Aud 2017 Q3 PDF

Miles CPA Review: AUD
Q3 2017 Updates & Errata for 2017 Edition
Summary of updates:
- New version CPA exam structure (w.e.f. April 2017)
- AUD-7.2: Attestation Engagements [Auditing Standards Board
(ASB) of the AICPA has issued clarified SSAE (AT-C) for clarity
and convergence with international standards]
- AUD-7.3: Governmental Auditing [Miles content revised &
updated; new mnemonics APPEND, AICPA CD-VCD, AICPA SCI-
Fi CD-VCD]
- AUD-7.4: Effect of I.T. on Audit - Also refer to Effect of I.T. on
Internal Controls from BEC-7.5
1
New version CPA exam structure (w.e.f. April 2017):
MCQ testlets TBS/WCT testlets
50% weightage 50% weightage
Recommended time: Recommended time:
Testlet #1: 50 mins Testlet #3: 30 mins
Testlet #2: 50 mins Testlet #4: 50 mins
Testlet #5: 60 mins
15 min
Break:
Testlet #1 Testlet #2 Testlet #3 Testlet #4 Testlet #5
FAR 33 MCQs 33 MCQs 2 TBSs 3 TBSs 3 TBSs
15 min
Break:
AUD 36 MCQs 36 MCQs 2 TBSs 3 TBSs 3 TBSs
15 min
Break:
REG 38 MCQs 38 MCQs 2 TBSs 3 TBSs 3 TBSs
15 min
Break:
BEC 31 MCQs 31 MCQs 2 TBSs 2 TBSs 3 WCTs
Old version vs. New version:

CPA exams (2011 March 2017) CPA exams w.e.f. April 2017
Skill-level Remembering & Understanding Remembering & Understanding
tested Application Application
Analysis
Evaluation (for AUD only)
Exam FAR: 90 MCQs (60%), 7 TBSs (40%) FAR: 66 MCQs (50%), 8 TBSs (50%)
structure AUD: 90 MCQs (60%), 7 TBSs (40%) AUD: 72 MCQs (50%), 8 TBSs (50%)
& scoring REG: 72 MCQs (60%), 6 TBSs (40%) REG: 76 MCQs (50%), 8 TBSs (50%)
weights BEC: 72 MCQs (85%), 3 WCTs (15%) BEC: 62 MCQs (50%), 4 TBSs (35%),
3 WCTs (15%)
# of 4 testlets: 5 testlets:
Testlets 3 MCQ testlets + 1 TBS/WCT testlet 2 MCQ testlets + 3 TBS/WCT testlets
Time FAR: 4 hours FAR: 4 hours
Allotment AUD: 4 hours AUD: 4 hours
REG: 3 hours REG: 4 hours
BEC: 3 hours BEC: 4 hours
Break Optional breaks (count against time) 15-min Standard break (after Testlet #3)
+ Optional breaks (count against time)
* MCQ - Multiple Choice Question | TBS - Task Based Simulation | WCT - Written Communication Task
2
AUD-7 Miles CPA Review
Attestation = ERA of other than historical F/S
7.2) Attestation Engagements (SSAE) SSAE (AT-C Code)

SSAE (Statements on Standards for Attestation Engagements)
Attestation engagements - Examination, review, or agreed-upon procedures engagement
(performed under SSAE) where the CPA practitioner is engaged to report on a subject matter,
or an assertion about the subject matter, that is the responsibility of another party
Subject matter may be based on
Historical or prospective performance or condition (e.g., historical or prospective financial
info, performance measurements, backlog data)
Physical characteristics (e.g., narrative descriptions, square footage of facilities)
Historical events (e.g., the price of a market basket of goods on a certain date)
Analyses (e.g., break-even analyses)
Systems and processes (e.g., I/C)
Behavior (e.g., corporate governance, compliance with laws & regulations, HR practices)
Assertion is a declaration about whether the subject matter is in accordance with certain
criteria. E.g., management asserts that I/C over compliance is effective based on given criteria
SSAE do not apply to:
Audit engagements - SAS applies for non-issuers and PCAOB for issuers {Audit is
examination of historical F/S; SSAE covers other examinations}
Compilation or Review of F/S of non-issuers - SSARS applies
Consulting Services - SSCS applies
Personal Financial Planning Services - PFP applies
Valuation Services - VS applies
Tax engagements - SSTS applies
Litigation services or expert witness services
Performance audits pursuant to Government Auditing Standards
SSAE No. 18 - Issued to clarify & revise SSAE effective for periods on or after May 1, 2017.
Attest standards are now codified with the prefix AT-C [where C stands for Clarity]
Key objective of AICPA Clarity projects have been to converge with international standards.
However, one major difference still exists between SSAE & international attest standards:
Under SSAE, a practitioner is required to obtain a written assertion (for examination &
review engagements) from the engaging party, except when engaging party is not the
responsible party
This is not a mandatory requirement under international standards (ISAE)
Few sample attestation engagements:
Prospective Financial Info (financial forecasts & projections)
Pro forma financial info
Compliance attestation (as a specific engagement)
Management discussion & analysis
I/C at a Service Organization
Trust Services criteria
As Relevant to User Entities ICFR
A7-16
Miles CPA Review AUD-7
Attestation standards
Extension of GAAS but conceptually different in the following ways:
SSAE do not refer to F/S Audit = Examination of historical F/S
SSAE do not refer to GAAP Attest = ERA of other than historical F/S
SSAE provide lower levels of assurance than a GAAS audit
11 Standards
5 General standards: {TIP where T includes Know Criteria}
T Training & proficiency
Know Knowledge of the subject matter
Criteria - subject matter should be capable of evaluation against criteria that is suitable
Criteria
& available to users; a suitable criteria is relevant, objective, measurable & complete
I Independence (independence is mandatory for audit & attestation)
Professional care in planning & performance
P
2 Fieldwork Standards {PIC without the I}
P Planning & supervision
Internal Controls
C Corroborative Audit Evidence
4 Reporting Standards {Identify Clean & Dirty Limits - Reporting standards are less specific
due to the wide variety of attestation engagements possible}
I Identify the subject matter or assertion being reported on and state the character of the
engagement
C Conclusions about the subject matter or assertion to be stated
D Disclose significant reservations about the engagement including unresolved problems
or concerns
L Limited use - Restrict use of report to specified parties if:
- Criteria is suitable for or available to limited number of parties,
- Written assertion not provided by the client (engaging party), or
- Reporting on an AUP engagement
Note:
- Traditionally, attest standards were classified as 11 basic standards as above with 3 groups - general, fieldwork and
reporting. Until April 30, 2017, these were authoritative standards and were directly reflected in the SSAE
- Effective May 1, 2017, the Auditing Standards Board (ASB) of the AICPA has issued clarified SSAE (AT-C) for clarity
and convergence with international standards. Though the above classification of attest standards has now been
incorporated into clarified SSAE and are still broadly applicable, the above classification is no longer authoritative
A7-17
Categories of Attestation engagements: {attest = new ERA for practitioners with engagements
beyond historical F/S!}
E Examination leading to opinion
R Review leading to assurance
A AUP (Agreed-upon procedures) engagements leading to findings
Examination Review AUP

End result? Expression of opinion Expression of No assurance but
based on reasonable conclusion based on procedures & findings
assurance limited assurance are listed. Practitioner
(negative assurance) disclaims any
responsibility for the
sufficiency of the
procedures
Work Procedures comparable Inquiry & Analytical As agreed-upon by

performed? to audits of historical procedures practitioner and client
F/S
Limited use? - Criteria not suitable/ - Criteria not suitable/ Mandatory

available available
- Written assertion not - Written assertion not
provided if engaging provided if engaging
party (client) is not the party (client) is not the
responsible party responsible party
Reporting options for few types of attestation services:

Attestation service Examination Review AUP
AUP Engagements
Prospective F/S (forecast/projection)
Pro-forma F/S
Compliance
Management discussion & analysis
I/C at a Service Organization: Trust
Services
I/C at a Service Organization: Relevant
to User Entities ICFR
A7-18
May be same Engaging party = client who hires CPA
or different Responsible party = responsible for subject matter (e.g., management)
Few key requirements of attestation engagements:
Written assertion required - An attest engagement is predicated on the concept that a
responsible party makes an assertion about whether the subject matter is measured or
evaluated in accordance with suitable criteria. Therefore, it is required for practitioner to
request a written assertion from the responsible party (ok if the written assertion is included
in an engagement letter, representation letter, alongside presentation of the subject matter or
in the notes, etc.)
Examination & Review Engagements - If responsible party refuses to provide a written
assertion, practitioner should withdraw
Except: 1. Need not withdraw if engaging party responsible party [in this case, disclose the
refusal in the attest report and restrict use of the report to the engaging party]
2. For AUP engagements, responsible partys refusal to provide a written assertion requires
the practitioner to disclose that refusal in the report
Preconditions for an Attest Engagement

Establish written understanding with engaging party (e.g., written engagement letter)
regarding the terms of the engagement, including practitioners reporting responsibilities
Responsible party (e.g., management) takes responsibility for the subject matter
Engagement exhibits all of the following characteristics
Subject matter is appropriate
Criteria to be applied in the preparation and evaluation of the subject matter is suitable
and will be available to the intended users
Practitioner expects to be able to obtain the evidence including
- Access to all relevant info of which the responsible party is aware of,
- Access to additional info that the practitioner may request, and
- Unrestricted access to persons within the appropriate party(ies)
Practitioner to issue a written report with opinion (for examination), conclusion (for
review) or findings (for AUP)
Written representation letter required

From responsible party
Except: Not mandatory if engaging party responsible party, in which case, practitioner would
seek oral responses from responsible party and, if found ok, would restrict the use of
attest report to the engaging party [note: in case of AUP, the use of report is anyways
restricted]
From engaging party (if engaging party responsible party) wherein the engaging party
acknowledges that the responsible party is responsible for the subject matter & assertion
Engagement Documentation - To be assembled/filed within 60 days after report release date

Thereafter, should not delete/discard any document before the end of the retention period
Change in terms of the engagement - Practitioner to agree only if reasonable justification exists
If the practitioner agrees to a downgrade of service (e.g., examination to review),
practitioners report should be issued on the lower level of service - with no reference to
the original engagement or scope limitations that resulted in the changed engagement
A7-19
Sample Reports on Examination engagements = Opinion

