AT Section 601

Compliance Attestation

Summary Table of Contents 
Source: SSAE No. 10.
Effective when the subject matter or assertion is as of or for a period ending on or after June 1, 2001. Earlier application is permitted.

Introduction and Applicability

.01

This section provides guidance for engagements related to either (a) an entity's compliance with requirements of specified laws, regulations, rules, contracts, or grants or (b) the effectiveness of an entity's internal control over compliance with specified requirements.fn 1 Compliance requirements may be either financial or nonfinancial in nature. An attest engagement conducted in accordance with this section should comply with the general, fieldwork, and reporting standards in section 101, Attest Engagements, and the specific standards set forth in this section.

[The following note was added and is effective as of December 31, 2016. See  PCAOB Release No. 2015-002.]   

Note: In connection with an engagement performed in accordance with this attestation standard, whenever the practitioner is required to make reference in a report to attestation standards established by the American Institute of Certified Public Accountants, the practitioner must instead refer to "the standards of the Public Company Accounting Oversight Board (United States)." A practitioner must also include the city and state (or city and country, in the case of non-U.S. practitioners) from which the practitioner's report has been issued.

.02

This section does not—

  1. Affect the auditor's responsibility in an audit of financial statements performed in accordance with generally accepted auditing standards (GAAS).
    [The following items b - d are effective as of December 31, 2016. See PCAOB Release No. 2015-002. Items b - d effective before December 31, 2016, can be found  here.] 
  2. Apply to situations in which an auditor reports on specified compliance requirements based solely on an audit of financial statements, as addressed in paragraphs .19 through .21 of AS 3305, Special Reports
  3. Apply to engagements for which the objective is to report in accordance with AS 6110, Compliance Auditing Considerations in Audits of Recipients of Governmental Financial Assistance, unless the terms of the engagement specify an attest report under this section.
  4. Apply to engagements covered by AS 6101, Letters for Underwriters and Certain Other Requesting Parties.
    [The following item e is effective for audits of fiscal years ending on or after June 1, 2014. See PCAOB Release No. 2013-007. Item e effective for audits of fiscal years ending before June 1, 2014, can be found  here.]
  5. Apply to examination engagements of brokers and dealers covered by Attestation Standard No. 1, Examination Engagements Regarding Compliance Reports of Brokers and Dealers.[fn 2]

.03

A report issued in accordance with the provisions of this section does not provide a legal determination of an entity's compliance with specified requirements. However, such a report may be useful to legal counsel or others in making such determinations. 

Scope of Services

.04

The practitioner may be engaged to perform agreed-upon procedures to assist users in evaluating the following subject matter (or assertions related thereto)—

  1. The entity's compliance with specified requirements
  2. The effectiveness of the entity's internal control over compliancefn 3
  3. Both the entity's compliance with specified requirements and the effectiveness of the entity's internal control over compliance

The practitioner also may be engaged to examine the entity's compliance with specified requirements or a written assertion thereon.

.05

An important consideration in determining the type of engagement to be performed is expectations by users of the practitioner's report. Since the users decide the procedures to be performed in an agreed-upon procedures engagement, it often will be in the best interests of the practitioner and users (including the client) to have an agreed-upon procedures engagement rather than an examination engagement. When deciding whether to accept an examination engagement, the practitioner should consider the risks discussed in paragraphs .31 through .35.

[The following paragraph is effective for audits of fiscal years ending on or after June 1, 2014. See PCAOB Release No. 2013-007. The paragraph effective for audits of fiscal years ending before June 1, 2014, can be found  here.]

.06

A practitioner may be engaged to examine the effectiveness of the entity's internal control over compliance or an assertion thereon. However, in accordance with section 101, the practitioner cannot accept an engagement unless he or she has reason to believe that the subject matter is capable of reasonably consistent evaluation against criteria that are suitable and available to users.fn 4 If a practitioner determines that such criteria do exist for internal control over compliance, he or she should perform the engagement in accordance with section 101.

[The following paragraph is effective for audits of fiscal years ending on or after June 1, 2014. See PCAOB Release No. 2013-007. The paragraph for audits of fiscal years ending before June 1, 2014, can be found  here.]

.07

When a practitioner is engaged to perform a review of statements made by a broker or dealer in an exemption report that is prepared pursuant to SEC Rule 17a-5, the practitioner must conduct the review engagement pursuant to Attestation Standard No. 2, Review Engagements Regarding Exemption Reports of Brokers and Dealers.

.08

The practitioner may be engaged to provide other types of services in connection with the entity's compliance with specified requirements or the entity's internal control over compliance. For example, management may engage the practitioner to provide recommendations on how to improve the entity's compliance or related internal control. A practitioner engaged to provide such nonattest services should refer to the guidance in CS section 100, Consulting Services: Definitions and Standards.

Conditions for Engagement Performance

.09

A practitioner may perform an agreed-upon procedures engagement related to an entity's compliance with specified requirements or the effectiveness of internal control over compliance if the following conditions are met.

  1. The responsible party accepts responsibility for the entity's compliance with specified requirements and the effectiveness of the entity's internal control over compliance.
  2. The responsible party evaluates the entity's compliance with specified requirements or the effectiveness of the entity's internal control over compliance.
  3. See also section 201, Agreed-Upon Procedures Engagements.

.10

A practitioner may perform an examination engagement related to an entity's compliance with specified requirements if the following conditions are met.

  1. The responsible party accepts responsibility for the entity's compliance with specified requirements and the effectiveness of the entity's internal control over compliance.
  2. The responsible party evaluates the entity's compliance with specified requirements.
  3. Sufficient evidential matter exists or could be developed to support management's evaluation.

