Miles CPA Review: AUD Q3 2017 Updates & Errata for 2017 Edition

Summary of updates:

- “New version” CPA exam structure (w.e.f. April 2017)
- AUD-7.2: Attestation Engagements [Auditing Standards Board (ASB) of the AICPA has issued “clarified” SSAE (AT-C) for clarity and convergence with international standards]
- AUD-7.3: Governmental Auditing [Miles’ content revised & updated; new mnemonics – APPEND, AICPA CD-VCD, AICPA SCI-Fi CD-VCD]
- AUD-7.4: Effect of I.T. on Audit - Also refer to Effect of I.T. on Internal Controls from BEC-7.5


Old version vs. New version:

| | CPA exams (2011 – March 2017) | CPA exams w.e.f. April 2017 |
|---|---|---|
| Skill-level tested | Remembering & Understanding; Application | Remembering & Understanding; Application; Analysis; Evaluation (for AUD only) |
| Exam structure & scoring weights | FAR: 90 MCQs (60%), 7 TBSs (40%); AUD: 90 MCQs (60%), 7 TBSs (40%); REG: 72 MCQs (60%), 6 TBSs (40%); BEC: 72 MCQs (85%), 3 WCTs (15%) | FAR: 66 MCQs (50%), 8 TBSs (50%); AUD: 72 MCQs (50%), 8 TBSs (50%); REG: 76 MCQs (50%), 8 TBSs (50%); BEC: 62 MCQs (50%), 4 TBSs (35%), 3 WCTs (15%) |
| # of Testlets | 4 testlets: 3 MCQ testlets + 1 TBS/WCT testlet | 5 testlets: 2 MCQ testlets + 3 TBS/WCT testlets |
| Time Allotment | FAR: 4 hours; AUD: 4 hours; REG: 3 hours; BEC: 3 hours | FAR: 4 hours; AUD: 4 hours; REG: 4 hours; BEC: 4 hours |
| Break | Optional breaks (count against time) | 15-min Standard break (after Testlet #3) + Optional breaks (count against time) |

* MCQ - Multiple Choice Question | TBS - Task Based Simulation | WCT - Written Communication Task

“New version” CPA exam structure (w.e.f. April 2017):

| Section | Testlet #1 | Testlet #2 | Testlet #3 | Testlet #4 | Testlet #5 |
|---|---|---|---|---|---|
| AUD | 36 MCQs | 36 MCQs | 2 TBSs | 3 TBSs | 3 TBSs |
| FAR | 33 MCQs | 33 MCQs | 2 TBSs | 3 TBSs | 3 TBSs |
| REG | 38 MCQs | 38 MCQs | 2 TBSs | 3 TBSs | 3 TBSs |
| BEC | 31 MCQs | 31 MCQs | 2 TBSs | 2 TBSs | 3 WCTs |

Break: 15 min

MCQ testlets - 50% weightage. Recommended time: Testlet #1: 50 mins; Testlet #2: 50 mins

TBS/WCT testlets - 50% weightage. Recommended time: Testlet #3: 30 mins; Testlet #4: 50 mins; Testlet #5: 60 mins

AUD-7 Miles CPA Review

A7-16

7.2) Attestation Engagements (SSAE)

▪ SSAE (Statements on Standards for Attestation Engagements)
  • Attestation engagements - Examination, review, or agreed-upon procedures engagement (performed under SSAE) where the CPA practitioner is engaged to report on a subject matter, or an assertion about the subject matter, that is the responsibility of another party
  • Subject matter may be based on
    ◦ Historical or prospective performance or condition (e.g., historical or prospective financial info, performance measurements, backlog data)
    ◦ Physical characteristics (e.g., narrative descriptions, square footage of facilities)
    ◦ Historical events (e.g., the price of a market basket of goods on a certain date)
    ◦ Analyses (e.g., break-even analyses)
    ◦ Systems and processes (e.g., I/C)
    ◦ Behavior (e.g., corporate governance, compliance with laws & regulations, HR practices)
  • Assertion is a declaration about whether the subject matter is in accordance with certain criteria. E.g., management asserts that I/C over compliance is effective based on given criteria
  • SSAE do not apply to:
    ◦ Audit engagements - SAS applies for non-issuers and PCAOB for issuers {Audit is examination of historical F/S; SSAE covers other examinations}
    ◦ Compilation or Review of F/S of non-issuers - SSARS applies
    ◦ Consulting Services - SSCS applies
    ◦ Personal Financial Planning Services - PFP applies
    ◦ Valuation Services - VS applies
    ◦ Tax engagements - SSTS applies
    ◦ Litigation services or expert witness services
    ◦ Performance audits pursuant to Government Auditing Standards
  • SSAE No. 18 - Issued to clarify & revise SSAE effective for periods on or after May 1, 2017. Attest standards are now codified with the prefix “AT-C” [where C stands for Clarity]
    ◦ A key objective of the AICPA Clarity projects has been to converge with international standards. However, one major difference still exists between SSAE & international attest standards:
      ⇒ Under SSAE, a practitioner is required to obtain a written assertion (for examination & review engagements) from the engaging party, except when engaging party is not the responsible party
      ⇒ This is not a mandatory requirement under international standards (ISAE)
  • Few sample attestation engagements:
    ◦ Prospective Financial Info (financial forecasts & projections)
    ◦ Pro forma financial info
    ◦ Compliance attestation (as a specific engagement)
    ◦ Management discussion & analysis
    ◦ I/C at a Service Organization
      ⇒ Trust Services criteria
      ⇒ As Relevant to User Entities’ ICFR

Attestation = ERA of other than historical F/S

SSAE (AT-C Code)


▪ Attestation standards
  • Extension of GAAS but conceptually different in the following ways:
    ◦ SSAE do not refer to F/S
    ◦ SSAE do not refer to GAAP
    ◦ SSAE provide lower levels of assurance than a GAAS audit
  • 11 Standards
    ◦ 5 General standards: {TIP where T includes Know Criteria}
      ⇒ Training & proficiency
      ⇒ Knowledge of the subject matter
      ⇒ Criteria - subject matter should be capable of evaluation against criteria that is suitable & available to users; a suitable criteria is relevant, objective, measurable & complete
      ⇒ Independence (independence is mandatory for audit & attestation)
      ⇒ Professional care in planning & performance
    ◦ 2 Fieldwork Standards {PIC without the I}
      ⇒ Planning & supervision
      ⇒ Internal Controls (the “I” left out of PIC)
      ⇒ Corroborative Audit Evidence
    ◦ 4 Reporting Standards {Identify Clean & Dirty Limits - Reporting standards are less specific due to the wide variety of attestation engagements possible}
      ⇒ Identify the subject matter or assertion being reported on and state the character of the engagement
      ⇒ Conclusions about the subject matter or assertion to be stated
      ⇒ Disclose significant reservations about the engagement including unresolved problems or concerns
      ⇒ Limited use - Restrict use of report to specified parties if:
        - Criteria is suitable for or available to limited number of parties,
        - Written assertion not provided by the client (engaging party), or
        - Reporting on an AUP engagement

Note:
- Traditionally, attest standards were classified as 11 basic standards as above with 3 groups - general, fieldwork and reporting. Until April 30, 2017, these were authoritative standards and were directly reflected in the SSAE
- Effective May 1, 2017, the Auditing Standards Board (ASB) of the AICPA has issued “clarified” SSAE (AT-C) for clarity and convergence with international standards. Though the above classification of attest standards has now been incorporated into clarified SSAE and is still broadly applicable, the above classification is no longer authoritative

Audit = Examination of historical F/S
Attest = ERA of other than historical F/S


▪ Categories of Attestation engagements: {attest = new ERA for practitioners with engagements beyond historical F/S!}
  • Examination leading to opinion
  • Review leading to assurance
  • AUP (Agreed-upon procedures) engagements leading to findings

| | Examination | Review | AUP |
|---|---|---|---|
| End result? | Expression of opinion based on reasonable assurance | Expression of conclusion based on limited assurance (negative assurance) | No assurance but procedures & findings are listed. Practitioner disclaims any responsibility for the sufficiency of the procedures |
| Work performed? | Procedures comparable to audits of historical F/S | Inquiry & Analytical procedures | As “agreed-upon” by practitioner and client |
| Limited use? | Criteria not suitable/available; Written assertion not provided if engaging party (client) is not the responsible party | Criteria not suitable/available; Written assertion not provided if engaging party (client) is not the responsible party | Mandatory |

▪ Reporting options for few types of attestation services:

Attestation service | Examination | Review | AUP
AUP Engagements | √
Prospective F/S (forecast/projection) | √ √
Pro-forma F/S | √ √
Compliance | √ √
Management discussion & analysis | √ √
I/C at a Service Organization: Trust Services
I/C at a Service Organization: Relevant to User Entities’ ICFR


▪ Few key requirements of attestation engagements:
  • Written assertion required - An attest engagement is predicated on the concept that a responsible party makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria. Therefore, the practitioner is required to request a written assertion from the responsible party (ok if the written assertion is included in an engagement letter, representation letter, alongside presentation of the subject matter or in the notes, etc.)
    ◦ Examination & Review Engagements - If responsible party refuses to provide a written assertion, practitioner should withdraw
      ⇒ Need not withdraw if engaging party ≠ responsible party [in this case, disclose the refusal in the attest report and restrict use of the report to the engaging party]
    ◦ For AUP engagements, responsible party’s refusal to provide a written assertion requires the practitioner to disclose that refusal in the report
  • Preconditions for an Attest Engagement
    ◦ Establish written understanding with engaging party (e.g., written engagement letter) regarding the terms of the engagement, including practitioner’s reporting responsibilities
    ◦ Responsible party (e.g., management) takes responsibility for the subject matter
    ◦ Engagement exhibits all of the following characteristics
      ⇒ Subject matter is appropriate
      ⇒ Criteria to be applied in the preparation and evaluation of the subject matter is suitable and will be available to the intended users
      ⇒ Practitioner expects to be able to obtain the evidence including
        - Access to all relevant info of which the responsible party is aware,
        - Access to additional info that the practitioner may request, and
        - Unrestricted access to persons within the appropriate party(ies)
      ⇒ Practitioner to issue a written report with opinion (for examination), conclusion (for review) or findings (for AUP)
  • Written representation letter required
    ◦ From responsible party
      ⇒ Not mandatory if engaging party ≠ responsible party, in which case, practitioner would seek oral responses from responsible party and, if found ok, would restrict the use of attest report to the engaging party [note: in case of AUP, the use of report is anyways restricted]
    ◦ From engaging party (if engaging party ≠ responsible party) wherein the engaging party acknowledges that the responsible party is responsible for the subject matter & assertion
  • Engagement Documentation - To be assembled/filed within 60 days after report release date
    ◦ Thereafter, should not delete/discard any document before the end of the retention period
  • Change in terms of the engagement - Practitioner to agree only if reasonable justification exists
    ◦ If the practitioner agrees to a downgrade of service (e.g., examination to review), practitioner’s report should be issued on the lower level of service - with no reference to the original engagement or scope limitations that resulted in the changed engagement

