AT 601: Compliance Attestation
EFFECTIVE DATE AND APPLICABILITY
| Original Pronouncements |
Statements on Standards for Attestation Engagements (SSAE) 10, Attestation Standards: Revision and Recodification. |
| Effective Date |
This statement currently is effective. |
| Applicability |
Applicable to agreed-upon procedures related to either of the following: |
|
1. Compliance with requirements of specified laws, regulations, rules, contracts, or grants (specified requirements)
2. The effectiveness of internal control over compliance with specified requirements
3. Or both items 1 and 2 |
|
Also applicable to engagements to examine the entity’s compliance with specified requirements or a written assertion thereon. |
|
The Statement does not apply to the following: |
|
1. Situations in which an auditor reports on specified compliance requirements based solely on an audit of financial statements (see AU Section 623, Special Reports).
2. Engagements for which the objective is to report in accordance with Government Auditing Standards, or the Single Audit Act, or Office of Management and Budget (OMB) circulars and releases (see AU Section 801, Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance).
3. Program-specific audits as addressed in Section 801 performed in accordance with federal audit guides issued prior to the effective date of this SSAE
4. Engagements covered by AU Section 634, Letters for Underwriters and Certain Other Requesting Parties (comfort letters)
5. The report that encompasses the internal control over compliance for a broker or dealer in securities as required by Rule 17a-5 of the Securities Exchange Act of 1934
6. Audits performed in accordance with generally accepted auditing standards (GAAS) |
|
NOTE: An accountant is discouraged from accepting an engagement to examine the effectiveness of internal control over compliance or an assertion thereon because reasonable criteria for evaluation are typically not available. If such an engagement is accepted, the appropriate guidance is in AT 101 in American Institute of Certified Public Accountants (AICPA) publications (AT Section 101 herein). Additionally, AT 601 (AT Section 601 herein) may be helpful, but it is intended for reporting on internal control over financial reporting, not over compliance.
|
DEFINITIONS OF TERMS
Attestation risk. The risk that the practitioner may unknowingly fail to modify appropriately his or her opinion. It is composed of inherent risk, control risk, and detection risk.
Control risk. The risk that material noncompliance that could occur will not be prevented or detected on a timely basis by the entity’s internal control.
Detection risk. The risk that the practitioner’s procedures will lead him or her to conclude that material noncompliance does not exist when, in fact, such noncompliance does exist.
Inherent risk. The risk that material noncompliance with specified requirements could occur, assuming there are no related controls.
Internal control over compliance. The process by which management obtains reasonable assurance of compliance with specified requirements.
Specified requirements. A term that is used to refer to an entity’s compliance with requirements of specified laws, regulations, rules, contracts, or grants.
OBJECTIVES OF AT SECTION 601
This SSAE provides guidance for engagements related to either (1) compliance with requirements of specified laws, regulations, rules, contracts, or grants (specified requirements) or (2) the effectiveness of internal control over compliance with specified requirements.
A practitioner may be engaged to perform agreed-upon procedures to assist users in evaluating management’s written assertion about an entity’s compliance with specified requirements, the effectiveness of internal control over compliance, or both. A practitioner also may be engaged to examine compliance with specified requirements or a written assertion thereon. For example, some electronic funds transfer associations or networks require their members who process transactions to complete a compliance exam.
In 2001, the Auditing Standards Board issued SSAE 10, Attestation Standards: Revision and Recodification. SSAE 10 superseded SSAEs 1 through 9 and renumbered the AT sections in the AICPA’s Codification. The revisions to this section include clarifying that:
- The responsible party’s refusal to furnish the required representations constitutes a limitation on the scope of the engagement.
- The responsible party’s refusal to provide a written assertion as part of an examination engagement should cause the practitioner to withdraw from the engagement. (An exception exists if an examination of an entity’s compliance with specified requirements is required by law or regulation. In this case, the practitioner should disclaim an opinion on compliance unless he or she obtains evidential matter that warrants expressing an adverse opinion.)
- If the engagement is to perform agreed-upon procedures and:
- The client is the responsible party, that party’s refusal to provide an assertion requires that the practitioner withdraw from the engagement.
- The client is not the responsible party, the practitioner is not required to withdraw, but should consider the effects of the refusal on the engagement and report.