.11

As part of engagement performance, the practitioner should obtain from the responsible party a written assertion about compliance with specified requirements or internal control over compliance. The responsible party may present its written assertion in either of the following:

  1. A separate report that will accompany the practitioner's report
  2. A representation letter to the practitioner

.12

The responsible party's written assertion about compliance with specified requirements or internal control over compliance may take many forms. Throughout this section, for example, the phrase "responsible party's assertion that W Company complied with [ specify compliance requirement] as of [date]," illustrates such an assertion. Other phrases may also be used. However, a practitioner should not accept an assertion that is so subjective (for example, "very effective" internal control over compliance) that people having competence in and using the same or similar criteria would not ordinarily be able to arrive at similar conclusions.

.13

Regardless of whether the practitioner's client is the responsible party, the responsible party's refusal to furnish a written assertion as part of an examination engagement should cause the practitioner to withdraw from the engagement. However, an exception is provided if an examination of an entity's compliance with specified requirements is required by law or regulation. In that instance, the practitioner should disclaim an opinion on compliance unless he or she obtains evidential matter that warrants expressing an adverse opinion. If the practitioner expresses an adverse opinion and the responsible party does not provide an assertion, the practitioner's report should be restricted as to use. (See section 101.78-.81.) If, as part of an agreed-upon procedures engagement, the practitioner's client is the responsible party, a refusal by that party to provide an assertion requires the practitioner to withdraw from the engagement. However, withdrawal is not required if the engagement is required by law or regulation. If, in an agreed-upon procedures engagement, the practitioner's client is not the responsible party, the practitioner is not required to withdraw but should consider the effects of the responsible party's refusal on the engagement and his or her report.

.14

Additionally, at the beginning of the engagement, the practitioner may want to consider discussing with the client and the responsible party the need for the responsible party to provide the practitioner with a written representation letter at the conclusion of the examination engagement or an agreed-upon procedures engagement in which the client is the responsible party. In that letter, the responsible party will be asked to provide, among other possible items, an acknowledgment of their responsibility for establishing and maintaining effective internal control over compliance and their assertion stating their evaluation of the entity's compliance with specified requirements. The responsible party's refusal to furnish these representations (see paragraphs .68 through .70) will constitute a limitation on the scope of the engagement.

Responsible Party

.15

The responsible party is responsible for ensuring that the entity complies with the requirements applicable to its activities. That responsibility encompasses the following.

  1. Identify applicable compliance requirements.
  2. Establish and maintain internal control to provide reasonable assurance that the entity complies with those requirements.
  3. Evaluate and monitor the entity's compliance.
  4. Specify reports that satisfy legal, regulatory, or contractual requirements.

The responsible party's evaluation may include documentation such as accounting or statistical data, entity policy manuals, accounting manuals, narrative memoranda, procedural write-ups, flowcharts, completed questionnaires, or internal auditors' reports. The form and extent of documentation will vary depending on the nature of the compliance requirements and the size and complexity of the entity. The responsible party may engage the practitioner to gather information to assist it in evaluating the entity's compliance. Regardless of the procedures performed by the practitioner, the responsible party must accept responsibility for its assertion and must not base such assertion solely on the practitioner's procedures.

Agreed-Upon Procedures Engagement

.16

The objective of the practitioner's agreed-upon procedures is to present specific findings to assist users in evaluating an entity's compliance with specified requirements or the effectiveness of an entity's internal control over compliance based on procedures agreed upon by the users of the report. A practitioner engaged to perform agreed-upon procedures on an entity's compliance with specified requirements or about the effectiveness of an entity's internal control over compliance should follow the guidance set forth herein and in section 201.

.17

The practitioner's procedures generally may be as limited or as extensive as the specified users desire, as long as the specified users (a) agree upon the procedures performed or to be performed and (b) take responsibility for the sufficiency of the agreed-upon procedures for their purposes. (See section 201.15.)

.18

To satisfy the requirements that the practitioner and the specified users agree upon the procedures performed or to be performed and that the specified users take responsibility for the sufficiency of the agreed-upon procedures for their purposes, ordinarily the practitioner should communicate directly with and obtain affirmative acknowledgment from each of the specified users. For example, this may be accomplished by meeting with the specified users or by distributing a draft of the anticipated report or a copy of an engagement letter to the specified users and obtaining their agreement. If the practitioner is not able to communicate directly with all of the specified users, the practitioner may satisfy these requirements by applying any one or more of the following or similar procedures.

  • Compare the procedures to be applied to written requirements of the specified users.
  • Discuss the procedures to be applied with appropriate representatives of the specified users involved.
  • Review relevant contracts with or correspondence from the specified users.

The practitioner should not report on an engagement when specified users do not agree upon the procedures performed or to be performed and do not take responsibility for the sufficiency of the procedures for their purposes. See section 201.36 for guidance on satisfying these requirements when the practitioner is requested to add other parties as specified parties after the date of completion of the agreed-upon procedures.

.19

In an engagement to perform agreed-upon procedures on an entity's compliance with specified requirements or about the effectiveness of an entity's internal control over compliance, the practitioner is required to perform only the procedures that have been agreed to by users.fn 5 However, prior to performing such procedures, the practitioner should obtain an understanding of the specified compliance requirements, as discussed in paragraph .20. (See section 201.)

.20

To obtain an understanding of the specified compliance requirements, a practitioner should consider the following:

  1. Laws, regulations, rules, contracts, and grants that pertain to the specified compliance requirements, including published requirements
  2. Knowledge about the specified compliance requirements obtained through prior engagements and regulatory reports
  3. Knowledge about the specified compliance requirements obtained through discussions with appropriate individuals within the entity (for example, the chief financial officer, internal auditors, legal counsel, compliance officer, or grant or contract administrators)
  4. Knowledge about the specified compliance requirements obtained through discussions with appropriate individuals outside the entity (for example, a regulator or a third-party specialist)

.21

When circumstances impose restrictions on the scope of an agreed-upon procedures engagement, the practitioner should attempt to obtain agreement from the users for modification of the agreed-upon procedures. When such agreement cannot be obtained (for example, when the agreed-upon procedures are published by a regulatory agency that will not modify the procedures), the practitioner should describe such restrictions in his or her report or withdraw from the engagement.