Note:
- Engaging party = client who hires CPA
- Responsible party = responsible for subject matter (e.g., management)
- May be same or different


▪ Sample Reports on Examination engagements = Opinion

(Report paragraphs, in order: Intro, Scope, Opinion)

  • Sample Report on Examination of a subject matter (e.g., schedule of investment returns):

Independent Accountant’s Report

[Appropriate Addressee]

We have examined the accompanying schedule of investment returns of ABC Company for the year ended December 31, 20XX. ABC Company’s management is responsible for presenting the schedule of investment returns in accordance with the XYZ criteria set forth in Note 1. Our responsibility is to express an opinion on the schedule of investment returns based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether the schedule of investment returns is in accordance with the criteria, in all material respects. An examination involves performing procedures to obtain evidence about the schedule of investment returns. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of material misstatement of the schedule of investment returns, whether due to fraud or error. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]

[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]

In our opinion, the schedule of investment returns referred to above is presented in accordance with the XYZ criteria set forth in Note 1, in all material respects.

[Practitioner’s signature | City and State | Date of report]

  • Sample Report on Examination of an assertion (e.g., schedule of investment returns presented in accordance with XYZ criteria):

Independent Accountant’s Report

[Appropriate Addressee]

We have examined management’s assertion that the accompanying schedule of investment returns of ABC Company for the year ended December 31, 20XX is presented in accordance with XYZ criteria set forth in Note 1. ABC Company’s management is responsible for its assertion. Our responsibility is to express an opinion on management’s assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether management's assertion is fairly stated, in all material respects. An examination involves performing procedures to obtain evidence about management's assertion. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of material misstatement of management's assertion, whether due to fraud or error. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]

[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]

In our opinion, management’s assertion that the accompanying schedule of investment returns of ABC Company for the year ended December 31, 20XX, is presented in accordance with the XYZ criteria set forth in Note 1 is fairly stated, in all material respects.

[Practitioner’s signature | City and State | Date of report]


▪ Sample Reports on Review engagements = Negative assurance

(Report paragraphs, in order: Intro, Scope, Conclusion)

  • Sample Report on Review of a subject matter (e.g., schedule of investment returns):

Independent Accountant’s Review Report

[Appropriate Addressee]

We have reviewed the accompanying schedule of investment returns of ABC Company for the year ended December 31, 20XX. ABC Company’s management is responsible for presenting the schedule of investment returns in accordance with the XYZ criteria set forth in Note 1. Our responsibility is to express a conclusion on the schedule of investment returns based on our review.

Our review was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the review to obtain limited assurance about whether any material modifications should be made to the schedule of investment returns in order for it to be in accordance with the criteria. A review is substantially less in scope than an examination, the objective of which is to obtain reasonable assurance about whether the schedule of investment returns is in accordance with the criteria, in all material respects, in order to express an opinion. Accordingly, we do not express such an opinion. We believe that our review provides a reasonable basis for our conclusion.

[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]

[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]

Based on our review, we are not aware of any material modifications that should be made to the accompanying schedule of investment returns of ABC Company for the year ended December 31, 20XX in order for it to be in accordance with the XYZ criteria set forth in Note 1.

[Practitioner’s signature | City and State | Date of report]

  • Sample Report on Review of an assertion (e.g., schedule of investment returns presented in accordance with XYZ criteria):

Independent Accountant’s Review Report

[Appropriate Addressee]

We have reviewed management of ABC Company’s assertion that the accompanying schedule of investment returns of ABC Company for the year ended December 31, 20XX is presented in accordance with XYZ criteria set forth in Note 1. ABC Company’s management is responsible for presenting the schedule of investment returns in accordance with the XYZ criteria set forth in Note 1. Our responsibility is to express a conclusion on the schedule of investment returns based on our review.

Our review was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the review to obtain limited assurance about whether any material modifications should be made to the schedule of investment returns in order for it to be in accordance with the criteria. A review is substantially less in scope than an examination, the objective of which is to obtain reasonable assurance about whether the schedule of investment returns is in accordance with the criteria, in all material respects, in order to express an opinion. Accordingly, we do not express such an opinion. We believe that our review provides a reasonable basis for our conclusion.

[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]

[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]

Based on our review, we are not aware of any material modifications that should be made to management of ABC Company's assertion in order for it to be fairly stated.

[Practitioner’s signature | City and State | Date of report]


I) Agreed-Upon Procedures (AUP) Engagements

▪ Practitioner engaged by client to report findings based on specific agreed-upon procedures
  • Performed when specified parties require that findings be derived by an independent CPA
  • May be performed on the subject matter, or assertion(s) about the subject matter

▪ May be performed provided following conditions exist: {ASSURE the practitioner that AUP is ok}
  • General standards for all attestation engagements = TIP + Know Criteria
  • Agreement of the Parties - Practitioner and specified parties must agree regarding
    ◦ Procedures to be performed
    ◦ Criteria to be used in the determination of the findings, and
    ◦ Any materiality limits to be applied for reporting purposes
  • Subject Matter - Responsibility of specified parties or the specified parties are able to provide evidence that a third party is responsible; however, written assertion is generally not required
    ◦ Procedures to be applied to the subject matter should be expected to result in reasonably consistent findings using the criteria
  • Sufficiency of the Procedures - Responsibility of specified parties
  • Use of the Report is Restricted to the specified parties
  • Responsibility of Practitioner - Practitioner responsible for performing agreed-upon procedures and report findings (as per AICPA’s SSAE)
  • Engagements relating to prospective F/S must include a summary of significant assumptions

▪ Sample Report on AUP engagement:

Independent Accountant’s Report on Applying Agreed-Upon Procedures

To the Audit Committees and Managements of ABC Company and XYZ Fund:

We have performed the procedures enumerated below, which were agreed to by the audit committees and managements of ABC Company and XYZ Fund, on the accompanying Statement of Investment Performance Statistics of XYZ Fund for the year ended December 31, 20XX. XYZ Fund’s management is responsible for the Statement of Investment Performance Statistics for the year ended December 31, 20XX. The sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose.

[Include paragraphs to enumerate procedures and findings.]

This agreed-upon procedures engagement was performed in accordance with attestation standards established by the American Institute of Certified Public Accountants. We were not engaged to and did not conduct an examination or review, the objective of which would be the expression of an opinion or conclusion, respectively, on the accompanying Statement of Investment Performance Statistics of XYZ Fund for the year ended December 31, 20XX. Accordingly, we do not express such an opinion or conclusion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.

[Additional paragraph(s) may be added to describe other matters.]

This report is intended solely for the information and use of the audit committees and managements of ABC Company and XYZ Fund, and is not intended to be, and should not be, used by anyone other than the specified parties.

[Practitioner’s signature | City and State | Date of report]

Note:
- Report intended for parties who prescribed procedures
- Examination or Review = CPA decides procedures
- AUP = Client decides procedures. CPA performs these agreed procedures & reports findings
- Client responsible for sufficiency, CPA for performance
- CPA is responsible
- Limited Use


II) Prospective F/S (forecasts/projections)

▪ Prospective F/S present expected or hypothetical future results of an entity. 2 types:
  • Forecast - Prospective F/S with expected future results; assumptions based on expected conditions and expected courses of action
    ◦ Can be for either general or limited use
    ◦ E.g., Company XYZ has received an approval for its technology patent and prepares financial “forecast” for the next few years based on expected future results
  • Projection - Prospective F/S given one/more hypothetical assumptions (based on “what if” scenarios)
    ◦ Based on hypothetical assumptions not necessarily expected; thus, only for limited use by:
      ⇒ Responsible party (i.e., entity)
      ⇒ Third parties with whom the responsible party is negotiating directly (e.g., bank with which the entity is negotiating for a loan, a regulatory agency)
    ◦ E.g., To negotiate a loan to expand its plant, Company XYZ prepares financial “projection” for the next few years using the hypothetical assumption that the requested loan has been granted and the plant is expanded [i.e., a “what if” scenario]

▪ Practitioner may either examine or perform AUP on prospective F/S
  • Examination - Obtain reasonable assurance and express an opinion as to whether
    ◦ prospective F/S conform to AICPA presentation guidelines, and
    ◦ underlying assumptions provide a reasonable basis for the forecast/projection
  • Review of prospective F/S is NOT allowed
  • AUP - Report findings from the procedures & summary of significant assumptions
    ◦ As applicable in AUP engagements, procedures performed by the practitioner are established by the specified parties
      ⇒ Also, sufficiency of these procedures is solely the responsibility of the specified parties (and practitioner makes no representation regarding the same)
    ◦ Can only result in a report for limited use whether it involves forecast or projection

▪ Reports also need to include:
  • Warning (Caveat) that the prospective results may not be achieved
  • Statement that the practitioner has no responsibility to update the report for events & circumstances occurring after the report date
  • Limited use paragraph in case of examination of projections (in case of AUP, both forecasts and projections will lead to the limited use para)

▪ SSARS applies if CPA is engaged to compile prospective F/S

Limited use para:

| | Examination | AUP |
|---|---|---|
| Forecast | X | √ |
| Projection | √ | √ |

Warning #1 = Future is uncertain
Warning #2 = CPA may not revisit

General Rule:
- Attest = Follow SSAE (AT-C)
- Compile = Follow SSARS (AR-C) = non-issuers only


� Sample Reports on Examination of Prospective F/S:

Independent Accountant’s Report

[Appropriate Addressee]

We have examined the accompanying forecast of XYZ Company, which comprises [identify the statements, for example, the

forecasted balance sheet as of December 31, 20XX, and the related forecasted statements of income, stockholders’ equity, and cash

flows for the year then ending], based on the guidelines for the presentation of a forecast established by the American Institute of

Certified Public Accountants. XYZ Company's management is responsible for preparing and presenting the forecast in accordance

with the guidelines for the presentation of a forecast established by the American Institute of Certified Public Accountants. Our responsibility is to express an opinion on the forecast based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether the

forecast is presented in accordance with the guidelines for the presentation of a forecast established by the American Institute of

Certified Public Accountants, in all material respects. An examination involves performing procedures to obtain evidence about the forecast. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of

material misstatement of the forecast, whether due to fraud or error. We believe that the evidence we obtained is sufficient and

appropriate to provide a reasonable basis for our opinion.