FUNDAMENTAL REQUIREMENTS: GENERAL (APPLICABLE TO BOTH AGREED-UPON PROCEDURES AND EXAMINATION ENGAGEMENTS)
General
An engagement conducted in accordance with this section should comply with the general, fieldwork, and reporting standards in AT Section 101.
Criteria
The practitioner cannot accept an agreed-upon procedures or an examination engagement unless reasonable criteria have been established by a recognized body or are stated in or attached to the practitioner’s report.
Prohibited Engagements
A practitioner should not accept an engagement to perform a review (see AT Section 101) about compliance with specified requirements or about the effectiveness of internal control over compliance or assertions thereon.
Using the Work of a Specialist
The practitioner should follow the guidance of AU Section 336, Using the Work of a Specialist, if he or she decides that a specialist is necessary for an engagement covered by this section.
Management’s Representations
According to AT 601.68, for both an agreed-upon procedures engagement and an examination engagement, the practitioner should obtain the responsible party’s written representations that:
1. Acknowledge the responsible party’s responsibility for complying with the specified requirements
2. Acknowledge the responsible party’s responsibility for establishing and maintaining effective internal control over compliance
3. State that the responsible party has performed an evaluation of (1) the entity’s compliance with specified requirements, or (2) the entity’s internal controls for ensuring compliance and detecting noncompliance with requirements, as applicable
4. State the responsible party’s assertion about the entity’s compliance with the specified requirements or about the effectiveness of the internal control over compliance, as applicable, based on the stated or established criteria
5. State that the responsible party has disclosed to the practitioner all known noncompliance
6. State that the responsible party has made available all documentation related to compliance with specified requirements
7. State the responsible party’s interpretation of any compliance requirements that have varying interpretations
8. State that the responsible party has disclosed any communications from regulatory agencies, internal auditors, and other practitioners concerning possible noncompliance with the specified requirements, including communications received between the end of the period addressed in the written assertion and the date of the practitioner’s report
9. State that the responsible party has disclosed any known noncompliance occurring subsequent to the period for which, or date as of which, the responsible party selects to make its assertion
AU Section 333, Management Representations, provides guidance on the dating and signatories of the representation letter.
The responsible party’s refusal to furnish the required representations is a scope limitation. In an examination engagement, the practitioner ordinarily should disclaim an opinion or withdraw. However, based on the nature of the representations or circumstances, a qualified opinion may be appropriate.
In an agreed-upon procedures engagement in which the practitioner’s client is the responsible party, the responsible party’s refusal to provide written assertions is a scope limitation sufficient to cause the practitioner to withdraw. When the practitioner’s client is not the responsible party, the practitioner:
- Is not required to withdraw, but should consider the effects of the responsible party’s refusal on his or her report, as well as the ability to rely on other representations of the responsible party
- May also want to obtain written representations from the client (e.g., knowledge of any noncompliance)
Other Information in a Client-Prepared Document
The practitioner’s report on either compliance with specified requirements or the effectiveness of internal control over compliance or written assertions thereon may be included in a client-prepared document that includes other information. In those circumstances, the practitioner should read the other information and follow the procedures discussed in Section 101.
FUNDAMENTAL REQUIREMENTS: AGREED-UPON PROCEDURES ENGAGEMENT
Conditions for Acceptance
A practitioner may accept an agreed-upon procedures engagement related to an entity’s compliance with specified requirements or the effectiveness of internal control over compliance, if the responsible party:
1. Accepts responsibility for the entity’s compliance with specified requirements and the effectiveness of the entity’s internal control over compliance
2. Evaluates the entity’s compliance with specified requirements or the effectiveness of the entity’s internal control over compliance
In addition, the conditions that apply to acceptance of all agreed-upon procedures engagements have to be met (see AT Section 201).
NOTE: A written management representation letter is required in agreed-upon procedure engagements relating to compliance matters.
The practitioner should obtain a written assertion about compliance with specified requirements or internal control over compliance from the responsible party. The written assertion may be provided in the representation letter or in a separate report accompanying the practitioner’s report. If the client is the responsible party, that party’s refusal to provide an assertion requires that the practitioner withdraw from the engagement. If the engagement is required by law or regulation withdrawal is not required. If the client is not the responsible party, the practitioner does not have to withdraw but should consider the effects of the refusal on the engagement and report.
