Miles CPA Review: AUD Q3 2017 Updates & Errata for 2017 Edition
Summary of updates:
- “New version” CPA exam structure (w.e.f. April 2017)
- AUD-7.2: Attestation Engagements [Auditing Standards Board
(ASB) of the AICPA has issued “clarified” SSAE (AT-C) for clarity
and convergence with international standards]
- AUD-7.3: Governmental Auditing [Miles’ content revised &
updated; new mnemonics – APPEND, AICPA CD-VCD, AICPA SCI-
Fi CD-VCD]
- AUD-7.4: Effect of I.T. on Audit - Also refer to Effect of I.T. on
Internal Controls from BEC-7.5
Old version vs. New version:

| | CPA exams (2011 – March 2017) | CPA exams w.e.f. April 2017 |
|---|---|---|
| Skill-level tested | Remembering & Understanding; Application | Remembering & Understanding; Application; Analysis; Evaluation (for AUD only) |
| Exam structure & scoring weights | FAR: 90 MCQs (60%), 7 TBSs (40%); AUD: 90 MCQs (60%), 7 TBSs (40%); REG: 72 MCQs (60%), 6 TBSs (40%); BEC: 72 MCQs (85%), 3 WCTs (15%) | FAR: 66 MCQs (50%), 8 TBSs (50%); AUD: 72 MCQs (50%), 8 TBSs (50%); REG: 76 MCQs (50%), 8 TBSs (50%); BEC: 62 MCQs (50%), 4 TBSs (35%), 3 WCTs (15%) |
| # of Testlets | 4 testlets: 3 MCQ testlets + 1 TBS/WCT testlet | 5 testlets: 2 MCQ testlets + 3 TBS/WCT testlets |
| Time Allotment | FAR: 4 hours; AUD: 4 hours; REG: 3 hours; BEC: 3 hours | FAR: 4 hours; AUD: 4 hours; REG: 4 hours; BEC: 4 hours |
| Break | Optional breaks (count against time) | 15-min Standard break (after Testlet #3) + Optional breaks (count against time) |

* MCQ - Multiple Choice Question | TBS - Task Based Simulation | WCT - Written Communication Task
“New version” CPA exam structure (w.e.f. April 2017):

| Exam | Testlet #1 | Testlet #2 | Testlet #3 | Testlet #4 | Testlet #5 |
|---|---|---|---|---|---|
| AUD | 36 MCQs | 36 MCQs | 2 TBSs | 3 TBSs | 3 TBSs |
| FAR | 33 MCQs | 33 MCQs | 2 TBSs | 3 TBSs | 3 TBSs |
| REG | 38 MCQs | 38 MCQs | 2 TBSs | 3 TBSs | 3 TBSs |
| BEC | 31 MCQs | 31 MCQs | 2 TBSs | 2 TBSs | 3 WCTs |

Break: 15 min

MCQ testlets (50% weightage) - Recommended time: Testlet #1: 50 mins; Testlet #2: 50 mins
TBS/WCT testlets (50% weightage) - Recommended time: Testlet #3: 30 mins; Testlet #4: 50 mins; Testlet #5: 60 mins
AUD-7 Miles CPA Review
A7-16
7.2) Attestation Engagements (SSAE)
■ SSAE (Statements on Standards for Attestation Engagements)
• Attestation engagements - Examination, review, or agreed-upon procedures engagement
(performed under SSAE) where the CPA practitioner is engaged to report on a subject matter,
or an assertion about the subject matter, that is the responsibility of another party
• Subject matter may be based on
◦ Historical or prospective performance or condition (e.g., historical or prospective financial
info, performance measurements, backlog data)
◦ Physical characteristics (e.g., narrative descriptions, square footage of facilities)
◦ Historical events (e.g., the price of a market basket of goods on a certain date)
◦ Analyses (e.g., break-even analyses)
◦ Systems and processes (e.g., I/C)
◦ Behavior (e.g., corporate governance, compliance with laws & regulations, HR practices)
• Assertion is a declaration about whether the subject matter is in accordance with certain
criteria. E.g., management asserts that I/C over compliance is effective based on given criteria
• SSAE do not apply to:
◦ Audit engagements - SAS applies for non-issuers and PCAOB for issuers {Audit is
examination of historical F/S; SSAE covers other examinations}
◦ Compilation or Review of F/S of non-issuers - SSARS applies
◦ Consulting Services - SSCS applies
◦ Personal Financial Planning Services - PFP applies
◦ Valuation Services - VS applies
◦ Tax engagements - SSTS applies
◦ Litigation services or expert witness services
◦ Performance audits pursuant to Government Auditing Standards
• SSAE No. 18 - Issued to clarify & revise SSAE effective for periods on or after May 1, 2017.
Attest standards are now codified with the prefix “AT-C” [where C stands for Clarity]
◦ A key objective of the AICPA Clarity projects has been to converge with international standards.
However, one major difference still exists between SSAE & international attest standards:
⇒ Under SSAE, a practitioner is required to obtain a written assertion (for examination &
review engagements) from the engaging party, except when engaging party is not the
responsible party
⇒ This is not a mandatory requirement under international standards (ISAE)
• A few sample attestation engagements:
◦ Prospective Financial Info (financial forecasts & projections)
◦ Pro forma financial info
◦ Compliance attestation (as a specific engagement)
◦ Management discussion & analysis
◦ I/C at a Service Organization
⇒ Trust Services criteria
⇒ As Relevant to User Entities’ ICFR
Attestation = ERA of other than historical F/S
SSAE (AT-C Code)
■ Attestation standards
• Extension of GAAS but conceptually different in the following ways:
◦ SSAE do not refer to F/S
◦ SSAE do not refer to GAAP
◦ SSAE provide lower levels of assurance than a GAAS audit
• 11 Standards
◦ 5 General standards: {TIP where T includes Know Criteria}
⇒ Training & proficiency
⇒ Knowledge of the subject matter
⇒ Criteria - subject matter should be capable of evaluation against criteria that is suitable
& available to users; a suitable criteria is relevant, objective, measurable & complete
⇒ Independence (independence is mandatory for audit & attestation)
⇒ Professional care in planning & performance
◦ 2 Fieldwork Standards {PIC without the I}
⇒ Planning & supervision
⇒ Internal Controls
⇒ Corroborative Audit Evidence
◦ 4 Reporting Standards {Identify Clean & Dirty Limits - Reporting standards are less specific
due to the wide variety of attestation engagements possible}
⇒ Identify the subject matter or assertion being reported on and state the character of the
engagement
⇒ Conclusions about the subject matter or assertion to be stated
⇒ Disclose significant reservations about the engagement including unresolved problems
or concerns
⇒ Limited use - Restrict use of report to specified parties if:
- Criteria is suitable for or available to limited number of parties,
- Written assertion not provided by the client (engaging party), or
- Reporting on an AUP engagement
Note:
- Traditionally, attest standards were classified as 11 basic standards as above with 3 groups - general, fieldwork and
reporting. Until April 30, 2017, these were authoritative standards and were directly reflected in the SSAE
- Effective May 1, 2017, the Auditing Standards Board (ASB) of the AICPA has issued “clarified” SSAE (AT-C) for clarity
and convergence with international standards. Though the above classification of attest standards has now been
incorporated into clarified SSAE and are still broadly applicable, the above classification is no longer authoritative
Audit = Examination of historical F/S | Attest = ERA of other than historical F/S
■ Categories of Attestation engagements: {attest = new ERA for practitioners with engagements
beyond historical F/S!}
• Examination leading to opinion
• Review leading to assurance
• AUP (Agreed-upon procedures) engagements leading to findings

| | Examination | Review | AUP |
|---|---|---|---|
| End result? | Expression of opinion based on reasonable assurance | Expression of conclusion based on limited assurance (negative assurance) | No assurance but procedures & findings are listed. Practitioner disclaims any responsibility for the sufficiency of the procedures |
| Work performed? | Procedures comparable to audits of historical F/S | Inquiry & Analytical procedures | As “agreed-upon” by practitioner and client |
| Limited use? | Criteria not suitable/available; Written assertion not provided if engaging party (client) is not the responsible party | Criteria not suitable/available; Written assertion not provided if engaging party (client) is not the responsible party | Mandatory |

■ Reporting options for a few types of attestation services:

| Attestation service | Examination | Review | AUP |
|---|---|---|---|
| AUP Engagements | | | √ |
| Prospective F/S (forecast/projection) | √ | | √ |
| Pro-forma F/S | √ | √ | |
| Compliance | √ | | √ |
| Management discussion & analysis | √ | √ | |
| I/C at a Service Organization: Trust Services | √ | | |
| I/C at a Service Organization: Relevant to User Entities’ ICFR | √ | | |

■ A few key requirements of attestation engagements:
• Written assertion required - An attest engagement is predicated on the concept that a
responsible party makes an assertion about whether the subject matter is measured or
evaluated in accordance with suitable criteria. Therefore, it is required for practitioner to
request a written assertion from the responsible party (ok if the written assertion is included
in an engagement letter, representation letter, alongside presentation of the subject matter or
in the notes, etc.)
◦ Examination & Review Engagements - If responsible party refuses to provide a written
assertion, practitioner should withdraw
⇒ Need not withdraw if engaging party ≠ responsible party [in this case, disclose the
refusal in the attest report and restrict use of the report to the engaging party]
◦ For AUP engagements, responsible party’s refusal to provide a written assertion requires
the practitioner to disclose that refusal in the report
• Preconditions for an Attest Engagement
◦ Establish written understanding with engaging party (e.g., written engagement letter)
regarding the terms of the engagement, including practitioner’s reporting responsibilities
◦ Responsible party (e.g., management) takes responsibility for the subject matter
◦ Engagement exhibits all of the following characteristics
⇒ Subject matter is appropriate
⇒ Criteria to be applied in the preparation and evaluation of the subject matter is suitable
and will be available to the intended users
⇒ Practitioner expects to be able to obtain the evidence including
- Access to all relevant info of which the responsible party is aware,
- Access to additional info that the practitioner may request, and
- Unrestricted access to persons within the appropriate party(ies)
⇒ Practitioner to issue a written report with opinion (for examination), conclusion (for
review) or findings (for AUP)
• Written representation letter required
◦ From responsible party
⇒ Not mandatory if engaging party ≠ responsible party, in which case, practitioner would
seek oral responses from responsible party and, if found ok, would restrict the use of
attest report to the engaging party [note: in case of AUP, the use of report is anyway
restricted]
◦ From engaging party (if engaging party ≠ responsible party) wherein the engaging party
acknowledges that the responsible party is responsible for the subject matter & assertion
• Engagement Documentation - To be assembled/filed within 60 days after report release date
◦ Thereafter, should not delete/discard any document before the end of the retention period
• Change in terms of the engagement - Practitioner to agree only if reasonable justification exists
◦ If the practitioner agrees to a downgrade of service (e.g., examination to review),
practitioner’s report should be issued on the lower level of service - with no reference to
the original engagement or scope limitations that resulted in the changed engagement
Engaging party = client who hires CPA | Responsible party = responsible for subject matter (e.g., management) | May be same or different
■ Sample Reports on Examination engagements = Opinion
• Sample Report on Examination of a subject matter (e.g., schedule of investment returns):
• Sample Report on Examination of an assertion (e.g., schedule of investment returns presented
in accordance with XYZ criteria):
Independent Accountant’s Report
[Appropriate Addressee]
We have examined the accompanying schedule of investment returns of ABC Company for the year ended December
31, 20XX. ABC Company’s management is responsible for presenting the schedule of investment returns in accordance
with the XYZ criteria set forth in Note 1. Our responsibility is to express an opinion on the schedule of investment
returns based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable
assurance about whether the schedule of investment returns is in accordance with the criteria, in all material respects.
