIGHT AND EASY TO GET AT

The ASB recognized that, for an attest service to be meaningful and useful, the criteria for evaluating the underlying subject matter have to be solid. Thus, the general attestation standards specify that for practitioners to be able to perform and report on an attest engagement, the criteria for evaluating the subject matter of the engagement must be suitable and available to users of the engagement report.

Suitability. SSAE no. 10 specifically acknowledges that some criteria, such as the COSO criteria for evaluating internal control over financial reporting, are "suitable." Ordinarily, criteria are considered suitable if established by groups of experts that follow due process--for example, exposing the proposed criteria for public comment. But if groups that do not follow due process procedures or do not clearly represent the public interest developed the client's criteria for evaluation, the practitioner should determine whether those criteria have the following required attributes of suitability: objectivity, measurability, completeness and relevance. If the practitioner does not find the criteria to be suitable, he or she should decline the engagement.

Availability. The availability test is very clear-cut; the criteria are considered to be "available" if they are any of the following:

* Published.
* Posted to a Web site.
* Included with the client's presentation of the subject matter (or assertion about the subject matter) and the practitioner's attest report.

A Guide to Services CPAs Can Offer and the Rules That Apply

| Examples of attest services | Examination | Review | Agreed-upon procedures (AUP) | Relevant guidance |
|---|---|---|---|---|
| Financial forecasts and projections | Yes | Prohibited | Yes | SSAE no. 10, chapter 3 |
| Pro forma financial information | Yes | Yes | Yes | SSAE no. 10, chapters 2 and 4 |
| Internal control over financial reporting | Yes | Prohibited | Yes | SSAE no. 10, chapters 2 and 5 |
| Internal control over operations | Yes | Yes | Yes | SSAE no. 10, chapters 1 and 2 |
| Compliance with laws and regulations | Yes | Prohibited | Yes | SSAE no. 10, chapter 6 |
| Management's discussion and analysis (MD&A) presented in accordance with SEC rules and regulations | Yes | Yes | Yes | SSAE no. 10, chapters 2 and 7 |
| MD&A presented in accordance with rules other than SEC rules and regulations (for example, GASB or state insurance department rules for insurers) | Yes | Yes | Yes | SSAE no. 10, chapters 1 and 2 |
| WebTrust and SysTrust | Yes | N/A | N/A | www.aicpa.org/assurance/index.html |
| Attest engagements for the U.S. Department of Housing and Urban Development (AUP for electronic submission of financial data) | N/A | N/A | Yes | www.hud.gov/reac/products/fass/mf_doc.html and www.hud.gov/mac/products/fass/pha_doc.html |

Source: AICPA and U.S. Department of Housing and Urban Development.

Sometimes, however, the criteria are contained in a contract, and one or more parties to the engagement prefer not to make the contract's terms public. In that case, only parties to the contract--who also would be specified in the attest report--would be able to use the report.

IS THE CLIENT ALWAYS RESPONSIBLE?

In developing the new attest guidance, the ASB considered not only engagements in which the client is the responsible party but also those in which it is not. An example of the latter type of engagement is a situation in which a client engages a practitioner to perform an examination of another entity's compliance with certain laws or regulations prior to a merger or acquisition. In considering its guidance for these types of engagements, and especially when the responsible party does not provide a written assertion, the ASB makes some important distinctions:

The Holy Grail: the written assertion. Ordinarily, as part of an attest engagement, the practitioner will obtain from the responsible party a written assertion--that is, any written declaration(s) that party makes about whether the subject matter is based on or in conformity with the criteria: for example, company management's written statement that, as of a certain date, the company had effective internal control over financial reporting (based on the COSO criteria).

In broadening the availability of attest services, the ASB recognizes that the practitioner might not be able to obtain a written assertion in all cases. In an attest engagement where the responsible party is not the client, he or she may have little motivation to provide the practitioner with a written assertion. To enable practitioners to conduct such engagements but, at the same time, to help protect them from legal liability, the ASB concluded that

* Examination and review attest reports should contain a statement that a written assertion about the subject matter was not provided.
* Use of the report should be restricted solely to the client.
* When the client is the responsible party and refuses to provide the practitioner with a written assertion, SSAE no. 10 specifically identifies the refusal as a client-imposed limitation on the scope of the engagement, requiring a modification to the examination report. On a review engagement, such a restriction would be sufficient cause for the practitioner to withdraw.

The bottom line: If the responsible party refuses to provide the practitioner with a written assertion in an examination engagement, the practitioner's report must refer to that scope limitation and its use must be restricted to specified parties.

Do you need an assertion? Although the ASB eliminated the requirement for the practitioner to obtain a written assertion to perform an agreed-upon procedures attest engagement, SSAE no. 10 retains that requirement for performing an AUP engagement on compliance or internal control over compliance (in chapter 6, "Compliance Attestation"). By omitting the assertion requirement in an AUP attest engagement, the ASB cleared the way to withdraw SAS no. 75 (see SAS no. 93, Omnibus Statement on Auditing Standards--2000) and fold into SSAE no. 10 relevant guidance on performing agreed-upon procedures for an element, account or item of a financial statement.

What about a representation letter? During an attest engagement, the client and the responsible party make many oral and written representations to the practitioner. A representation letter from the client or responsible party ordinarily confirms representations explicitly or implicitly given to the practitioner, indicates and documents their continuing appropriateness and reduces the possibility of misunderstanding about matters involving such representations. The ASB believes practitioners should consider obtaining a representation letter in an attest engagement. But because of the complexity of practice issues raised by the broadened availability of attest services, the ASB does not require a representation letter on every attest engagement. Before agreeing to perform such an engagement, a practitioner should carefully review the requirements of SSAE no. 10. However, in an examination or a review engagement, even when a representation letter is not required, the practitioner should consider obtaining one.