Understanding with Specified Parties
The specified parties should participate in establishing the procedures to be performed and take responsibility for the adequacy of those procedures. The practitioner should determine whether the specified parties understand the procedures to be performed by discussing the nature of management’s assertion and the procedures with the specified parties (see “Techniques for Application”).
Understanding the Specified Compliance Requirements
The practitioner should obtain an understanding of the specified compliance requirements stated in management’s assertion. To obtain this understanding, the practitioner should consider the following:
1. Laws, regulations, rules, contracts, and grants relevant to the specified compliance requirements.
2. Knowledge about the specified compliance requirements obtained from the following:
a. Prior engagements and regulatory reports
b. Discussions with appropriate individuals within the entity
c. Discussions with appropriate individuals outside the entity, such as regulators or specialists
Scope Restrictions
The practitioner should attempt to obtain agreement from the specified parties for modification of the agreed-upon procedures if circumstances impose restrictions on the scope of those procedures. If an agreement for modification cannot be obtained, the practitioner should describe the restrictions in the attestation report or withdraw from the engagement.
Subsequent Events
If the practitioner becomes aware of noncompliance related to management’s assertion that occurs after the period addressed by that assertion but before the date of the report, he or she should consider including that information in the report. According to AT 601.24, the practitioner has no obligation to perform procedures to detect noncompliance in the subsequent period.
Practitioner’s Report
The practitioner’s report on agreed-upon procedures on an entity’s compliance with specified requirements or about the effectiveness of an entity’s internal control over compliance should be in the form of procedures and findings. The report should be dated as of the date of completion of the agreed-upon procedures. According to AT 601.24, the practitioner’s report should contain the following elements:
1. A title that includes the word independent
2. Identification of the specified parties
3. Identification of the subject matter of the engagement (or management’s assertion thereon), including the period or point in time addressed,
and a reference to the character of the engagement
4. An identification of the responsible party
5. A statement that the subject matter is the responsibility of responsible party
6. A statement that the procedures, which were agreed to by the specified parties identified in the report, were performed to assist the specified parties in evaluating the entity’s compliance with the specified requirements or the effectiveness of its internal control over compliance
7. A statement that the agreed-upon procedures engagement was conducted in accordance with attestation standards established by the AICPA
8. A statement that the sufficiency of the procedures is solely the responsibility of the specified parties and a disclaimer of responsibility for the sufficiency of those procedures
9. A list of the procedures performed (or reference thereto) and related findings. The practitioner should not provide negative assurance
10. Where applicable, a description of any agreed-upon materiality limits
11. A statement that the practitioner was not engaged to and did not conduct an examination of the entity’s compliance with specified requirements or about the effectiveness of an entity’s internal control over compliance, a disclaimer of opinion thereon, and a statement that if the practitioner had performed additional procedures, other matters might have come to his or her attention that would have been reported
12. A statement restricting the use of the report to the specified parties (however, if the report is a matter of public record, the practitioner should include the following sentence: “However, this report is a matter of public record and its distribution is not limited.”)
13. Where applicable, reservations or restrictions concerning procedures or findings
14. Where applicable, a description of the nature of the assistance provided by the specialist
15. The manual or printed signature of the practitioner’s firm
16. The date of the report
FUNDAMENTAL REQUIREMENTS: EXAMINATION ENGAGEMENT
Conditions for Engagement Performance
According to AT 601.10, a practitioner may accept an examination engagement related to an entity’s compliance with specified requirements if the following conditions are met:
1. The responsible party accepts responsibility for the entity’s compliance with specified requirements and the effectiveness of the entity’s internal control over compliance.
2. The responsible party evaluates the entity’s compliance with specified requirements.
3. Sufficient evidential matter exists or could be developed to support the responsible party’s evaluation.
A practitioner may examine the effectiveness of the entity’s internal control over compliance or an assertion thereon only if he or she has reason to believe that the subject matter is capable of reasonably consistent evaluation against criteria that are suitable and available to users. If such criteria exist for internal control over compliance, the practitioner should perform the engagement in accordance with AT Section 101. AT Section 501 may also be helpful on such an engagement.
The practitioner should obtain a written assertion about compliance with specified requirements or internal control over compliance from the responsible party. The written assertion may be provided in a representation letter to the practitioner or in a separate report accompanying the practitioner’s report. The responsible party’s written assertion may take various forms but should be specific enough that users having competence in and using the same or similar measurement and disclosure criteria ordinarily would be able to arrive at materially similar conclusions.