An examination involves performing procedures to obtain evidence about the schedule of investment returns. The
nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of
material misstatement of the schedule of investment returns, whether due to fraud or error. We believe that the
evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]
[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]
In our opinion, the schedule of investment returns referred to above is presented in accordance with the XYZ criteria
set forth in Note 1, in all material respects.
[Practitioner’s signature | City and State | Date of report]
Independent Accountant’s Report
[Appropriate Addressee]
We have examined management’s assertion that the accompanying schedule of investment returns of ABC Company
for the year ended December 31, 20XX is presented in accordance with XYZ criteria set forth in Note 1. ABC Company’s
management is responsible for its assertion. Our responsibility is to express an opinion on management’s assertion
based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable
assurance about whether management's assertion is fairly stated, in all material respects. An examination involves
performing procedures to obtain evidence about management's assertion. The nature, timing, and extent of the
procedures selected depend on our judgment, including an assessment of the risks of material misstatement of
management's assertion, whether due to fraud or error. We believe that the evidence we obtained is sufficient and
appropriate to provide a reasonable basis for our opinion.
[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]
[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]
In our opinion, management’s assertion that the accompanying schedule of investment returns of ABC Company for
the year ended December 31, 20XX, is presented in accordance with the XYZ criteria set forth in Note 1 is fairly stated,
in all material respects.
[Practitioner’s signature | City and State | Date of report]
■ Sample Reports on Review engagements = Negative assurance
• Sample Report on Review of a subject matter (e.g., schedule of investment returns):
• Sample Report on Review of an assertion (e.g., schedule of investment returns presented in
accordance with XYZ criteria):
Independent Accountant’s Review Report
[Appropriate Addressee]
We have reviewed the accompanying schedule of investment returns of ABC Company for the year ended December
31, 20XX. ABC Company’s management is responsible for presenting the schedule of investment returns in accordance
with the XYZ criteria set forth in Note 1. Our responsibility is to express a conclusion on the schedule of investment
returns based on our review.
Our review was conducted in accordance with attestation standards established by the American Institute of Certified
Public Accountants. Those standards require that we plan and perform the review to obtain limited assurance about
whether any material modifications should be made to the schedule of investment returns in order for it to be in
accordance with the criteria. A review is substantially less in scope than an examination, the objective of which is to
obtain reasonable assurance about whether the schedule of investment returns is in accordance with the criteria, in all
material respects, in order to express an opinion. Accordingly, we do not express such an opinion. We believe that our
review provides a reasonable basis for our conclusion.
[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]
[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]
Based on our review, we are not aware of any material modifications that should be made to the accompanying
schedule of investment returns of ABC Company for the year ended December 31, 20XX in order for it to be in accordance
with the XYZ criteria set forth in Note 1.
[Practitioner’s signature | City and State | Date of report]
Independent Accountant’s Review Report
[Appropriate Addressee]
We have reviewed management of ABC Company’s assertion that the accompanying schedule of investment returns of
ABC Company for the year ended December 31, 20XX is presented in accordance with XYZ criteria set forth in Note 1.
ABC Company’s management is responsible for presenting the schedule of investment returns in accordance with the
XYZ criteria set forth in Note 1. Our responsibility is to express a conclusion on the schedule of investment returns based
on our review.
Our review was conducted in accordance with attestation standards established by the American Institute of Certified
Public Accountants. Those standards require that we plan and perform the review to obtain limited assurance about
whether any material modifications should be made to the schedule of investment returns in order for it to be in
accordance with the criteria. A review is substantially less in scope than an examination, the objective of which is to
obtain reasonable assurance about whether the schedule of investment returns is in accordance with the criteria, in all
material respects, in order to express an opinion. Accordingly, we do not express such an opinion. We believe that our
review provides a reasonable basis for our conclusion.
[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]
[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]
Based on our review, we are not aware of any material modifications that should be made to management of ABC
Company's assertion in order for it to be fairly stated.
[Practitioner’s signature | City and State | Date of report]
I) Agreed-Upon Procedures (AUP) Engagements
■ Practitioner engaged by client to report findings based on specific agreed-upon procedures
• Performed when specified parties require that findings be derived by an independent CPA
• May be performed on the subject matter, or assertion(s) about the subject matter
■ May be performed provided following conditions exist: {ASSURE the practitioner that AUP is ok}
• General standards for all attestation engagements = TIP + Know Criteria
• Agreement of the Parties - Practitioner and specified parties must agree regarding
◦ Procedures to be performed
◦ Criteria to be used in the determination of the findings, and
◦ Any materiality limits to be applied for reporting purposes
• Subject Matter - Responsibility of specified parties or the specified parties are able to provide
evidence that a third party is responsible; however, written assertion is generally not required
◦ Procedures to be applied to the subject matter should be expected to result in reasonably
consistent findings using the criteria
• Sufficiency of the Procedures - Responsibility of specified parties
• Use of the Report is Restricted to the specified parties
• Responsibility of Practitioner - Practitioner responsible for performing agreed-upon
procedures and report findings (as per AICPA’s SSAE)
• Engagements relating to prospective F/S must include a summary of significant assumptions
■ Sample Report on AUP engagement:
Independent Accountant’s Report on Applying Agreed-Upon Procedures
To the Audit Committees and Managements of ABC Company and XYZ Fund:
We have performed the procedures enumerated below, which were agreed to by the audit committees and
managements of ABC Company and XYZ Fund, on the accompanying Statement of Investment Performance Statistics of
XYZ Fund for the year ended December 31, 20XX. XYZ Fund’s management is responsible for the Statement of
Investment Performance Statistics for the year ended December 31, 20XX. The sufficiency of these procedures is solely
the responsibility of those parties specified in this report. Consequently, we make no representation regarding the
sufficiency of the procedures described below either for the purpose for which this report has been requested or for any
other purpose.
[Include paragraphs to enumerate procedures and findings.]
This agreed-upon procedures engagement was performed in accordance with attestation standards established by the
American Institute of Certified Public Accountants. We were not engaged to and did not conduct an examination or
review, the objective of which would be the expression of an opinion or conclusion, respectively, on the accompanying
Statement of Investment Performance Statistics of XYZ Fund for the year ended December 31, 20XX. Accordingly, we do
not express such an opinion or conclusion. Had we performed additional procedures, other matters might have come to
our attention that would have been reported to you.
[Additional paragraph(s) may be added to describe other matters.]
This report is intended solely for the information and use of the audit committees and managements of ABC Company
and XYZ Fund, and is not intended to be, and should not be, used by anyone other than the specified parties.
[Practitioner’s signature | City and State | Date of report]
Report intended for parties who prescribed procedures
Examination or Review = CPA decides procedures | AUP = Client decides procedures. CPA performs these agreed procedures & reports findings
Client responsible for sufficiency, CPA for performance
II) Prospective F/S (forecasts/projections)
■ Prospective F/S present expected or hypothetical future results of an entity. 2 types:
• Forecast - Prospective F/S with expected future results; assumptions based on expected
conditions and expected courses of action
◦ Can be for either general or limited use
◦ E.g., Company XYZ has received an approval for its technology patent and prepares financial
“forecast” for the next few years based on expected future results
• Projection - Prospective F/S given one/more hypothetical assumptions (based on “what if”
scenarios)
◦ Based on hypothetical assumptions not necessarily expected; thus, only for limited use by:
⇒ Responsible party (i.e., entity)
⇒ Third parties with whom the responsible party is negotiating directly (e.g., bank with
which the entity is negotiating for a loan, a regulatory agency)
◦ E.g., To negotiate a loan to expand its plant, Company XYZ prepares financial “projection”
for the next few years using the hypothetical assumption that the requested loan has been
granted and the plant is expanded [i.e., a “what if” scenario]
■ Practitioner may either examine or perform AUP on prospective F/S
• Examination - Obtain reasonable assurance and express an opinion as to whether
◦ prospective F/S conform to AICPA presentation guidelines, and
◦ underlying assumptions provide a reasonable basis for the forecast/projection
• Review of prospective F/S is NOT allowed
• AUP - Report findings from the procedures & summary of significant assumptions
◦ As applicable in AUP engagements, procedures performed by the practitioner are
established by the specified parties
⇒ Also, sufficiency of these procedures is solely the responsibility of the specified parties
(and practitioner makes no representation regarding the same)
◦ Can only result in a report for limited use whether it involves forecast or projection
■ Reports also need to include:
• Warning (Caveat) that the prospective results may not be achieved
• Statement that the practitioner has no responsibility to update the report for events &
circumstances occurring after the report date
• Limited use paragraph in case of examination of projections (in case of AUP, both forecasts
and projections will lead to the limited use para)
■ SSARS applies if CPA is engaged to compile prospective F/S

Limited use para:

| | Examination | AUP |
|---|---|---|
| Forecast | X | √ |
| Projection | √ | √ |

Warning #1 = Future is uncertain
Warning #2 = CPA may not revisit
General Rule: Attest = Follow SSAE (AT-C) | Compile = Follow SSARS (AR-C) = non-issuers only
■ Sample Reports on Examination of Prospective F/S:
Independent Accountant’s Report
[Appropriate Addressee]
We have examined the accompanying forecast of XYZ Company, which comprises [identify the statements, for example, the
forecasted balance sheet as of December 31, 20XX, and the related forecasted statements of income, stockholders’ equity, and cash
flows for the year then ending], based on the guidelines for the presentation of a forecast established by the American Institute of
Certified Public Accountants. XYZ Company's management is responsible for preparing and presenting the forecast in accordance
with the guidelines for the presentation of a forecast established by the American Institute of Certified Public Accountants. Our responsibility is to express an opinion on the forecast based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether the
forecast is presented in accordance with the guidelines for the presentation of a forecast established by the American Institute of
Certified Public Accountants, in all material respects. An examination involves performing procedures to obtain evidence about the forecast. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of
material misstatement of the forecast, whether due to fraud or error. We believe that the evidence we obtained is sufficient and
appropriate to provide a reasonable basis for our opinion.