Sample Report on Examination of a subject matter (e.g., schedule of investment returns):
Independent Accountants Report
[Appropriate Addressee]
We have examined the accompanying schedule of investment returns of ABC Company for the year ended December
Intro
31, 20XX. ABC Companys management is responsible for presenting the schedule of investment returns in accordance
with the XYZ criteria set forth in Note 1. Our responsibility is to express an opinion on the schedule of investment
returns based on our examination.
Scope Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable
assurance about whether the schedule of investment returns is in accordance with the criteria, in all material respects.
An examination involves performing procedures to obtain evidence about the schedule of investment returns. The
nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of
material misstatement of the schedule of investment returns, whether due to fraud or error. We believe that the
evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]
[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]
Opinion In our opinion, the schedule of investment returns referred to above is presented in accordance with the XYZ criteria
set forth in Note 1, in all material respects.
[Practitioners signature | City and State | Date of report]
Sample Report on Examination of an assertion (e.g., schedule of investment returns presented

in accordance with XYZ criteria):
We have examined managements assertion that the accompanying schedule of investment returns of ABC Company
Intro for the year ended December 31, 20XX is presented in accordance with XYZ criteria set forth in Note 1. ABC Companys
management is responsible for its assertion. Our responsibility is to express an opinion on managements assertion
based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of
Scope Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable
assurance about whether management's assertion is fairly stated, in all material respects. An examination involves
performing procedures to obtain evidence about management's assertion. The nature, timing, and extent of the
procedures selected depend on our judgment, including an assessment of the risks of material misstatement of
management's assertion, whether due to fraud or error. We believe that the evidence we obtained is sufficient and
appropriate to provide a reasonable basis for our opinion.
our opinion, managements assertion that the accompanying schedule of investment returns of ABC Company for
Opinion In
the year ended December 31, 20XX, is presented in accordance with the XYZ criteria set forth in Note 1 is fairly stated,
in all material respects.
A7-20
Sample Reports on Review engagements = Negative assurance

Sample Report on Review of a subject matter (e.g., schedule of investment returns):
Independent Accountants Review Report
We have reviewed the accompanying schedule of investment returns of ABC Company for the year ended December
Intro 31, 20XX. ABC Companys management is responsible for presenting the schedule of investment returns in accordance
with the XYZ criteria set forth in Note 1. Our responsibility is to express a conclusion on the schedule of investment
returns based on our review.
Our review was conducted in accordance with attestation standards established by the American Institute of Certified
Scope Public Accountants. Those standards require that we plan and perform the review to obtain limited assurance about
whether any material modifications should be made to the schedule of investment returns in order for it to be in
accordance with the criteria. A review is substantially less in scope than an examination, the objective of which is to
obtain reasonable assurance about whether the schedule of investment returns is in accordance with the criteria, in all
material respects, in order to express an opinion. Accordingly, we do not express such an opinion. We believe that our
review provides a reasonable basis for our conclusion.
Based on our review, we are not aware of any material modifications that should be made to the accompanying
Conclusion schedule of investment returns of ABC Company for the year ended December 31, 20XX in order for it be in accordance
with the XYZ criteria set forth in Note 1.
Sample Report on Review of an assertion (e.g., schedule of investment returns presented in

accordance with XYZ criteria):
Independent Accountants Review Report
We have reviewed management of ABC Companys assertion that the accompanying schedule of investment returns of
Intro ABC Company for the year ended December 31, 20XX is presented in accordance with XYZ criteria set forth in Note 1.
ABC Companys management is responsible for presenting the schedule of investment returns in accordance with the
XYZ criteria set forth in Note 1. Our responsibility is to express a conclusion on the schedule of investment returns based
on our review.
Scope Our review was conducted in accordance with attestation standards established by the American Institute of Certified
Public Accountants. Those standards require that we plan and perform the review to obtain limited assurance about
whether any material modifications should be made to the schedule of investment returns in order for it to be in
accordance with the criteria. A review is substantially less in scope than an examination, the objective of which is to
obtain reasonable assurance about whether the schedule of investment returns is in accordance with the criteria, in all
material respects, in order to express an opinion. Accordingly, we do not express such an opinion. We believe that our
review provides a reasonable basis for our conclusion.
Conclusion Based on our review, we are not aware of any material modifications that should be made to management of ABC
Company's assertion in order for it to be fairly stated.
A7-21
Examination or Review = CPA decides procedures
AUP = Client decides procedures. CPA performs these agreed procedures & reports findings
I) Agreed-Upon Procedures (AUP) Engagements
Practitioner engaged by client to report findings based on specific agreed-upon procedures
Performed when specified parties require that findings be derived by an independent CPA
May be performed on the subject matter, or assertion(s) about the subject matter
May be performed provided following conditions exist: {ASSURE the practitioner that AUP is ok}
General standards for all attestation engagements = TIP + Know Criteria
A Agreement of the Parties - Practitioner and specified parties must agree regarding
Procedures to be performed
Criteria to be used in the determination of the findings, and
Any materiality limits to be applied for reporting purposes
S Subject Matter - Responsibility of specified parties or the specified parties are able to provide
evidence that a third party is responsible; however, written assertion is generally not required
Procedures to be applied to the subject matter should be expected to result in reasonably
consistent findings using the criteria
S Sufficiency of the Procedures - Responsibility of specified parties Report intended for parties
U Use of the Report is Restricted to the specified parties who prescribed procedures
R Responsibility of Practitioner - Practitioner responsible for performing agreed-upon
procedures and report findings (as per AICPAs SSAE)
E Engagements relating to prospective F/S must include a summary of significant assumptions
Sample Report on AUP engagement:

Independent Accountants Report on Applying Agreed-Upon Procedures
To the Audit Committees and Managements of ABC Company and XYZ Fund:
We have performed the procedures enumerated below, which were agreed to by the audit committees and
managements of ABC Company and XYZ Fund, on the accompanying Statement of Investment Performance Statistics of
XYZ Fund for the year ended December 31, 20XX. XYZ Funds management is responsible for the Statement of
Investment Performance Statistics for the year ended December 31, 20XX. The sufficiency of these procedures is solely
the responsibility of those parties specified in this report. Consequently, we make no representation regarding the
sufficiency of the procedures described below either for the purpose for which this report has been requested or for any
other purpose. Client responsible for sufficiency, CPA for performance
[Include paragraphs to enumerate procedures and findings.]
CPA is responsible
This agreed-upon procedures engagement was performed in accordance with attestation standards established by the
American Institute of Certified Public Accountants. We were not engaged to and did not conduct an examination or
review, the objective of which would be the expression of an opinion or conclusion, respectively, on the accompanying
Statement of Investment Performance Statistics of XYZ Fund for the year ended December 31, 20XX. Accordingly, we do
not express such an opinion or conclusion. Had we performed additional procedures, other matters might have come to
our attention that would have been reported to you.
[Additional paragraph(s) may be added to describe other matters.]
Limited This report is intended solely for the information and use of the audit committees and managements of ABC Company
Use and XYZ Fund, and is not intended to be, and should not be, used by anyone other than the specified parties.
A7-22
II) Prospective F/S (forecasts/projections) E R A
Prospective F/S present expected or hypothetical future results of an entity. 2 types:

Forecast - Prospective F/S with expected future results; assumptions based on expected
conditions and expected courses of action
Can be for either general or limited use
E.g., Company XYZ has received an approval for its technology patent and prepares financial
forecast for the next few years based on expected future results
Projection - Prospective F/S given one/more hypothetical assumptions (based on what if
scenarios)
Based on hypothetical assumptions not necessarily expected; thus, only for limited use by:
Responsible party (i.e., entity)
Third parties with whom the responsible party is negotiating directly (e.g., bank with
which the entity is negotiating for a loan, a regulatory agency)
E.g., To negotiate a loan to expand its plant, Company XYZ prepares financial projection
for the next few years using the hypothetical assumption that the requested loan has been
granted and the plant is expanded [i.e., a what if scenario]
Practitioner may either examine or perform AUP on prospective F/S

Examination - Obtain reasonable assurance and express an opinion as to whether
prospective F/S conform to AICPA presentation guidelines, and
underlying assumptions provide a reasonable basis for the forecast/projection
Review of prospective F/S is NOT allowed
ASSURE
AUP - Report findings from the procedures & summary of significant assumptions
As applicable in AUP engagements, procedures performed by the practitioner are
established by the specified parties
Also, sufficiency of these procedures is solely the responsibility of the specified parties
(and practitioner makes no representation regarding the same)
Can only result in a report for limited use whether it involves forecast or projection
Reports also need to include: Warning #1 =

Warning (Caveat) that the prospective results may not be achieved Future is uncertain
Statement that the practitioner has no responsibility to update the report for events &
circumstances occurring after the report date Warning #2 = CPA may not revisit
Limited use paragraph in case of examination of projections (in case of AUP, both forecasts
and projections will lead to the limited use para)
Limited use para:
SSARS applies if CPA is engaged to compile prospective F/S
General Rule: Examination AUP
Attest = Follow SSAE (AT-C) Forecast X
Compile = Follow SSARS (AR-C) = non-issuers only
Projection
A7-23
Sample Reports on Examination of Prospective F/S:

We have examined the accompanying forecast of XYZ Company, which comprises [identify the statements, for example, the
forecasted balance sheet as of December 31, 20XX, and the related forecasted statements of income, stockholders equity, and cash
flows for the year then ending], based on the guidelines for the presentation of a forecast established by the American Institute of
Certified Public Accountants. XYZ Company's management is responsible for preparing and presenting the forecast in accordance
with the guidelines for the presentation of a forecast established by the American Institute of Certified Public Accountants. Our
responsibility is to express an opinion on the forecast based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public
Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether the
forecast is presented in accordance with the guidelines for the presentation of a forecast established by the American Institute of
Certified Public Accountants, in all material respects. An examination involves performing procedures to obtain evidence about the
forecast. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of
material misstatement of the forecast, whether due to fraud or error. We believe that the evidence we obtained is sufficient and
appropriate to provide a reasonable basis for our opinion.
In our opinion, the accompanying forecast is presented, in all material respects, in accordance with the guidelines for the
presentation of a forecast established by the American Institute of Certified Public Accountants, and the underlying assumptions are
suitably supported and provide a reasonable basis for managements forecast.
There will usually be differences between the forecasted and actual results because events and circumstances frequently do not
occur as expected, and those differences may be material. We have no responsibility to update this report for events and
Warnings
circumstances occurring after the date of this report.