MORE OPTIONS IN REPORTING

SSAE no. 10 enables true direct reporting: For example, it permits the practitioner to state, in the introductory paragraph of an examination report, that he or she has examined the subject matter (which might consist of the effectiveness of the company's internal control, in accordance with the COSO criteria, over financial reporting as of a particular date) and then to express an opinion on that subject matter. It also provides the practitioner with the option of structuring the report to address the written assertion. However, if conditions exist that individually or together result in one or more material misstatements or deviations from the criteria (such as the COSO criteria for internal control), the practitioner--in order to most effectively communicate with the reader of the report--should modify the report and express his or her opinion or conclusion directly on the subject matter, not the assertion.

STANDARDS FOR TODAY AND TOMORROW

Since existing interpretations of the attestation standards (in particular, AT sections 100 and 400 of AICPA Professional Standards) were affected by the changes reflected in SSAE no. 10, the ASB revised and reissued them (in the January 2001 edition). A practice aid on attest engagements subject to the guidance in chapter 1 of SSAE no. 10 is in development and will be available later this year.

The new statement is effective when the subject matter or assertion is as of or for a period ending after June 1, 2001. Earlier application is permitted.

In developing and issuing SSAE no. 10, the ASB aims to give practitioners the evaluative and reporting capabilities they need to meet businesses' growing demand for increasingly diverse assurance services. Observers believe the changes the new SSAE introduces will help practitioners effectively respond not only to clients' current assurance needs but also to their future ones.

Key Factors in an Attest Engagement

* Subject matter. The topic to which the engagement pertains or that which is being tested--for example, the effectiveness of a company's internal control over financial reporting.
* Responsible party. The individual(s) accountable for the subject matter, either personally or as the representative(s) of an entity.
* Criteria. The specific standards or benchmarks chosen by the client or responsible party to evaluate the subject matter--for example, the Committee of Sponsoring Organizations (COSO)'s Internal Control--Integrated Framework. Since there may be more than one set of criteria for evaluating a particular subject matter, the client or responsible party must select those criteria. However, the client alone determines whether the criteria are appropriate for its purposes.

Drawing the Line

In developing more specific guidance on the applicability of attestation standards, the ASB considered the differences between attest and consulting services engagements. One of the primary issues for a CPA in deciding whether an attest or a consulting services engagement is appropriate is the client's objective in requesting the engagement. If the client seeks recommendations or advice on a certain matter, a consulting engagement is likely the more appropriate. But if the client wants a written report providing assurance about a specific subject, such as the entity's internal control over financial reporting, then an attest engagement is called for.

Although some may see little distinction between a consulting engagement and an agreed-upon procedures (AUP) attest engagement, there are significant differences between the two. A written report is not required for a consulting services engagement, but it is mandated for an AUP attest engagement. In addition, in an AUP attest engagement, the practitioner must obtain the specified parties' agreement on the procedures to be performed. In a consulting engagement, although the client will likely discuss its objectives for the engagement with the practitioner, there is no requirement to obtain agreement on the detailed procedures he or she will perform.

EXECUTIVE SUMMARY

* CHANGES IN THE BUSINESS WORLD are creating more opportunities for CPAs to provide assurance on nonfinancial information. Practitioners are expanding their services by trading on the skills they've traditionally used to provide assurance on historical financial statements.
* TO BROADEN THE APPLICABILITY of the attestation standards, the Auditing Standards Board is issuing SSAE no. 10, a revision and recodification of its attestation standards. The statement also will help CPAs distinguish between attest engagements and consulting engagements.
* SSAE NO. 10 ENABLES PRACTITIONERS to provide direct reporting on an attest engagement's subject matter, thus making attest reports clearer and more practical for those using them.
* THE ATTESTATION STANDARDS APPLY whenever an independent CPA has been engaged to issue, or issues, an examination report, a review report or an agreed-upon procedures report on subject matter--or an assertion about the subject matter--for which another party is responsible.
* FOR PRACTITIONERS TO BE ABLE TO PERFORM and report on an attest engagement, the criteria for evaluating the subject matter of the engagement must be "suitable" and "available" to anyone using the engagement report.
* ALTHOUGH THE PRACTITIONER MUST EVALUATE whether criteria are suitable under the general attestation standards, the client or responsible party must select the criteria. The client alone makes the determination that the criteria are appropriate for its purposes.

What Are SysTrust and WebTrust?

Independent practitioners participating in SysTrust and WebTrust apply these programs' standards to assurance engagements for business systems and Web sites, respectively.

Under the SysTrust program (www.aicpa.org/assurance/systrust/index.htm), a participating practitioner tests and evaluates a business system's ability to operate without material error, fault or failure during a certain period in a specific computing environment. Companies whose systems earn a SysTrust report can offer their customers and business partners objective evidence of their systems' reliability.

A practitioner participating in the WebTrust program (http://webtrust.org/) evaluates a Web site's practices and controls and issues an unqualified opinion on them. The AICPA and the Canadian Institute of Chartered Accountants jointly award a seal to Web sites whose business and information privacy practices, transaction integrity and protection of their customers' e-commerce information meet WebTrust standards.

JANE M. MANCINO, CPA, is a technical manager and CHARLES E. LANDES, CPA, is the director of the AICPA's audit and attest standards team. Their views, as expressed in this article, do not necessarily represent the views of the AICPA. Official positions are determined through certain specific committee procedures, due process and deliberation.