In our opinion, the accompanying forecast is presented, in all material respects, in accordance with the guidelines for the
presentation of a forecast established by the American Institute of Certified Public Accountants, and the underlying assumptions are suitably supported and provide a reasonable basis for management’s forecast.
There will usually be differences between the forecasted and actual results because events and circumstances frequently do not occur as expected, and those differences may be material. We have no responsibility to update this report for events and
circumstances occurring after the date of this report.
[Practitioner’s signature | City and State | Date of report]
Independent Accountant’s Report
[Appropriate Addressee]
We have examined the accompanying projection of XYZ Company, which comprises [identify the statements, for example, the
projected balance sheet as of December 31, 20XX, and the related projected statements of income, stockholders' equity, and cash
flows for the year then ending] based on the guidelines for the presentation of a projection established by the American Institute of
Certified Public Accountants. XYZ Company's management is responsible for preparing and presenting the projection based on
[identify the hypothetical assumption(s), for example, the granting of the requested loan as described in the summary of significant
assumptions] in accordance with the guidelines for the presentation of a projection established by the American Institute of Certified
Public Accountants. The projection was prepared for [describe the special purpose, for example, the purpose of negotiating a loan to
expand XYZ Company's plant]. Our responsibility is to express an opinion on the projection based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public
Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether the projection is presented in accordance with the guidelines for the presentation of a projection established by the American Institute
of Certified Public Accountants, in all material respects. An examination involves performing procedures to obtain evidence about
the projection. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of material misstatement of the projection, whether due to fraud or error. We believe that the evidence we obtained is
sufficient and appropriate to provide a reasonable basis for our opinion.
In our opinion, [describe the hypothetical assumption(s), for example, assuming the granting of the requested loan for the purpose of
expanding XYZ Company's plant as described in the summary of significant assumptions] the projection referred to above is
presented, in all material respects, in accordance with the guidelines for the presentation of a projection established by the American Institute of Certified Public Accountants, and the underlying assumptions are suitably supported and provide a reasonable
basis for management's projection given the hypothetical assumption(s).
Even if [identify the hypothetical assumption, for example, the loan is granted and the plant is expanded], there will usually be
differences between the projected and actual results because events and circumstances frequently do not occur as expected, and
those differences may be material. We have no responsibility to update this report for events and circumstances occurring after the date of this report.
The accompanying projection and this report are intended solely for the information and use of [identify specified parties, for
example, XYZ Company and DEF National Bank], and are not intended to be and should not be used by anyone other than these
specified parties.
[Practitioner’s signature | City and State | Date of report]
III) Pro-forma F/S
■ Pro-forma F/S are used to show the significant effects of an event on historical F/S “if” the same
consummated/proposed event had occurred at an earlier date
• Pro-forma adjustments are applied to historical F/S based on management’s assumptions and
give effect to all significant effects directly attributable to the transaction/event
• Commonly used to show the effects of transactions/events such as the following:
◦ Business combination (e.g., what “if” the business combination had happened earlier?)
◦ Change in capitalization (e.g., what “if” the capitalization had been changed earlier?)
◦ Disposition of a portion of the business (e.g., what “if” the disposal had happened earlier?)
◦ Change in the form of business organization or status as an autonomous entity
◦ Proposed sale of securities and the application of the proceeds
• Pro-forma F/S should be labeled as such to distinguish it from historical F/S
� Need to describe the transaction/event that is reflected in the pro forma F/S, the source of
the historical F/S on which it is based, the significant assumptions used in developing the
pro forma adjustments, and any significant uncertainties about those assumptions
� Need to also indicate that pro-forma F/S should be read in conjunction with related
historical F/S and that the pro-forma F/S is not necessarily indicative of the results that
would have been attained had the transaction/event actually taken place earlier
� Practitioner may either examine or review pro-forma F/S
• Examination - Obtain reasonable assurance and express an opinion as to whether
� Management’s assumptions provide a reasonable basis for presenting the significant effects
directly attributable to the underlying transaction/event,
� Related pro-forma adjustments give appropriate effect to those assumptions, and
� Pro-forma amounts reflect proper application of those adjustments to the historical F/S
• Review - Obtain limited assurance and express a conclusion as to the same 3 points as above
� Reports also need to include:
• Reference to the historical F/S from which historical financial info is derived and state if such
F/S were audited (and if audited by another auditor)
� Note: Level of service on the pro-forma F/S should not exceed that on related historical F/S
⇒ Examination of pro-forma F/S only if related historical F/S were audited
⇒ Review of pro-forma F/S only if the related historical F/S were audited/reviewed
• Statement that the pro forma adjustments are based on management’s assumptions
• Description of the objectives and limitations of pro-forma F/S
� SSARS applies if the CPA is engaged to compile pro-forma F/S
- Sample Report on Examination of Pro-forma F/S:
Independent Accountant’s Report
[Appropriate Addressee]
We have examined the pro forma adjustments giving effect to the underlying transaction (or event) described in
Note 1 and the application of those adjustments to the historical amounts in the accompanying pro forma condensed balance sheet of X Company as of December 31, 20X1, and the related pro forma condensed statement
of income for the year then ended (pro forma financial information), based on the criteria in Note 1. The historical
condensed financial statements are derived from the historical financial statements of X Company, which were
audited by us, and of Y Company, which were audited by other accountants, appearing elsewhere herein [or "and
are readily available"]. The pro forma adjustments are based on management's assumptions described in Note 1. X
Company's management is responsible for the pro forma financial information. Our responsibility is to express an
opinion on the pro forma financial information based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain
reasonable assurance about whether, based on the criteria in Note 1, management's assumptions provide a
reasonable basis for presenting the significant effects directly attributable to the underlying transaction (or event),
and, in all material respects, the related pro forma adjustments give appropriate effect to those assumptions, and
the pro forma amounts reflect the proper application of those adjustments to the historical financial statement
amounts. An examination involves performing procedures to obtain evidence about management's assumptions, the
related pro forma adjustments, and the pro forma amounts in the pro forma condensed balance sheet of X Company
as of December 31, 20X1, and the related pro forma condensed statement of income for the year then ended. The
nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks
of material misstatement of the pro forma financial information, whether due to fraud or error. We believe that the
evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
The objective of this pro forma financial information is to show what the significant effects on the historical financial
information might have been had the underlying transaction (or event) occurred at an earlier date. However, the pro
forma condensed financial statements are not necessarily indicative of the results of operations or related effects on
financial position that would have been attained had the above-mentioned transaction (or event) actually occurred
at such earlier date.
In our opinion, based on the criteria in Note 1, management's assumptions provide a reasonable basis for presenting
the significant effects directly attributable to the above-mentioned transaction (or event) described in Note 1, and,
in all material respects, the related pro forma adjustments give appropriate effect to those assumptions, and the pro
forma amounts reflect the proper application of those adjustments to the historical financial statement amounts in
the pro forma condensed balance sheet of X Company as of December 31, 20X1, and the related pro forma
condensed statement of income for the year then ended.
[Practitioner’s signature | City and State | Date of report]
[Callouts: Refer to historical F/S | Objective & Limitations]
- Sample Report on Review of Pro-forma F/S:
Independent Accountant’s Report
[Appropriate Addressee]
We have reviewed the pro forma adjustments giving effect to the transaction (or event) described in Note 1 and the
application of those adjustments to the historical amounts in the accompanying pro forma condensed balance sheet of X Company as of March 31, 20X2, and the related pro forma condensed statement of income for the three months
then ended (pro forma financial information), based on the criteria in Note 1. These historical condensed financial
statements are derived from the historical unaudited financial statements of X Company, which were reviewed by
us, and of Y Company, which were reviewed by other accountants, appearing elsewhere herein [or "and are readily
available"]. The pro forma adjustments are based on management's assumptions as described in Note 1. X
Company's management is responsible for the pro forma financial information. Our responsibility is to express a
conclusion based on our review.
Our review was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our review to obtain limited
assurance about whether, based on the criteria in Note 1, any material modifications should be made to
management's assumptions in order for them to provide a reasonable basis for presenting the significant effects
directly attributable to the underlying transaction (or event); the related pro forma adjustments, in order for them to
give appropriate effect to those assumptions; or the pro forma amounts, in order for them to reflect the proper
application of those adjustments to the historical financial statement amounts. A review is substantially less in scope
than an examination, the objective of which is to obtain reasonable assurance about whether, based on the criteria,
management's assumptions provide a reasonable basis for presenting the significant effects directly attributable to
the underlying transaction (or event), and, in all material respects, the related pro forma adjustments give
appropriate effect to those assumptions, and the pro forma amounts reflect the proper application of those
adjustments to the historical financial statement amounts, in order to express an opinion. Accordingly, we do not
express such an opinion. We believe that our review provides a reasonable basis for our conclusion.
The objective of this pro forma financial information is to show what the significant effects on the historical financial
information might have been had the underlying transaction (or event) occurred at an earlier date. However, the pro
forma condensed financial statements are not necessarily indicative of the results of operations or related effects on
financial position that would have been attained had the above-mentioned transaction (or event) actually occurred
at such earlier date.
Based on our review, we are not aware of any material modifications that should be made to management's
assumptions in order for them to provide a reasonable basis for presenting the significant effects directly
attributable to the above-mentioned transaction (or event) described in Note 1, the related pro forma adjustments
in order for them to give appropriate effect to those assumptions, or the pro forma amounts, in order for them to
reflect the proper application of those adjustments to the historical financial statement amounts in the pro forma
condensed balance sheet of X Company as of March 31, 20X2, and the related pro forma condensed statement of
income for the three months then ended, based on the criteria in Note 1.
