Attestation Engagements on Compliance. By Simon C. Dzeng
Reporting on the safety and soundness requirements under the Federal Deposit Insurance Corporation Improvement Act of 1991 is one recent example of a regulatory trend toward seeking assurances from an independent source on management's compliance with laws and regulations. The ASB has now issued the guidance needed to satisfy certain aspects of FDICIA by using the attestation standards.
The AICPA's Auditing Standards Board (ASB) recently issued Statement on Standards for Attestation Engagements No. 3, Compliance Attestation (the "Statement"). The Statement gives guidance for reporting on management's representation on compliance with laws, regulations, rules, contracts, and grants, and on the internal control structure over compliance with those matters. The Statement is effective for engagements as of, or for a period ending, June 15, 1994, or thereafter. Early adoption is encouraged.
Before the Statement, a practitioner seeking to provide assurances about compliance with laws, regulations, and the like had to refer to several relevant, but not directly applicable, sources for guidance. For example, for the practitioner to report on specified compliance requirements based solely on an audit of the client's financial statements, the practitioner would follow the guidance of SAS No. 62, Special Reports. However, there are many compliance engagements for which there has been no guidance. A recent example would be an engagement to report on an S&L management's assertion regarding compliance with the safety and soundness requirements under the Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991. (The requirement for reporting on compliance under FDICIA applies to periods ending December 31, 1993, or thereafter.) The Statement is designed to provide the means to satisfy the FDICIA requirements.
The framework for the performance and reporting on attest engagements was established with an unnumbered statement, Attestation Standards (AT 100) issued by the AICPA in 1986. In April 1993, those standards (along with AT 200 and 300 dealing with forecasts and projections and pro forma financial information) became Statement on Standards for Attestation Engagements (SSAE) No. 1, Attestation Standards.
According to SSAE No. 1, an attestation engagement "is one in which a practitioner is engaged to issue or does issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party." The attestation standards do not supersede GAAS. Also, they differ from GAAS in several fundamental ways:
* They encourage low-risk attest services designed for specified users using "agreed-upon procedures," which usually result in "summary of findings" reports that provide a lower level of assurance than that given in a traditional financial statement audit.
* They broaden the attest function beyond financial statements.
Given the above, they are particularly suitable for operating effectiveness/efficiency and compliance engagements.
SSAE No. 2, Reporting on an Entity's Internal Control Structure Over Financial Reporting, was issued in May 1993 in response to the growing need for effective and meaningful assurances about the effectiveness of internal control structure over financial reporting. An article on SSAE No. 2 is presented in the August 1993 issue of The CPA Journal.
SSAE No. 3 is yet another example of the AICPA's action to "fill the gap" for a class of non-audit attest services.
Due to the many common elements shared by traditional financial statement audit and attestation engagements, new SSAEs parallel and refer to SASs to a large extent. Exhibit 1 lists the Statement's references to other SSAEs and SASs.
The Statement applies when a practitioner is engaged to report on management's written assertion about an entity's compliance with specified requirements (laws, regulations, rules, contracts, or grants) or about the effectiveness of the entity's internal control structure over compliance with specified requirements. The compliance requirements can be either financial or operational in nature, and the internal control structure over compliance may include parts of, but need not be the same as, the internal control structure over financial reporting. Reporting on the internal control structure over compliance under the Statement, however, is limited to agreed-upon-procedures engagements. In the unlikely event that sufficient criteria exist as the basis for an examination engagement of the internal control structure over compliance, such reporting would fall under the general attestation standards. SSAE No. 2 applies to reporting on the internal control structure over financial reporting, not over compliance.
The Statement provides general guidelines, but is not applicable to all compliance attestation engagements. For example, for reporting on compliance with laws and regulations in governmental and not-for-profit engagements under OMB Circulars A-128 and A-133, the practitioner should refer to SAS No. 68. Exhibit 2 outlines the applicable standards for various types of compliance engagements.