The responsible party’s refusal to provide a written assertion as part of an examination engagement should cause the practitioner to withdraw from the engagement, regardless of whether the client is the responsible party. An exception exists if an examination of an entity’s compliance with specified requirements is required by law or regulation. In this case, the practitioner should disclaim an opinion on compliance unless he or she obtains evidential matter that warrants expressing an adverse opinion. If the practitioner expresses an adverse opinion and the responsible party does not provide an assertion, the practitioner’s report should be restricted.
Extent of Evidence
To express an opinion on an entity’s compliance (or assertion related thereto), the practitioner should accumulate sufficient evidence about the entity’s compliance with specified requirements and limit attestation risk to an appropriately low level.
Assessment of Inherent Risk
The practitioner should consider factors affecting inherent risk similar to the factors an auditor would consider when planning an audit of financial statements (see AU Section 316, Consideration of Fraud in a Financial Statement Audit). According to AT 601.33, in addition, the practitioner should consider the following factors:
1. The complexity of the specified compliance requirements
2. The length of time the entity has been subject to the specified compliance requirements
3. Prior experience with the entity’s compliance
4. Potential impact of noncompliance
Assessment of Control Risk
The practitioner should assess control risk. To assess control risk for compliance with specified requirements and to plan the engagement, the practitioner should obtain an understanding of those parts of the internal control related to compliance.
Engagement Procedures
According to AT 601.39, in an examination of the entity’s compliance with specified requirements, the practitioner should do the following:
1. Obtain an understanding of the specified compliance requirements
2. Plan the engagement
3. Consider relevant portions of the entity’s internal control over compliance
4. Obtain sufficient evidence including testing compliance with specified requirements
5. Consider subsequent events
6. Form an opinion about whether the entity complied, in all material respects, with specified requirements (or whether the responsible party’s assertion about such compliance is fairly stated in all material respects) based on the specified criteria
Subsequent Events
The practitioner should consider information about subsequent events that comes to his or her attention between the end of the period addressed by the practitioner’s report and prior to the issuance of the report.
The practitioner has no responsibility to detect noncompliance after the period being reported on but before the date of the report. However, if the practitioner becomes aware of this type of noncompliance, and its nature and significance may make management’s assertion misleading, the practitioner should include in the report an explanatory paragraph describing the nature of the noncompliance.
Practitioner’s Report
According to AT 601.55, the practitioner’s report on an examination, which is ordinarily addressed to the entity, should include the following:
1. A title that includes the word independent
2. An identification of the specified compliance requirements, including the period covered, and of the responsible party
3. A statement that compliance with the specified requirements is the responsibility of the entity’s management
4. A statement that the practitioner’s responsibility is to express an opinion on the entity’s compliance with those requirements based on his or her examination
5. A statement that the examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included examining, on a test basis, evidence about the entity’s compliance with those requirements and performing such other procedures as the practitioner considered necessary in the circumstances
6. A statement that the practitioner believes the examination provides a reasonable basis for his or her opinion
7. A statement that the examination does not provide a legal determination on the entity’s compliance
8. The practitioner’s opinion on whether the entity complied, in all material respects, with specified requirements based on the specified criteria
9. A statement restricting the use of the report to the specified parties when the criteria used to evaluate compliance:
a. Are determined by the practitioner to be appropriate only for a limited number of parties who either participated in establishing the criteria or who can be assumed to have an adequate understanding of the criteria
b. Are available only to specified parties
10. The manual or printed signature of the practitioner’s firm
11. The date of the examination report
The practitioner’s report should be dated as of the date of completion of the examination procedures.
Report Modifications
The practitioner should modify the standard report whenever any one of the following conditions exist:
1. There is material noncompliance with specified requirements (qualified or adverse opinion)
2. The scope of the engagement is restricted (qualified or disclaimer of opinion)
3. The practitioner refers to the report of another practitioner as the basis, in part, for the report (see Illustration 5 in AT Section 501)
INTERPRETATIONS
There are no interpretations for this section.