[Practitioner’s signature | City and State | Date of report]
[Callouts: Refer to historical F/S | Objective & Limitations]
IV) Internal control over financial reporting: No longer attest
- Earlier: For non-issuers, the auditor could be engaged for an attest engagement on ICFR (per SSAE standards) integrated with an audit of F/S (i.e., attest of ICFR + audit of F/S). No longer applicable
- Effective Dec 15, 2016: AU-C 940 applies if an auditor is engaged to perform an audit of ICFR integrated with an audit of F/S
  • Note again that the audit of ICFR is optional for non-issuers; but if the non-issuer wants to opt for it, it needs to be an integrated audit per GAAS
[Callout: If Integrated Audit for non-issuers, do Audit of F/S + Audit of ICFR (no longer attest)]
V) Compliance (as a specific engagement)
- Relates to an entity’s compliance with specified laws, regulations, rules, contracts, or grants
  • Does not provide a legal determination of an entity’s compliance with specified requirements. However, attest report may be useful to legal counsel or others in making such determinations
- Practitioner may either examine or perform AUP
  • Examination - Obtain reasonable assurance and express an opinion on the entity’s compliance with specified requirements (or, management’s assertion on compliance with specified requirements if fairly stated)
  • Review on compliance engagements is NOT allowed
  • AUP - Subject matter of the engagement may be on:
    - Entity’s compliance with specified requirements
    - Entity’s I/C over compliance with specified requirements
- Few key requirements:
  • Preconditions [for both Examination and AUP]
    - Practitioner should determine if:
      ⇒ Management accepts responsibility for the entity’s compliance and I/C over compliance
      ⇒ Management evaluates the entity’s compliance with specified requirements
    - Written assertion to be requested from management [required for Examination; not if AUP]
      ⇒ If management refuses to provide, practitioner should withdraw [for Examination only]
  • Obtain an understanding of the specified requirements via [for both Examination & AUP]:
    - Consideration of laws, regulations, rules, contracts, and grants that pertain to the specified requirements, including published requirements
    - Consideration of knowledge about the specified requirements obtained through prior engagements and regulatory reports
    - Discussion with appropriate individuals within the entity (e.g., CFO, internal auditors, legal counsel, compliance officer, or grant or contract administrators)
  • For Examination engagements [if AUP, need to perform procedures as agreed]
    - Obtain an understanding of relevant portions of I/C over compliance sufficient to plan the engagement and to assess control risk for compliance with specified requirements. In planning the examination, such knowledge should be used to identify types of potential non-compliance, to consider factors that affect the risk of material non-compliance, and to design appropriate tests of compliance
    - For engagements involving compliance with regulatory requirements, procedures should include reviewing reports of relevant examinations & related communications between regulatory agencies and the entity and, when appropriate, making inquiries of regulatory agencies, including inquiries about examinations in progress
  • Request written representation letter from management [for both Examination & AUP]
    - Additional representations needed from management [for both Examination & AUP]:
      ⇒ Acknowledgement of management’s responsibility for establishing and maintaining effective I/C over compliance
      ⇒ Statement that management has performed an evaluation of the entity’s compliance with specified requirements.
      ⇒ Management’s interpretation of any compliance requirements that have varying interpretations
    - In case of Examination engagement, required even if the client (engaging party) ≠ responsible party - i.e., the exception covered earlier is not permitted in this case
      ⇒ Management’s refusal to furnish the written representations constitutes a scope limitation sufficient to preclude an unmodified opinion and may be sufficient to cause the practitioner to withdraw from the Examination engagement
  • Forming an opinion for Examination engagement - In evaluating whether the entity has complied with the specified requirements, the practitioner should evaluate
    - Nature and frequency of the non-compliance identified, and
    - Whether such non-compliance is material relative to the nature of the compliance requirements
- Reports also need to include:
  • Identification of the specified requirements against which the entity's compliance (or I/C over compliance) was measured/evaluated
  • For Examination reports, statement that the examination does not provide a legal determination on the entity's compliance with specified requirements
  • For Examination reports, often the criteria are contained in the compliance requirements, in which case, it is not necessary to repeat the criteria in the practitioner's report; however, if the criteria are not included in the compliance requirement, the report should identify the criteria
- Sample Reports
  • On Examination of an Entity’s Compliance:
Independent Accountant’s Report
[Appropriate Addressee]
We have examined XYZ Company's compliance with [identify the specified requirements, for example, the requirements
listed in Attachment 1] during the period January 1, 20X1, to December 31, 20X1. Management of XYZ Company is
responsible for XYZ Company's compliance with the specified requirements. Our responsibility is to express an opinion
on XYZ Company's compliance with the specified requirements based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable
assurance about whether XYZ Company complied, in all material respects, with the specified requirements referenced
above. An examination involves performing procedures to obtain evidence about whether XYZ Company complied with
the specified requirements. The nature, timing, and extent of the procedures selected depend on our judgment,
including an assessment of the risks of material noncompliance, whether due to fraud or error. We believe that the
evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Our examination does not provide a legal determination on XYZ Company's compliance with specified requirements.
In our opinion, XYZ Company complied, in all material respects, with [identify the specified requirements, for example,
the requirements listed in Attachment 1] during the period January 1, 20X1 to December 31, 20X1.
[Practitioner’s signature | City and State | Date of report]
  • On AUP engagement of an Entity’s Compliance:
Independent Accountant’s Report on Applying Agreed-Upon Procedures
[Appropriate addressee]
We have performed the procedures enumerated below, which were agreed to by [identify the specified parties, for
example, the management and board of directors of XYZ Company], related to XYZ Company's compliance with [identify
the specified requirements, for example, the requirements listed in Attachment 1] during the period January 1, 20X1 to
December 31, 20X1. XYZ Company's management is responsible for its compliance with those requirements. The
sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we
make no representations regarding the sufficiency of the procedures enumerated below either for the purpose for
which this report has been requested or for any other purpose.
[Include paragraphs to enumerate procedures and findings.]
This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the
American Institute of Certified Public Accountants. We were not engaged to and did not conduct an examination or
review, the objective of which would be the expression of an opinion or conclusion, respectively, on compliance with
specified requirements. Accordingly, we do not express such an opinion or conclusion. Had we performed additional
procedures, other matters might have come to our attention that would have been reported to you.
This report is intended solely for the information and use of [identify the specified parties, for example, the management
and board of directors of XYZ Company] and is not intended to be, and should not be, used by anyone other than the
specified parties.
[Practitioner’s signature | City and State | Date of report]
  • On AUP engagement of an Entity’s I/C over Compliance:
Independent Accountant’s Report on Applying Agreed-Upon Procedures
[Appropriate addressee]
We have performed the procedures enumerated below, which were agreed to by [identify the specified parties, for
example, the management and board of directors of XYZ Company], related to XYZ Company's internal control over
compliance with [identify the specified requirements for example, the requirements listed in Attachment 1], as of
December 31, 20X1. XYZ Company’s management is responsible for its internal control over compliance with those
requirements. The sufficiency of these procedures is solely the responsibility of the parties specified in this report.
Consequently, we make no representations regarding the sufficiency of the procedures enumerated below either for the
purpose for which this report has been requested or for any other purpose.
[Include paragraphs to enumerate procedures and findings.]
This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the
American Institute of Certified Public Accountants. We were not engaged to and did not conduct an examination or
review, the objective of which would be the expression of an opinion or conclusion, respectively, on internal control
over compliance with specified requirements. Accordingly, we do not express such an opinion or conclusion. Had we
performed additional procedures, other matters might have come to our attention that would have been reported to
you.
This report is intended solely for the information and use of [identify the specified parties, for example, the management
and board of directors of XYZ Company] and is not intended to be, and should not be, used by anyone other than the
specified parties.
[Practitioner’s signature | City and State | Date of report]
VI) Management discussion & analysis (MD&A)
- Relates to the performance of an attest engagement with respect to MD&A (presented in annual reports and other documents) which are prepared pursuant to SEC rules & regulations
  • May provide services to:
    - Public entity that prepares MD&A in accordance with SEC rules & regulations
    - Non-public entity that prepares MD&A and whose management provides a written assertion that the presentation has been prepared using SEC rules & regulations
  • The guidance of this section (AT-C 395) does NOT
    - Change the auditor's responsibility in an audit of F/S
    - Apply to situations in which the practitioner is requested to provide recommendations to improve MD&A rather than to provide assurance (may be taken up as a Consulting service)
    - Apply if practitioner is engaged to provide attest services with respect to MD&A prepared based on criteria other than SEC rules and regulations (may be still taken up as an attest engagement but the guidance of this section AT-C 395 will not apply)
  • Note: In practical scenarios, practitioners rarely perform attest engagements to report on MD&A prepared pursuant to SEC rules and regulations (so AT-C 395 rarely applies)
- Practitioner may either examine or review MD&A
  • Examination - Obtain reasonable assurance and express an opinion as to whether
    - Presentation includes the required elements of SEC rules and regulations,
    - Historical financial amounts have been accurately derived from the entity’s F/S, and
    - Underlying info, determinations, estimates, and assumptions of the entity provide a reasonable basis for the disclosures contained therein
  • Review - Obtain limited assurance and express a conclusion as to the same 3 points as above
- Few key requirements:
  • Pre-conditions
    - Examination engagement - Practitioner audits the latest period F/S (and prior period F/S have also been audited either by the same practitioner or a predecessor auditor)
    - Review engagement -
      ⇒ MD&A is for annual period - Practitioner audits the latest period F/S (and prior period F/S have also been audited either by the same practitioner or a predecessor auditor)
      ⇒ MD&A is for interim period - Practitioner reviews/audits the latest interim F/S (and MD&A for the last fiscal year have been examined/reviewed either by the same practitioner or a predecessor auditor)
  • Obtain an understanding of the SEC rules & regulations, and management’s methodology for the preparation of MD&A
VII) Trust Services
- Relates to System and Organization Controls (SOC) for Service Organizations - Examination of I/C at a service organization providing valuable info that users need to assess/address the risks associated with an outsourced service
  • SOC 1 - SOC for Service Organizations: ICFR
    - Professional Standard: Examination per SSAE
    - Subject Matter: Controls at a service organization relevant to user entities’ ICFR
    - Report Type: Type 1 Report - Opinion on design of I/C; Type 2 Report - Opinion on design & operating effectiveness of I/C
    - Use of Report & Intended Users: Restricted Use (management of service organization, user entities, user auditors)
  • SOC 2 - SOC for Service Organizations: Trust Services Criteria
    - Professional Standard: Examination per SSAE
    - Subject Matter: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy
    - Report Type: Type 1 Report - Opinion on design of I/C; Type 2 Report - Opinion on design & operating effectiveness of I/C
    - Use of Report & Intended Users: Restricted Use (management of service organization, user entities, user auditors)
  • SOC 3 - SOC for Service Organizations: Trust Services Criteria for General Use Report
    - Professional Standard: Examination per SSAE
    - Subject Matter: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy
    - Report Type: Type 2 Report only - Opinion on design & operating effectiveness of I/C
    - Use of Report & Intended Users: General Use; allows organization to place a seal on their website upon successful completion
- Trust Services - SOC 2 & SOC 3 attest engagements require that the service organization’s controls meet the specified Trust Services Criteria (TSC) as defined by the AICPA
  • Trust Services Criteria (TSC) used to evaluate the controls in SOC 2 and SOC 3 engagements:
    - Security - Info & systems are protected against unauthorized access, unauthorized disclosure of info, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of info or systems that affect the entity’s ability to meet its objectives
    - Availability - Info & systems are available for operation and use to meet the entity’s objectives
    - Processing integrity - System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives
    - Confidentiality - Info designated as confidential is protected to meet the entity’s objectives
    - Privacy - Personal info is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives
  • SOC 2 vs. SOC 3
    - SOC 2 Report - Restricted use report intended for specified parties (management of the service organization and current/prospective users)