.22

The practitioner has no obligation to perform procedures beyond the agreed-upon procedures. However, if noncompliance comes to the practitioner's attention by other means, such information ordinarily should be included in his or her report.

.23

The practitioner may become aware of noncompliance that occurs subsequent to the period addressed by the practitioner's report but before the date of the practitioner's report. The practitioner should consider including information regarding such noncompliance in his or her report. However, the practitioner has no responsibility to perform procedures to detect such noncompliance other than obtaining the responsible party's representation about noncompliance in the subsequent period, as described in paragraph .68.

.24

The practitioner's report on agreed-upon procedures on an entity's compliance with specified requirements (or the effectiveness of an entity's internal control over compliance) should be in the form of procedures and findings. The practitioner's report should contain the following elements:

  1. A title that includes the word independent
  2. Identification of the specified parties
  3. Identification of the subject matter of the engagement (or management's assertion thereon), including the period or point in time addressed and a reference to the character of the engagementfn 6
  4. An identification of the responsible party
  5. A statement that the subject matter is the responsibility of the responsible party
  6. A statement that the procedures, which were agreed to by the specified parties identified in the report, were performed to assist the specified parties in evaluating the entity's compliance with specified requirements or the effectiveness of its internal control over compliance
  7. A statement that the agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants
  8. A statement that the sufficiency of the procedures is solely the responsibility of the specified parties and a disclaimer of responsibility for the sufficiency of those procedures
  9. A list of the procedures performed (or reference thereto) and related findings (The practitioner should not provide negative assurance. See section 201.24.)
  10. Where applicable, a description of any agreed-upon materiality limits (See section 201.25.)
  11. A statement that the practitioner was not engaged to and did not conduct an examination of the entity's compliance with specified requirements (or the effectiveness of an entity's internal control over compliance), a disclaimer of opinion thereon, and a statement that if the practitioner had performed additional procedures, other matters might have come to his or her attention that would have been reported
  12. A statement restricting the use of the report to the specified parties
  13. Where applicable, reservations or restrictions concerning procedures or findings as discussed in section 201.33, .35, .39, and .40
  14. Where applicable, a description of the nature of the assistance provided by the specialist as discussed in section 201.19-.21
  15. The manual or printed signature of the practitioner's firm
  16. The date of the report

.25

The following is an illustration of an agreed-upon procedures report on an entity's compliance with specified requirements in which the procedures and findings are enumerated rather than referenced.

Independent Accountant's Report on Applying Agreed-Upon Procedures

We have performed the procedures enumerated below, which were agreed to by [list specified parties], solely to assist the specified parties in evaluating [name of entity]'s compliance with [list specified requirements] during the [period] ended [date].fn 7 Management is responsible for [name of entity]'s compliance with those requirements. This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. The sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose.

[Include paragraphs to enumerate procedures and findings.]

We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on compliance. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.

This report is intended solely for the information and use of [list or refer to specified parties] and is not intended to be and should not be used by anyone other than these specified parties.

[Signature]

[Date]

.26

Evaluating compliance with certain requirements may require interpretation of the laws, regulations, rules, contracts, or grants that establish those requirements. In such situations, the practitioner should consider whether he or she is provided with the suitable criteria required to evaluate an assertion under the third general attestation standard. If these interpretations are significant, the practitioner may include a paragraph stating the description and the source of interpretations made by the entity's management. An example of such a paragraph, which should precede the procedures and findings paragraph(s), follows.

We have been informed that, under [name of entity]'s interpretation of [identify the compliance requirement], [explain the nature and source of the relevant interpretation].

.27

The following is an illustration of an agreed-upon procedures report on the effectiveness of an entity's internal control over compliance in which the procedures and findings are enumerated rather than referenced.

Independent Accountant's Report on Applying Agreed-Upon Procedures

We have performed the procedures enumerated below, which were agreed to by [list specified parties], solely to assist the specified parties in evaluating the effectiveness of [name of entity]'s internal control over compliance with [list specified requirements] as of [date].fn 8 Management is responsible for [name of entity]'s internal control over compliance with those requirements. This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. The sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose.

[Include paragraphs to enumerate procedures and findings.]

We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the effectiveness of internal control over compliance. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.

This report is intended solely for the information and use of [list or refer to specified parties] and is not intended to be and should not be used by anyone other than these specified parties.

[Signature]

[Date]

.28

In some agreed-upon procedures engagements, procedures may relate to both compliance with specified requirements and the effectiveness of internal control over compliance. In these engagements, the practitioner may issue one report that addresses both. For example, the first sentence of the introductory paragraph would state the following.

We have performed the procedures enumerated below, which were agreed to by [list users of report], solely to assist the users in evaluating [name of entity]'s compliance with [list specified requirements] during the [period] ended [date] and the effectiveness of [name of entity]'s internal control over compliance with the aforementioned compliance requirements as of [date].

.29

The date of completion of the agreed-upon procedures should be used as the date of the practitioner's report.

Examination Engagement

.30

The objective of the practitioner's examination procedures applied to an entity's compliance with specified requirements is to express an opinion on an entity's compliance (or assertion related thereto), based on the specified criteria. To express such an opinion, the practitioner accumulates sufficient evidence about the entity's compliance with specified requirements, thereby restricting attestation risk to an appropriately low level.

Attestation Risk

[The following paragraph is effective for fiscal years beginning on or after December 15, 2024. See PCAOB Release No. 2024-004. The paragraph effective for fiscal years beginning before December 15, 2024 can be found here.]