TECHNIQUES FOR APPLICATION
Planning the Engagement—General
For either an agreed-upon procedures engagement or an examination, the practitioner should properly plan the engagement. In planning the engagement, the practitioner should consider doing the following:
1. Discuss the purpose of the engagement with management
2. Read or obtain an understanding of relevant laws and documents
3. Obtain an engagement letter
4. Design a program of procedures to be applied
Agreed-Upon Procedures Engagement
In this type of engagement, the practitioner should try to meet with the specified parties or a representative of the specified parties to establish the procedures. If a meeting is not possible, the practitioner should do one of the following:
1. Compare the procedures to be applied to written requirements of the specified parties
2. Review relevant contracts with or correspondence from the specified parties
3. Distribute a draft of the anticipated report or a copy of a proposed engagement letter to the specified parties with a request for their comments
4. Discuss the procedures to be applied with appropriate representatives of the specified parties involved
The manner in which the procedures are established should be documented in the practitioner’s workpapers.
At the conclusion of this type of engagement, the practitioner should obtain a management representation letter. If the management refuses, the practitioner should withdraw from the engagement.
Planning the Examination Engagement
The practitioner should consider the following when planning the engagement:
1. For an entity with multiple components, determine if it is necessary to examine all components for compliance. In making this determination, consider:
a. To what degree do the specified compliance requirements apply at the component level?
b. What are our judgments about materiality?
c. How centralized are the records?
d. How effective is the control environment, particularly management’s direct control over the exercise of authority delegated to others and its ability to supervise activities at various locations effectively?
e. What are the nature and extent of operations conducted at the various components?
f. How similar are controls over compliance for different components?
2. Determine the need to use the work of a specialist (see AU Section 336, Using the Work of a Specialist).
3. Identify the existence of an internal audit function and the extent to which internal auditors are involved in monitoring compliance with specified requirements (see AU Section 322, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements).
4. Obtain an understanding of the parts of the internal control related to compliance with the specified requirements. This understanding may be obtained by:
a. Inquiries
b. Inspection of documents
c. Observation of activities
5. Identify types of potential noncompliance.
6. Assess control risk. If the practitioner wishes to assess control risk below the maximum, he or she should perform tests of controls.
Examination Procedures
The nature of procedures and the sufficiency of evidence are matters of practitioner judgment. Procedures to be considered include the following:
1. For engagements involving regulatory requirements:
a. Review communication between regulatory agencies and the entity.
b. Review examination reports of the regulatory agencies.
c. If appropriate, make inquiries of regulatory agencies including inquiries about examinations in progress.
d. Make inquiries of entity’s outside and inside counsel responsible for such matters.
2. Identify subsequent events for the period from the reporting period to the date of the report that would provide evidence about compliance during the period under examination. Information concerning subsequent events would be obtained from the following sources:
a. Relevant internal auditors’ reports issued during the subsequent period.
b. Other practitioners’ reports identifying noncompliance, issued during the subsequent period.
c. Regulatory agencies’ reports on the entity’s noncompliance, issued during the subsequent period.
d. Information about the entity’s noncompliance, obtained through other professional engagements for that entity.
3. If the specified requirements relate to financial statement matters, compare the relevant parts of these statements with the specified requirements.
4. Obtain a management representation letter. If management refuses, the practitioner should consider issuing a qualified opinion or a disclaimer of opinion.
Materiality
Materiality in an examination of compliance differs from materiality in an audit. In an examination, the practitioner should consider the
1. Nature of the compliance requirements, which may or may not be quantifiable in monetary terms
2. Nature and frequency of noncompliance, including sampling risks
3. Qualitative considerations, including user needs and expectations
ILLUSTRATIONS
The following illustrations are adapted from SSAE 10 (AT Section 601).
Illustration 1. Agreed-Upon Procedures Report in Which the Procedures and Findings Concerning Compliance with Specified Requirements Are Enumerated
To the Board of Directors of Widget Company
Main City, USA
Independent Accountant’s Report on Applying Agreed-Upon Procedures
We have performed the procedures enumerated below, which were agreed to by [list specified parties], solely to assist the specified parties in evaluating Widget Company’s compliance with [list specified requirements] during the year ended December 31, 20X1. Management is responsible for Widget Company’s compliance with those requirements. This agreed-upon procedures engagement was performed in accordance with attestation standards established by the American Institute of Certified Public Accountants. The sufficiency of these procedures is solely the responsibility of the parties specified in this report. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose.
[Include paragraphs to enumerate procedures and findings.]
We were not engaged to, and did not, perform an examination, the objective of which would be the expression of an opinion on compliance. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.