In our opinion, the accompanying forecast is presented, in all material respects, in accordance with the guidelines for the

presentation of a forecast established by the American Institute of Certified Public Accountants, and the underlying assumptions are suitably supported and provide a reasonable basis for management’s forecast.

There will usually be differences between the forecasted and actual results because events and circumstances frequently do not occur as expected, and those differences may be material. We have no responsibility to update this report for events and

circumstances occurring after the date of this report.

[Practitioner’s signature | City and State | Date of report]

Independent Accountant’s Report

[Appropriate Addressee]

We have examined the accompanying projection of XYZ Company, which comprises [identify the statements, for example, the

projected balance sheet as of December 31, 20XX, and the related projected statements of income, stockholders' equity, and cash

flows for the year then ending] based on the guidelines for the presentation of a projection established by the American Institute of

Certified Public Accountants. XYZ Company's management is responsible for preparing and presenting the projection based on

[identify the hypothetical assumption(s), for example, the granting of the requested loan as described in the summary of significant

assumptions] in accordance with the guidelines for the presentation of a projection established by the American Institute of Certified

Public Accountants. The projection was prepared for [describe the special purpose, for example, the purpose of negotiating a loan to

expand XYZ Company's plant]. Our responsibility is to express an opinion on the projection based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether the projection is presented in accordance with the guidelines for the presentation of a projection established by the American Institute of Certified Public Accountants, in all material respects. An examination involves performing procedures to obtain evidence about the projection. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of material misstatement of the projection, whether due to fraud or error. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

In our opinion, [describe the hypothetical assumption(s), for example, assuming the granting of the requested loan for the purpose of expanding XYZ Company's plant as described in the summary of significant assumptions] the projection referred to above is presented, in all material respects, in accordance with the guidelines for the presentation of a projection established by the American Institute of Certified Public Accountants, and the underlying assumptions are suitably supported and provide a reasonable basis for management's projection given the hypothetical assumption(s).

Even if [identify the hypothetical assumption, for example, the loan is granted and the plant is expanded], there will usually be differences between the projected and actual results because events and circumstances frequently do not occur as expected, and those differences may be material. We have no responsibility to update this report for events and circumstances occurring after the date of this report.

The accompanying projection and this report are intended solely for the information and use of [identify specified parties, for example, XYZ Company and DEF National Bank], and are not intended to be and should not be used by anyone other than these specified parties.

[Practitioner’s signature | City and State | Date of report]

(Margin callouts on the sample report above: Warnings; Warnings; Limited Use)


III) Pro-forma F/S

- Pro-forma F/S are used to show the significant effects of an event on historical F/S “if” the same consummated/proposed event had occurred at an earlier date
  • Pro-forma adjustments are applied to historical F/S based on management’s assumptions and give effect to all significant effects directly attributable to the transaction/event
  • Commonly used to show the effects of transactions/events such as the following:
    o Business combination (e.g., what “if” the business combination had happened earlier?)
    o Change in capitalization (e.g., what “if” the capitalization had been changed earlier?)
    o Disposition of a portion of the business (e.g., what “if” the disposal had happened earlier?)
    o Change in the form of business organization or status as an autonomous entity
    o Proposed sale of securities and the application of the proceeds
  • Pro-forma F/S should be labeled as such to distinguish it from historical F/S
    o Need to describe the transaction/event that is reflected in the pro forma F/S, the source of the historical F/S on which it is based, the significant assumptions used in developing the pro forma adjustments, and any significant uncertainties about those assumptions
    o Need to also indicate that pro-forma F/S should be read in conjunction with related historical F/S and that the pro-forma F/S is not necessarily indicative of the results that would have been attained had the transaction/event actually taken place earlier
- Practitioner may either examine or review pro-forma F/S
  • Examination - Obtain reasonable assurance and express an opinion as to whether
    o Management’s assumptions provide a reasonable basis for presenting the significant effects directly attributable to the underlying transaction/event,
    o Related pro-forma adjustments give appropriate effect to those assumptions, and
    o Pro-forma amounts reflect proper application of those adjustments to the historical F/S
  • Review - Obtain limited assurance and express a conclusion as to the same 3 points as above
- Reports also need to include:
  • Reference to the historical F/S from which historical financial info is derived and state if such F/S were audited (and if audited by another auditor)
    o Note: Level of service on the pro-forma F/S should not exceed that on related historical F/S
      ⇒ Examination of pro-forma F/S only if related historical F/S were audited
      ⇒ Review of pro-forma F/S only if the related historical F/S were audited/reviewed
  • Statement that the pro forma adjustments are based on management’s assumptions
  • Description of the objectives and limitations of pro-forma F/S
- SSARS applies if the CPA is engaged to compile pro-forma F/S


- Sample Report on Examination of Pro-forma F/S:

Independent Accountant’s Report

[Appropriate Addressee]

We have examined the pro forma adjustments giving effect to the underlying transaction (or event) described in Note 1 and the application of those adjustments to the historical amounts in the accompanying pro forma condensed balance sheet of X Company as of December 31, 20X1, and the related pro forma condensed statement of income for the year then ended (pro forma financial information), based on the criteria in Note 1. The historical condensed financial statements are derived from the historical financial statements of X Company, which were audited by us, and of Y Company, which were audited by other accountants, appearing elsewhere herein [or "and are readily available"]. The pro forma adjustments are based on management's assumptions described in Note 1. X Company's management is responsible for the pro forma financial information. Our responsibility is to express an opinion on the pro forma financial information based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether, based on the criteria in Note 1, management's assumptions provide a reasonable basis for presenting the significant effects directly attributable to the underlying transaction (or event), and, in all material respects, the related pro forma adjustments give appropriate effect to those assumptions, and the pro forma amounts reflect the proper application of those adjustments to the historical financial statement amounts. An examination involves performing procedures to obtain evidence about management's assumptions, the related pro forma adjustments, and the pro forma amounts in the pro forma condensed balance sheet of X Company as of December 31, 20X1, and the related pro forma condensed statement of income for the year then ended. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of material misstatement of the pro forma financial information, whether due to fraud or error. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

The objective of this pro forma financial information is to show what the significant effects on the historical financial information might have been had the underlying transaction (or event) occurred at an earlier date. However, the pro forma condensed financial statements are not necessarily indicative of the results of operations or related effects on financial position that would have been attained had the above-mentioned transaction (or event) actually occurred at such earlier date.

In our opinion, based on the criteria in Note 1, management's assumptions provide a reasonable basis for presenting the significant effects directly attributable to the above-mentioned transaction (or event) described in Note 1, and, in all material respects, the related pro forma adjustments give appropriate effect to those assumptions, and the pro forma amounts reflect the proper application of those adjustments to the historical financial statement amounts in the pro forma condensed balance sheet of X Company as of December 31, 20X1, and the related pro forma condensed statement of income for the year then ended.

[Practitioner’s signature | City and State | Date of report]

(Margin callouts on the sample report above: Refer to historical F/S; Objective & Limitations)

- Sample Report on Review of Pro-forma F/S:

Independent Accountant’s Report

[Appropriate Addressee]

We have reviewed the pro forma adjustments giving effect to the transaction (or event) described in Note 1 and the application of those adjustments to the historical amounts in the accompanying pro forma condensed balance sheet of X Company as of March 31, 20X2, and the related pro forma condensed statement of income for the three months then ended (pro forma financial information), based on the criteria in Note 1. These historical condensed financial statements are derived from the historical unaudited financial statements of X Company, which were reviewed by us, and of Y Company, which were reviewed by other accountants, appearing elsewhere herein [or "and are readily available"]. The pro forma adjustments are based on management's assumptions as described in Note 1. X Company's management is responsible for the pro forma financial information. Our responsibility is to express a conclusion based on our review.

Our review was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our review to obtain limited assurance about whether, based on the criteria in Note 1, any material modifications should be made to management's assumptions in order for them to provide a reasonable basis for presenting the significant effects directly attributable to the underlying transaction (or event); the related pro forma adjustments, in order for them to give appropriate effect to those assumptions; or the pro forma amounts, in order for them to reflect the proper application of those adjustments to the historical financial statement amounts. A review is substantially less in scope than an examination, the objective of which is to obtain reasonable assurance about whether, based on the criteria, management's assumptions provide a reasonable basis for presenting the significant effects directly attributable to the underlying transaction (or event), and, in all material respects, the related pro forma adjustments give appropriate effect to those assumptions, and the pro forma amounts reflect the proper application of those adjustments to the historical financial statement amounts, in order to express an opinion. Accordingly, we do not express such an opinion. We believe that our review provides a reasonable basis for our conclusion.

The objective of this pro forma financial information is to show what the significant effects on the historical financial information might have been had the underlying transaction (or event) occurred at an earlier date. However, the pro forma condensed financial statements are not necessarily indicative of the results of operations or related effects on financial position that would have been attained had the above-mentioned transaction (or event) actually occurred at such earlier date.

Based on our review, we are not aware of any material modifications that should be made to management's assumptions in order for them to provide a reasonable basis for presenting the significant effects directly attributable to the above-mentioned transaction (or event) described in Note 1, the related pro forma adjustments in order for them to give appropriate effect to those assumptions, or the pro forma amounts, in order for them to reflect the proper application of those adjustments to the historical financial statement amounts in the pro forma condensed balance sheet of X Company as of March 31, 20X2, and the related pro forma condensed statement of income for the three months then ended, based on the criteria in Note 1.