      ⇒ SOC 2 report is detailed; includes auditor’s opinion, management’s assertion, detailed description of system & organization’s controls, and results of auditor’s test of controls
    - SOC 3 Report - General use report that is also fit to be displayed online
      ⇒ SOC 3 report is brief; includes auditor’s opinion, management assertion, brief background on the service organization. No details on specific controls or results of auditor’s test of controls
  • SOC 2 reports are intended to meet the needs of users who need detailed info and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the info processed by these systems. These reports can play an important role in:
    - Oversight of the organization
    - Vendor management programs
    - Internal corporate governance and risk management processes
    - Regulatory oversight
  • SOC 3 reports can be issued on one or multiple Trust Services Criteria and allow the service organization to place a seal on their website as a representation of an unmodified opinion. Given the focus on e-commerce and online transactions, most common SOC 3 reports include:
    - Websites (Webtrust) - Examination of website and effectiveness of info system controls based on the trust services criteria
    - Information systems (Sys Trust service) - Examination of info system controls based on the trust services criteria
VII) I/C at a Service Organization Relevant to User Entities’ ICFR
- Attest engagement applicable when “service auditor” is examining I/C at a “service organization” that provides services to user entities
  • May provide appropriate evidence required by the “user auditor” relating to the I/C of the “service organization” when those I/C are likely to be relevant to user’s ICFR
    - E.g., Payroll processing “service organization” (like ADP) I/C related to the timely remittance of payroll deductions to government authorities may be relevant to a user entity as late remittances could incur interest/penalties that would result in a liability to the user
    - E.g., “Service organization” I/C over the acceptability of investment transactions from a regulatory perspective may be considered relevant to a user entity’s ICFR
  • Objective of the “service auditor” - Obtain reasonable assurance and express opinion regarding:
    - Management’s description of the service organization’s system (if it is fairly presented)
    - Design and implementation of I/C
    - Operating effectiveness of I/C (only in Type 2 engagement)
  • “Service auditor” engagement/report may be a Type 1 or Type 2
    - Type 1 Report - Opinion on design/implementation of the service organization’s I/C
    - Type 2 Report - Opinion on design/implementation AND operating effectiveness of the service organization’s I/C
- “Service auditor” considerations
  • Preconditions:
    - Management of service organization acknowledges and accepts its responsibility for the description of the service organization’s system and for I/C at the service organization
    - Service auditor’s preliminary knowledge indicates that the scope of the engagement will not be so limited that they are unlikely to be useful to user entities and their auditors
  • Written assertion to be requested from management of the service organization
    - If management refuses to provide, the service auditor should withdraw
  • Assess suitability of the criteria used by the management of the service organization in
    - Preparing its description of the service organization’s system,
    - Evaluating design/implementation of I/C,
    - Evaluating operating effectiveness of I/C (in the case of a type 2 engagement)
  • Obtain an understanding of the service organization’s system and assess RMM
  • Respond to assessed RMM - Perform further procedures and obtain evidence regarding:
    - Management’s Description of the Service Organization’s System,
    - Design/Implementation of I/C,
    - Operating Effectiveness of I/C (Type 2 engagement only)
  • Request written representation letter from management of the service organization
    - Required even if the client (engaging party) ≠ responsible party - i.e., the exception covered earlier is not permitted in a type 1 or type 2 engagement
    - Refusal by management of the “service organization” (or by management of a subservice organization that is being presented using the inclusive method) to furnish the written representations constitutes a scope limitation sufficient to preclude an unmodified opinion (and the service auditor may withdraw from the engagement)
- Sample Type 2 Service Auditor’s Report:
Independent Service Auditor’s Report on XYZ Service Organization’s Description of Its [type or name of] System and
the Suitability of the Design and Operating Effectiveness of Controls
To: XYZ Service Organization
Scope
We have examined XYZ Service Organization's description of its [type or name of] system entitled "XYZ Service
Organization's Description of Its [type or name of ] System" for processing user entities' transactions [or identification of
the function performed by the system] throughout the period [date] to [date] (description) and the suitability of the
design and operating effectiveness of the controls included in the description to achieve the related control objectives
stated in the description, based on the criteria identified in "XYZ Service Organization's Assertion" (assertion). The
controls and control objectives included in the description are those that management of XYZ Service Organization
believes are likely to be relevant to user entities' internal control over financial reporting, and the description does not
include those aspects of the [type or name of] system that are not likely to be relevant to user entities' internal control
over financial reporting.
[Add additional statement(s) in one/more of the below situation(s):
  - information that is not covered by the report is included in the description of the service organization's system
  - the service organization uses a subservice organization, the carve-out method is used to present the subservice organization (i.e., management’s description of the service organization's system identifies services performed by the subservice organization BUT subservice organization’s I/C excluded from scope of service auditor’s engagement), and complementary subservice organization controls are required to meet the control objectives
  - complementary user entity controls are required to meet the control objectives]
Service Organization's Responsibilities
In [section number where the assertion is presented], XYZ Service Organization has provided an assertion about the
fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to
achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the
description and assertion, including the completeness, accuracy, and method of presentation of the description and
assertion, providing the services covered by the description, specifying the control objectives and stating them in the
description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria stated in
the assertion, and designing, implementing, and documenting controls that are suitably designed and operating
effectively to achieve the related control objectives stated in the description.
Service Auditor's Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of
the design and operating effectiveness of the controls to achieve the related control objectives stated in the description,
based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable
assurance about whether, in all material respects, based on the criteria in management's assertion, the description is
fairly presented and the controls were suitably designed and operating effectively to achieve the related control
objectives stated in the description throughout the period [date] to [date]. We believe that the evidence we obtained is
sufficient and appropriate to provide a reasonable basis for our opinion.
An examination of a description of a service organization's system and the suitability of the design and operating
effectiveness of controls involves
• performing procedures to obtain evidence about the fairness of the presentation of the description and the
suitability of the design and operating effectiveness of the controls to achieve the related control objectives
stated in the description, based on the criteria in management's assertion.
• assessing the risks that the description is not fairly presented and that the controls were not suitably designed
or operating effectively to achieve the related control objectives stated in the description.
• testing the operating effectiveness of those controls that management considers necessary to provide
reasonable assurance that the related control objectives stated in the description were achieved.
• evaluating the overall presentation of the description, suitability of the control objectives stated in the
description, and suitability of the criteria specified by the service organization in its assertion.
Inherent Limitations
The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit
and report on user entities' financial statements and may not, therefore, include every aspect of the system that each
individual user entity may consider important in its own particular environment. Because of their nature, controls at a
service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions [or
identification of the function performed by the system]. Also, the projection to the future of any evaluation of the
fairness of the presentation of the description, or conclusions about the suitability of the design or operating
effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service
organization may become ineffective.
Description of Tests of Controls
The specific controls tested and the nature, timing, and results of those tests are listed in [section number where the
description of tests of controls is presented].
Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion
a. the description fairly presents the [type or name of] system that was designed and implemented throughout
the period [date] to [date].
b. the controls related to the control objectives stated in the description were suitably designed to provide
reasonable assurance that the control objectives would be achieved if the controls operated effectively
throughout the period [date] to [date] and subservice organizations and user entities applied the
complementary controls assumed in the design of XYZ Service Organization’s controls throughout the period
[date] to [date].
c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the
description were achieved throughout the period [date] to [date] if complementary subservice organization and
user entity controls assumed in the design of XYZ Service Organization’s controls operated effectively
throughout the period [date] to [date].
Restricted Use
This report, including the description of tests of controls and results thereof in [section number where the description of
tests of controls is presented], is intended solely for the information and use of management of XYZ Service
Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date]
to [date], and their auditors who audit and report on such user entities' financial statements or internal control over
financial reporting and have a sufficient understanding to consider it, along with other information, including
information about controls implemented by user entities themselves, when assessing the risks of material misstatement
of user entities' financial statements. This report is not intended to be, and should not be, used by anyone other than the
specified parties.
[Service auditor's signature]
[Service auditor's city and state]
[Date of the service auditor's report]
■ Sample Type 1 Service Auditor’s Report:
[Note that the Type 2 Service Report template has been taken and modified to the Type 1 Service
Report - all edits are highlighted in grey to appreciate the differences between the two reports]
Independent Service Auditor’s Report on XYZ Service Organization’s Description of Its [type or name of] System and
the Suitability of the Design and Operating Effectiveness of Controls
To: XYZ Service Organization
Scope
We have examined XYZ Service Organization's description of its [type or name of] system entitled "XYZ Service
Organization's Description of Its [type or name of] System" for processing user entities' transactions [or identification of
the function performed by the system] throughout the period [date] to [date] as of [date] (description) and the
suitability of the design and operating effectiveness of the controls included in the description to achieve the related
control objectives stated in the description, based on the criteria identified in "XYZ Service Organization's Assertion"
(assertion). The controls and control objectives included in the description are those that management of XYZ Service
Organization believes are likely to be relevant to user entities' internal control over financial reporting, and the
description does not include those aspects of the [type or name of] system that are not likely to be relevant to user
entities' internal control over financial reporting.
[Add additional statement(s) in one/more of the below situation(s):
◦ information that is not covered by the report is included in the description of the service organization's system
◦ the service organization uses a subservice organization, the carve-out method is used to present the subservice
organization, and complementary subservice organization controls are required to meet the control objectives
◦ complementary user entity controls are required to meet the control objectives]
Service Organization's Responsibilities
In [section number where the assertion is presented], XYZ Service Organization has provided an assertion about the
fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to
achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the
description and assertion, including the completeness, accuracy, and method of presentation of the description and
assertion, providing the services covered by the description, specifying the control objectives and stating them in the
description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria stated in
the assertion, and designing, implementing, and documenting controls that are suitably designed and operating
effectively to achieve the related control objectives stated in the description.
Service Auditor's Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of
the design and operating effectiveness of the controls to achieve the related control objectives stated in the description,
based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management's assertion, the description is
fairly presented and the controls were suitably designed and operating effectively to achieve the related control
objectives stated in the description throughout the period [date] to [date] as of [date]. We believe that the evidence we
obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
An examination of a description of a service organization's system and the suitability of the design and operating
effectiveness of controls involves
• performing procedures to obtain evidence about the fairness of the presentation of the description and the
suitability of the design and operating effectiveness of the controls to achieve the related control objectives
stated in the description, based on the criteria in management's assertion.