We have examined the accompanying projection of XYZ Company, which comprises [identify the statements, for example, the
projected balance sheet as of December 31, 20XX, and the related projected statements of income, stockholders' equity, and cash
flows for the year then ending] based on the guidelines for the presentation of a projection established by the American Institute of
Certified Public Accountants. XYZ Company's management is responsible for preparing and presenting the projection based on
[identify the hypothetical assumption(s), for example, the granting of the requested loan as described in the summary of significant
assumptions] in accordance with the guidelines for the presentation of a projection established by the American Institute of Certified
Public Accountants. The projection was prepared for [describe the special purpose, for example, the purpose of negotiating a loan to
expand XYZ Company's plant]. Our responsibility is to express an opinion on the projection based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public
Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether the
projection is presented in accordance with the guidelines for the presentation of a projection established by the American Institute
of Certified Public Accountants, in all material respects. An examination involves performing procedures to obtain evidence about
the projection. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the
risks of material misstatement of the projection, whether due to fraud or error. We believe that the evidence we obtained is
sufficient and appropriate to provide a reasonable basis for our opinion.
In our opinion, [describe the hypothetical assumption(s), for example, assuming the granting of the requested loan for the purpose of
expanding XYZ Company's plant as described in the summary of significant assumptions] the projection referred to above is
presented, in all material respects, in accordance with the guidelines for the presentation of a projection established by the
American Institute of Certified Public Accountants, and the underlying assumptions are suitably supported and provide a reasonable
basis for management's projection given the hypothetical assumption(s).
Even if [identify the hypothetical assumption, for example, the loan is granted and the plant is expanded], there will usually be Warnings
differences between the projected and actual results because events and circumstances frequently do not occur as expected, and
those differences may be material. We have no responsibility to update this report for events and circumstances occurring after the
date of this report.
The accompanying projection and this report are intended solely for the information and use of [identify specified parties, for Limited
example, XYZ Company and DEF National Bank], and are not intended to be and should not be used by anyone other than these
specified parties.
Use
A7-24
III) Pro-forma F/S E R A

Pro-forma F/S are used to show the significant effects of an event on historical F/S if the same
consummated/proposed event had occurred at an earlier date
Pro-forma adjustments are applied to historical F/S based on managements assumptions and
give effect to all significant effects directly attributable to the transaction/event
Commonly used to show the effects of transactions/events such as the following:
Business combination (e.g., what if the business combination had happened earlier?)
Change in capitalization (e.g., what if the capitalization had been changed earlier?)
Disposition of a portion of the business (e.g., what if the disposal had happened earlier?)
Change in the form of business organization or status as an autonomous entity
Proposed sale of securities and the application of the proceeds
Pro-forma F/S should be labeled as such to distinguish it from historical F/S
Need to describe the transaction/event that is reflected in the pro forma F/S, the source of
the historical F/S on which it is based, the significant assumptions used in developing the
pro forma adjustments, and any significant uncertainties about those assumptions
Need to also indicate that pro-forma F/S should be read in conjunction with related
historical F/S and that the pro-forma F/S is not necessarily indicative of the results that
would have been attained had the transaction/event actually taken place earlier
Practitioner may either examine or review pro-forma F/S

Managements assumptions provide a reasonable basis for presenting the significant effects
directly attributable to the underlying transaction/event,
Related pro-forma adjustments give appropriate effect to those assumptions, and
Pro-forma amounts reflect proper application of those adjustments to the historical F/S
Review - Obtain limited assurance and express a conclusion as to the same 3 points as above
Reports also need to include:

Reference to the historical F/S from which historical financial info is derived and state if such
F/S were audited (and if audited by another auditor)
Note: Level of service on the pro-forma F/S should not exceed that on related historical F/S
Examination of pro-forma F/S only if related historical F/S were audited
Review of pro-forma F/S only if the related historical F/S were audited/reviewed
Statement that the pro forma adjustments are based on managements assumptions
Description of the objectives and limitations of pro-forma F/S
SSARS applies if the CPA is engaged to compile pro-forma F/S
A7-25
Sample Report on Examination of Pro-forma F/S:

We have examined the pro forma adjustments giving effect to the underlying transaction (or event) described in
Note 1 and the application of those adjustments to the historical amounts in the accompanying pro forma
condensed balance sheet of X Company as of December 31, 20X1, and the related pro forma condensed statement
of income for the year then ended (pro forma financial information), based on the criteria in Note 1. The historical Refer to
condensed financial statements are derived from the historical financial statements of X Company, which were historical
audited by us, and of Y Company, which were audited by other accountants, appearing elsewhere herein [or "and
are readily available"]. The pro forma adjustments are based on management's assumptions described in Note 1. X
F/S
Company's management is responsible for the pro forma financial information. Our responsibility is to express an
opinion on the pro forma financial information based on our examination.
Certified Public Accountants. Those standards require that we plan and perform the examination to obtain
reasonable assurance about whether, based on the criteria in Note 1, management's assumptions provide a
reasonable basis for presenting the significant effects directly attributable to the underlying transaction (or event),
and, in all material respects, the related pro forma adjustments give appropriate effect to those assumptions, and
the pro forma amounts reflect the proper application of those adjustments to the historical financial statement
amounts. An examination involves performing procedures to obtain evidence about management's assumptions, the
related pro forma adjustments, and the pro forma amounts in the pro forma condensed balance sheet of X Company
as of December 31, 20X1, and the related pro forma condensed statement of income for the year then ended. The
nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks
of material misstatement of the pro forma financial information, whether due to fraud or error. We believe that the
The objective of this pro forma financial information is to show what the significant effects on the historical financial
information might have been had the underlying transaction (or event) occurred at an earlier date. However, the pro
forma condensed financial statements are not necessarily indicative of the results of operations or related effects on
financial position that would have been attained had the above-mentioned transaction (or event) actually occurred
at such earlier date. Objective & Limitations
In our opinion, based on the criteria in Note 1, management's assumptions provide a reasonable basis for presenting
the significant effects directly attributable to the above-mentioned transaction (or event) described in Note 1, and,
in all material respects, the related pro forma adjustments give appropriate effect to those assumptions, and the pro
forma amounts reflect the proper application of those adjustments to the historical financial statement amounts in
the pro forma condensed balance sheet of X Company as of December 31, 20X1, and the related pro forma
condensed statement of income for the year then ended.
A7-26
Sample Report on Review of Pro-forma F/S:

We have reviewed the pro forma adjustments giving effect to the transaction (or event) described in Note 1 and the
application of those adjustments to the historical amounts in the accompanying pro forma condensed balance sheet
of X Company as of March 31, 20X2, and the related pro forma condensed statement of income for the three months
then ended (pro forma financial information), based on the criteria in Note 1. These historical condensed financial Refer
statements are derived from the historical unaudited financial statements of X Company, which were reviewed by
us, and of Y Company, which were reviewed by other accountants, appearing elsewhere herein [or "and are readily historical
available"]. The pro forma adjustments are based on management's assumptions as described in Note 1. X F/S
Company's management is responsible for the pro forma financial information. Our responsibility is to express a
conclusion based on our review.
Our review was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform our review to obtain limited
assurance about whether, based on the criteria in Note 1, any material modifications should be made to
management's assumptions in order for them to provide a reasonable basis for presenting the significant effects
directly attributable to the underlying transaction (or event); the related pro forma adjustments, in order for them to
give appropriate effect to those assumptions; or the pro forma amounts, in order for them to reflect the proper
application of those adjustments to the historical financial statement amounts. A review is substantially less in scope
than an examination, the objective of which is to obtain reasonable assurance about whether, based on the criteria,
management's assumptions provide a reasonable basis for presenting the significant effects directly attributable to
the underlying transaction (or event), and, in all material respects, the related pro forma adjustments give
appropriate effect to those assumptions, and the pro forma amounts reflect the proper application of those
adjustments to the historical financial statement amounts, in order to express an opinion. Accordingly, we do not
express such an opinion. We believe that our review provides a reasonable basis for our conclusion.
The objective of this pro forma financial information is to show what the significant effects on the historical financial
information might have been had the underlying transaction (or event) occurred at an earlier date. However, the pro
forma condensed financial statements are not necessarily indicative of the results of operations or related effects on
financial position that would have been attained had the above-mentioned transaction (or event) actually occurred
at such earlier date. Objective & Limitations
Based on our review, we are not aware of any material modifications that should be made to management's
assumptions in order for them to provide a reasonable basis for presenting the significant effects directly
attributable to the above-mentioned transaction (or event) described in Note 1, the related pro forma adjustments
in order for them to give appropriate effect to those assumptions, or the pro forma amounts, in order for them to
reflect the proper application of those adjustments to the historical financial statement amounts in the pro forma
condensed balance sheet of X Company as of March 31, 20X2, and the related pro forma condensed statement of
income for the three months then ended, based on the criteria in Note 1.
IV) Internal control over financial reporting: No longer attest

Earlier: For non-issuers, the auditor could be engaged for an attest engagement on ICFR (per SSAE
standards) integrated with an audit of F/S (i.e., attest of ICFR + audit of F/S). No longer applicable
Effective Dec 15, 2016: AU-C 940 applies if an auditor is engaged to perform an audit of ICFR
integrated with an audit of F/S
Note again that the audit of ICFR is optional for non-issuers; but if the non-issuer wants to opt
for it, it needs to an integrated audit per GAAS
If Integrated Audit for non-issuers, do
A7-27
Audit of F/S + Audit of ICFR [no longer attest]
E R A
V) Compliance (as a specific engagement)
Relates to an entitys compliance with specified laws, regulations, rules, contracts, or grants
Does not provide a legal determination of an entitys compliance with specified requirements.
However, attest report may be useful to legal counsel or others in making such determinations
Practitioner may either examine or perform AUP

Examination - Obtain reasonable assurance and express an opinion on the entitys compliance
with specified requirements (or, managements assertion on compliance with specified
requirements if fairly stated)
Review on compliance engagements is NOT allowed
AUP - Subject matter of the engagement may be on:
Entitys compliance with specified requirements
Entitys I/C over compliance with specified requirements
Few key requirements:

Preconditions [for both Examination and AUP]
Practitioner should determine if:
Management accepts responsibility for the entitys compliance and I/C over compliance
Management evaluates the entitys compliance with specified requirements
Written assertion to be requested from management [required for Examination; not if AUP]
If management refuses to provide, practitioner should withdraw [for Examination only]
Obtain an understanding of the specified requirements via [for both Examination & AUP]:
Consideration of laws, regulations, rules, contracts, and grants that pertain to the specified
requirements, including published requirements
Consideration of knowledge about the specified requirements obtained through prior
engagements and regulatory reports
Discussion with appropriate individuals within the entity (e.g., CFO, internal auditors, legal
counsel, compliance officer, or grant or contract administrators)
For Examination engagements [if AUP, need to perform procedures as agreed]
Obtain an understanding of relevant portions of I/C over compliance sufficient to plan the
engagement and to assess control risk for compliance with specified requirements. In
planning the examination, such knowledge should be used to identify types of potential
non-compliance, to consider factors that affect the risk of material non-compliance, and to
design appropriate tests of compliance
For engagements involving compliance with regulatory requirements, procedures should
include reviewing reports of relevant examinations & related communications between
regulatory agencies and the entity and, when appropriate, making inquiries of regulatory
agencies, including inquiries about examinations in progress
Request written representation letter from management [for both Examination & AUP]
Additional representations needed from management [for both Examination & AUP]:
Acknowledgement of managements responsibility for establishing and maintaining
effective I/C over compliance
A7-28
Statement that management has performed an evaluation of the entitys compliance

with specified requirements.
Managements interpretation of any compliance requirements that have varying
interpretations
In case of Examination engagement, required even if the client (engaging party)
responsible party - i.e., the exception covered earlier is not permitted in this case
Managements refusal to furnish the written representations constitutes a scope
limitation sufficient to preclude an unmodified opinion and may be sufficient to cause
the practitioner to withdraw from the Examination engagement
Forming an opinion for Examination engagement - In evaluating whether the entity has
complied with the specified requirements, the practitioner should evaluate
Nature and frequency of the non-compliance identified, and
Whether such non-compliance is material relative to the nature of the compliance
requirements
Reports also need to include:

Identification of the specified requirements against which the entity's compliance (or I/C over
compliance) was measured/evaluated
For Examination reports, statement that the examination does not provide a legal
determination on the entity's compliance with specified requirements
For Examination reports, often the criteria is contained in the compliance requirements, in
which case, it is not necessary to repeat the criteria in the practitioner's report; however, if the
criteria are not included in the compliance requirement, the report should identify the criteria
Sample Reports
On Examination of an Entitys Compliance:
We have examined XYZ Company's compliance with [identify the specified requirements, for example, the requirements
listed in Attachment 1] during the period January 1, 20X1, to December 31, 20X1. Management of XYZ Company is
responsible for XYZ Company's compliance with the specified requirements. Our responsibility is to express an opinion
on XYZ Company's compliance with the specified requirements based on our examination.
assurance about whether XYZ Company complied, in all material respects, with the specified requirements referenced
above. An examination involves performing procedures to obtain evidence about whether XYZ Company complied with
the specified requirements. The nature, timing, and extent of the procedures selected depend on our judgment,
including an assessment of the risks of material noncompliance, whether due to fraud or error. We believe that the
Our examination does not provide a legal determination on XYZ Company's compliance with specified requirements.
In our opinion, XYZ Company complied, in all material respects, with [identify the specified requirements, for example,
the requirements listed in Attachment 1] during the period January 1, 20X1 to December 31, 20X1.
A7-29
On AUP engagement of an Entitys Compliance:

[Appropriate addressee]
We have performed the procedures enumerated below, which were agreed to by [identify the specified parties, for
example, the management and board of directors of XYZ Company], related to XYZ Company's compliance with [identify
the specified requirements, for example, the requirements listed in Attachment 1] during the period January 1, 20X1 to
December 31, 20X1. XYZ Company's management is responsible for its compliance with those requirements. The
sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we
make no representations regarding the sufficiency of the procedures enumerated below either for the purpose for
which this report has been requested or for any other purpose.
This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the
review, the objective of which would be the expression of an opinion or conclusion, respectively, on compliance with
specified requirements. Accordingly, we do not express such an opinion or conclusion. Had we performed additional
procedures, other matters might have come to our attention that would have been reported to you.
This report is intended solely for the information and use of [identify the specified parties, for example, the management
and board of directors of XYZ Company] and is not intended to be, and should not be, used by anyone other than the
specified parties.
On AUP engagement of an Entitys I/C over Compliance:

[Appropriate addressee]
We have performed the procedures enumerated below, which were agreed to by [identify the specified parties, for
example, the management and board of directors of XYZ Company], related to XYZ Company's internal control over
compliance with [identify the specified requirements for example, the requirements listed in Attachment 1], as of
December 31, 20X1.7 XYZ Companys management is responsible for its internal control over compliance with those
requirements. The sufficiency of these procedures is solely the responsibility of the parties specified in this report.
Consequently, we make no representations regarding the sufficiency of the procedures enumerated below either for the
purpose for which this report has been requested or for any other purpose.
This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the
review, the objective of which would be the expression of an opinion or conclusion, respectively, on internal control
over compliance with specified requirements. Accordingly, we do not express such an opinion or conclusion. Had we
performed additional procedures, other matters might have come to our attention that would have been reported to
you.
This report is intended solely for the information and use of [identify the specified parties, for example, the management
and board of directors of XYZ Company] and is not intended to be, and should not be, used by anyone other than the
specified parties.
A7-30
VI) Management discussion & analysis (MD&A) E R A
Relates to the performance of an attest engagement with respect to MD&A (presented in annual
reports and other documents) which are prepared pursuant to SEC rules & regulations
May provide services to:
Public entity that prepares MD&A in accordance with SEC rules & regulations
Non-public entity that prepares MD&A and whose management provides a written
assertion that the presentation has been prepared using SEC rules & regulations
The guidance of this section (AT-C 395) does NOT
Change the auditor's responsibility in an audit of F/S
Apply to situations in which the practitioner is requested to provide recommendations to
improve MD&A rather than to provide assurance (may be taken up as a Consulting service)
Apply if practitioner is engaged to provide attest services with respect to MD&A prepared
based on criteria other than SEC rules and regulations (may be still taken up as an attest
engagement but the guidance of this section AT-C 395 will not apply)
Note: In practical scenarios, practitioners rarely perform attest engagements to report on
MD&A prepared pursuant to SEC rules and regulations (so AT-C 395 rarely applies)
Practitioner may either examine or review MD&A

Presentation includes the required elements of SEC rules and regulations,
Historical financial amounts have been accurately derived from the entitys F/S, and
Underlying info, determinations, estimates, and assumptions of the entity provide a
reasonable basis for the disclosures contained therein
Review - Obtain limited assurance and express a conclusion as to the same 3 points as above
Few key requirements:

Pre-conditions
Examination engagement - Practitioner audits the latest period F/S (and prior period F/S
have also been audited either by the same practitioner or a predecessor auditor)
Review engagement -
MD&A is for annual period - Practitioner audits the latest period F/S (and prior period
F/S have also been audited either by the same practitioner or a predecessor auditor)
MD&A is for interim period - Practitioner reviews/audits the latest interim F/S (and
MD&A for the last fiscal year have been examined/reviewed either by the same
practitioner or a predecessor auditor)
Obtain an understanding of the SEC rules & regulations, and managements methodology for
the preparation of MD&A
A7-31
VII) Trust Services E R A
Relates to System and Organization Controls (SOC) for Service Organizations - Examination of I/C
at a service organization providing valuable info that users need to assess/address the risks
associated with an outsourced service
SOC 1 - SOC for Service SOC 2 - SOC for Service SOC 3 - SOC for Service
Organizations: ICFR Organizations: Trust Organizations: Trust
Services Criteria Services Criteria for
General Use Report
Professional Examination per SSAE Examination per SSAE Examination per SSAE
Standard
Subject Controls at a service Controls at a service Controls at a service
Matter organization relevant to organization relevant to organization relevant to
user entities ICFR security, availability, security, availability,
processing integrity, processing integrity,
confidentiality, or privacy confidentiality, or privacy
Trust Services Criteria
Report Type - Type 1 Report - Opinion - Type 1 Report - Opinion - Type 2 Report only -
on design of I/C on design of I/C Opinion on design &
- Type 2 Report - Opinion - Type 2 Report - Opinion operating effectiveness
on design & operating on design & operating of I/C
effectiveness of I/C effectiveness of I/C
Use of Report Restricted Use Restricted Use General Use,

& Intended (management of service (management of service Allows organization to
Users organization, user organization, user place a seal on their
entities, user auditors) entities, user auditors) website upon successful
completion
A7-32
Trust Services - SOC 2 & SOC 3 attest engagements require the service organizations controls meet
the specified Trust Service Criteria (TSC) as defined by the AICPA
Trust Services Criteria (TSC) used to evaluate the controls SOC 2 and SOC 3 engagements:
Security - Info & systems are protected against unauthorized access, unauthorized
disclosure of info, and damage to systems that could compromise the availability, integrity,
confidentiality, and privacy of info or systems that affect the entitys ability to meet its
objectives
Availability - Info & systems available for operation and use to meet the entitys objectives
Processing integrity - System processing is complete, valid, accurate, timely, and authorized
to meet the entitys objectives
Confidentiality - Info designated as confidential is protected to meet the entitys objectives
Privacy - Personal info is collected, used, retained, disclosed, and disposed to meet the
entitys objectives
SOC 2 vs. SOC 3
SOC 2 Report - Restricted use report intended for specified parties (management of the
service organization and current/prospective users)
SOC 2 report is detailed; includes auditors opinion, managements assertion, detailed
description of system & organizations controls, and results of auditors test of controls
SOC 3 Report - General use report that is also fit to be displayed online
SOC 3 report is brief; includes auditors opinion, management assertion, brief
background on the service organization. No details on specific controls or results of
auditors test of controls
SOC 2 reports are intended to meet the needs of users who need detailed info and assurance
about the controls at a service organization relevant to security, availability, and processing
integrity of the systems the service organization uses to process users data and the
confidentiality and privacy of the info processed by these systems. These reports can play an
important role in:
Oversight of the organization
Vendor management programs
Internal corporate governance and risk management processes
Regulatory oversight
SOC 3 reports can be issued on one or multiple Trust Services Criteria and allow the service
organization to place a seal on their website as a representation of an unmodified opinion.
Given the focus on e-commerce and online transactions, most common SOC 3 reports include:
Websites (Webtrust) - Examination of website and effectiveness of info system controls
based on the trust services criteria
Information systems (Sys Trust service) - Examination of info system controls based on the
trust services criteria
A7-33
E R A
VII) I/C at a Service Organization Relevant to User Entities ICFR
Attest engagement applicable when service auditor is examining I/C at a service organization
that provides services to user entities
May provide appropriate evidence required by the user auditor relating to the I/C of the
service organization when those I/C are likely to be relevant to users ICFR
E.g., Payroll processing service organization (like ADP) I/C related to the timely remittance
of payroll deductions to government authorities may be relevant to a user entity as late
remittances could incur interest/penalties that would result in a liability to the user
E.g., Service organization I/C over the acceptability of investment transactions from a
regulatory perspective may be considered relevant to a user entitys ICFR
Objective of the service auditor - Obtain reasonable assurance and express opinion regarding:
Managements description of the service organizations system (if it is fairly presented)
Design and implementation of I/C
Operating effectiveness of I/C (only in Type 2 engagement)
Service auditor engagement/report may be a Type 1 or Type 2
Type 1 Report - Opinion on design/implementation of the service organizations I/C
Type 2 Report - Opinion on design/implementation AND operating effectiveness of the
service organizations I/C
Service auditor considerations