[Practitioner’s signature | City and State | Date of report]

(Margin callouts on the sample report above: Refer historical F/S; Objective & Limitations)

IV) Internal control over financial reporting: No longer attest

- Earlier: For non-issuers, the auditor could be engaged for an attest engagement on ICFR (per SSAE standards) integrated with an audit of F/S (i.e., attest of ICFR + audit of F/S). No longer applicable
- Effective Dec 15, 2016: AU-C 940 applies if an auditor is engaged to perform an audit of ICFR integrated with an audit of F/S
  • Note again that the audit of ICFR is optional for non-issuers; but if the non-issuer wants to opt for it, it needs to be an integrated audit per GAAS

(Margin callout: If Integrated Audit for non-issuers, do Audit of F/S + Audit of ICFR [no longer attest])

V) Compliance (as a specific engagement)

- Relates to an entity’s compliance with specified laws, regulations, rules, contracts, or grants
  • Does not provide a legal determination of an entity’s compliance with specified requirements. However, attest report may be useful to legal counsel or others in making such determinations
- Practitioner may either examine or perform AUP
  • Examination - Obtain reasonable assurance and express an opinion on the entity’s compliance with specified requirements (or, management’s assertion on compliance with specified requirements if fairly stated)
  • Review on compliance engagements is NOT allowed
  • AUP - Subject matter of the engagement may be on:
    o Entity’s compliance with specified requirements
    o Entity’s I/C over compliance with specified requirements
- Few key requirements:
  • Preconditions [for both Examination and AUP]
    o Practitioner should determine if:
      ⇒ Management accepts responsibility for the entity’s compliance and I/C over compliance
      ⇒ Management evaluates the entity’s compliance with specified requirements
    o Written assertion to be requested from management [required for Examination; not if AUP]
      ⇒ If management refuses to provide, practitioner should withdraw [for Examination only]
  • Obtain an understanding of the specified requirements via [for both Examination & AUP]:
    o Consideration of laws, regulations, rules, contracts, and grants that pertain to the specified requirements, including published requirements
    o Consideration of knowledge about the specified requirements obtained through prior engagements and regulatory reports
    o Discussion with appropriate individuals within the entity (e.g., CFO, internal auditors, legal counsel, compliance officer, or grant or contract administrators)
  • For Examination engagements [if AUP, need to perform procedures as agreed]
    o Obtain an understanding of relevant portions of I/C over compliance sufficient to plan the engagement and to assess control risk for compliance with specified requirements. In planning the examination, such knowledge should be used to identify types of potential non-compliance, to consider factors that affect the risk of material non-compliance, and to design appropriate tests of compliance
    o For engagements involving compliance with regulatory requirements, procedures should include reviewing reports of relevant examinations & related communications between regulatory agencies and the entity and, when appropriate, making inquiries of regulatory agencies, including inquiries about examinations in progress
  • Request written representation letter from management [for both Examination & AUP]
    o Additional representations needed from management [for both Examination & AUP]:
      ⇒ Acknowledgement of management’s responsibility for establishing and maintaining effective I/C over compliance


      ⇒ Statement that management has performed an evaluation of the entity’s compliance with specified requirements.
      ⇒ Management’s interpretation of any compliance requirements that have varying interpretations
    o In case of Examination engagement, required even if the client (engaging party) ≠ responsible party - i.e., the exception covered earlier is not permitted in this case
      ⇒ Management’s refusal to furnish the written representations constitutes a scope limitation sufficient to preclude an unmodified opinion and may be sufficient to cause the practitioner to withdraw from the Examination engagement
  • Forming an opinion for Examination engagement - In evaluating whether the entity has complied with the specified requirements, the practitioner should evaluate
    o Nature and frequency of the non-compliance identified, and
    o Whether such non-compliance is material relative to the nature of the compliance requirements
- Reports also need to include:
  • Identification of the specified requirements against which the entity's compliance (or I/C over compliance) was measured/evaluated
  • For Examination reports, statement that the examination does not provide a legal determination on the entity's compliance with specified requirements
  • For Examination reports, often the criteria are contained in the compliance requirements, in which case, it is not necessary to repeat the criteria in the practitioner's report; however, if the criteria are not included in the compliance requirement, the report should identify the criteria
- Sample Reports
  • On Examination of an Entity’s Compliance:

Independent Accountant’s Report

[Appropriate Addressee]

We have examined XYZ Company's compliance with [identify the specified requirements, for example, the requirements listed in Attachment 1] during the period January 1, 20X1, to December 31, 20X1. Management of XYZ Company is responsible for XYZ Company's compliance with the specified requirements. Our responsibility is to express an opinion on XYZ Company's compliance with the specified requirements based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether XYZ Company complied, in all material respects, with the specified requirements referenced above. An examination involves performing procedures to obtain evidence about whether XYZ Company complied with the specified requirements. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of material noncompliance, whether due to fraud or error. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Our examination does not provide a legal determination on XYZ Company's compliance with specified requirements.

In our opinion, XYZ Company complied, in all material respects, with [identify the specified requirements, for example, the requirements listed in Attachment 1] during the period January 1, 20X1 to December 31, 20X1.

[Practitioner’s signature | City and State | Date of report]


  • On AUP engagement of an Entity’s Compliance:

Independent Accountant’s Report on Applying Agreed-Upon Procedures

[Appropriate addressee]

We have performed the procedures enumerated below, which were agreed to by [identify the specified parties, for example, the management and board of directors of XYZ Company], related to XYZ Company's compliance with [identify the specified requirements, for example, the requirements listed in Attachment 1] during the period January 1, 20X1 to December 31, 20X1. XYZ Company's management is responsible for its compliance with those requirements. The sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we make no representations regarding the sufficiency of the procedures enumerated below either for the purpose for which this report has been requested or for any other purpose.

[Include paragraphs to enumerate procedures and findings.]

This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. We were not engaged to and did not conduct an examination or review, the objective of which would be the expression of an opinion or conclusion, respectively, on compliance with specified requirements. Accordingly, we do not express such an opinion or conclusion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.

This report is intended solely for the information and use of [identify the specified parties, for example, the management and board of directors of XYZ Company] and is not intended to be, and should not be, used by anyone other than the specified parties.

[Practitioner’s signature | City and State | Date of report]

  • On AUP engagement of an Entity’s I/C over Compliance:

Independent Accountant’s Report on Applying Agreed-Upon Procedures

[Appropriate addressee]

We have performed the procedures enumerated below, which were agreed to by [identify the specified parties, for example, the management and board of directors of XYZ Company], related to XYZ Company's internal control over compliance with [identify the specified requirements for example, the requirements listed in Attachment 1], as of December 31, 20X1. XYZ Company’s management is responsible for its internal control over compliance with those requirements. The sufficiency of these procedures is solely the responsibility of the parties specified in this report. Consequently, we make no representations regarding the sufficiency of the procedures enumerated below either for the purpose for which this report has been requested or for any other purpose.

[Include paragraphs to enumerate procedures and findings.]

This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. We were not engaged to and did not conduct an examination or review, the objective of which would be the expression of an opinion or conclusion, respectively, on internal control over compliance with specified requirements. Accordingly, we do not express such an opinion or conclusion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.

This report is intended solely for the information and use of [identify the specified parties, for example, the management and board of directors of XYZ Company] and is not intended to be, and should not be, used by anyone other than the specified parties.

[Practitioner’s signature | City and State | Date of report]


VI) Management discussion & analysis (MD&A)

- Relates to the performance of an attest engagement with respect to MD&A (presented in annual reports and other documents) which are prepared pursuant to SEC rules & regulations
  • May provide services to:
    o Public entity that prepares MD&A in accordance with SEC rules & regulations
    o Non-public entity that prepares MD&A and whose management provides a written assertion that the presentation has been prepared using SEC rules & regulations
  • The guidance of this section (AT-C 395) does NOT
    o Change the auditor's responsibility in an audit of F/S
    o Apply to situations in which the practitioner is requested to provide recommendations to improve MD&A rather than to provide assurance (may be taken up as a Consulting service)
    o Apply if practitioner is engaged to provide attest services with respect to MD&A prepared based on criteria other than SEC rules and regulations (may be still taken up as an attest engagement but the guidance of this section AT-C 395 will not apply)
  • Note: In practical scenarios, practitioners rarely perform attest engagements to report on MD&A prepared pursuant to SEC rules and regulations (so AT-C 395 rarely applies)
- Practitioner may either examine or review MD&A
  • Examination - Obtain reasonable assurance and express an opinion as to whether
    o Presentation includes the required elements of SEC rules and regulations,
    o Historical financial amounts have been accurately derived from the entity’s F/S, and
    o Underlying info, determinations, estimates, and assumptions of the entity provide a reasonable basis for the disclosures contained therein
  • Review - Obtain limited assurance and express a conclusion as to the same 3 points as above
- Few key requirements:
  • Pre-conditions
    o Examination engagement - Practitioner audits the latest period F/S (and prior period F/S have also been audited either by the same practitioner or a predecessor auditor)
    o Review engagement -
      ⇒ MD&A is for annual period - Practitioner audits the latest period F/S (and prior period F/S have also been audited either by the same practitioner or a predecessor auditor)
      ⇒ MD&A is for interim period - Practitioner reviews/audits the latest interim F/S (and MD&A for the last fiscal year have been examined/reviewed either by the same practitioner or a predecessor auditor)
  • Obtain an understanding of the SEC rules & regulations, and management’s methodology for the preparation of MD&A


VII) Trust Services

- Relates to System and Organization Controls (SOC) for Service Organizations - Examination of I/C at a service organization providing valuable info that users need to assess/address the risks associated with an outsourced service

| | SOC 1 - SOC for Service Organizations: ICFR | SOC 2 - SOC for Service Organizations: Trust Services Criteria | SOC 3 - SOC for Service Organizations: Trust Services Criteria for General Use Report |
| --- | --- | --- | --- |
| Professional Standard | Examination per SSAE | Examination per SSAE | Examination per SSAE |
| Subject Matter | Controls at a service organization relevant to user entities’ ICFR | Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy | Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy |
| Report Type | Type 1 Report - Opinion on design of I/C; Type 2 Report - Opinion on design & operating effectiveness of I/C | Type 1 Report - Opinion on design of I/C; Type 2 Report - Opinion on design & operating effectiveness of I/C | Type 2 Report only - Opinion on design & operating effectiveness of I/C |
| Use of Report & Intended Users | Restricted Use (management of service organization, user entities, user auditors) | Restricted Use (management of service organization, user entities, user auditors) | General Use; allows organization to place a seal on their website upon successful completion |