• assessing the risks that the description is not fairly presented and that the controls were not suitably designed
or operating effectively to achieve the related control objectives stated in the description.
• testing the operating effectiveness of those controls that management considers necessary to provide reasonable assurance that the related control objectives stated in the description were achieved.
• evaluating the overall presentation of the description, suitability of the control objectives stated in the
description, and suitability of the criteria specified by the service organization in its assertion.
Type 1 Report - Design of I/C as of [date]
Type 2 Report - Design and Operating Effectiveness of I/C for the period [date] to [date]
Inherent Limitations
The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit and report on user entities' financial statements and may not, therefore, include every aspect of the system that each
individual user entity may consider important in its own particular environment. Because of their nature, controls at a
service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions [or
identification of the function performed by the system]. Also, the projection to the future of any evaluation of the
fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service
organization may become ineffective.
Description of Tests of Controls
The specific controls tested and the nature, timing, and results of those tests are listed in [section number where the
description of tests of controls is presented].
Other Matter
We did not perform any procedures regarding the operating effectiveness of controls stated in the description and,
accordingly, do not express an opinion thereon.
Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion
a. the description fairly presents the [type or name of] system that was designed and implemented throughout
the period [date] to [date] as of [date].
b. the controls related to the control objectives stated in the description were suitably designed to provide
reasonable assurance that the control objectives would be achieved if the controls operated effectively
throughout the period [date] to [date] as of [date] and subservice organizations and user entities applied the
complementary controls assumed in the design of XYZ Service Organization’s controls throughout the period
[date] to [date] as of [date].
c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the
description were achieved throughout the period [date] to [date] if complementary subservice organization and user entity controls assumed in the design of XYZ Service Organization’s controls operated effectively
throughout the period [date] to [date].
Restricted Use
This report, including the description of tests of controls and results thereof in [section number where the description of
tests of controls is presented], is intended solely for the information and use of management of XYZ Service Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date]
to [date] as of [date], and their auditors who audit and report on such user entities' financial statements or internal
control over financial reporting and have a sufficient understanding to consider it, along with other information,
including information about controls implemented by user entities themselves, when assessing the risks of material
misstatement of user entities' financial statements. This report is not intended to be, and should not be, used by anyone other than the specified parties.
[Service auditor's signature] [Service auditor's city and state]
[Date of the service auditor's report]
7.3) Governmental Auditing
I) Government Auditing Standards
■ GAGAS (Generally Accepted Government Auditing Standards) - Standards for use by auditors of
government entities, entities that receive government awards and audit organizations performing
GAGAS audits
• Also known as the “Yellow Book”
◦ Issued by the Comptroller General of the US who is the director of the Government
Accountability Office (GAO)
◦ Comprises:
⇒ Auditing Standards
⇒ Professional Responsibilities & Ethics
• Types of GAGAS Audits and Attestation Engagements
◦ Financial Audits - Incorporate SAS (US GAAS) along with additional requirements. Include:
⇒ F/S Audits - Opinion on F/S + Reports on ICFR & Compliance
⇒ Other types of financial audits - Single F/S, Specified elements/accounts/items of F/S,
letter for underwriters, auditing compliance relating to one/more government programs
◦ Attestation Engagements - Incorporate SSAE along with additional requirements
⇒ May be Examination, Review or AUP engagement {ERA}
⇒ Can cover a broad range of financial or non-financial objectives about the subject matter
or assertion depending on the users’ needs
◦ Performance Audits - Audits that provide findings/conclusions based on an evaluation of
sufficient, appropriate evidence against criteria; may have one/more of below objectives
{Performance Audits are nothing short of an EPIC!}:
⇒ Effectiveness, economy & efficiency - Assess extent to which a program is achieving its
goals & objectives, or address the costs & resources used to achieve program results
⇒ Prospective analysis - Analysis or conclusions about info that is based on assumptions
about events that may occur in the future, along with possible actions that the entity
may take in response to the future events
⇒ Internal control - Assessment of one or more components of I/C
⇒ Compliance - Assessment of compliance with criteria established by provisions of laws,
regulations, contracts, or grant agreements, or other requirements
• GAGAS incorporates GAAS (SAS AU-C by AICPA), and details additional requirements that apply
◦ General Standards - TIP + Q {Question - Will the same TIP work for GAGAS?}
◦ Fieldwork Standards - PIC + APPEND {Need to APPEND the Yellow Book to the Field PIC!}
◦ Reporting Standards - ACDE + AICPA CD-VCD {Remember you still are AICPA’s auditors
albeit with CDs & VCDs!}
General Standards
• TIP + Q
• Quality Control
Fieldwork Standards
• PIC + APPEND
• Additional Considerations
• Pertinent info
• Previous audits
• Elements of a finding
• Non-compliance, Fraud & Abuse
• Documentation
Reporting Standards
• ACDE + AICPA CD-VCD
• Audit Report per GAGAS
• ICFR Report
• Compliance Report - Provisions & Agreements
• Communicating Deficiencies
• Views of entity officials
• Confidential & Sensitive Info
• Distribution of reports
■ GAGAS - Auditing Standards:
General Standards - TIP + Q {Question is - Will the same TIP work for GAGAS?}
• Quality Control - Audit firm must establish & maintain a system of quality control (designed to
provide reasonable assurance that the firm and its personnel comply with professional
standards and applicable legal/regulatory requirements). Audit firm should obtain an external
peer review at least once every 3 years
Fieldwork Standards - PIC + APPEND {Need to APPEND the Yellow Book to the Field PIC!}
where, APPEND = few requirements in addition to GAAS when performing financial audits:
• Additional auditor considerations for GAGAS financial audits -
◦ Materiality - Considerations in addition to GAAS may apply. E.g., In GAGAS audits, auditor
may find it appropriate to use lower materiality levels due to public accountability of the
entity, legal/regulatory requirements, and visibility/sensitivity of government programs
◦ Early Communication of Deficiencies - Especially for matters which are relatively significant
and corrective follow-up action is urgent (e.g., when a control deficiency results in
non-compliance or abuse). Additional GAGAS Reporting requirements {AICPA CD-VCD} still apply
• Pertinent info to be communicated - In addition to GAAS requirements, auditor should
communicate pertinent info (per auditor’s professional judgment) to individuals contracting for
or requesting the audit, and to cognizant legislative committees when auditor performs the
audit pursuant to a law/regulation, or conducts the work for the legislative committee
◦ This requirement does not apply if the law/regulation requiring an audit of F/S does not
specifically identify the entities to be audited (e.g., single audits)
• Previous audits/attest engagements - Auditor should evaluate whether the entity has taken
appropriate corrective action to address findings & recommendations from previous
audit/attest engagements that could have a material effect on the F/S
◦ Auditor should identify such info when planning the audit, and use it to assess audit risk and
determine the nature, extent and timing of current audit work
• Elements of a finding to be developed - Auditor should plan & perform procedures to develop
the following elements of findings (e.g., I/C deficiency, non-compliance):
◦ Condition - Situation that exists
◦ Criteria - Required/desired state. E.g., I/C standards, laws/regulations, benchmarks
◦ Cause - Reason for difference between “condition” & “criteria”. E.g., Poorly designed I/C
◦ Effect or potential effect - Impact or potential impact of the difference between
“condition” & “criteria”. Demonstrates need for corrective action
• Non-compliance, Fraud & Abuse - Auditor should extend GAAS requirements to:
◦ Consider compliance with contracts or grant agreements (not just with laws/regulation)
◦ Consider occurrence of abuse - e.g., misuse of authority for personal financial interests. Not
required to detect abuse as these are subjective; however, if auditor becomes aware of
abuse that could be material to F/S, need to perform additional testing
◦ Avoid interference with or compromising an ongoing investigative or legal proceeding
• Documentation - Auditor should comply with the following additional requirements:
◦ Document supervisory review, before the report release date, of the evidence that supports
the findings, conclusions, and recommendations in the auditor’s report
◦ Document any departures from GAGAS requirements (due to laws/regulation, scope
limitation, etc.) and the impact of the same on the audit & on auditor’s conclusions
Reporting Standards = ACDE + AICPA CD-VCD
{Remember you still are AICPA’s auditors albeit with CDs & VCDs!}
where, AICPA = reports required per GAGAS
• Audit Report per GAGAS - Opinion on F/S; include a statement in the auditor’s report that audit
was performed in accordance with GAGAS
• Report on ICFR (Internal Control over Financial Reporting)
◦ Report any significant deficiencies or material weaknesses in I/C identified by the auditor
◦ Note:
⇒ GAAS audit - Report on ICFR “only” when auditor identified significant deficiencies &
material weaknesses in I/C
⇒ GAGAS audit - Report on ICFR is always required whether or not auditor identifies such
deficiencies
◦ May be included along with the Report on Compliance {CPA of AICPA}, or a separate report;
if separate, need to refer to the Report on Compliance
◦ No opinion required - Does not require auditor to express opinion on ICFR (as would be
required in an integrated audit per GAAS / PCAOB AS)
⇒ Auditor only needs to describe the scope of auditor’s testing and any findings
• Report on Compliance with Provisions of laws/regulations and Contracts/Grant Agreements
◦ Report on:
⇒ Fraud & non-compliance with provisions of laws/regulations that have a material effect
on F/S and any other instances that warrant attention of TCWG
⇒ Non-compliance with provisions of contracts or grant agreements that has a material
effect on F/S
⇒ Abuse that is material (quantitatively/qualitatively)
◦ Report on Compliance is always required whether or not auditor identifies non-compliance
◦ May be included along with the Report on ICFR {I of AICPA}, or a separate report; if separate,
need to refer to the Report on ICFR
◦ No opinion required - Does not require auditor to express opinion on compliance
⇒ Auditor only needs to describe the scope of auditor’s testing and any findings
Auditor Reporting Requirements
GAAS Audit
• Audit Report on F/S (opinion)
• No Report on I/C unless significant deficiencies are identified
• No Report on Compliance
GAGAS Audit = GAAS++
• Audit Report on F/S (opinion)
• Report on ICFR (no opinion required)
• Report on Compliance (no opinion required)
where, CD-VCD = additional reporting requirements per GAGAS
• Communicating Deficiencies in Internal Control / Non-compliance, Fraud & Abuse
◦ Communicate I/C significant deficiencies & material weaknesses on ICFR Report {AICPA}
Communicate material Non-compliance, Fraud & Abuse in Compliance Report {AICPA}
Columns: ICFR Report / Compliance Report | Communicate in writing (required) | Communicate per Auditor’s Judgment
Deficiencies in ICFR
Material Weaknesses ✓
Significant Deficiencies ✓
Other Deficiencies ✓
Fraud & Non-compliance with Provisions of laws/regulation
Material Effect on F/S ✓
Not material but warrants TCWG’s attention ✓
Does not warrant TCWG’s attention ✓
Noncompliance with provisions of contracts and grant agreements
Material Effect on F/S ✓