Of the three types of attestation engagements defined by SSAE No. 1--examination, review, and agreed-upon procedures--the Statement allows only examination and agreed-upon-procedures engagements and categorically proscribes review engagements. However, the practitioner can be engaged to provide certain non-attest services in connection with a compliance engagement, e.g., to provide recommendations on how to improve the client's compliance or the related internal control structure. The Statement encourages agreed-upon-procedures engagements over examinations because it will often be in the best interest of the practitioner, the client, or third-party users to have the users decide the procedures to be performed.
Conditions for Accepting Engagements
For examination and agreed-upon-procedures engagements, management must make a written assertion about compliance or about the effectiveness of the internal control structure over compliance. The assertion should be expressed in management's written representations stating the entity's compliance with specified requirements, or, in the case of the internal control structure over compliance, the effectiveness of that structure based on procedures agreed upon by those who will be using the report.
Management's assertions about compliance or about the internal control structure over compliance must be capable of evaluation against criteria that either have been established by a recognized body or are stated in the representation of the assertion in a sufficiently clear and comprehensive manner for a knowledgeable reader to understand them. Management's assertions also must be capable of reasonably consistent estimation or measurement using such criteria.
In an agreed-upon-procedures engagement where the assertion is not measurable against reasonable criteria (possibly because the assertion is too broad or because such criteria do not exist), it is the specific subject matter of the assertion that must be capable of evaluation against reasonable criteria and of reasonably consistent estimation or measurement using such criteria. An example of such an engagement is one in which the assertion relates to compliance with an entire contract while the agreed-upon procedures are to be performed on only one aspect of the contract. For examination engagements, the written management assertion must be specific enough that users having competence in, and using the same or similar, measurement and criteria would be able to reach materially similar conclusions. The practitioner should not examine an assertion that is too broad or subjective (e.g., "X Company complied with all applicable laws and regulations" or "X Company sufficiently complied").
If management's representation is only in a representation letter and not in a report designed to accompany the practitioner's report, the use of the practitioner's report must be restricted to those within the entity and a specified user, typically a regulatory agency. When general distribution is expected, both a representation letter and a separate management report that will accompany the practitioner's report are required.
Besides the assertion, the management representation should also state that management--
* accepts responsibility for complying with the specified requirements and for establishing and maintaining an effective internal control structure over compliance; and
* has performed an evaluation of the entity's compliance with specified requirements or the effectiveness of the entity's internal control structure over compliance.
For an examination engagement, sufficient evidential matter must exist, or be capable of being developed, to support management's evaluation.
The form and extent of such evidential matter will vary depending on the nature of the compliance requirements and the size and complexity of the entity. Management may engage the practitioner to gather information to assist it in evaluating the entity's compliance, but management must accept responsibility for its assertion and must not base such assertion solely on the practitioner's procedures.
After the engagement acceptance conditions are satisfied, the practitioner can then plan, perform, and report on the engagement. Since the nature and extent of agreed-upon-procedures and examination engagements are quite different, they are briefly discussed separately below.
The objective of the practitioner's agreed-upon procedures is to present specific findings to assist users in evaluating management's assertion about an entity's compliance with specified requirements, or about the effectiveness of an entity's internal control structure over compliance, based on procedures agreed on by the users of the report.
The practitioner has no obligation to perform procedures beyond those agreed upon by the users. The procedures may be as limited or extensive as the users desire, as long as the users take part in establishing the procedures to be performed and take responsibility for the adequacy of those procedures. The Statement does not require that an agreed-upon-procedures engagement achieve a low level of attestation risk. However, the Statement does require the report of an agreed-upon-procedures engagement to be in the form of "procedures and findings" only. The practitioner should not provide negative assurance about whether management's assertion is fairly stated.
[Tabular data omitted]
The Statement also requires the practitioner, prior to performing the procedures, to obtain an understanding of the specified requirements and plan the engagement following the first standard of field work described in SSAE No. 1. An understanding of the specified compliance requirements can be obtained by considering the following:
* Laws, regulations, rules, contracts, and grants pertaining to the specified requirements;
* Experience from prior engagements and regulatory reports;
* Inquiries of appropriate client employees such as the entity's chief financial officer, internal auditors, legal counsel, compliance officer, or grant or contract administrators; and
* Inquiries of regulators or other third-party specialists.