- Trust Services - SOC 2 & SOC 3 attest engagements require that the service organization’s controls meet the specified Trust Services Criteria (TSC) as defined by the AICPA
  • Trust Services Criteria (TSC) used to evaluate the controls in SOC 2 and SOC 3 engagements:
    o Security - Info & systems are protected against unauthorized access, unauthorized disclosure of info, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of info or systems that affect the entity’s ability to meet its objectives
    o Availability - Info & systems available for operation and use to meet the entity’s objectives
    o Processing integrity - System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives
    o Confidentiality - Info designated as confidential is protected to meet the entity’s objectives
    o Privacy - Personal info is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives
  • SOC 2 vs. SOC 3
    o SOC 2 Report - Restricted use report intended for specified parties (management of the service organization and current/prospective users)
      ⇒ SOC 2 report is detailed; includes auditor’s opinion, management’s assertion, detailed description of system & organization's controls, and results of auditor’s test of controls
    o SOC 3 Report - General use report that is also fit to be displayed online
      ⇒ SOC 3 report is brief; includes auditor’s opinion, management assertion, brief background on the service organization. No details on specific controls or results of auditor’s test of controls
  • SOC 2 reports are intended to meet the needs of users who need detailed info and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the info processed by these systems. These reports can play an important role in:
    o Oversight of the organization
    o Vendor management programs
    o Internal corporate governance and risk management processes
    o Regulatory oversight
  • SOC 3 reports can be issued on one or multiple Trust Services Criteria and allow the service organization to place a seal on their website as a representation of an unmodified opinion. Given the focus on e-commerce and online transactions, most common SOC 3 reports include:
    o Websites (Webtrust) - Examination of website and effectiveness of info system controls based on the trust services criteria
    o Information systems (Sys Trust service) - Examination of info system controls based on the trust services criteria


VII) I/C at a Service Organization Relevant to User Entities’ ICFR

- Attest engagement applicable when “service auditor” is examining I/C at a “service organization” that provides services to user entities
  • May provide appropriate evidence required by the “user auditor” relating to the I/C of the “service organization” when those I/C are likely to be relevant to user’s ICFR
    o E.g., Payroll processing “service organization” (like ADP) I/C related to the timely remittance of payroll deductions to government authorities may be relevant to a user entity as late remittances could incur interest/penalties that would result in a liability to the user
    o E.g., “Service organization” I/C over the acceptability of investment transactions from a regulatory perspective may be considered relevant to a user entity’s ICFR
  • Objective of the “service auditor” - Obtain reasonable assurance and express opinion regarding:
    o Management’s description of the service organization’s system (if it is fairly presented)
    o Design and implementation of I/C
    o Operating effectiveness of I/C (only in Type 2 engagement)
  • “Service auditor” engagement/report may be a Type 1 or Type 2
    o Type 1 Report - Opinion on design/implementation of the service organization’s I/C
    o Type 2 Report - Opinion on design/implementation AND operating effectiveness of the service organization’s I/C
- “Service auditor” considerations
  • Preconditions:
    o Management of service organization acknowledges and accepts its responsibility for the description of the service organization’s system and for I/C at the service organization
    o Service auditor’s preliminary knowledge indicates that the scope of the engagement will not be so limited that they are unlikely to be useful to user entities and their auditors
  • Written assertion to be requested from management of the service organization
    o If management refuses to provide, the service auditor should withdraw
  • Assess suitability of the criteria used by the management of the service organization in
    o Preparing its description of the service organization’s system,
    o Evaluating design/implementation of I/C,
    o Evaluating operating effectiveness of I/C (in the case of a type 2 engagement)
  • Obtain an understanding of the service organization’s system and assess RMM
  • Respond to assessed RMM - Perform further procedures and obtain evidence regarding:
    o Management’s Description of the Service Organization’s System,
    o Design/Implementation of I/C,
    o Operating Effectiveness of I/C (Type 2 engagement only)
  • Request written representation letter from management of the service organization
    o Required even if the client (engaging party) ≠ responsible party - i.e., the exception covered earlier is not permitted in a type 1 or type 2 engagement
    o Refusal by management of the “service organization” (or by management of a subservice organization that is being presented using the inclusive method) to furnish the written representations constitutes a scope limitation sufficient to preclude an unmodified opinion (and the service auditor may withdraw from the engagement)


- Sample Type 2 Service Auditor’s Report:

Independent Service Auditor’s Report on XYZ Service Organization’s Description of Its [type or name of] System and the Suitability of the Design and Operating Effectiveness of Controls

To: XYZ Service Organization

Scope

We have examined XYZ Service Organization's description of its [type or name of] system entitled "XYZ Service Organization's Description of Its [type or name of] System" for processing user entities' transactions [or identification of the function performed by the system] throughout the period [date] to [date] (description) and the suitability of the design and operating effectiveness of the controls included in the description to achieve the related control objectives stated in the description, based on the criteria identified in "XYZ Service Organization's Assertion" (assertion). The controls and control objectives included in the description are those that management of XYZ Service Organization believes are likely to be relevant to user entities' internal control over financial reporting, and the description does not include those aspects of the [type or name of] system that are not likely to be relevant to user entities' internal control over financial reporting.

[Add additional statement(s) in one/more of the below situation(s):
- information that is not covered by the report is included in the description of the service organization's system
- the service organization uses a subservice organization, the carve-out method is used to present the subservice organization (i.e., management’s description of the service organization's system identifies services performed by the subservice organization BUT subservice organization’s I/C excluded from scope of service auditor’s engagement), and complementary subservice organization controls are required to meet the control objectives
- complementary user entity controls are required to meet the control objectives]

Service Organization's Responsibilities

In [section number where the assertion is presented], XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and assertion, including the completeness, accuracy, and method of presentation of the description and assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria stated in the assertion, and designing, implementing, and documenting controls that are suitably designed and operating effectively to achieve the related control objectives stated in the description.

Service Auditor's Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of

the design and operating effectiveness of the controls to achieve the related control objectives stated in the description,

based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of

Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable

assurance about whether, in all material respects, based on the criteria in management's assertion, the description is

fairly presented and the controls were suitably designed and operating effectively to achieve the related control

objectives stated in the description throughout the period [date] to [date]. We believe that the evidence we obtained is

sufficient and appropriate to provide a reasonable basis for our opinion.

An examination of a description of a service organization's system and the suitability of the design and operating

effectiveness of controls involves

• performing procedures to obtain evidence about the fairness of the presentation of the description and the

suitability of the design and operating effectiveness of the controls to achieve the related control objectives

stated in the description, based on the criteria in management's assertion.

• assessing the risks that the description is not fairly presented and that the controls were not suitably designed

or operating effectively to achieve the related control objectives stated in the description.

• testing the operating effectiveness of those controls that management considers necessary to provide

reasonable assurance that the related control objectives stated in the description were achieved.

• evaluating the overall presentation of the description, suitability of the control objectives stated in the

description, and suitability of the criteria specified by the service organization in its assertion.


Inherent Limitations

The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit

and report on user entities' financial statements and may not, therefore, include every aspect of the system that each

individual user entity may consider important in its own particular environment. Because of their nature, controls at a

service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions [or

identification of the function performed by the system]. Also, the projection to the future of any evaluation of the

fairness of the presentation of the description, or conclusions about the suitability of the design or operating

effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service

organization may become ineffective.

Description of Tests of Controls

The specific controls tested and the nature, timing, and results of those tests are listed in [section number where the

description of tests of controls is presented].

Opinion

In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion

a. the description fairly presents the [type or name of] system that was designed and implemented throughout

the period [date] to [date].

b. the controls related to the control objectives stated in the description were suitably designed to provide

reasonable assurance that the control objectives would be achieved if the controls operated effectively

throughout the period [date] to [date] and subservice organizations and user entities applied the

complementary controls assumed in the design of XYZ Service Organization’s controls throughout the period

[date] to [date].

c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the

description were achieved throughout the period [date] to [date] if complementary subservice organization and

user entity controls assumed in the design of XYZ Service Organization’s controls operated effectively

throughout the period [date] to [date].

Restricted Use

This report, including the description of tests of controls and results thereof in [section number where the description of

tests of controls is presented], is intended solely for the information and use of management of XYZ Service

Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date]

to [date], and their auditors who audit and report on such user entities' financial statements or internal control over

financial reporting and have a sufficient understanding to consider it, along with other information, including

information about controls implemented by user entities themselves, when assessing the risks of material misstatement

of user entities' financial statements. This report is not intended to be, and should not be, used by anyone other than the

specified parties.

[Service auditor's signature]

[Service auditor's city and state]

[Date of the service auditor's report]


� Sample Type 1 Service Auditor’s Report:

[Note that the Type 2 Service Report template has been taken and modified to the Type 1 Service

Report - all edits are highlighted in grey to appreciate the differences between the two reports]

Independent Service Auditor’s Report on XYZ Service Organization’s Description of Its [type or name of] System and

the Suitability of the Design and Operating Effectiveness of Controls

To: XYZ Service Organization

Scope

We have examined XYZ Service Organization's description of its [type or name of] system entitled "XYZ Service

Organization's Description of Its [type or name of ] System" for processing user entities' transactions [or identification of

the function performed by the system] throughout the period [date] to [date] as of [date] (description) and the

suitability of the design and operating effectiveness of the controls included in the description to achieve the related

control objectives stated in the description, based on the criteria identified in "XYZ Service Organization's Assertion"

(assertion). The controls and control objectives included in the description are those that management of XYZ Service

Organization believes are likely to be relevant to user entities' internal control over financial reporting, and the

description does not include those aspects of the [type or name of] system that are not likely to be relevant to user

entities' internal control over financial reporting.

[Add additional statement(s) in one/more of the below situation(s):

� information that is not covered by the report is included in the description of the service organization's system

� the service organization uses a subservice organization, the carve-out method is used to present the subservice

organization, and complementary subservice organization controls are required to meet the control objectives

� complementary user entity controls are required to meet the control objectives]

Service Organization's Responsibilities

In [section number where the assertion is presented], XYZ Service Organization has provided an assertion about the

fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to

achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the

description and assertion, including the completeness, accuracy, and method of presentation of the description and

assertion, providing the services covered by the description, specifying the control objectives and stating them in the

description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria stated in

the assertion, and designing, implementing, and documenting controls that are suitably designed and operating

effectively to achieve the related control objectives stated in the description.

Service Auditor's Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of

the design and operating effectiveness of the controls to achieve the related control objectives stated in the description,

based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of

Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management's assertion, the description is

fairly presented and the controls were suitably designed and operating effectively to achieve the related control

objectives stated in the description throughout the period [date] to [date] as of [date]. We believe that the evidence we

obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

An examination of a description of a service organization's system and the suitability of the design and operating

effectiveness of controls involves

• performing procedures to obtain evidence about the fairness of the presentation of the description and the

suitability of the design and operating effectiveness of the controls to achieve the related control objectives

stated in the description, based on the criteria in management's assertion.

• assessing the risks that the description is not fairly presented and that the controls were not suitably designed

or operating effectively to achieve the related control objectives stated in the description.