Not material but warrants TCWG’s attention ✓
Does not warrant TCWG’s attention ✓
Abuse
Material ✓
Not material but warrants TCWG’s attention ✓
Does not warrant TCWG’s attention ✓
⇒ Note: If there is an ongoing investigative or legal proceeding - Consult with authorities
or legal counsel and limit public reporting to matters that would not compromise the
proceeding (e.g., report only on info that is already a part of the public record)
◦ Findings to be presented in the Auditor’s Report(s) on ICFR & Compliance (or the Report(s)
may refer to a separate schedule of findings). Include:
⇒ Previous year’s engagements’ findings/deficiencies not yet remediated
⇒ Elements of the findings
⇒ Description of the nature & extent of issues being reported (e.g., $ value) and extent of
work performed that resulted in the finding
◦ Pertinent info/findings to be communicated directly to parties outside the entity:
⇒ If management fails to report such info to external parties per law/regulation - Auditor
first communicates failure to report to TCWG. If entity still does not take the required action, then
auditor should report directly to specified external parties
⇒ If management fails to respond timely & appropriately to non-compliance, fraud or
abuse and involves funding received directly/indirectly from a government agency -
Auditor first communicates failure to report to TCWG. If entity still does not take the
required action, then auditor should report directly to the funding agency
• Views/comments from responsible officials of the entity to be reported -
◦ If Report on ICFR discloses deficiencies in I/C and/or Report on Compliance discloses
non-compliance, fraud or abuse, auditor should have:
⇒ Provided a draft report with findings to the responsible officials of the entity
⇒ Obtained their views/comments on auditor’s findings, conclusions & recommendations,
as well as any planned corrective actions. Written is preferred; but sometimes oral is ok
(e.g., reporting deadline, officials already know, auditor expects officials to agree)
⇒ Included the views/comments on the auditor’s report along with auditor’s evaluation of
comments (as appropriate)
◦ Few scenarios in terms of views/comments of responsible officials:
⇒ Written comments received - Include in the auditor’s report (as a copy or summary)
⇒ Oral comments received - Auditor should prepare a summary of the comments and provide a copy of the same to the responsible officials (to verify accuracy)
⇒ Comments are inconsistent or in conflict with auditor’s findings, conclusions or
recommendations - Auditor should evaluate the validity of the entity’s comments, and
- If auditor disagrees with entity’s comments, explain reasons on the auditor’s report
- If auditor agrees with entity’s comments, modify the auditor’s report as necessary
⇒ Comments not received (e.g., entity refused or was unable to provide it timely) - Auditor
may issue the report without the comments but should indicate in the report that the
entity did not provide comments
• Confidential and Sensitive Info - If needed to be excluded from auditor’s report, auditor should
disclose in the report that certain info has been omitted (along with reasons)
◦ Auditor may issue a separate limited use report containing such info and distribute the
report only to persons authorized by law or regulation to receive it
◦ When circumstances call for omission of certain info, auditors should evaluate whether this
omission could distort the audit results or conceal improper or illegal practices
• Distributing Reports -
◦ Auditors of government entities should distribute auditor’s reports to:
⇒ appropriate entity officials,
⇒ TCWG,
⇒ appropriate oversight bodies or organizations requiring or arranging for the audits,
⇒ other officials who have legal oversight authority or who may be responsible for acting
on audit findings and recommendations, and
⇒ others authorized to receive such reports
◦ Auditor should clarify report distribution responsibilities with the engaging party
◦ Auditors should document any limitation on report distribution
◦ Internal audit organizations in government entities may also follow the Institute of Internal
Auditors (IIA) International Standards for the Professional Practice of Internal Auditing
⇒ Head of internal audit should communicate results to the parties who can ensure that
the results are given due consideration
⇒ If the above is not otherwise mandated by statutory/ regulatory requirements, prior to
releasing results to parties outside the organization, the head of internal audit should:
- Assess the potential risk to the entity,
- Consult with senior management or legal counsel (as appropriate), and
- Control dissemination by indicating the intended users in the report
■ Sample GAGAS Reports:
• Report on F/S Audit {A of AICPA}
Independent Auditor’s Report
[Appropriate Addressee]
Report on the Financial Statements
We have audited the accompanying financial statements of the governmental activities, the business-type activities,
the aggregate discretely presented component units, each major fund, and the aggregate remaining fund
information of the City of XYZ, Any State, as of and for the year ended June 30, 20X1, and the related notes to the
financial statements, which collectively comprise the City of XYZ’s basic financial statements as listed in the table of
contents.
Management’s Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial statements in accordance
with accounting principles generally accepted in the United States of America; this includes the design,
implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial
statements that are free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express opinions on these financial statements based on our audit. We conducted our audit in
accordance with auditing standards generally accepted in the United States of America and the standards applicable
to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United
States. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether
the financial statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial
statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of
material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments,
the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial
statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of
expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.
An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of
significant accounting estimates made by management, as well as evaluating the overall presentation of the financial
statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit
opinions.
Opinions
In our opinion, the financial statements referred to above present fairly, in all material respects, the respective
financial position of the governmental activities, the business-type activities, the aggregate discretely presented
component units, each major fund, and the aggregate remaining fund information of the City of XYZ, Any State, as of
June 30, 20X1, and the respective changes in financial position and, where applicable, cash flows thereof for the year
then ended in accordance with accounting principles generally accepted in the United States of America.
Other Matters
[E.g., Relating to Required Supplementary Information]
Other Reporting Required by Government Auditing Standards
In accordance with Government Auditing Standards, we have also issued our report dated [date of report] on our
consideration of the City of XYZ's internal control over financial reporting and on our tests of its compliance with
certain provisions of laws, regulations, contracts, and grant agreements and other matters. The purpose of that
report is solely to describe the scope of our testing of internal control over financial reporting and compliance and
the results of that testing, and not to provide an opinion on the effectiveness of the City of XYZ's internal control over
financial reporting or on compliance. That report is an integral part of an audit performed in accordance with
Government Auditing Standards in considering City of XYZ’s internal control over financial reporting and compliance.
[Auditor’s signature | Auditor’s City & State | Date of auditor’s report]
• Report on ICFR & Compliance {ICPA of AICPA}
Independent Auditor’s Report
[Appropriate Addressee]
We have audited, in accordance with the auditing standards generally accepted in the United States of America and
the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller
General of the United States, the financial statements of the governmental activities, the business-type activities, the
aggregate discretely presented component units, each major fund, and the aggregate remaining fund information of
XYZ Entity, as of and for the year ended June 30, 20X1, and the related notes to the financial statements, which
collectively comprise XYZ Entity’s basic financial statements, and have issued our report thereon dated August 15,
20X1.
Internal Control Over Financial Reporting
In planning and performing our audit of the financial statements, we considered XYZ Entity's internal control over
financial reporting (internal control) to determine the audit procedures that are appropriate in the circumstances for
the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion
on the effectiveness of XYZ Entity’s internal control. Accordingly, we do not express an opinion on the effectiveness
of XYZ Entity’s internal control.
A deficiency in internal control exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,
misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal
control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements
will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or a
combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to
merit attention by those charged with governance.
Our consideration of internal control was for the limited purpose described in the first paragraph of this section and
was not designed to identify all deficiencies in internal control that might be material weaknesses or significant
deficiencies. Given these limitations, during our audit we did not identify any deficiencies in internal control that we
consider to be material weaknesses. However, material weaknesses may exist that have not been identified.
Compliance and Other Matters
As part of obtaining reasonable assurance about whether XYZ Entity's financial statements are free from material
misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant
agreements, noncompliance with which could have a direct and material effect on the determination of financial
statement amounts. However, providing an opinion on compliance with those provisions was not an objective of our
audit, and accordingly, we do not express such an opinion. The results of our tests disclosed no instances of
noncompliance or other matters that are required to be reported under Government Auditing Standards.
Purpose of this Report
The purpose of this report is solely to describe the scope of our testing of internal control and compliance and the
results of that testing, and not to provide an opinion on the effectiveness of the entity’s internal control or on
compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards
in considering the entity’s internal control and compliance. Accordingly, this communication is not suitable for any
other purpose.
[Auditor’s signature | Auditor’s City & State | Date of auditor’s report]
[Margin note: GAGAS - ICPA of AICPA = No opinions required]
II) Single Audit
■ “Single Audit” - Applicable to non-federal entities (includes state/local governments, not-for-profit
entities, etc.) that expend $750,000 or more of federal awards in a fiscal year
• Audit conducted pursuant to the Single Audit Act (as amended) which gives authority to the
Director of the Office of Management and Budget (OMB) to set the guidelines for single audits.
◦ Most recent OMB regulation issued for this purpose is Title 2 U.S. Code of Federal
Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and
Audit Requirements for Federal Awards (“Uniform Guidance”)
• Requires a “single” audit (instead of multiple audits of various programs)
◦ Ensures consistency and uniformity for such audits
◦ Improves effectiveness of audits of federal awards (and reduces audit burden)
• Applies to both recipients (e.g., City receives funds from Fed) and sub-recipients (e.g., City
receives funds from State which receives funds from Fed)
• Scope of the Single Audit in addition to GAGAS:
◦ SEFA (Schedule of Expenditures of Federal Awards) - Must be for the same period as F/S
◦ Compliance - In addition to GAGAS requirements, auditor must determine whether the
entity has complied with Federal statutes, regulations, and the terms & conditions of
Federal awards that may have a direct & material effect on each of its major programs.