Preconditions:
Management of service organization acknowledges and accepts its responsibility for the
description of the service organizations system and for I/C at the service organization
Service auditors preliminary knowledge indicates that the scope of the engagement will not
be so limited that they are unlikely to be useful to user entities and their auditors
Written assertion to be requested from management of the service organization
If management refuses to provide, the service auditor should withdraw
Assess suitability of the criteria used by the management of the service organization in
Preparing its description of the service organizations system,
Evaluating design/implementation of I/C,
Evaluating operating effectiveness of I/C (in the case of a type 2 engagement)
Obtain an understanding of the service organizations system and assess RMM
Respond to assessed RMM - Perform further procedures and obtain evidence regarding:
Managements Description of the Service Organizations System,
Design/Implementation of I/C,
Operating Effectiveness of I/C (Type 2 engagement only)
Request written representation letter from management of the service organization
Required even if the client (engaging party) responsible party - i.e., the exception
covered earlier is not permitted in a type 1 or type 2 engagement
Refusal by management of the service organization (or by management of a subservice
organization that is being presented using the inclusive method) to furnish the written
representations constitutes a scope limitation sufficient to preclude an unmodified opinion
(and the service auditor may withdraw from the engagement)
A7-34
Sample Type 2 Service Auditors Report:

Independent Service Auditors Report on XYZ Service Organizations Description of Its [type or name of] System and
the Suitability of the Design and Operating Effectiveness of Controls
To: XYZ Service Organization
Scope
We have examined XYZ Service Organization's description of its [type or name of] system entitled "XYZ Service
Organization's Description of Its [type or name of ] System" for processing user entities' transactions [or identification of
the function performed by the system] throughout the period [date] to [date] (description) and the suitability of the
design and operating effectiveness of the controls included in the description to achieve the related control objectives
stated in the description, based on the criteria identified in "XYZ Service Organization's Assertion" (assertion). The
controls and control objectives included in the description are those that management of XYZ Service Organization
believes are likely to be relevant to user entities' internal control over financial reporting, and the description does not
include those aspects of the [type or name of] system that are not likely to be relevant to user entities' internal control
over financial reporting.
[Add additional statement(s) in one/more of the below situation(s):
information that is not covered by the report is included in the description of the service organization's system
the service organization uses a subservice organization, the carve-out method is used to present the subservice
organization (i.e., managements description of the service organization's system identifies services performed
by the subservice organization BUT subservice organizations I/C excluded from scope of service auditors
engagement), and complementary subservice organization controls are required to meet the control objectives
complementary user entity controls are required to meet the control objectives]
Service Organization's Responsibilities
In [section number where the assertion is presented], XYZ Service Organization has provided an assertion about the
fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to
achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the
description and assertion, including the completeness, accuracy, and method of presentation of the description and
assertion, providing the services covered by the description, specifying the control objectives and stating them in the
description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria stated in
the assertion, and designing, implementing, and documenting controls that are suitably designed and operating
effectively to achieve the related control objectives stated in the description.
Service Auditor's Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of
the design and operating effectiveness of the controls to achieve the related control objectives stated in the description,
assurance about whether, in all material respects, based on the criteria in management's assertion, the description is
fairly presented and the controls were suitably designed and operating effectively to achieve the related control
objectives stated in the description throughout the period [date] to [date]. We believe that the evidence we obtained is
sufficient and appropriate to provide a reasonable basis for our opinion.
An examination of a description of a service organization's system and the suitability of the design and operating
effectiveness of controls involves
performing procedures to obtain evidence about the fairness of the presentation of the description and the
suitability of the design and operating effectiveness of the controls to achieve the related control objectives
stated in the description, based on the criteria in management's assertion.
assessing the risks that the description is not fairly presented and that the controls were not suitably designed
or operating effectively to achieve the related control objectives stated in the description.
testing the operating effectiveness of those controls that management considers necessary to provide
reasonable assurance that the related control objectives stated in the description were achieved.
evaluating the overall presentation of the description, suitability of the control objectives stated in the
description, and suitability of the criteria specified by the service organization in its assertion.
A7-35
Inherent Limitations
The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit
and report on user entities' financial statements and may not, therefore, include every aspect of the system that each
individual user entity may consider important in its own particular environment. Because of their nature, controls at a
service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions [or
identification of the function performed by the system]. Also, the projection to the future of any evaluation of the
fairness of the presentation of the description, or conclusions about the suitability of the design or operating
effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service
organization may become ineffective.
Description of Tests of Controls

The specific controls tested and the nature, timing, and results of those tests are listed in [section number where the
description of tests of controls is presented].
Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion
a. the description fairly presents the [type or name of] system that was designed and implemented throughout
the period [date] to [date].
b. the controls related to the control objectives stated in the description were suitably designed to provide
reasonable assurance that the control objectives would be achieved if the controls operated effectively
throughout the period [date] to [date] and subservice organizations and user entities applied the
complementary controls assumed in the design of XYZ Service Organizations controls throughout the period
[date] to [date].
c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the
description were achieved throughout the period [date] to [date] if complementary subservice organization and
user entity controls assumed in the design of XYZ Service Organizations controls operated effectively
throughout the period [date] to [date].
Restricted Use
This report, including the description of tests of controls and results thereof in [section number where the description of
tests of controls is presented], is intended solely for the information and use of management of XYZ Service
Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date]
to [date], and their auditors who audit and report on such user entities' financial statements or internal control over
financial reporting and have a sufficient understanding to consider it, along with other information, including
information about controls implemented by user entities themselves, when assessing the risks of material misstatement
of user entities' financial statements. This report is not intended to be, and should not be, used by anyone other than the
specified parties.
[Service auditor's signature]

[Service auditor's city and state]
[Date of the service auditor's report]
A7-36
Type 1 Report - Design of I/C as of [date]
Type 2 Report - Design and Operating Effectiveness of I/C for the period [date] to [date]
Sample Type 1 Service Auditors Report:
[Note that the Type 2 Service Report template has been taken and modified to the Type 1 Service
Report - all edits are highlighted in grey to appreciate the differences between the two reports]
Independent Service Auditors Report on XYZ Service Organizations Description of Its [type or name of] System and
the Suitability of the Design and Operating Effectiveness of Controls
To: XYZ Service Organization
Scope
We have examined XYZ Service Organization's description of its [type or name of] system entitled "XYZ Service
Organization's Description of Its [type or name of ] System" for processing user entities' transactions [or identification of
the function performed by the system] throughout the period [date] to [date] as of [date] (description) and the
suitability of the design and operating effectiveness of the controls included in the description to achieve the related
control objectives stated in the description, based on the criteria identified in "XYZ Service Organization's Assertion"
(assertion). The controls and control objectives included in the description are those that management of XYZ Service
Organization believes are likely to be relevant to user entities' internal control over financial reporting, and the
description does not include those aspects of the [type or name of] system that are not likely to be relevant to user
entities' internal control over financial reporting.
[Add additional statement(s) in one/more of the below situation(s):
information that is not covered by the report is included in the description of the service organization's system
the service organization uses a subservice organization, the carve-out method is used to present the subservice
organization, and complementary subservice organization controls are required to meet the control objectives
complementary user entity controls are required to meet the control objectives]
Service Organization's Responsibilities

In [section number where the assertion is presented], XYZ Service Organization has provided an assertion about the
fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to
achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the
description and assertion, including the completeness, accuracy, and method of presentation of the description and
assertion, providing the services covered by the description, specifying the control objectives and stating them in the
description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria stated in
the assertion, and designing, implementing, and documenting controls that are suitably designed and operating
effectively to achieve the related control objectives stated in the description.
Service Auditor's Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of
the design and operating effectiveness of the controls to achieve the related control objectives stated in the description,
assurance about whether, in all material respects, based on the criteria in management's assertion, the description is
fairly presented and the controls were suitably designed and operating effectively to achieve the related control
objectives stated in the description throughout the period [date] to [date] as of [date]. We believe that the evidence we
obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
An examination of a description of a service organization's system and the suitability of the design and operating
effectiveness of controls involves
performing procedures to obtain evidence about the fairness of the presentation of the description and the
suitability of the design and operating effectiveness of the controls to achieve the related control objectives
stated in the description, based on the criteria in management's assertion.
assessing the risks that the description is not fairly presented and that the controls were not suitably designed
or operating effectively to achieve the related control objectives stated in the description.
testing the operating effectiveness of those controls that management considers necessary to provide
reasonable assurance that the related control objectives stated in the description were achieved.
evaluating the overall presentation of the description, suitability of the control objectives stated in the
description, and suitability of the criteria specified by the service organization in its assertion.
A7-37
Inherent Limitations
The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit
and report on user entities' financial statements and may not, therefore, include every aspect of the system that each
individual user entity may consider important in its own particular environment. Because of their nature, controls at a
service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions [or
identification of the function performed by the system]. Also, the projection to the future of any evaluation of the
fairness of the presentation of the description, or conclusions about the suitability of the design or operating
effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service
organization may become ineffective.
Description of Tests of Controls

The specific controls tested and the nature, timing, and results of those tests are listed in [section number where the
description of tests of controls is presented].
Other Matter
We did not perform any procedures regarding the operating effectiveness of controls stated in the description and,
accordingly, do not express an opinion thereon.
Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion
a. the description fairly presents the [type or name of] system that was designed and implemented throughout
the period [date] to [date] as of [date].
b. the controls related to the control objectives stated in the description were suitably designed to provide
reasonable assurance that the control objectives would be achieved if the controls operated effectively
throughout the period [date] to [date] as of [date] and subservice organizations and user entities applied the
complementary controls assumed in the design of XYZ Service Organizations controls throughout the period
[date] to [date] as of [date].
c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the
description were achieved throughout the period [date] to [date] if complementary subservice organization and
user entity controls assumed in the design of XYZ Service Organizations controls operated effectively
throughout the period [date] to [date].
Restricted Use
This report, including the description of tests of controls and results thereof in [section number where the description of
tests of controls is presented], is intended solely for the information and use of management of XYZ Service
Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date]
to [date] as of [date], and their auditors who audit and report on such user entities' financial statements or internal
control over financial reporting and have a sufficient understanding to consider it, along with other information,
including information about controls implemented by user entities themselves, when assessing the risks of material
misstatement of user entities' financial statements. This report is not intended to be, and should not be, used by anyone
other than the specified parties.
[Service auditor's signature]