.31

In an engagement to examine compliance with specified requirements, the practitioner seeks to obtain reasonable assurance that the entity complied, in all material respects, based on the specified criteria. This includes designing the examination to detect both intentional and unintentional material noncompliance. Absolute assurance is not attainable because of factors such as the need for judgment,fn 8A the use of sampling, and the inherent limitations of internal control over compliance and because much of the evidence available to the practitioner is persuasive rather than conclusive in nature. Also, procedures that are effective for detecting noncompliance that is unintentional may be ineffective for detecting noncompliance that is intentional and concealed through collusion between personnel of the entity and a third party or among management or employees of the entity. Therefore, the subsequent discovery that material noncompliance exists does not, in and of itself, evidence inadequate planning, performance, or judgment on the part of the practitioner.

.32

Attestation risk is the risk that the practitioner may unknowingly fail to modify appropriately his or her opinion. It is composed of inherent risk, control risk, and detection risk. For purposes of a compliance examination, these components are defined as follows:

  1. Inherent risk—The risk that material noncompliance with specified requirements could occur, assuming there are no related controls
  2. Control risk—The risk that material noncompliance that could occur will not be prevented or detected on a timely basis by the entity's controls
  3. Detection risk—The risk that the practitioner's procedures will lead him or her to conclude that material noncompliance does not exist when, in fact, such noncompliance does exist

Inherent Risk

.33

In assessing inherent risk, the practitioner should consider factors affecting risk similar to those an auditor would consider when planning an audit of financial statements. Such factors are discussed in AS 2401, Consideration of Fraud in a Financial Statement Audit. In addition, the practitioner should consider factors relevant to compliance engagements, such as the following:

  • The complexity of the specified compliance requirements
  • The length of time the entity has been subject to the specified compliance requirements
  • Prior experience with the entity's compliance
  • The potential impact of noncompliance

Control Risk

.34

The practitioner should assess control risk as discussed in paragraphs .45 and .46. Assessing control risk contributes to the practitioner's evaluation of the risk that material noncompliance exists. The process of assessing control risk (together with assessing inherent risk) provides evidential matter about the risk that such noncompliance may exist. The practitioner uses this evidential matter as part of the reasonable basis for his or her opinion.

Detection Risk

.35

In determining an acceptable level of detection risk, the practitioner assesses inherent risk and control risk and considers the extent to which he or she seeks to restrict attestation risk. As assessed inherent risk or control risk decreases, the acceptable level of detection risk increases. Accordingly, the practitioner may alter the nature, timing, and extent of compliance tests performed based on the assessments of inherent risk and control risk.

Materiality

.36

In an examination of an entity's compliance with specified requirements, the practitioner's consideration of materiality differs from that of an audit of financial statements in accordance with GAAS. In an examination of an entity's compliance with specified requirements, the practitioner's consideration of materiality is affected by (a) the nature of the compliance requirements, which may or may not be quantifiable in monetary terms, (b) the nature and frequency of noncompliance identified with appropriate consideration of sampling risk, and (c) qualitative considerations, including the needs and expectations of the report's users.

.37

In a number of situations, the terms of the engagement may provide for a supplemental report of all or certain noncompliance discovered. Such terms should not change the practitioner's judgments about materiality in planning and performing the engagement or in forming an opinion on an entity's compliance with specified requirements or on the responsible party's assertion about such compliance.

Performing an Examination Engagement

.38

The practitioner should exercise (a) due care in planning, performing, and evaluating the results of his or her examination procedures and (b) the proper degree of professional skepticism to achieve reasonable assurance that material noncompliance will be detected.

.39

In an examination of the entity's compliance with specified requirements, the practitioner should—

  1. Obtain an understanding of the specified compliance requirements. (See paragraph .40.)
  2. Plan the engagement. (See paragraphs .41 through .44.)
  3. Consider relevant portions of the entity's internal control over compliance. (See paragraphs .45 through .47.)
  4. Obtain sufficient evidence including testing compliance with specified requirements. (See paragraphs .48 and .49.)
  5. Consider subsequent events. (See paragraphs .50 through .52.)
  6. Form an opinion about whether the entity complied, in all material respects, with specified requirements (or whether the responsible party's assertion about such compliance is fairly stated in all material respects), based on the specified criteria. (See paragraph .53.)

Obtaining an Understanding of the Specified Compliance Requirements

.40

A practitioner should obtain an understanding of the specified compliance requirements. To obtain such an understanding, a practitioner should consider the following:

  1. Laws, regulations, rules, contracts, and grants that pertain to the specified compliance requirements, including published requirements
  2. Knowledge about the specified compliance requirements obtained through prior engagements and regulatory reports
  3. Knowledge about the specified compliance requirements obtained through discussions with appropriate individuals within the entity (for example, the chief financial officer, internal auditors, legal counsel, compliance officer, or grant or contract administrators)
  4. Knowledge about the specified compliance requirements obtained through discussions with appropriate individuals outside the entity (for example, a regulator or third-party specialist)

Planning the Engagement

General Considerations

.41

Planning an engagement to examine an entity's compliance with specified requirements involves developing an overall strategy for the expected conduct and scope of the engagement. The practitioner should consider the planning matters discussed in section 101.42-.47.

Multiple Components

.42

In an engagement to examine an entity's compliance with specified requirements when the entity has operations in several components (for example, locations, branches, subsidiaries, or programs), the practitioner may determine that it is not necessary to test compliance with requirements at every component. In making such a determination and in selecting the components to be tested, the practitioner should consider factors such as the following:

  1. The degree to which the specified compliance requirements apply at the component level
  2. Judgments about materiality
  3. The degree of centralization of records
  4. The effectiveness of the control environment, particularly management's direct control over the exercise of authority delegated to others and its ability to supervise activities at various locations effectively
  5. The nature and extent of operations conducted at the various components
  6. The similarity of operations over compliance for different components

Using the Work of a Specialist

[The following paragraph is effective for audits of financial statements for fiscal years ending on or after December 15, 2020. See  PCAOB Release No. 2018-006. The paragraph effective for audits of financial statements for fiscal years ending before December 15, 2020, can be found here.]     