⇒ Compliance testing must include tests of transactions and such other auditing
procedures necessary to provide the auditor sufficient appropriate audit evidence to
support an opinion on compliance
◦ I/C - In addition to GAGAS requirements, auditor must obtain an understanding of I/C over
major Federal programs, test I/C over compliance for major programs and report any
significant deficiency or material weakness in I/C
⇒ Auditor not required to test I/C likely to be ineffective, but must consider if additional
compliance tests are required
◦ Materiality - Consider separately for each major program, not just for F/S taken as a whole
(per GAAS/GAGAS, materiality considered in relation to F/S taken as a whole)
◦ Previous audit engagements - Entity is responsible for follow-up and corrective action on
all audit findings; and must prepare a summary schedule of prior audit findings to report
status of all audit findings included in prior audit’s Schedule of Findings & Questioned Costs
⇒ Auditor follow-up - Required on this summary schedule of prior audit findings and need
to report if the same was materially misrepresented by the entity
• Audit Documentation - Auditor must retain audit documentation & reports for a minimum of 3
years after the date of issuance of the auditor’s report(s)
■ Alternative to Single Audit: Program-specific audit -
• Auditor audits F/S of Federal program per GAGAS (and not F/S of the entity taken as a whole)
◦ Program-specific audit guides available to provide specific guidance to the auditor with
respect to I/C, compliance requirements, suggested audit procedures, and audit reporting
requirements. If a program-specific guide is not available, auditor has basically the same
responsibilities for the Federal program as for an audit of a major program in a single audit
• Allowed when:
◦ Entity expends Federal awards under only one Federal program (excluding R&D), and
◦ Terms of the Federal award do not require a F/S audit
“Single” Audit for entity & major programs if Fed assistance > $750K
■ Reporting requirements for “Single Audits” {AICPA’s auditors now with SCI-Fi CDs & VCDs!}
Reports required per GAGAS: {AICPA}
• Audit Report per GAGAS
• Report on ICFR (Internal Control over Financial Reporting)
◦ Refer to “Fi” (Schedule of Findings & Questioned Costs)
• Report on Compliance with Provisions of laws/regulations and Contracts/Grant Agreements -
◦ Refer to “Fi” (Schedule of Findings & Questioned Costs)
Additional Reports required for Single Audits: {SCI-Fi}
• Schedule of Expenditures of Federal Awards (SEFA Report)
◦ Opinion as to whether the schedule is fairly stated in relation to the F/S as a whole
• Report on Compliance for each major program and a report on I/C over compliance
◦ Compliance for each major program - Opinion required on compliance with Federal
statutes, regulations, and terms & conditions of Federal awards which could have a direct &
material effect on each major program
◦ I/C over compliance - No opinion required; auditor only needs to describe the scope of
auditor’s testing and report any significant deficiencies or material weaknesses
◦ Refer to “Fi” (Schedule of Findings & Questioned Costs)
• Schedule of Findings & Questioned Costs
◦ Summary of Auditor’s results
◦ Findings relating to the Audit of F/S per GAGAS
◦ Findings & Questioned costs for Federal awards
Auditor Reporting Requirements
GAAS Audit
• Audit Report on F/S (opinion)
• No Report on I/C unless significant deficiencies or material weaknesses are identified
• No Report on Compliance
GAGAS Audit = GAAS++
• Audit Report on F/S (opinion)
• ICFR Report (no opinion required)
• Compliance Report (no opinion required)
Single Audit = GAGAS++
• Audit Report on F/S (opinion)
• ICFR Report (no opinion required)
• Compliance Report (no opinion required)
• Schedule of Expenditures of Federal Awards (opinion)
• Compliance Report for each major program (opinion) +
I/C over Compliance Report (no opinion required)
• Findings & Questioned Costs Schedule
■ Major Program determination - Auditor to use “risk-based approach” to determine which Federal
programs are “major” programs
• Considerations:
◦ Current and prior audit experience
◦ Oversight by Federal agencies and pass-through entities
◦ Inherent risk of the Federal program
• 4-step process to be followed:
◦ Step 1: Identify Type A programs (generally, if $750K or more expended); all others labeled
Type B programs
◦ Step 2: Identify Type A programs which are “low-risk programs” if
⇒ Audited as a major program in at least one of the last 2 audit periods, and
⇒ In the most recent audit period, the program had unmodified opinion on compliance, no
material weaknesses in I/C over compliance, and known/likely questioned costs of <=5%
of award expended
◦ Step 3: Identify Type B programs which are “high risk programs” using professional
judgment & specified criteria
◦ Step 4: At a minimum, the auditor must audit all of the following as major programs:
⇒ All Type A programs not identified as low risk under Step 2
⇒ All Type B programs identified as high-risk under Step 3
• Percentage of coverage rule -
◦ If the entity meets the criteria for a “low-risk auditee”, auditor needs to audit only the
major programs identified in Step 4 (and any additional Federal programs) such that all
major programs encompass at least 20% of total Federal awards expended
⇒ For other entities, all major programs need to encompass at least 40% of total Federal
awards expended
◦ Criteria for a “low-risk auditee”
⇒ Single audits were performed on an annual basis for 2 years
⇒ Opinion on F/S and SEFA = Unmodified opinion
⇒ No material weaknesses in ICFR identified per GAGAS
⇒ No going concern issues reported by auditor
⇒ Type A programs had unmodified opinion on compliance, no material weaknesses in I/C
over compliance, and known/likely questioned costs of <= 5% of award expended
Compliance of each “Major” program = AICPA S C I - Fi
■ Sample Single Audit Report on Compliance for each major program & Report on I/C over compliance:
Independent Auditor’s Report
[Appropriate Addressee]
Report on Compliance for Each Major Federal Program
We have audited XYZ Entity’s compliance with the types of compliance requirements described in the OMB Compliance
Supplement that could have a direct and material effect on each of XYZ Entity’s major federal programs for the year ended
June 30, 20X1. XYZ Entity’s major federal programs are identified in the summary of auditor’s results section of the
accompanying schedule of findings and questioned costs.
Management’s Responsibility
Management is responsible for compliance with federal statutes, regulations, and the terms and conditions of its federal
awards applicable to its federal programs.
Auditor’s Responsibility
Our responsibility is to express an opinion on compliance for each of XYZ Entity’s major federal programs based on our
audit of the types of compliance requirements referred to above. We conducted our audit of compliance in accordance
with auditing standards generally accepted in the United States of America; the standards applicable to financial audits
contained in Government Auditing Standards, issued by the Comptroller General of the United States; and the audit
requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles,
and Audit Requirements for Federal Awards (Uniform Guidance). Those standards and the Uniform Guidance require that
we plan and perform the audit to obtain reasonable assurance about whether noncompliance with the types of compliance
requirements referred to above that could have a direct and material effect on a major federal program occurred. An audit
includes examining, on a test basis, evidence about XYZ Entity’s compliance with those requirements and performing such
other procedures as we considered necessary in the circumstances.
We believe that our audit provides a reasonable basis for our opinion on compliance for each major federal program.
However, our audit does not provide a legal determination of XYZ Entity’s compliance.
Opinion on Each Major Federal Program
In our opinion, XYZ Entity complied, in all material respects, with the types of compliance requirements referred to above
that could have a direct and material effect on each of its major federal programs for the year ended June 30, 20X1.
Report on Internal Control Over Compliance
Management of XYZ Entity is responsible for establishing and maintaining effective internal control over compliance with
the types of compliance requirements referred to above. In planning and performing our audit of compliance, we
considered XYZ Entity’s internal control over compliance with the types of requirements that could have a direct and
material effect on each major federal program to determine the auditing procedures that are appropriate in the
circumstances for the purpose of expressing an opinion on compliance for each major federal program and to test and
report on internal control over compliance in accordance with the Uniform Guidance, but not for the purpose of expressing
an opinion on the effectiveness of internal control over compliance. Accordingly, we do not express an opinion on the
effectiveness of XYZ Entity’s internal control over compliance.
A deficiency in internal control over compliance exists when the design or operation of a control over compliance does not
allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and
correct, noncompliance with a type of compliance requirement of a federal program on a timely basis. A material weakness
in internal control over compliance is a deficiency, or a combination of deficiencies, in internal control over compliance,
such that there is a reasonable possibility that material noncompliance with a type of compliance requirement of a federal
program will not be prevented, or detected and corrected, on a timely basis. A significant deficiency in internal control over
compliance is a deficiency, or a combination of deficiencies, in internal control over compliance with a type of compliance
requirement of a federal program that is less severe than a material weakness in internal control over compliance, yet
important enough to merit attention by those charged with governance.
Our consideration of internal control over compliance was for the limited purpose described in the first paragraph of this
section and was not designed to identify all deficiencies in internal control over compliance that might be material
weaknesses or significant deficiencies. We did not identify any deficiencies in internal control over compliance that we
consider to be material weaknesses. However, material weaknesses may exist that have not been identified.
The purpose of this report on internal control over compliance is solely to describe the scope of our testing of internal
control over compliance and the results of that testing based on the requirements of the Uniform Guidance. Accordingly,
this report is not suitable for any other purpose.
[Auditor’s signature | Auditor’s City & State | Date of auditor’s report]
■ Schedule of findings and questioned costs - Must include:
• Summary of the auditor’s results
◦ Audit of F/S - type of opinion issued
◦ ICFR Report - if audit detected any significant deficiencies or material weaknesses in I/C
◦ Compliance Report - if audit detected any non-compliance that is material to F/S
◦ Regarding Major programs:
⇒ Identification/listing of major programs; however in case of cluster of programs, only
the cluster name as shown on Schedule of Expenditures of Federal Awards is required
⇒ Dollar threshold used to distinguish between Type A and Type B programs
⇒ Compliance Report on each major program - Type of opinion issued
⇒ I/C over Compliance - if audit detected significant deficiencies or material weaknesses
in I/C over compliance for major programs
⇒ Statement as to whether the auditee qualified as a low-risk auditee
◦ Statement as to whether the audit disclosed any Findings & Questioned costs for Federal
awards that the auditor is required to report
• Findings relating to the Audit of F/S per GAGAS
• Findings & Questioned costs for Federal awards - Include findings in sufficient detail/clarity
◦ Relating to Compliance of each major program and I/C over compliance:
⇒ Material non-compliance with provisions of Federal statutes, regulations, or terms &
conditions of Federal awards related to a major program
⇒ Also, circumstances concerning why the auditor’s report on compliance for each major
program is other than an unmodified opinion, if applicable
⇒ Known or likely fraud affecting a Federal award
⇒ Significant deficiencies and material weaknesses in I/C over major programs and
significant instances of abuse relating to major programs
◦ Questioned costs:
⇒ Known questioned costs > $25K for any compliance requirement for a major program
- Known questioned costs are those specifically identified by the auditor. However,
note that in evaluating the effect of questioned costs on the opinion on compliance,
the auditor considers the best estimate of total costs questioned (likely questioned
costs), not just the questioned costs specifically identified (known questioned costs)
⇒ Known questioned costs > $25K for a Federal program not audited as a major program
- Except for Audit follow-up, auditor is not required to perform audit procedures for a
program that is not audited as a major program; therefore, less chance of the
auditor finding questioned costs for such programs
◦ Previous audit engagements - Instances where the auditor detects that the summary
schedule of prior audit findings prepared by the entity was materially misrepresented