Guidance on preparing standard and modified reports is provided in the Statement. Several points on these reports unique to agreed-upon-procedures engagements should be noted. The practitioner's report should indicate that the sufficiency of the procedures is solely the responsibility of the parties specifying the procedures and should include a disclaimer of responsibility for the sufficiency of those procedures. All the procedures performed and their related findings should be either enumerated or referenced in the report. The report should also include a statement of limitations on the use of the report, even if the report is part of a public record; in that case, a sentence would be added stating that the report is a matter of public record and its distribution is not limited. The Statement provides separate sample agreed-upon-procedures reports on management assertions addressing compliance with specified requirements, the effectiveness of the internal control structure over compliance, and both.
The objective of the practitioner's examination procedures applied to management's assertion about an entity's compliance with specified requirements is to express an opinion about whether management's assertion is fairly stated in all material respects based on established or agreed-upon criteria. As noted earlier, the Statement does not apply to examination engagements on management's assertions about the effectiveness of the internal control structure over compliance with specified requirements.
A practitioner engaged to examine and report on an entity's compliance with specified requirements should exercise due care and a proper degree of professional skepticism when planning, performing, and evaluating the results of the examination procedures. Specifically, the practitioner should--
* obtain an understanding of the specified compliance requirements;
* plan the engagement;
* consider relevant portions of the entity's internal control structure over compliance;
* obtain sufficient evidence, including testing compliance with specified requirements;
* consider subsequent events; and
* form an opinion about whether management's assertion about the entity's compliance with specified requirements is fairly stated in all material respects based on the established or agreed-upon criteria.
Understanding the Compliance Requirements. The Statement specifies the same set of considerations for a practitioner to understand the specified compliance requirements for examination engagements as those discussed earlier for agreed-upon-procedures engagements.
Plan the Engagement. For purposes of planning a compliance engagement, the Statement refers the practitioner to SSAE No. 1 for some general considerations that involve developing an "overall strategy" for the expected conduct and scope of the engagement. A preliminary consideration of the overall engagement attestation risk and materiality is an important part of this overall strategy.
Attestation Risk. Reasonable assurance implies the practitioner gathered sufficient evidence to support his or her opinion on management's assertion, thereby limiting attestation risk to an appropriately low level. Attestation risk is the risk that the practitioner may unknowingly fail to appropriately modify his or her opinion on management's assertion. It is composed of inherent risk, control risk, and detection risk. The concepts behind these risks in an attestation engagement are the same as those behind a financial statement audit. However, in addition to the factors considered in assessing inherent risk when planning a financial statement audit, the practitioner should also consider the complexity of the specified compliance requirements and the length of time the entity has been subject to them, any prior experience with the entity's compliance, and the potential impact of noncompliance.
[Tabular data omitted]
Materiality. In a compliance examination engagement, the practitioner's consideration of materiality differs from that in a financial statement audit and is affected by the following:
* The nature of management's assertion and the compliance requirements, which may or may not be quantifiable in monetary terms;
* The nature and frequency of noncompliance identified with appropriate consideration of sampling risk; and
* Qualitative considerations, including the needs and expectations of users of the report.
As is the case with materiality as set forth in other professional standards, it will be up to practice units to operationalize materiality considerations. Since it may be difficult to assign a dollar amount for materiality, and the Statement refers to the frequency of noncompliance with requirements, some practitioners may think in terms of the rate of deviation as the measure of materiality. For example, they might establish an acceptable deviation or exception rate, such as 5% or 10% in appropriate circumstances, and design their tests of compliance accordingly. Other practitioners may base their materiality assessments on more subjective considerations.
Other Considerations. If the entity has operations in several components (e.g., locations, branches, subsidiaries, or programs), the practitioner may determine it is not necessary to test compliance with requirements at every component. The Statement provides a list of factors to consider when making such a determination and in selecting the components to be tested.