[Service auditor's city and state]
[Date of the service auditor's report]
A7-38
(This page is left blank for any reference notes on

Attestation Engagements)
A7-39
7.3) Governmental Auditing

I) Government Auditing Standards
GAGAS (Generally Accepted Government Auditing Standards) - Standards for use by auditors of
government entities, entities that receive government awards and audit organizations performing
GAGAS audits
Also known as the Yellow Book
Issued by the Comptroller General of the US who is the director of the Governmental
Accountability Office (GAO)
Comprises of:
Auditing Standards
Professional Responsibilities & Ethics
Types of GAGAS Audits and Attestation Engagements

Financial Audits - Incorporate SAS (US GAAS) along with additional requirements. Include:
F/S Audits - Opinion on F/S + Reports on ICFR & Compliance GAAS++
Other types of financial audits - Single F/S, Specified elements/accounts/items of F/S,
letter for underwriters, auditing compliance relating to one/more government programs
Attestation Engagements - Incorporate SSAE along with additional requirements SSAE++

May be Examination, Review or AUP engagement {ERA}
Can cover a broad range of financial or non-financial objectives about the subject matter
or assertion depending on the users needs
Performance Audits - Audits that provide findings/conclusions based on an evaluation of

sufficient, appropriate evidence against criteria; may have one/more of below objectives
{Performance Audits are nothing short of an EPIC!}:
E Effectiveness, economy & efficiency - Assess extent to which a program is achieving its
goals & objectives, or address the costs & resources used to achieve program results
P Prospective analysis - Analysis or conclusions about info that is based on assumptions
about events that may occur in the future, along with possible actions that the entity
may take in response to the future events
I Internal control - Assessment of one or more components of I/C
C Compliance - Assessment of compliance with criteria established by provisions of laws,
regulations, contracts, or grant agreements, or other requirements
A7-40
GAGAS incorporates GAAS (SAS AU-C by AICPA), and details additional requirements that apply
General Standards - TIP + Q {Question - Will the same TIP work for GAGAS?}
Fieldwork Standards - PIC + APPEND {Need to APPEND the Yellow Book to the Field PIC!}
Reporting Standards - ACDE + AICPA CD-VCD {Remember you still are AICPAs auditors
albeit with CDs & VCDs!}
General Fieldwork Reporting

Standards Standards Standards
TIP + PIC + ACDE +
Q APPEND AICPA CD-VCD
Quality Control Additional Audit Report per

Considerations GAGAS
Pertinent info ICFR Report
Previous audits Compliance Report -
Elements of a Provisions &
finding Agreements
Non-compliance,
Fraud & Abuse Communicating
Documentation Deficiencies
Views of entity
officials
Confidential &
Sensitive Info
Distribution of
reports
A7-41
GAGAS - Auditing Standards:

General Standards - TIP + Q {Question is - Will the same TIP work for GAGAS?}
Q Quality Control - Audit firm must establish & maintain a system of quality control (designed to
provide reasonable assurance that the firm and its personnel comply with professional
standards and applicable legal/regulatory requirements). Audit firm should obtain an external
peer review at least once every 3 years
Fieldwork Standards - PIC + APEND {Need to APPEND the Yellow Book to the Field PIC!}
where, APPEND = few requirements in addition to GAAS when performing financial audits:
A Additional auditor considerations for GAGAS financial audits -
Materiality - Considerations in addition to GAAS may apply. E.g., In GAGAS audits, auditor
may find it appropriate to use lower materiality levels due to public accountability of the
entity, legal/regulatory requirements, and visibility/sensitivity of government programs
Early Communication of Deficiencies - Especially for matters which are relatively significant
and corrective follow-up action is urgent (e.g., when a control deficiency results in non-
compliance or abuse). Additional GAGAS Reporting requirements {AICPA CD-VCD} still apply
P Pertinent info to be communicated - In addition to GAAS requirements, auditor should
communicate pertinent info (per auditors professional judgment) to individuals contracting for
or requesting the audit, and to cognizant legislative committees when auditor performs the
audit pursuant to a law/regulation, or conducts the work for the legislative committee
This requirement does not apply if the law/regulation requiring an audit of F/S does not
specifically identify the entities to be audited (e.g., single audits)
P Previous audits/attest engagements - Auditor should evaluate whether the entity has taken
appropriate corrective action to address findings & recommendations from previous
audit/attest engagements that could have a material effect on the F/S
Auditor should identify such info when planning the audit, and use it to assess audit risk and
determine the nature, extent and timing of current audit work
E Elements of a finding to be developed - Auditor should plan & perform procedures to develop
the following elements of findings (e.g., I/C deficiency, non-compliance):
Condition - Situation that exists
Criteria - Required/desired state. E.g., I/C standards, laws/regulations, benchmarks
Cause - Reason for difference between condition & criteria. E.g., Poorly designed I/C
Effect or potential effect - Impact or potential impact of the difference between
condition & criteria. Demonstrates need for corrective action
N Non-compliance, Fraud & Abuse - Auditor should extend GAAS requirements to:
Consider compliance with contracts or grant agreements (not just with laws/regulation)
Consider occurrence of abuse - e.g., misuse of authority for personal financial interests. Not
required to detect abuse as these are subjective; however, if auditor becomes aware of
abuse that could be material to F/S, need to perform additional testing
Avoid interference with or compromising an ongoing investigative or legal proceeding
D Documentation - Auditor should comply with the following additional requirements:
Document supervisory review, before the report release date, of the evidence that supports
the findings, conclusions, and recommendations in the auditors report
Document any departures from GAGAS requirements (due to laws/regulation, scope
limitation, etc.) and the impact of the same on the audit & on auditors conclusions
A7-42
Reporting Standards = ACDE + AICPA CD-VCD

{Remember you still are AICPAs auditors albeit with CDs & VCDs!}
where, AICPA = reports required per GAGAS
A Audit Report per GAGAS - Opinion on F/S; include a statement in the auditors report that audit
was performed in accordance with GAGAS
I Report on ICFR (Internal Control over Financial Reporting) No opinion on ICFR

Report any significant deficiencies or materials weaknesses in I/C identified by the auditor
Note:
GAAS audit - Report on ICFR only when auditor identified significant deficiencies &
material weaknesses in I/C
GAGAS audit - Report on ICFR is always required whether or not auditor identifies such
deficiencies
Maybe included along with the Report on Compliance {CPA of AICPA}, or a separate report;
if separate, need to refer to the Report on Compliance
No opinion required - Does not require auditor to express opinion on ICFR (as would be
required in an integrated audit per GAAS / PCAOB AS)
Auditor only needs to describe the scope of auditors testing and any findings
CPA Report on Compliance with Provisions of laws/regulations and Contracts/Grant Agreements

Report on: No opinion on Compliance
Fraud & non-compliance with provisions of laws/regulations that have a material effect
on F/S and any other instances that warrant attention of TCWG
Non-compliance with provisions of contracts or grant agreements that has a material
effect on F/S
Abuse that is material (quantitatively/qualitatively)
Report on Compliance is always required whether or not auditor identifies non-compliance
Maybe included along with the Report on ICFR {I of AICPA}, or a separate report; if separate,
need to refer to the Report on ICFR
No opinion required - Does not require auditor to express opinion on compliance
Auditor only needs to describe the scope of auditors testing and any findings
Auditor Reporting Requirements

GAAS Audit
Audit Report on F/S (opinion)
No Report on I/C unless significant deficiencies are identified
No Report on Compliance
GAGAS Audit = GAAS++

Report on ICFR (no opinion required)
Report on Compliance (no opinion required)
A7-43
where, CD-VCD = additional reporting requirements per GAGAS

CD Communicating Deficiencies in Internal Control / Non-compliance, Fraud & Abuse
Communicate I/C significant deficiencies & material weaknesses on ICFR Report {AICPA}
Communicate material Non-compliance, Fraud & Abuse in Compliance Report {AICPA}
ICFR Report / Communicate Communicate
Compliance in writing per Auditors
Report (required) Judgment
Deficiencies in ICFR
Material Weaknesses
Significant Deficiencies
Other Deficiencies
Fraud & Non-compliance with Provisions of laws/regulation
Material Effect on F/S
Not material but warrants TCWGs attention
Does not warrant TCWGs attention
APPEND
Noncompliance with provisions of contracts and grant agreements

Material Effect on F/S
Abuse
Material
Note: If there is an ongoing investigative or legal proceeding - Consult with authorities
or legal counsel and limit public reporting to matters that would not compromise the
proceeding (e.g., report only on info that is already a part of the public record)
Findings to be presented in the Auditors Report(s) on ICFR & Compliance (or the Report(s)
may refer to a separate schedule of findings). Include:
Previous years engagements findings/deficiencies not yet remediated A P P E N D
Elements of the findings APPEND
Description of the nature & extent of issues being reported (e.g., $ value) and extent of
work performed that resulted in the finding
Pertinent info/findings to be communicated directly to parties outside the entity: A P P E N D
If management fails to report such info to external parties per law/regulation - Auditor
first communicates failure to report to TCWG. If entity still does not do the needful, then
auditor should report directly to specified external parties
If management fails to respond timely & appropriately to non-compliance, fraud or
abuse and involves funding received directly/indirectly from a government agency -
Auditor first communicates failure to report to TCWG. If entity still does not do the
needful, then auditor should report directly to the funding agency
A7-44
V Views/comments from responsible officials of the entity to be reported -