.43

In some compliance engagements, the nature of the specified compliance requirements may require specialized skill or knowledge in a particular field other than accounting or auditing. In such cases, the practitioner may use the work of a specialist and should comply with the requirements for using the work of specialists as set forth in PCAOB auditing standards.

Internal Audit Function

[The following paragraph is effective as of December 31, 2016. See PCAOB Release No. 2015-002. The paragraph effective before December 31, 2016, can be found here.]     

.44

Another factor the practitioner should consider when planning the engagement is whether the entity has an internal audit function and the extent to which internal auditors are involved in monitoring compliance with the specified requirements. A practitioner should consider the guidance in AS 2605, Consideration of the Internal Audit Function, when addressing the competence and objectivity of internal auditors, the nature, timing, and extent of work to be performed, and other related matters.

Consideration of Internal Control Over Compliance

.45

The practitioner should obtain an understanding of relevant portions of internal control over compliance sufficient to plan the engagement and to assess control risk for compliance with specified requirements. In planning the examination, such knowledge should be used to identify types of potential noncompliance, to consider factors that affect the risk of material noncompliance, and to design appropriate tests of compliance.

.46

A practitioner generally obtains an understanding of the design of specific controls by performing the following:

  1. Inquiries of appropriate management, supervisory, and staff personnel
  2. Inspection of the entity's documents
  3. Observation of the entity's activities and operations

The nature and extent of procedures a practitioner performs vary from entity to entity and are influenced by factors such as the following:

  • The newness and complexity of the specified requirements
  • The practitioner's knowledge of internal control over compliance obtained in previous professional engagements
  • The nature of the specified compliance requirements
  • An understanding of the industry in which the entity operates
  • Judgments about materiality

When seeking to assess control risk below the maximum, the practitioner should perform tests of controls to obtain evidence to support the assessed level of control risk.

[The following paragraph is effective as of December 31, 2016. See PCAOB Release No. 2015-002. The paragraph effective before December 31, 2016, can be found here.]     

.47

During the course of an examination engagement, the practitioner may become aware of significant deficiencies in the design or operation of internal control over compliance that could adversely affect the entity's ability to comply with specified requirements. A practitioner's responsibility to communicate these deficiencies in an examination of an entity's compliance with specified requirements is similar to the auditor's responsibility described in AS 1305, Communications About Control Deficiencies in an Audit of Financial Statements. If, in a multiple-party arrangement, the practitioner's client is not the responsible party, the practitioner has no responsibility to communicate reportable conditions to the responsible party. For example, if the practitioner is engaged by his or her client to examine the compliance of another entity, the practitioner has no obligation to communicate any reportable conditions that he or she becomes aware of to the other entity. However, the practitioner is not precluded from making such a communication.

Obtaining Sufficient Evidence

[The following paragraph is effective as of December 31, 2016. See PCAOB Release No. 2015-002. The paragraph effective before December 31, 2016, can be found here.]     

.48

The practitioner should apply procedures to provide reasonable assurance of detecting material noncompliance. Determining these procedures and evaluating the sufficiency of the evidence obtained are matters of professional judgment. When exercising such judgment, practitioners should consider the guidance contained in section 101.51-.54 and AS 2315, Audit Sampling.

.49

For engagements involving compliance with regulatory requirements, the practitioner's procedures should include reviewing reports of significant examinations and related communications between regulatory agencies and the entity and, when appropriate, making inquiries of the regulatory agencies, including inquiries about examinations in progress.

Consideration of Subsequent Events

[The following paragraph is effective as of December 31, 2016. See PCAOB Release No. 2015-002. The paragraph effective before December 31, 2016, can be found here.]      

.50

The practitioner's consideration of subsequent events in an examination of an entity's compliance with specified requirements is similar to the auditor's consideration of subsequent events in a financial statement audit, as outlined in AS 2801, Subsequent Events. The practitioner should consider information about such events that comes to his or her attention after the end of the period addressed by the practitioner's report and prior to the issuance of his or her report.

.51

Two types of subsequent events require consideration by the responsible party and evaluation by the practitioner. The first consists of events that provide additional information about the entity's compliance during the period addressed by the practitioner's report and may affect the practitioner's report. For the period from the end of the reporting period (or point in time) to the date of the practitioner's report, the practitioner should perform procedures to identify such events that provide additional information about compliance during the reporting period. Such procedures should include but may not be limited to inquiring about and considering the following information:

  • Relevant internal auditors' reports issued during the subsequent period
  • Other practitioners' reports identifying noncompliance, issued during the subsequent period
  • Regulatory agencies' reports on the entity's noncompliance, issued during the subsequent period
  • Information about the entity's noncompliance, obtained through other professional engagements for that entity

.52

The second type consists of noncompliance that occurs subsequent to the period being reported on but before the date of the practitioner's report. The practitioner has no responsibility to detect such noncompliance. However, should the practitioner become aware of such noncompliance, it may be of such a nature and significance that disclosure of it is required to keep users from being misled. In such cases, the practitioner should include in his or her report an explanatory paragraph describing the nature of the noncompliance.

Forming an Opinion

.53

In evaluating whether the entity has complied in all material respects (or whether the responsible party's assertion about such compliance is stated fairly in all material respects), the practitioner should consider (a) the nature and frequency of the noncompliance identified and (b) whether such noncompliance is material relative to the nature of the compliance requirements, as discussed in paragraph .36.

Reporting

.54

The practitioner may examine and report directly on an entity's compliance (see paragraphs .55 and .56) or he or she may examine and report on the responsible party's written assertion (see paragraphs .57, .58, and .61), except as described in paragraph .64.