Another factor the practitioner should consider is whether the entity has an internal audit function and the extent to which internal auditors are involved in monitoring compliance with the specified requirements. The Statement refers to SAS No. 65, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, for related guidance. One related matter worth noting is that the ASB is addressing internal auditors' participation in agreed-upon-procedures engagements as part of a separate project. The Board has, however, concluded that a practitioner may not use internal auditors for direct assistance in an agreed-upon-procedures engagement to satisfy the safety and soundness requirements of the FDICIA of 1991.
Consideration of the Internal Control Structure over Compliance. The practitioner should obtain an understanding of relevant portions of the internal control structure over compliance sufficient to plan the engagement and to assess control risk for compliance. Such knowledge should then be used to identify types of potential noncompliance, to consider factors that affect the risk of material noncompliance, and to design appropriate tests of compliance.
A practitioner can obtain an understanding of the internal control structure by performing inquiries of client employees, inspection of client documents, and observation of client operations. The nature and extent of procedures a practitioner performs vary from engagement to engagement depending on: the newness and complexity of the requirements; knowledge from prior engagements; the nature of the requirements; knowledge of the industry; and judgments about materiality.
Obtaining Sufficient Evidence. The practitioner should exercise professional judgment in determining examination procedures and the sufficiency of the evidence obtained. The Statement refers to SSAE No. 1 and SAS No. 39, Audit Sampling, for specific guidance. For engagements involving compliance with regulatory requirements, the practitioner's procedures should include a review of reports of significant examinations and related communications between regulatory agencies and the entity and, when appropriate, inquiries of the regulatory agencies, including inquiries concerning examinations in progress.
Subsequent Events. Two types of subsequent events require management's consideration and the practitioner's evaluation. The first type consists of events that provide additional information about the entity's compliance during the reporting period and may affect management's assertion and the practitioner's report. For the period from the end of the reporting period to the date of the practitioner's report, the practitioner should identify such events and obtain additional information about the reporting period by inquiring about and considering relevant internal auditors' reports, other practitioners' reports identifying noncompliance, and regulatory agencies' reports on the entity's noncompliance.
The second type consists of noncompliance that occurs after the reporting period but before the date of the practitioner's report. The practitioner is not responsible for detecting such noncompliance. However, if the practitioner becomes aware of the noncompliance, and not disclosing it would make management's assertion misleading, the practitioner should include a paragraph in his or her report describing the noncompliance, if it is not already disclosed in management's assertion.
Forming Opinion and Reporting. Throughout the engagement, the practitioner should analyze and document the results of procedures performed. In evaluating whether management's assertion is fairly stated in all material respects, the practitioner should further consider the nature and frequency of the noncompliance identified and whether it is material relative to the compliance requirements.
There are two basic forms of practitioner's report for examination engagements, depending on whether management's assertion is presented only in a representation letter, or in both a representation letter and a separate report accompanying the practitioner's report. In the former case, the practitioner should modify his or her report to include management's assertion about the entity's compliance and add a paragraph that limits the distribution of the report to specified parties.
Except for several statements unique to compliance examinations, the reports greatly resemble the standard reports used in traditional financial statement audits, which include three paragraphs (introductory, scope, and opinion). One such statement should indicate that the examination does not provide a legal determination of the entity's compliance. In addition to illustrative reports, the Statement also provides guidance for the practitioner to modify the standard reports because of material noncompliance, a material uncertainty, a restriction on the scope of the engagement, or the practitioner's decision to refer to another practitioner's report as a partial basis for his or her own report.
More Regulations, More Attestation Engagements
The Statement is the newest specific, interpretive SSAE derived from SSAE No. 1, Attestation Standards, to guide practitioners engaged to attest to management's assertions about an entity's compliance with specified requirements or to report on agreed-upon procedures concerning the effectiveness of its internal control structure over compliance. Given the broad definition of compliance attestation engagements in the Statement and the seemingly ever-growing number of regulations, it is likely practitioners will frequently be engaged to report on a wide variety of compliance matters. The new SSAE surely will be their most important source of guidance.
Simon C. Dzeng, PhD, is an Assistant Professor at Bernard M. Baruch College, City University of New York.
©2009 The New York State Society of CPAs.