If Report on ICFR discloses deficiencies in I/C and/or Report on Compliance discloses non-
compliance, fraud or abuse, auditor should have:
Provided a draft report with findings to the responsible officials of the entity
Obtained their views/comments on auditors findings, conclusions & recommendations,
as well as any planned corrective actions. Written is preferred; but sometimes oral is ok
(e.g., reporting deadline, officials already know, auditor expects officials to agree)
Included the views/comments on the auditors report along with auditors evaluation of
comments (as appropriate)
Few scenarios in terms of views/comments of responsible officials:
Written comments received - Include in the auditors report (as a copy or summary)
Oral comments received - Auditor should prepare a summary of the comments and
provide a copy of the same to the responsible officials (to verify accuracy)
Comments are inconsistent or in conflict with auditors findings, conclusions or
recommendations - Auditor should evaluate the validity of the entitys comments, and
- If auditor disagrees with entitys comments, explain reasons on the auditors report
- If auditor agrees with entitys comments, modify the auditors report as necessary
Comments not received (e.g., entity refused or was unable to provide it timely) - Auditor
may issue the report without the comments but should indicate in the report that the
entity did not provide comments
C Confidential and Sensitive Info - If needed to be excluded from auditors report, auditor should
disclose in the report that certain info has been omitted (along with reasons)
Auditor may issue a separate limited use report containing such info and distribute the
report only to persons authorized by law or regulation to receive it
When circumstances call for omission of certain info, auditors should evaluate whether this
omission could distort the audit results or conceal improper or illegal practices
D Distributing Reports -
Auditors of government entities should distribute auditors reports to:
appropriate entity officials,
TCWG,
appropriate oversight bodies or organizations requiring or arranging for the audits,
other officials who have legal oversight authority or who may be responsible for acting
on audit findings and recommendations, and
others authorized to receive such reports
Auditor should clarify report distribution responsibilities with the engaging party
Auditors should document any limitation on report distribution
Internal audit organizations in government entities may also follow the Institute of Internal
Auditors (IIA) International Standards for the Professional Practice of Internal Auditing
Head of internal audit should communicate results to the parties who can ensure that
the results are given due consideration
If the above is not otherwise mandated by statutory/ regulatory requirements, prior to
releasing results to parties outside the organization, the head of internal audit should:
- Assess the potential risk to the entity,
- Consult with senior management or legal counsel (as appropriate), and
- Control dissemination by indicating the intended users in the report
A7-45
Sample GAGAS Reports: A I CPA

Report on F/S Audit {A of AICPA}
Independent Auditors Report
Report on the Financial Statements
We have audited the accompanying financial statements of the governmental activities, the business-type activities,
the aggregate discretely presented component units, each major fund, and the aggregate remaining fund
information of the City of XYZ, Any State, as of and for the year ended June 30, 20X1, and the related notes to the
financial statements, which collectively comprise the City of XYZs basic financial statements as listed in the table of
contents.
Managements Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial statements in accordance
with accounting principles generally accepted in the United States of America; this includes the design,
implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial
statements that are free from material misstatement, whether due to fraud or error.
Auditors Responsibility
Our responsibility is to express opinions on these financial statements based on our audit. We conducted our audit in
accordance with auditing standards generally accepted in the United States of America and the standards applicable
to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United
States. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether
the financial statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial
statements. The procedures selected depend on the auditors judgment, including the assessment of the risks of
material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments,
the auditor considers internal control relevant to the entitys preparation and fair presentation of the financial
statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of
expressing an opinion on the effectiveness of the entitys internal control. Accordingly, we express no such opinion.
An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of
significant accounting estimates made by management, as well as evaluating the overall presentation of the financial
statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit
opinions.
Opinions
In our opinion, the financial statements referred to above present fairly, in all material respects, the respective
financial position of the governmental activities, the business-type activities, the aggregate discretely presented
component units, each major fund, and the aggregate remaining fund information of the City of XYZ, Any State, as of
June 30, 20X1, and the respective changes in financial position and, where applicable, cash flows thereof for the year
then ended in accordance with accounting principles generally accepted in the United States of America.
Other Matters
[E.g., Relating to Required Supplementary Information]
Other Reporting Required by Government Auditing Standards

In accordance with Government Auditing Standards, we have also issued our report dated [date of report] on our
consideration of the City of XYZ's internal control over financial reporting and on our tests of its compliance with
certain provisions of laws, regulations, contracts, and grant agreements and other matters. The purpose of that
report is solely to describe the scope of our testing of internal control over financial reporting and compliance and
the results of that testing, and not to provide an opinion on the effectiveness of the City of XYZ's internal control over
financial reporting or on compliance. That report is an integral part of an audit performed in accordance with
Government Auditing Standards in considering City of XYZs internal control over financial reporting and compliance.
[Auditors signature | Auditors City & State | Date of auditors report]
A7-46
GAGAS
Report on ICFR & Compliance {ICPA of AICPA} = No opinions required
^ Independent Auditors Report
We have audited, in accordance with the auditing standards generally accepted in the United States of America and
the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller
General of the United States, the financial statements of the governmental activities, the business-type activities, the
aggregate discretely presented component units, each major fund, and the aggregate remaining fund information of
XYZ Entity, as of and for the year ended June 30, 20X1, and the related notes to the financial statements, which
collectively comprise XYZ Entitys basic financial statements, and have issued our report thereon dated August 15,
20X1.
Internal Control Over Financial Reporting A I CPA

In planning and performing our audit of the financial statements, we considered XYZ Entity's internal control over
financial reporting (internal control) to determine the audit procedures that are appropriate in the circumstances for
the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion
on the effectiveness of XYZ Entitys internal control. Accordingly, we do not express an opinion on the effectiveness
of XYZ Entitys internal control.
A deficiency in internal control exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,
misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal
control, such that there is a reasonable possibility that a material misstatement of the entitys financial statements
will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or a
combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to
merit attention by those charged with governance.
Our consideration of internal control was for the limited purpose described in the first paragraph of this section and
was not designed to identify all deficiencies in internal control that might be material weaknesses or significant
deficiencies. Given these limitations, during our audit we did not identify any deficiencies in internal control that we
consider to be material weaknesses. However, material weaknesses may exist that have not been identified.
Compliance and Other Matters A I CPA

As part of obtaining reasonable assurance about whether XYZ Entity's financial statements are free from material
misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant
agreements, noncompliance with which could have a direct and material effect on the determination of financial
statement amounts. However, providing an opinion on compliance with those provisions was not an objective of our
audit, and accordingly, we do not express such an opinion. The results of our tests disclosed no instances of
noncompliance or other matters that are required to be reported under Government Auditing Standards
Purpose of this Report

The purpose of this report is solely to describe the scope of our testing of internal control and compliance and the
results of that testing, and not to provide an opinion on the effectiveness of the entitys internal control or on
compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards
in considering the entitys internal control and compliance. Accordingly, this communication is not suitable for any
other purpose
A7-47
Single Audit for entity & major programs

II) Single Audit if Fed assistance > $750K
Single Audit - Applicable to non-federal entities (includes state/local governments, not-for-profit
entities, etc.) that expend $750,000 or more of federal awards in a fiscal year
Audit conducted pursuant to the Single Audit Act (as amended) which gives authority to the
Director of the Office of Management and Budget (OMB) to set the guideless for single audits.
Most recent OMB regulation issued for this purpose is Title 2 U.S. Code of Federal
Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and
Audit Requirements for Federal Awards (Uniform Guidance)
Requires a single audit (instead of multiple audits of various programs)
Ensures consistency and uniformity for such audits
Improves effectiveness of audits of federal awards (and reduces audit burden)
Applies to both recipients (e.g., City receives funds from Fed) and sub-recipients (e.g., City
receives funds from State which receives funds from Fed)
Scope of the Single Audit in addition to GAGAS:
SEFA (Schedule of Expenditures of Federal Awards) - Must be for the same period as F/S
Compliance - In addition to GAGAS requirements, auditor must determine whether the
entity has complied with Federal statutes, regulations, and the terms & conditions of
Federal awards that may have a direct & material effect on each of its major programs.
Compliance testing must include tests of transactions and such other auditing
procedures necessary to provide the auditor sufficient appropriate audit evidence to
support an opinion on compliance
I/C - In addition to GAGAS requirements, auditor must obtain an understanding of I/C over
major Federal programs, test I/C over compliance for major programs and report any
significant deficiency or material weakness in I/C
Auditor not required to test I/C likely to be ineffective, but must consider if additional
compliance tests are required
Materiality - Consider separately for each major program, not just for F/S taken as a whole
(per GAAS/GAGAS, materiality considered in relation to F/S taken as a whole)
Previous audits engagements - Entity is responsible for follow-up and corrective action on
all audit findings; and must prepare a summary schedule of prior audit findings to report
status of all audit findings included in prior audits Schedule of Findings & Questioned Costs
Auditor follow-up - Required on this summary schedule of prior audit findings and need
to report if the same was materially misrepresented by the entity
Audit Documentation - Auditor must retain audit documentation & reports for a minimum of 3
years after the date of issuance of the auditors report(s)
Alternative to Single Audit: Program-specific audit -

Auditor audits F/S of Federal program per GAGAS (and not F/S of the entity taken as a whole)
Program-specific audit guides available to provide specific guidance to the auditor with
respect to I/C, compliance requirements, suggested audit procedures, and audit reporting
requirements. If a program-specific guide is not available, auditor has basically the same
responsibilities for the Federal program as for an audit of a major program in a single audit
Allowed when:
Entity expends Federal awards under only one Federal program (excluding R&D), and
Terms of the Federal award does not require a F/S audit
A7-48
Reporting requirements for Single Audits {AICPAs auditors now with SCI-Fi CDs & VCDs!}
Reports required per GAGAS: {AICPA}
A Audit Report per GAGAS
I Report on ICFR (Internal Control over Financial Reporting)

Refer to Fi (Schedule of Findings & Questioned Costs)
CPA Report on Compliance with Provisions of laws/regulations and Contracts/Grant Agreements -

Additional Reports required for Single Audits: {SCI-Fi}

S Schedule of Expenditures of Federal Awards (SEFA Report)
Opinion as to whether the schedule is fairly stated in relation to the F/S as a whole
C I Report on Compliance for each major program and a report on I/C over compliance
Compliance for each major program - Opinion required on compliance with Federal
statutes, regulations, and terms & conditions of Federal awards which could have a direct &
material effect on each major program
I/C over compliance - No opinion required; auditor only needs to describe the scope of
auditors testing and report any significant deficiencies or material weaknesses
Fi Schedule of Findings & Questioned Costs

Summary of Auditors results
Findings relating to the Audit of F/S per GAGAS
Findings & Questioned costs for Federal awards
Auditor Reporting Requirements

GAAS Audit
A Audit Report on F/S (opinion)
No Report on I/C unless significant deficiencies or material weaknesses are identified
No Report on Compliance
GAGAS Audit = GAAS++

I ICFR Report (no opinion required)
CPA Compliance Report (no opinion required)
Single Audit = GAGAS++