.55

The practitioner's examination report on compliance, which is ordinarily addressed to the entity, should include the following:

  1. A title that includes the word independent
  2. Identification of the specified compliance requirements, including the period covered, and of the responsible partyfn 9
  3. A statement that compliance with the specified requirements is the responsibility of the entity's management
  4. A statement that the practitioner's responsibility is to express an opinion on the entity's compliance with those requirements based on his or her examination
  5. A statement that the examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence about the entity's compliance with those requirements and performing such other procedures as the practitioner considered necessary in the circumstances
  6. A statement that the examination does not provide a legal determination on the entity's compliance
  7. The practitioner's opinion on whether the entity complied, in all material respects, with specified requirements based on the specified criteriafn 10 (See paragraph .64 for reporting on material noncompliance.)
  8. A statement restricting the use of the report to the specified parties (see the fourth reporting standard)fn 11 under the following circumstances (See also paragraph .13.):
    • When the criteria used to evaluate compliance are determined by the practitioner to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria.
    • When the criteria used to evaluate compliance are available only to the specified parties
    • The manual or printed signature of the practitioner's firm
    • The date of the examination report

.56

The following is the form of report a practitioner should use when he or she is expressing an opinion on an entity's compliance with specified requirements during a period of time.

Independent Accountant's Report

[Introductory paragraph]

We have examined [name of entity]'s compliance with [list specified compliance requirements] during the [period] ended [date]. Management is responsible for [name of entity]'s compliance with those requirements. Our responsibility is to express an opinion on [name of entity]'s compliance based on our examination.

[Scope paragraph]

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence about [name of entity]'s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on [name of entity]'s compliance with specified requirements.

[Opinion paragraph]

In our opinion, [name of entity] complied, in all material respects, with the aforementioned requirements for the year ended December 31, 20XX.fn 12

[Signature]

[Date]

.57

The practitioner's examination report on an entity's assertion about compliance with specified requirements, which is ordinarily addressed to the entity, should include the following:

  1. A title that includes the word independent
  2. Identification of the responsible party's assertion about the entity's compliance with specified requirements, including the period covered by the responsible party's assertion, and of the responsible party (When the responsible party's assertion does not accompany the practitioner's report, the first paragraph of the report should also contain a statement of the responsible party's assertion.)fn 13
  3. A statement that compliance with the requirements is the responsibility of the entity's management
  4. A statement that the practitioner's responsibility is to express an opinion on the responsible party's assertion on the entity's compliance with those requirements based on his or her examination
  5. A statement that the examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence about the entity's compliance with those requirements and performing such other procedures as the practitioner considered necessary in the circumstances
  6. A statement that the practitioner believes the examination provides a reasonable basis for his or her opinion
  7. A statement that the examination does not provide a legal determination on the entity's compliance
  8. The practitioner's opinion on whether the responsible party's assertion about compliance with specified requirements is fairly stated in all material respects based on the specified criteriafn 14 (See paragraph .64 for reporting on material noncompliance.)
  9. A statement restricting the use of the report to the specified parties (see the fourth reporting standard) fn 15fn 16 under the following circumstances:
    • When the criteria used to evaluate compliance are determined by the practitioner to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria
    • When the criteria used to evaluate compliance are available only to the specified parties
  10. The manual or printed signature of the practitioner's firm
  11. The date of the examination report

.58

Independent Accountant's Report

The following is the form of report that a practitioner should use when expressing an opinion on management's assertion about compliance with specified requirements.

[Introductory paragraph]

We have examined management's assertion, included in the accompanying [title of management report], that [name of entity] complied with [list specified compliance requirements] during the [period] ended [date]. fn 17fn 18 Management is responsible for [name of entity]'s compliance with those requirements. Our responsibility is to express an opinion on management's assertion about [name of entity]'s compliance based on our examination.

[Standard scope paragraph]

[Opinion paragraph]

In our opinion, management's assertion that [name of entity] complied with the aforementioned requirements during the [period] ended [date] is fairly stated, in all material respects.fn 19

[Signature]

[Date]

.59

Evaluating compliance with certain requirements may require interpretation of the laws, regulations, rules, contracts, or grants that establish those requirements. In such situations, the practitioner should consider whether he or she is provided with the suitable criteria required to evaluate compliance under the third general attestation standard. If these interpretations are significant, the practitioner may include a paragraph stating the description and the source of interpretations made by the entity's management. The following is an example of such a paragraph, which should directly follow the scope paragraph:

We have been informed that, under [name of entity]'s interpretation of [identify the compliance requirement], [explain the source and nature of the relevant interpretation].

.60

The date of completion of the examination procedures should be used as the date of the practitioner's report.

.61

Nothing precludes the practitioner from examining an assertion but opining directly on compliance.

.62

Section 101.78-.83 provide guidance on restricting the use of an attest report. Nothing in this section precludes the practitioner from restricting the use of the report. For example, if the practitioner is asked by a client to examine another entity's compliance with certain regulations, he or she may want to restrict the use of the report to the client since the practitioner has no control over how the report may be used by the other entity.

Report Modifications

.63

The practitioner should modify the standard report described in paragraphs .55 and .57, if any of the following conditions exist.

  • There is material noncompliance with specified requirements (paragraphs .64 through .67).
  • There is a restriction on the scope of the engagement.fn 20
  • The practitioner decides to refer to the report of another practitioner as the basis, in part, for the practitioner's report.fn 21

Material Noncompliance

.64

When an examination of an entity's compliance with specified requirements discloses noncompliance with the applicable requirements that the practitioner believes have a material effect on the entity's compliance, the practitioner should modify the report and, to most effectively communicate with the reader of the report, should state his or her opinion on the entity's specified compliance requirements, not on the responsible party's assertion.

.65

The following is the form of report, modified with explanatory language, that a practitioner should use when he or she has concluded that a qualified opinion is appropriate under the circumstances. It has been assumed that the practitioner has determined that the specified compliance requirements are both suitable for general use and available to users as discussed in section 101.23-.33, and, therefore, that a restricted use paragraph is not required.