• testing the operating effectiveness of those controls that management considers necessary to provide reasonable assurance that the related control objectives stated in the description were achieved.

• evaluating the overall presentation of the description, suitability of the control objectives stated in the

description, and suitability of the criteria specified by the service organization in its assertion.

Type 1 Report - Design of I/C as of [date]

Type 2 Report - Design and Operating Effectiveness of I/C for the period [date] to [date]


Inherent Limitations

The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit and report on user entities' financial statements and may not, therefore, include every aspect of the system that each

individual user entity may consider important in its own particular environment. Because of their nature, controls at a

service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions [or

identification of the function performed by the system]. Also, the projection to the future of any evaluation of the

fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service

organization may become ineffective.

Description of Tests of Controls

The specific controls tested and the nature, timing, and results of those tests are listed in [section number where the

description of tests of controls is presented].

Other Matter

We did not perform any procedures regarding the operating effectiveness of controls stated in the description and,

accordingly, do not express an opinion thereon.

Opinion

In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion

a. the description fairly presents the [type or name of] system that was designed and implemented throughout

the period [date] to [date] as of [date].

b. the controls related to the control objectives stated in the description were suitably designed to provide

reasonable assurance that the control objectives would be achieved if the controls operated effectively

throughout the period [date] to [date] as of [date] and subservice organizations and user entities applied the

complementary controls assumed in the design of XYZ Service Organization’s controls throughout the period

[date] to [date] as of [date].

c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the

description were achieved throughout the period [date] to [date] if complementary subservice organization and user entity controls assumed in the design of XYZ Service Organization’s controls operated effectively

throughout the period [date] to [date].

Restricted Use

This report, including the description of tests of controls and results thereof in [section number where the description of

tests of controls is presented], is intended solely for the information and use of management of XYZ Service Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date]

to [date] as of [date], and their auditors who audit and report on such user entities' financial statements or internal

control over financial reporting and have a sufficient understanding to consider it, along with other information,

including information about controls implemented by user entities themselves, when assessing the risks of material

misstatement of user entities' financial statements. This report is not intended to be, and should not be, used by anyone other than the specified parties.

[Service auditor's signature]

[Service auditor's city and state]

[Date of the service auditor's report]


7.3) Governmental Auditing

I) Government Auditing Standards

� GAGAS (Generally Accepted Government Auditing Standards) - Standards for use by auditors of

government entities, entities that receive government awards and audit organizations performing

GAGAS audits

• Also known as the “Yellow Book”

▪ Issued by the Comptroller General of the US who is the director of the Government Accountability Office (GAO)

▪ Comprises:

⇒ Auditing Standards

⇒ Professional Responsibilities & Ethics

• Types of GAGAS Audits and Attestation Engagements

� Financial Audits - Incorporate SAS (US GAAS) along with additional requirements. Include:

⇒ F/S Audits - Opinion on F/S + Reports on ICFR & Compliance

⇒ Other types of financial audits - Single F/S, Specified elements/accounts/items of F/S,

letter for underwriters, auditing compliance relating to one/more government programs

� Attestation Engagements - Incorporate SSAE along with additional requirements

⇒ May be Examination, Review or AUP engagement {ERA}

⇒ Can cover a broad range of financial or non-financial objectives about the subject matter

or assertion depending on the users’ needs

� Performance Audits - Audits that provide findings/conclusions based on an evaluation of

sufficient, appropriate evidence against criteria; may have one/more of below objectives

{Performance Audits are nothing short of an EPIC!}:

⇒ Effectiveness, economy & efficiency - Assess extent to which a program is achieving its

goals & objectives, or address the costs & resources used to achieve program results

⇒ Prospective analysis - Analysis or conclusions about info that is based on assumptions

about events that may occur in the future, along with possible actions that the entity

may take in response to the future events

⇒ Internal control - Assessment of one or more components of I/C

⇒ Compliance - Assessment of compliance with criteria established by provisions of laws,

regulations, contracts, or grant agreements, or other requirements


• GAGAS incorporates GAAS (SAS AU-C by AICPA), and details additional requirements that apply

� General Standards - TIP + Q {Question - Will the same TIP work for GAGAS?}

� Fieldwork Standards - PIC + APPEND {Need to APPEND the Yellow Book to the Field PIC!}

� Reporting Standards - ACDE + AICPA CD-VCD {Remember you still are AICPA’s auditors

albeit with CDs & VCDs!}

General Standards

• TIP + Q

• Quality Control

Fieldwork Standards

• PIC + APPEND

• Additional Considerations

• Pertinent info

• Previous audits

• Elements of a finding

• Non-compliance, Fraud & Abuse

• Documentation

Reporting Standards

• ACDE + AICPA CD-VCD

• Audit Report per GAGAS

• ICFR Report

• Compliance Report - Provisions & Agreements

• Communicating Deficiencies

• Views of entity officials

• Confidential & Sensitive Info

• Distribution of reports


� GAGAS - Auditing Standards:

General Standards - TIP + Q {Question is - Will the same TIP work for GAGAS?}

• Quality Control - Audit firm must establish & maintain a system of quality control (designed to

provide reasonable assurance that the firm and its personnel comply with professional

standards and applicable legal/regulatory requirements). Audit firm should obtain an external

peer review at least once every 3 years

Fieldwork Standards - PIC + APPEND {Need to APPEND the Yellow Book to the Field PIC!}

where, APPEND = few requirements in addition to GAAS when performing financial audits:

• Additional auditor considerations for GAGAS financial audits -

� Materiality - Considerations in addition to GAAS may apply. E.g., In GAGAS audits, auditor

may find it appropriate to use lower materiality levels due to public accountability of the

entity, legal/regulatory requirements, and visibility/sensitivity of government programs

▪ Early Communication of Deficiencies - Especially for matters that are relatively significant and for which corrective follow-up action is urgent (e.g., when a control deficiency results in non-compliance or abuse). Additional GAGAS Reporting requirements {AICPA CD-VCD} still apply

• Pertinent info to be communicated - In addition to GAAS requirements, auditor should

communicate pertinent info (per auditor’s professional judgment) to individuals contracting for

or requesting the audit, and to cognizant legislative committees when auditor performs the

audit pursuant to a law/regulation, or conducts the work for the legislative committee

� This requirement does not apply if the law/regulation requiring an audit of F/S does not

specifically identify the entities to be audited (e.g., single audits)

• Previous audits/attest engagements - Auditor should evaluate whether the entity has taken

appropriate corrective action to address findings & recommendations from previous

audit/attest engagements that could have a material effect on the F/S

� Auditor should identify such info when planning the audit, and use it to assess audit risk and

determine the nature, extent and timing of current audit work

• Elements of a finding to be developed - Auditor should plan & perform procedures to develop

the following elements of findings (e.g., I/C deficiency, non-compliance):

� Condition - Situation that exists

� Criteria - Required/desired state. E.g., I/C standards, laws/regulations, benchmarks

� Cause - Reason for difference between “condition” & “criteria”. E.g., Poorly designed I/C

� Effect or potential effect - Impact or potential impact of the difference between

“condition” & “criteria”. Demonstrates need for corrective action

• Non-compliance, Fraud & Abuse - Auditor should extend GAAS requirements to:

� Consider compliance with contracts or grant agreements (not just with laws/regulation)

� Consider occurrence of abuse - e.g., misuse of authority for personal financial interests. Not

required to detect abuse as these are subjective; however, if auditor becomes aware of

abuse that could be material to F/S, need to perform additional testing

� Avoid interference with or compromising an ongoing investigative or legal proceeding

• Documentation - Auditor should comply with the following additional requirements:

� Document supervisory review, before the report release date, of the evidence that supports

the findings, conclusions, and recommendations in the auditor’s report

� Document any departures from GAGAS requirements (due to laws/regulation, scope

limitation, etc.) and the impact of the same on the audit & on auditor’s conclusions


Reporting Standards = ACDE + AICPA CD-VCD

{Remember you still are AICPA’s auditors albeit with CDs & VCDs!}

where, AICPA = reports required per GAGAS

• Audit Report per GAGAS - Opinion on F/S; include a statement in the auditor’s report that audit

was performed in accordance with GAGAS

• Report on ICFR (Internal Control over Financial Reporting)

▪ Report any significant deficiencies or material weaknesses in I/C identified by the auditor

� Note:

⇒ GAAS audit - Report on ICFR “only” when auditor identified significant deficiencies &

material weaknesses in I/C

⇒ GAGAS audit - Report on ICFR is always required whether or not auditor identifies such

deficiencies

▪ May be included along with the Report on Compliance {CPA of AICPA}, or a separate report; if separate, need to refer to the Report on Compliance

� No opinion required - Does not require auditor to express opinion on ICFR (as would be

required in an integrated audit per GAAS / PCAOB AS)

⇒ Auditor only needs to describe the scope of auditor’s testing and any findings

• Report on Compliance with Provisions of laws/regulations and Contracts/Grant Agreements

� Report on:

⇒ Fraud & non-compliance with provisions of laws/regulations that have a material effect

on F/S and any other instances that warrant attention of TCWG

⇒ Non-compliance with provisions of contracts or grant agreements that has a material

effect on F/S

⇒ Abuse that is material (quantitatively/qualitatively)

� Report on Compliance is always required whether or not auditor identifies non-compliance

▪ May be included along with the Report on ICFR {I of AICPA}, or a separate report; if separate, need to refer to the Report on ICFR

� No opinion required - Does not require auditor to express opinion on compliance

⇒ Auditor only needs to describe the scope of auditor’s testing and any findings


Auditor Reporting Requirements

GAAS Audit

• Audit Report on F/S (opinion)

• No Report on I/C unless significant deficiencies are identified

• No Report on Compliance

GAGAS Audit = GAAS++

• Audit Report on F/S (opinion)

• Report on ICFR (no opinion required)

• Report on Compliance (no opinion required)


where, CD-VCD = additional reporting requirements per GAGAS

• Communicating Deficiencies in Internal Control / Non-compliance, Fraud & Abuse

� Communicate I/C significant deficiencies & material weaknesses on ICFR Report {AICPA}

Communicate material Non-compliance, Fraud & Abuse in Compliance Report {AICPA}

ICFR Report / Compliance Report | Communicate in writing (required) | Communicate per Auditor’s Judgment