ICFR Report (no opinion required)
Compliance Report (no opinion required)
S Schedule of Expenditures of Federal Awards (opinion)
C Compliance Report for each major program (opinion) +
I I/C over Compliance Report (no opinion required)
Fi Findings & Questioned Costs Schedule
A7-49
Compliance of each Major program = AICPA S C I - Fi

Major Program determination - Auditor to use risk-based approach to determine which Federal
programs are major programs
Considerations:
Current and prior audit experience
Oversight by Federal agencies and pass-through entities
Inherent risk of the Federal program
4-step process to be followed:

Step 1: Identify Type A programs (generally, if $750K or more expended); all others labeled
Type B programs
Step 2: Identify Type A programs which are low-risk programs if
Audited as a major program in at least one of the last 2 audit periods, and
In the most recent audit period, the program had unmodified opinion on compliance, no
material weaknesses in I/C over compliance, and known/likely questioned costs of <=5%
of award expended
Step 3: Identify Type B programs which are high risk programs using professional
judgment & specified criteria
Step 4: At a minimum, the auditor must audit all of the following as major programs:
All Type A programs not identified as low risk under Step 2
All Type B programs identified as high-risk under Step 3
Percentage of coverage rule -

If the entity meets the criteria for a low-risk auditee, auditor needs to audit only the
major programs identified in Step 4 (and any additional Federal programs) such that all
major programs encompass at least 20% of total Federal awards expended
Else For other entities, all major programs need to encompass at least 40% of total Federal
awards expended
Criteria for a low-risk auditee
Single audits were performed on an annual basis for 2 years
Opinion on F/S and SEFA = Unmodified opinion
No material weaknesses in ICFR identified per GAGAS
No going concern issues reported by auditor
Type A programs had unmodified opinion on compliance, no material weaknesses in I/C
over compliance, and known/likely questioned costs of <= 5% of award expended
A7-50
Sample Single Audit Report on Compliance for each major program & Report on I/C over compliance:
Independent Auditors Report
Report on Compliance for Each Major Federal Program
AICPA S C I - Fi
We have audited XYZ Entitys compliance with the types of compliance requirements described in the OMB Compliance
Supplement that could have a direct and material effect on each of XYZ Entitys major federal programs for the year ended
June 30, 20X1. XYZ Entitys major federal programs are identified in the summary of auditors results section of the
accompanying schedule of findings and questioned costs.
Managements Responsibility
Management is responsible for compliance with federal statutes, regulations, and the terms and conditions of its federal
awards applicable to its federal programs.
Auditors Responsibility
Our responsibility is to express an opinion on compliance for each of XYZ Entitys major federal programs based on our
audit of the types of compliance requirements referred to above. We conducted our audit of compliance in accordance
with auditing standards generally accepted in the United States of America; the standards applicable to financial audits
contained in Government Auditing Standards, issued by the Comptroller General of the United States; and the audit
requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles,
and Audit Requirements for Federal Awards (Uniform Guidance). Those standards and the Uniform Guidance require that
we plan and perform the audit to obtain reasonable assurance about whether noncompliance with the types of compliance
requirements referred to above that could have a direct and material effect on a major federal program occurred. An audit
includes examining, on a test basis, evidence about XYZ Entitys compliance with those requirements and performing such
other procedures as we considered necessary in the circumstances.
We believe that our audit provides a reasonable basis for our opinion on compliance for each major federal program.
However, our audit does not provide a legal determination of XYZ Entitys compliance.
Opinion on Each Major Federal Program
In our opinion, XYZ Entity complied, in all material respects, with the types of compliance requirements referred to above
that could have a direct and material effect on each of its major federal programs for the year ended June 30, 20X1.
Report on Internal Control Over Compliance AICPA S C I - Fi

Management of XYZ Entity is responsible for establishing and maintaining effective internal control over compliance with
the types of compliance requirements referred to above. In planning and performing our audit of compliance, we
considered XYZ Entitys internal control over compliance with the types of requirements that could have a direct and
material effect on each major federal program to determine the auditing procedures that are appropriate in the
circumstances for the purpose of expressing an opinion on compliance for each major federal program and to test and
report on internal control over compliance in accordance with the Uniform Guidance, but not for the purpose of expressing
an opinion on the effectiveness of internal control over compliance. Accordingly, we do not express an opinion on the
effectiveness of XYZ Entitys internal control over compliance.
A deficiency in internal control over compliance exists when the design or operation of a control over compliance does not
allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and
correct, noncompliance with a type of compliance requirement of a federal program on a timely basis. A material weakness
in internal control over compliance is a deficiency, or a combination of deficiencies, in internal control over compliance,
such that there is a reason-able possibility that material noncompliance with a type of compliance requirement of a federal
program will not be prevented, or detected and corrected, on a timely basis. A significant deficiency in internal control over
compliance is a deficiency, or a combination of deficiencies, in internal control over compliance with a type of compliance
requirement of a federal program that is less severe than a material weakness in internal control over compliance, yet
important enough to merit attention by those charged with governance.
Our consideration of internal control over compliance was for the limited purpose described in the first paragraph of this
section and was not designed to identify all deficiencies in internal control over compliance that might be material
weaknesses or significant deficiencies. We did not identify any deficiencies in internal control over compliance that we
consider to be material weaknesses. However, material weaknesses may exist that have not been identified.
The purpose of this report on internal control over compliance is solely to describe the scope of our testing of internal
control over compliance and the results of that testing based on the requirements of the Uniform Guidance. Accordingly,
this report is not suitable for any other purpose
A7-51
AICPA SCI-Fi
Schedule of findings and questioned costs - Must include:
Summary of the auditors results
Audit of F/S - type of opinion issued
ICFR Report - if audit detected any significant deficiencies or material weaknesses in I/C
Compliance Report - if audit detected any non-compliance that is material to F/S
Regarding Major programs:
Identification/listing of major programs; however in case of cluster of programs, only
the cluster name as shown on Schedule of Expenditures of Federal Awards is required
Dollar threshold used to distinguish between Type A and Type B programs
Compliance Report on each major program - Type of opinion issued
I/C over Compliance - if audit detected significant deficiencies or material weaknesses
in I/C over compliance for major programs
Statement as to whether the auditee qualified as a low-risk auditee
Statement as to whether the audit disclosed any Findings & Questioned costs for Federal
awards that the auditor is required to report
Findings relating to the Audit of F/S per GAGAS
Findings & Questioned costs for Federal awards - Include findings in sufficient detail/clarity
Relating to Compliance of each major program and I/C over compliance:
Material non-compliance with provisions of Federal statutes, regulations, or terms &
conditions of Federal awards related to a major program
Also, circumstances concerning why the auditors report on compliance for each major
program is other than an unmodified opinion, if applicable
Known or likely fraud affecting a Federal award
Significant deficiencies and material weaknesses in I/C over major programs and
significant instances of abuse relating to major programs
Questioned costs:
Known questioned costs > $25K for any compliance requirement for a major program
- Known questioned costs are those specifically identified by the auditor. However,
note that in evaluating the effect of questioned costs on the opinion on compliance,
the auditor considers the best estimate of total costs questioned (likely questioned
costs), not just the questioned costs specifically identified (known questioned costs)
Known questioned costs > $25K for a Federal program not audited as a major program
- Except for Audit follow-up, auditor is not required to perform audit procedures for a
program that is not audited as a major program; therefore, less chances of the
auditor finding questioned costs for such programs
Previous audit engagements - Instances where the auditor detects that the summary
schedule of prior audit findings prepared by the entity was materially misrepresented
A7-52
(This page is left blank for any reference notes on

Governmental Auditing)
A7-53

Aud 2017 Q3 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aud 2017 Q3 PDF

Uploaded by

Copyright:

Available Formats

Miles CPA Review: AUD

Q3 2017 Updates & Errata for 2017 Edition

Old version vs. New version:

Attestation = ERA of other than historical F/S

7.2) Attestation Engagements (SSAE) SSAE (AT-C Code)

A AUP (Agreed-upon procedures) engagements leading to findings

Examination Review AUP

Work Procedures comparable Inquiry & Analytical As agreed-upon by

Limited use? - Criteria not suitable/ - Criteria not suitable/ Mandatory

Reporting options for few types of attestation services:

Preconditions for an Attest Engagement

Written representation letter required

Engagement Documentation - To be assembled/filed within 60 days after report release date

Sample Reports on Examination engagements = Opinion

Sample Report on Examination of an assertion (e.g., schedule of investment returns presented

Sample Reports on Review engagements = Negative assurance

Sample Report on Review of an assertion (e.g., schedule of investment returns presented in

Sample Report on AUP engagement:

II) Prospective F/S (forecasts/projections) E R A

Prospective F/S present expected or hypothetical future results of an entity. 2 types:

Practitioner may either examine or perform AUP on prospective F/S

Reports also need to include: Warning #1 =

Sample Reports on Examination of Prospective F/S:

Independent Accountants Report

III) Pro-forma F/S E R A

Practitioner may either examine or review pro-forma F/S

Reports also need to include:

SSARS applies if the CPA is engaged to compile pro-forma F/S

Sample Report on Examination of Pro-forma F/S:

Sample Report on Review of Pro-forma F/S:

IV) Internal control over financial reporting: No longer attest

Practitioner may either examine or perform AUP

Few key requirements:

Statement that management has performed an evaluation of the entitys compliance

Reports also need to include:

On AUP engagement of an Entitys Compliance:

On AUP engagement of an Entitys I/C over Compliance:

VI) Management discussion & analysis (MD&A) E R A

Practitioner may either examine or review MD&A

Few key requirements:

VII) Trust Services E R A

Use of Report Restricted Use Restricted Use General Use,

Service auditor considerations

Sample Type 2 Service Auditors Report:

Description of Tests of Controls

[Service auditor's signature]

Service Organization's Responsibilities

Service Auditor's Responsibilities

Description of Tests of Controls

[Service auditor's signature]

(This page is left blank for any reference notes on

7.3) Governmental Auditing

Types of GAGAS Audits and Attestation Engagements

Attestation Engagements - Incorporate SSAE along with additional requirements SSAE++

Performance Audits - Audits that provide findings/conclusions based on an evaluation of

General Fieldwork Reporting

Quality Control Additional Audit Report per

GAGAS - Auditing Standards:

Reporting Standards = ACDE + AICPA CD-VCD

I Report on ICFR (Internal Control over Financial Reporting) No opinion on ICFR

CPA Report on Compliance with Provisions of laws/regulations and Contracts/Grant Agreements

Auditor Reporting Requirements

GAGAS Audit = GAAS++