Independent Accountant's Report

[Introductory paragraph]

We have examined [name of entity]'s compliance with [list specified compliance requirements] for the [period] ended [date]. Management is responsible for compliance with those requirements. Our responsibility is to express an opinion on [name of entity]'s compliance based on our examination.

[Standard scope paragraph]

[Explanatory paragraph]

Our examination disclosed the following material noncompliance with [type of compliance requirement] applicable to [name of entity] during the [period] ended [date]. [Describe noncompliance.]

[Opinion paragraph]

In our opinion, except for the material noncompliance described in the third paragraph, [name of entity] complied, in all material respects, with the aforementioned requirements for the [period] ended [date].

[Signature]

[Date]

.66

The following is the form of report, modified with explanatory language, that a practitioner should use when he or she concludes that an adverse opinion is appropriate in the circumstances. The practitioner has determined that the specified compliance requirements are both suitable for general use and available to users as discussed in section 101.23-.33.

Independent Accountant's Report

[Introductory paragraph]

We have examined [name of entity]'s compliance with [list specified compliance requirements] for the [period] ended [date]. Management is responsible for compliance with those requirements. Our responsibility is to express an opinion on [name of entity]'s compliance based on our examination.

[Standard scope paragraph]

[Explanatory paragraph]

Our examination disclosed the following material noncompliance with [type of compliance requirement] applicable to [name of entity] during the [period] ended [date]. [Describe noncompliance.]

[Opinion paragraph]

In our opinion, because of the effect of the noncompliance described in the third paragraph, [name of entity] has not complied with the aforementioned requirements for the [period] ended [date].

[Signature]

[Date]

.67

If the practitioner's report on his or her examination of the entity's compliance with specified requirements is included in a document that also includes his or her audit report on the entity's financial statements, the following sentence should be included in the paragraph of an examination report that describes material noncompliance.

These conditions were considered in determining the nature, timing, and extent of audit tests applied in our audit of the 20XX financial statements, and this report does not affect our report dated [date of report] on those financial statements.

The practitioner also may include the preceding sentence when the two reports are not included within the same document.

Representation Letter

.68

In an examination engagement or an agreed-upon procedures engagement, the practitioner should obtain written representations from the responsible party—fn 22

  1. Acknowledging the responsible party's responsibility for complying with the specified requirements.
  2. Acknowledging the responsible party's responsibility for establishing and maintaining effective internal control over compliance.
  3. Stating that the responsible party has performed an evaluation of (1) the entity's compliance with specified requirements or (2) the entity's controls for ensuring compliance and detecting noncompliance with requirements, as applicable.
  4. Stating the responsible party's assertion about the entity's compliance with the specified requirements or about the effectiveness of internal control over compliance, as applicable, based on the stated or established criteria.
  5. Stating that the responsible party has disclosed to the practitioner all known noncompliance.
  6. State that the responsible party has made available all documentation related to compliance with the specified requirements.
  7. Stating the responsible party's interpretation of any compliance requirements that have varying interpretations.
  8. State that the responsible party has disclosed any communications from regulatory agencies, internal auditors, and other practitioners concerning possible noncompliance with the specified requirements, including communications received between the end of the period addressed in the written assertion and the date of the practitioner's report.
  9. Stating that the responsible party has disclosed any known noncompliance occurring subsequent to the period for which, or date as of which, the responsible party selects to make its assertion.

.69

The responsible party's refusal to furnish all appropriate written representations in an examination engagement constitutes a limitation on the scope of the engagement sufficient to preclude an unqualified opinion and is ordinarily sufficient to cause the practitioner to disclaim an opinion or withdraw from the engagement. However, based on the nature of the representations not obtained or the circumstances of the refusal, the practitioner may conclude in an examination engagement that a qualified opinion is appropriate. When the practitioner is performing agreed-upon procedures and the practitioner's client is the responsible party, the responsible party's refusal to furnish all appropriate written representations constitutes a limitation on the scope of the engagement sufficient to cause the practitioner to withdraw. When the practitioner's client is not the responsible party, the practitioner is not required to withdraw but should consider the effects of the responsible party's refusal on his or her report. Further, the practitioner should consider the effects of the responsible party's refusal on his or her ability to rely on other representations of the responsible party.

.70

When the practitioner's client is not the responsible party, the practitioner may also want to obtain written representations from the client. For example, when a practitioner's client has entered into a contract with a third party (responsible party) and the practitioner is engaged to examine the responsible party's compliance with that contract, the practitioner may want to obtain written representations from his or her client as to their knowledge of any noncompliance.

Other Information in a Client-Prepared Document Containing Management's Assertion About the Entity's Compliance With Specified Requirements or the Effectiveness of the Internal Control Over Compliance

.71

An entity may publish various documents that contain information (referred to as other information) in addition to the practitioner's attest report on either (a) the entity's compliance with specified requirements or (b) the effectiveness of the entity's internal control over compliance or written assertion thereon. Section 101.91-.94 provide guidance to the practitioner if the other information is contained in either of the following:

  1. Annual reports to holders of securities or beneficial interests, annual reports of organizations for charitable or philanthropic purposes distributed to the public, and annual reports filed with regulatory authorities under the 1934 Act
  2. Other documents to which the practitioner, at the client's request, devotes attention

Effective Date

.72

This section is effective when the subject matter or assertion is as of or for a period ending on or after June 1, 2001. Early application is permitted.

Footnotes (AT Section 601—Compliance Attestation):

fn 1 Throughout this section—

  1. An entity's compliance with requirements of specified laws, regulations, rules, contracts, or grants is referred to as compliance with specified requirements.
  2. An entity's internal control over compliance with specified requirements is referred to as its internal control over compliance. The internal control addressed in this section may include parts of but is not the same as internal control over financial reporting.