This report is intended solely for the information and use of [list or refer to specified parties] and is not intended to be and should not be used by anyone other than these specified parties.
Smith and Jones
February 15, 20X2
Illustration 2. Agreed-Upon Procedures Report in Which the Procedures and Findings Concerning the Effectiveness of Internal Control Over Compliance Are Enumerated
To the Board of Directors of Widget Company
Main City, USA
Independent Accountant’s Report on Applying Agreed-Upon Procedures
We have performed the procedures enumerated below, which were agreed to by [list specified parties of report], solely to assist the specified parties in evaluating the effectiveness of Widget Company’s internal control over compliance with [list specified requirements] as of December 31, 20X1. Management is responsible for Widget Company’s internal control over compliance with those requirements. This agreed-upon procedures engagement was performed in accordance with attestation standards established by the American Institute of Certified Public Accountants. The sufficiency of these procedures is solely the responsibility of the parties specified in the report. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose.
[Include paragraphs to enumerate procedures and findings.]
We were not engaged to, and did not, perform an examination, the objective of which would be the expression of an opinion on the effectiveness of internal control over compliance. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.
This report is intended solely for the information and use of [list or refer to specified parties] and is not intended to be and should not be used by anyone other than these specified parties.
Smith and Jones
February 15, 20X2
Illustration 3. Examination Report Expressing an Opinion on Compliance with Specified Requirements
To the Board of Directors of Widget Company
Main City, USA
Independent Accountant’s Report
We have examined Widget Company’s compliance with [list specified compliance requirements] during the year ended December 31, 20X1. Management is responsible for Widget Company’s compliance with those requirements. Our responsibility is to express an opinion on Widget Company’s compliance based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence about Widget Company’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on Widget Company’s compliance with specified requirements.
In our opinion, Widget Company complied in all material respects with the aforementioned requirements for the year ended December 31, 20X1.
Smith and Jones
February 15, 20X2
Illustration 4. Examination Report When Expressing an Opinion on Management’s Assertion about Compliance with Specified Requirements
To the Board of Directors of Widget Company
Main City, USA
Independent Accountant’s Report
We have examined management’s assertion, included in the accompanying [title of management report], that Widget Company complied with [list specified compliance requirements] during the year ended December 31, 20X1. Management is responsible for Widget Company’s compliance with those requirements. Our responsibility is to express an opinion on management’s assertion about Widget Company’s compliance based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence about Widget Company’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on Widget Company’s compliance with specified requirements.
In our opinion, management’s assertion that Widget Company complied with the aforementioned requirements during the year ended December 31, 20X1 is fairly stated, in all material respects.
Smith and Jones
February 15, 20X2
Illustration 5. Modified Report When Practitioner Has Identified Material Noncompliance and Management Has Appropriately Modified Its Assertion
To the Board of Directors of Widget Company
Main City, USA
Independent Accountant’s Report
We have examined Widget Company’s compliance with [list specified compliance requirements] for the year ended December 31, 20X1. Management is responsible for compliance with those requirements. Our responsibility is to express an opinion on Widget Company’s compliance based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence about Widget Company’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on Widget Company’s compliance with specified requirements.
Our examination disclosed the following material noncompliance with [type of compliance requirement] applicable to Widget Company during the year ended December 31, 20X1. [Describe noncompliance.]
In our opinion, except for the material noncompliance described in the third paragraph, Widget Company complied, in all material respects, with the aforementioned requirements for the year ended December 31, 20X1.
Smith and Jones
February 15, 20X2
Illustration 6. Adverse Report When Practitioner Has Identified Material Noncompliance and Management Has Appropriately Modified Its Assertion
To the Board of Directors of Widget Company
Main City, USA
Independent Accountant’s Report
We have examined Widget Company’s compliance with [list of specified compliance requirements] for the [period] ended [date]. Management is responsible for compliance with these requirements. Our responsibility is to express an opinion on Widget Company’s compliance based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence about Widget Company’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on Widget Company’s compliance with specified requirements.
Our examination disclosed the following material noncompliance with [type of compliance requirement] applicable to Widget Company during the [period] ended [date]. [Describe noncompliance].
In our opinion, because of the effect of the noncompliance described in the third paragraph, Widget Company has not complied with the aforementioned requirements for the [period] ended [date].
Smith and Jones
February 15, 20X2