Deficiencies in ICFR

Material Weaknesses �

Significant Deficiencies �

Other Deficiencies �

Fraud & Non-compliance with Provisions of laws/regulation

Material Effect on F/S �

Not material but warrants TCWG’s attention �

Does not warrant TCWG’s attention �

Noncompliance with provisions of contracts and grant agreements

Material Effect on F/S �

Not material but warrants TCWG’s attention �

Does not warrant TCWG’s attention �

Abuse

Material �

Not material but warrants TCWG’s attention �

Does not warrant TCWG’s attention �

⇒ Note: If there is an ongoing investigative or legal proceeding - Consult with authorities

or legal counsel and limit public reporting to matters that would not compromise the

proceeding (e.g., report only on info that is already a part of the public record)

� Findings to be presented in the Auditor’s Report(s) on ICFR & Compliance (or the Report(s)

may refer to a separate schedule of findings). Include:

⇒ Previous year’s engagements’ findings/deficiencies not yet remediated

⇒ Elements of the findings

⇒ Description of the nature & extent of issues being reported (e.g., $ value) and extent of

work performed that resulted in the finding

� Pertinent info/findings to be communicated directly to parties outside the entity:

⇒ If management fails to report such info to external parties per law/regulation - Auditor

first communicates failure to report to TCWG. If entity still does not do the needful, then

auditor should report directly to specified external parties

⇒ If management fails to respond timely & appropriately to non-compliance, fraud or

abuse and involves funding received directly/indirectly from a government agency -

Auditor first communicates failure to report to TCWG. If entity still does not do the

needful, then auditor should report directly to the funding agency


• Views/comments from responsible officials of the entity to be reported -

▪ If Report on ICFR discloses deficiencies in I/C and/or Report on Compliance discloses non-compliance, fraud or abuse, auditor should have:

⇒ Provided a draft report with findings to the responsible officials of the entity

⇒ Obtained their views/comments on auditor’s findings, conclusions & recommendations,

as well as any planned corrective actions. Written is preferred; but sometimes oral is ok

(e.g., reporting deadline, officials already know, auditor expects officials to agree)

⇒ Included the views/comments on the auditor’s report along with auditor’s evaluation of

comments (as appropriate)

� Few scenarios in terms of views/comments of responsible officials:

⇒ Written comments received - Include in the auditor’s report (as a copy or summary)

⇒ Oral comments received - Auditor should prepare a summary of the comments and provide a copy of the same to the responsible officials (to verify accuracy)

⇒ Comments are inconsistent or in conflict with auditor’s findings, conclusions or

recommendations - Auditor should evaluate the validity of the entity’s comments, and

- If auditor disagrees with entity’s comments, explain reasons on the auditor’s report

- If auditor agrees with entity’s comments, modify the auditor’s report as necessary

⇒ Comments not received (e.g., entity refused or was unable to provide it timely) - Auditor

may issue the report without the comments but should indicate in the report that the

entity did not provide comments

• Confidential and Sensitive Info - If needed to be excluded from auditor’s report, auditor should

disclose in the report that certain info has been omitted (along with reasons)

� Auditor may issue a separate limited use report containing such info and distribute the

report only to persons authorized by law or regulation to receive it

� When circumstances call for omission of certain info, auditors should evaluate whether this

omission could distort the audit results or conceal improper or illegal practices

• Distributing Reports -

� Auditors of government entities should distribute auditor’s reports to:

⇒ appropriate entity officials,

⇒ TCWG,

⇒ appropriate oversight bodies or organizations requiring or arranging for the audits,

⇒ other officials who have legal oversight authority or who may be responsible for acting

on audit findings and recommendations, and

⇒ others authorized to receive such reports

� Auditor should clarify report distribution responsibilities with the engaging party

� Auditors should document any limitation on report distribution

� Internal audit organizations in government entities may also follow the Institute of Internal

Auditors (IIA) International Standards for the Professional Practice of Internal Auditing

⇒ Head of internal audit should communicate results to the parties who can ensure that

the results are given due consideration

⇒ If the above is not otherwise mandated by statutory/regulatory requirements, prior to releasing results to parties outside the organization, the head of internal audit should:

- Assess the potential risk to the entity,

- Consult with senior management or legal counsel (as appropriate), and

- Control dissemination by indicating the intended users in the report


� Sample GAGAS Reports:

• Report on F/S Audit {A of AICPA}


Independent Auditor’s Report

[Appropriate Addressee]

Report on the Financial Statements

We have audited the accompanying financial statements of the governmental activities, the business-type activities,

the aggregate discretely presented component units, each major fund, and the aggregate remaining fund

information of the City of XYZ, Any State, as of and for the year ended June 30, 20X1, and the related notes to the

financial statements, which collectively comprise the City of XYZ’s basic financial statements as listed in the table of

contents.

Management’s Responsibility for the Financial Statements

Management is responsible for the preparation and fair presentation of these financial statements in accordance

with accounting principles generally accepted in the United States of America; this includes the design,

implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial

statements that are free from material misstatement, whether due to fraud or error.

Auditor’s Responsibility

Our responsibility is to express opinions on these financial statements based on our audit. We conducted our audit in

accordance with auditing standards generally accepted in the United States of America and the standards applicable

to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United

States. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether

the financial statements are free from material misstatement.

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial

statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of

material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments,

the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial

statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of

expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of

significant accounting estimates made by management, as well as evaluating the overall presentation of the financial

statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit

opinions.

Opinions

In our opinion, the financial statements referred to above present fairly, in all material respects, the respective

financial position of the governmental activities, the business-type activities, the aggregate discretely presented

component units, each major fund, and the aggregate remaining fund information of the City of XYZ, Any State, as of

June 30, 20X1, and the respective changes in financial position and, where applicable, cash flows thereof for the year

then ended in accordance with accounting principles generally accepted in the United States of America.

Other Matters

[E.g., Relating to Required Supplementary Information]

Other Reporting Required by Government Auditing Standards

In accordance with Government Auditing Standards, we have also issued our report dated [date of report] on our

consideration of the City of XYZ's internal control over financial reporting and on our tests of its compliance with

certain provisions of laws, regulations, contracts, and grant agreements and other matters. The purpose of that

report is solely to describe the scope of our testing of internal control over financial reporting and compliance and

the results of that testing, and not to provide an opinion on the effectiveness of the City of XYZ's internal control over

financial reporting or on compliance. That report is an integral part of an audit performed in accordance with

Government Auditing Standards in considering City of XYZ’s internal control over financial reporting and compliance.

[Auditor’s signature | Auditor’s City & State | Date of auditor’s report]


• Report on ICFR & Compliance {ICPA of AICPA}

Independent Auditor’s Report

[Appropriate Addressee]

We have audited, in accordance with the auditing standards generally accepted in the United States of America and

the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller

General of the United States, the financial statements of the governmental activities, the business-type activities, the

aggregate discretely presented component units, each major fund, and the aggregate remaining fund information of

XYZ Entity, as of and for the year ended June 30, 20X1, and the related notes to the financial statements, which

collectively comprise XYZ Entity’s basic financial statements, and have issued our report thereon dated August 15,

20X1.

Internal Control Over Financial Reporting

In planning and performing our audit of the financial statements, we considered XYZ Entity's internal control over

financial reporting (internal control) to determine the audit procedures that are appropriate in the circumstances for

the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion

on the effectiveness of XYZ Entity’s internal control. Accordingly, we do not express an opinion on the effectiveness

of XYZ Entity’s internal control.

A deficiency in internal control exists when the design or operation of a control does not allow management or

employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,

misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal

control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements

will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or a

combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to

merit attention by those charged with governance.

Our consideration of internal control was for the limited purpose described in the first paragraph of this section and

was not designed to identify all deficiencies in internal control that might be material weaknesses or significant

deficiencies. Given these limitations, during our audit we did not identify any deficiencies in internal control that we

consider to be material weaknesses. However, material weaknesses may exist that have not been identified.

Compliance and Other Matters

As part of obtaining reasonable assurance about whether XYZ Entity's financial statements are free from material

misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant

agreements, noncompliance with which could have a direct and material effect on the determination of financial

statement amounts. However, providing an opinion on compliance with those provisions was not an objective of our

audit, and accordingly, we do not express such an opinion. The results of our tests disclosed no instances of

noncompliance or other matters that are required to be reported under Government Auditing Standards.

Purpose of this Report

The purpose of this report is solely to describe the scope of our testing of internal control and compliance and the

results of that testing, and not to provide an opinion on the effectiveness of the entity’s internal control or on

compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards

in considering the entity’s internal control and compliance. Accordingly, this communication is not suitable for any

other purpose.

[Auditor’s signature | Auditor’s City & State | Date of auditor’s report]

ICPA = No opinions required (GAGAS)

II) Single Audit

▪ “Single Audit” - Applicable to non-federal entities (includes state/local governments, not-for-profit entities, etc.) that expend $750,000 or more of federal awards in a fiscal year

• Audit conducted pursuant to the Single Audit Act (as amended), which gives authority to the Director of the Office of Management and Budget (OMB) to set the guidelines for single audits.

▪ Most recent OMB regulation issued for this purpose is Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (“Uniform Guidance”)

• Requires a “single” audit (instead of multiple audits of various programs)

▪ Ensures consistency and uniformity for such audits

▪ Improves effectiveness of audits of federal awards (and reduces audit burden)

• Applies to both recipients (e.g., City receives funds from Fed) and sub-recipients (e.g., City receives funds from State which receives funds from Fed)

• Scope of the Single Audit in addition to GAGAS:

▪ SEFA (Schedule of Expenditures of Federal Awards) - Must be for the same period as F/S

▪ Compliance - In addition to GAGAS requirements, auditor must determine whether the entity has complied with Federal statutes, regulations, and the terms & conditions of Federal awards that may have a direct & material effect on each of its major programs.