[fn 2] [Footnote deleted, effective for audits of fiscal years ending on or after June 1, 2014. See PCAOB Release No. 2013-007. The footnote for audits of fiscal years ending before June 1, 2014, can be found  here.] 

fn 3 An entity's internal control over compliance is the process by which management obtains reasonable assurance of compliance with specified requirements. Although the comprehensive internal control may include a wide variety of objectives and related policies and procedures, only some of these may be relevant to an entity's compliance with specified requirements. (See footnote 1b.) The components of internal control over compliance vary based on the nature of the compliance requirements. For example, internal control over compliance with a capital requirement would generally include accounting procedures, whereas internal control over compliance with a requirement to practice nondiscriminatory hiring may not include accounting procedures.

fn 4 Criteria issued by regulatory agencies and other groups composed of experts that follow due-process procedures, including exposure of the proposed criteria for public comment, ordinarily should be considered suitable criteria for this purpose. For example, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's Report, Internal Control—Integrated Framework, provides suitable criteria against which management may evaluate and report on the effectiveness of the entity's internal control. However, more detailed criteria relative to specific compliance requirements may have to be developed and an appropriate threshold for measuring the severity of control deficiencies needs to be developed in order to apply the concepts of the COSO report to internal control over compliance.

Criteria established by a regulatory agency that does not follow such due-process procedures also may be considered suitable criteria for use by the regulatory agency. The practitioner should determine whether such criteria are suitable for general use reporting by evaluating them against the attributes in section 101.24. If the practitioner determines that such criteria are suitable for general use reporting, those criteria should also be available to users as discussed in section 101.33.

If the practitioner concludes that the criteria are appropriate only for a limited number of parties or are available only to specified parties, the practitioner's report shall state that the use of the report is restricted to those parties specified in the report. (See section 101.30, .34, and .78-.83.)

[The following footnote is effective as of December 31, 2016. See  PCAOB Release No. 2015-002. The footnote effective before December 31, 2016, can be found here.]

fn 5 AS 2605, Consideration of the Internal Audit Function, does not apply to agreed-upon procedures engagements.

fn 6 Generally, management's assertion about compliance with specified requirements will address a period of time, whereas an assertion about internal control over compliance will address a point in time.

fn 7 If the agreed-upon procedures have been published by a third-party user (for example, a regulator in regulatory policies or a lender in a debt agreement), this sentence might begin, “We have performed the procedures included in [title of publication or other document] and enumerated below, which were agreed to by [list specified parties], solely to assist the specified parties in evaluating ....”

fn 8 If the agreed-upon procedures have been published by a third-party user (for example, a regulator in regulatory policies or a lender in a debt agreement), this sentence might begin, “We have performed the procedures included in [title of publication or other document] and enumerated below, which were agreed to by [list specified parties], solely to assist the specified parties in evaluating the effectiveness of [name of entity]'s internal control over compliance ....”

fn 8A Reference to the judgment of the practitioner throughout this standard has the same meaning as “professional judgment” as described in AS 1000, General Responsibilities of the Auditor in Conducting an Audit.

fn 9 A practitioner also may be engaged to report on an entity's compliance with specified requirements as of point in time. In this case, the illustrative reports in this section should be adapted as appropriate.

fn 10 Frequently, criteria will be contained in the compliance requirements, in which case it is not necessary to repeat the criteria in the practitioner's report; however, if the criteria are not included in the compliance requirement, the practitioner's report should identify the criteria. For example, if a compliance requirement is to “maintain $25,000 in capital,” it would not be necessary to identify the $25,000 in the report; however, if the requirement is to “maintain adequate capital,” the practitioner should identify the criteria used to define adequate.

fn 11 In certain situations, however, criteria that have been specified by management and other report users may be suitable for general use.

fn 12 If it is necessary to identify criteria (see footnote 10), the criteria should be identified in the opinion paragraph (for example, “... in all material respects, based on the criteria set forth in Attachment 1”).

fn 13 A practitioner also may be engaged to report on the responsible party's assertion about an entity's compliance with specified requirements as of a point in time. In this case, the illustrative reports in this section should be adapted as appropriate.

fn 14 Frequently, criteria will be contained in the compliance requirements, in which case it is not necessary to repeat the criteria in the practitioner's report; however, if the criteria are not included in the compliance requirement, the practitioner's report should identify the criteria. For example, if a compliance requirement is to “maintain $25,000 in capital,” it would not be necessary to identify the $25,000 in the report; however, if the requirement is to “maintain adequate capital,” the practitioner should identify the criteria used to define adequate.

fn 15 Although a practitioner's report may be appropriate for general use, the practitioner is not precluded from restricting the use of the report.

fn 16 In certain situations, however, criteria that have been specified by management and other report users may be suitable for general use.

fn 17 The practitioner should identify the management report examined by reference to the report title used by management in its report. Further, he or she should use the same description of compliance requirements as management uses in its report.

fn 18 If management's assertion is stated in the practitioner's report and does not accompany the practitioner's report, the phrase “included in the accompanying [title of management report]” would be omitted.

fn 19 If it is necessary to identify criteria (see footnote 10), the criteria should be identified in the opinion paragraph (for example, “...in all material respects, based on the criteria set forth in Attachment 1”).

fn 20 The practitioner should refer to section 101.73 and .74 for guidance on scope restrictions.

fn 21 The practitioner should refer to section 501.63 and .64 for guidance on an opinion based in part on the report of another practitioner and adapt such guidance to the standard reports in this section.

[The following footnote is effective as of December 31, 2016. See  PCAOB Release No. 2015-002. The footnote effective before December 31, 2016, can be found here.]  

fn 22 Paragraph .09 of AS 2805, Management Representations, provides guidance on the date as of which the representation letter should be signed and who should sign it.

Copyright © 2001, 2002, 2004, American Institute of Certified Public Accountants, Inc.