⇒ Compliance testing must include tests of transactions and such other auditing procedures necessary to provide the auditor sufficient appropriate audit evidence to support an opinion on compliance

▪ I/C - In addition to GAGAS requirements, auditor must obtain an understanding of I/C over major Federal programs, test I/C over compliance for major programs and report any significant deficiency or material weakness in I/C

⇒ Auditor not required to test I/C likely to be ineffective, but must consider if additional compliance tests are required

▪ Materiality - Consider separately for each major program, not just for F/S taken as a whole (per GAAS/GAGAS, materiality considered in relation to F/S taken as a whole)

▪ Previous audit engagements - Entity is responsible for follow-up and corrective action on all audit findings, and must prepare a summary schedule of prior audit findings to report status of all audit findings included in prior audit’s Schedule of Findings & Questioned Costs

⇒ Auditor follow-up - Required on this summary schedule of prior audit findings; auditor needs to report if the schedule was materially misrepresented by the entity

• Audit Documentation - Auditor must retain audit documentation & reports for a minimum of 3 years after the date of issuance of the auditor’s report(s)

▪ Alternative to Single Audit: Program-specific audit -

• Auditor audits F/S of Federal program per GAGAS (and not F/S of the entity taken as a whole)

▪ Program-specific audit guides available to provide specific guidance to the auditor with respect to I/C, compliance requirements, suggested audit procedures, and audit reporting requirements. If a program-specific guide is not available, auditor has basically the same responsibilities for the Federal program as for an audit of a major program in a single audit

• Allowed when:

▪ Entity expends Federal awards under only one Federal program (excluding R&D), and

▪ Terms of the Federal award do not require an F/S audit

“Single” Audit for entity & major programs if Fed assistance > $750K


▪ Reporting requirements for “Single Audits” {AICPA’s auditors now with SCI-Fi CDs & VCDs!}

Reports required per GAGAS: {AICPA}

• Audit Report per GAGAS

• Report on ICFR (Internal Control over Financial Reporting)

▪ Refer to “Fi” (Schedule of Findings & Questioned Costs)

• Report on Compliance with Provisions of laws/regulations and Contracts/Grant Agreements

▪ Refer to “Fi” (Schedule of Findings & Questioned Costs)

Additional Reports required for Single Audits: {SCI-Fi}

• Schedule of Expenditures of Federal Awards (SEFA Report)

▪ Opinion as to whether the schedule is fairly stated in relation to the F/S as a whole

• Report on Compliance for each major program and a report on I/C over compliance

▪ Compliance for each major program - Opinion required on compliance with Federal statutes, regulations, and terms & conditions of Federal awards which could have a direct & material effect on each major program

▪ I/C over compliance - No opinion required; auditor only needs to describe the scope of auditor’s testing and report any significant deficiencies or material weaknesses

▪ Refer to “Fi” (Schedule of Findings & Questioned Costs)

• Schedule of Findings & Questioned Costs

▪ Summary of Auditor’s results

▪ Findings relating to the Audit of F/S per GAGAS

▪ Findings & Questioned costs for Federal awards


Auditor Reporting Requirements

GAAS Audit

• Audit Report on F/S (opinion)

• No Report on I/C unless significant deficiencies or material weaknesses are identified

• No Report on Compliance

GAGAS Audit = GAAS++

• Audit Report on F/S (opinion)

• ICFR Report (no opinion required)

• Compliance Report (no opinion required)

Single Audit = GAGAS++

• Audit Report on F/S (opinion)

• ICFR Report (no opinion required)

• Compliance Report (no opinion required)

• Schedule of Expenditures of Federal Awards (opinion)

• Compliance Report for each major program (opinion) + I/C over Compliance Report (no opinion required)

• Findings & Questioned Costs Schedule


▪ Major Program determination - Auditor to use “risk-based approach” to determine which Federal programs are “major” programs

• Considerations:

▪ Current and prior audit experience

▪ Oversight by Federal agencies and pass-through entities

▪ Inherent risk of the Federal program

• 4-step process to be followed:

▪ Step 1: Identify Type A programs (generally, if $750K or more expended); all others labeled Type B programs

▪ Step 2: Identify Type A programs which are “low-risk programs” if

⇒ Audited as a major program in at least one of the last 2 audit periods, and

⇒ In the most recent audit period, the program had unmodified opinion on compliance, no material weaknesses in I/C over compliance, and known/likely questioned costs of <= 5% of award expended

▪ Step 3: Identify Type B programs which are “high risk programs” using professional judgment & specified criteria

▪ Step 4: At a minimum, the auditor must audit all of the following as major programs:

⇒ All Type A programs not identified as low risk under Step 2

⇒ All Type B programs identified as high-risk under Step 3

• Percentage of coverage rule -

▪ If the entity meets the criteria for a “low-risk auditee”, auditor needs to audit only the major programs identified in Step 4 (and any additional Federal programs) such that all major programs encompass at least 20% of total Federal awards expended

⇒ For other entities, all major programs need to encompass at least 40% of total Federal awards expended

▪ Criteria for a “low-risk auditee”

⇒ Single audits were performed on an annual basis for 2 years

⇒ Opinion on F/S and SEFA = Unmodified opinion

⇒ No material weaknesses in ICFR identified per GAGAS

⇒ No going concern issues reported by auditor

⇒ Type A programs had unmodified opinion on compliance, no material weaknesses in I/C over compliance, and known/likely questioned costs of <= 5% of award expended

Compliance of each “Major” program = AICPA S C I - Fi


▪ Sample Single Audit Report on Compliance for each major program & Report on I/C over compliance:

Independent Auditor’s Report

[Appropriate Addressee]

Report on Compliance for Each Major Federal Program

We have audited XYZ Entity’s compliance with the types of compliance requirements described in the OMB Compliance

Supplement that could have a direct and material effect on each of XYZ Entity’s major federal programs for the year ended

June 30, 20X1. XYZ Entity’s major federal programs are identified in the summary of auditor’s results section of the

accompanying schedule of findings and questioned costs.

Management’s Responsibility

Management is responsible for compliance with federal statutes, regulations, and the terms and conditions of its federal

awards applicable to its federal programs.

Auditor’s Responsibility

Our responsibility is to express an opinion on compliance for each of XYZ Entity’s major federal programs based on our

audit of the types of compliance requirements referred to above. We conducted our audit of compliance in accordance

with auditing standards generally accepted in the United States of America; the standards applicable to financial audits

contained in Government Auditing Standards, issued by the Comptroller General of the United States; and the audit

requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles,

and Audit Requirements for Federal Awards (Uniform Guidance). Those standards and the Uniform Guidance require that

we plan and perform the audit to obtain reasonable assurance about whether noncompliance with the types of compliance

requirements referred to above that could have a direct and material effect on a major federal program occurred. An audit

includes examining, on a test basis, evidence about XYZ Entity’s compliance with those requirements and performing such

other procedures as we considered necessary in the circumstances.

We believe that our audit provides a reasonable basis for our opinion on compliance for each major federal program.

However, our audit does not provide a legal determination of XYZ Entity’s compliance.

Opinion on Each Major Federal Program

In our opinion, XYZ Entity complied, in all material respects, with the types of compliance requirements referred to above

that could have a direct and material effect on each of its major federal programs for the year ended June 30, 20X1.

Report on Internal Control Over Compliance

Management of XYZ Entity is responsible for establishing and maintaining effective internal control over compliance with

the types of compliance requirements referred to above. In planning and performing our audit of compliance, we

considered XYZ Entity’s internal control over compliance with the types of requirements that could have a direct and

material effect on each major federal program to determine the auditing procedures that are appropriate in the

circumstances for the purpose of expressing an opinion on compliance for each major federal program and to test and

report on internal control over compliance in accordance with the Uniform Guidance, but not for the purpose of expressing

an opinion on the effectiveness of internal control over compliance. Accordingly, we do not express an opinion on the

effectiveness of XYZ Entity’s internal control over compliance.

A deficiency in internal control over compliance exists when the design or operation of a control over compliance does not

allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and

correct, noncompliance with a type of compliance requirement of a federal program on a timely basis. A material weakness

in internal control over compliance is a deficiency, or a combination of deficiencies, in internal control over compliance,

such that there is a reasonable possibility that material noncompliance with a type of compliance requirement of a federal

program will not be prevented, or detected and corrected, on a timely basis. A significant deficiency in internal control over

compliance is a deficiency, or a combination of deficiencies, in internal control over compliance with a type of compliance

requirement of a federal program that is less severe than a material weakness in internal control over compliance, yet

important enough to merit attention by those charged with governance.

Our consideration of internal control over compliance was for the limited purpose described in the first paragraph of this

section and was not designed to identify all deficiencies in internal control over compliance that might be material

weaknesses or significant deficiencies. We did not identify any deficiencies in internal control over compliance that we

consider to be material weaknesses. However, material weaknesses may exist that have not been identified.

The purpose of this report on internal control over compliance is solely to describe the scope of our testing of internal

control over compliance and the results of that testing based on the requirements of the Uniform Guidance. Accordingly,

this report is not suitable for any other purpose.

[Auditor’s signature | Auditor’s City & State | Date of auditor’s report]


▪ Schedule of findings and questioned costs - Must include:

• Summary of the auditor’s results

▪ Audit of F/S - type of opinion issued

▪ ICFR Report - if audit detected any significant deficiencies or material weaknesses in I/C

▪ Compliance Report - if audit detected any non-compliance that is material to F/S

▪ Regarding Major programs:

⇒ Identification/listing of major programs; however, in case of a cluster of programs, only the cluster name as shown on Schedule of Expenditures of Federal Awards is required

⇒ Dollar threshold used to distinguish between Type A and Type B programs

⇒ Compliance Report on each major program - Type of opinion issued

⇒ I/C over Compliance - if audit detected significant deficiencies or material weaknesses in I/C over compliance for major programs

⇒ Statement as to whether the auditee qualified as a low-risk auditee

▪ Statement as to whether the audit disclosed any Findings & Questioned costs for Federal awards that the auditor is required to report

• Findings relating to the Audit of F/S per GAGAS

• Findings & Questioned costs for Federal awards - Include findings in sufficient detail/clarity

▪ Relating to Compliance of each major program and I/C over compliance:

⇒ Material non-compliance with provisions of Federal statutes, regulations, or terms & conditions of Federal awards related to a major program

⇒ Also, circumstances concerning why the auditor’s report on compliance for each major program is other than an unmodified opinion, if applicable

⇒ Known or likely fraud affecting a Federal award

⇒ Significant deficiencies and material weaknesses in I/C over major programs and significant instances of abuse relating to major programs

▪ Questioned costs:

⇒ Known questioned costs > $25K for any compliance requirement for a major program

- Known questioned costs are those specifically identified by the auditor. However, note that in evaluating the effect of questioned costs on the opinion on compliance, the auditor considers the best estimate of total costs questioned (likely questioned costs), not just the questioned costs specifically identified (known questioned costs)

⇒ Known questioned costs > $25K for a Federal program not audited as a major program

- Except for Audit follow-up, auditor is not required to perform audit procedures for a program that is not audited as a major program; therefore, the auditor is less likely to find questioned costs for such programs

▪ Previous audit engagements - Instances where the auditor detects that the summary schedule of prior audit findings prepared by the entity was materially misrepresented
