CHAPTER 16
ATTESTATION REPORTS
Sound financial management in the Federal Government requires a wide assortment of special reports that enable Federal executives and managers to effectively exercise their oversight responsibility and guide and control programs for which they are responsible.
Some of these special reports (performance audits and grant audits) were discussed in prior chapters. This chapter presents additional reports that are commonly utilized by Federal Agencies.
ATTEST ENGAGEMENTS
The reports and engagements discussed in this chapter are referred to as attest engagements. The Statements on Standards for Attestation Engagements (SSAEs) of the American Institute of Certified Public Accountants (AICPA) currently in effect are listed next.
- SSAE 10, Attestation Standards (ATs): Revision and Recodification (Attestation Standards (ATs) 101–401, AT 601, AT 701)
- SSAE 11, Attest Documentation (AT 101.100–101.108, AT 201.27–AT 201.30, AT 301.17, AT 301.32)
- SSAE 12, Amendment to Statement on Standards for Attestation Engagements No. 10, Attestation Standards: Revision and Recodification (AT 101.17, AT 101.18)
- SSAE 13, Defining Professional Requirements in Statements on Standards for Attestation Engagements (AT 20)
- SSAE 14, SSAE Hierarchy (AT 50)
- SSAE 15, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated with an Audit of Its Financial Statements (AT 501)
- SSAE 16, Reporting on Controls at a Service Organization (AT 801)
- SSAE 17, Reporting on Compiled Prospective Financial Statements When the Practitioner’s Independence Is Impaired (AT 301.23)
For government engagements, the guidance also includes Chapter 5 (“Standards for Attestation Engagements”) of the Government Auditing Standards (2011 revision, Yellow Book) of the Government Accountability Office (GAO).
Attestation Standards
As is the case with financial audit engagements, attestation engagements are to be executed in accordance with certain basic standards developed by the AICPA. These standards, which are similar but not identical to the audit standards, are set forth in AT 50 and are summarized next.
General Standards
1. The engagement shall be performed by a practitioner having adequate technical training and proficiency to perform the attestation engagement.
2. The practitioner must have adequate knowledge of the subject matter.
3. The practitioner must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users.
4. The practitioner must maintain independence in mental attitude in all matters related to the engagement.
5. The practitioner must exercise due professional care in the planning and performance of the engagement and the preparation of the report.
Standards of Fieldwork
1. The practitioner must adequately plan the work and must properly supervise any assistants.
2. The practitioner must obtain sufficient evidence to provide a reasonable basis for the conclusion that is expressed in the report.
Standards of Reporting
1. The practitioner must identify the subject matter or assertion being reported on, and state the character of the engagement in the report.
2. The report shall state the practitioner’s conclusion about the subject matter or the assertion in relation to the criteria against which the subject matter was measured.
3. The practitioner must state all of the practitioner’s significant reservations about the engagement, the subject matter, and, if applicable, the assertion related thereto in the report.
4. The practitioner must state in the report that the report is intended solely for the information and use of the specified parties under the following circumstances:
- When the criteria used to evaluate the subject matter are determined by the practitioner to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria.
- When the criteria used to evaluate the subject matter are available only to specified parties.
- When reporting on subject matter and a written assertion has not been provided by the responsible party.
- When the report is on an attestation engagement to apply agreed-upon procedures (AUPs) to the subject matter.
Additional Government Standards in the Execution of Attestation Engagements
As noted earlier, Chapter 5 of the Yellow Book adds additional standards. These standards are summarized next.
Additional Fieldwork Standards
- Communicate to management and relevant oversight organizations, including legislative committees, when there are appropriate findings that in the auditor’s judgment are significant and pertinent to the organization contracting the auditor’s services. (Sections 5.04–5.05)
- Consider previous audits and attestation engagements, and determine whether recommendations were followed by appropriate follow-up corrective action. Consider whether testing the effectiveness of compliance with recommended corrective action is warranted. (Section 5.06)
- Incorporate fraud and abuse detection procedures in the testing, including testing for noncompliance with laws and regulations and, when applicable, compliance with Federal contract and grants agreements. (Sections 5.07–5.10)
- Ensure that the documentation and, when applicable, the report of findings clearly identify these elements of the finding: criteria, condition, cause, and effect. (Sections 5.11–5.15)
- Ensure compliance with expanded documentation requirements, including the adoption of the “experienced auditor” standard, documentation of supervisory review, documentation of departures from generally accepted government auditing standards (GAGAS), and making audit documentation and the auditors involved in the execution of the engagement available to appropriate reviewers and other auditors. (Sections 5.16–5.17)
Additional Reporting Standards
- Disclose in the report that the examination was conducted in compliance with GAGAS. (Section 5.19)
- Report significant deficiencies and material weaknesses in internal controls; instances of fraud; events of noncompliance with laws, regulations, and contracts; and abuses that affect the assertion. (Sections 5.20–5.26)
- Report all findings to management and include management responses in the report. When appropriate, report findings to other stakeholders, such as those charged with governance (e.g., in cases of significant noncompliance with laws and regulations, fraud, etc.). (Sections 5.29–5.38)
- When pertinent information cannot be publicly disclosed (e.g., classified information), disclose that certain information has been omitted as well as the reasons for doing so. (Sections 5.39–5.43)
- Ensure that rules are followed in the distribution of reports. (Section 5.44)
The attestation engagements discussed in this chapter must comply with the standards discussed in this section.
Reports on Management’s Assertions
Reports on management’s assertions typically address compliance with specific requirements that an entity is required to meet. Compliance with requirements may take numerous forms, including compliance with laws and regulations, contractual covenants, specific entity policies, and so on.
Within the Federal Government, a common use of these types of reports concerns the execution of an agency’s oversight function. Such reports can be very useful in evaluating Federal grantees and contractors, including entities participating in major Federal programs such as Medicare and Medicaid.
A report on management’s assertion is always interchangeable with a report on a subject matter. This is true because the assertion itself addresses compliance with a subject matter. The auditor always has the option (assuming the client concurs) to report on compliance with a subject matter instead of the assertion. The discussion in this chapter applies equally to reports on compliance with a subject matter; the only difference is the wording included in the clean opinion example. In this instance, the auditor reports on the subject matter directly in the introductory and opinion paragraphs.
In many respects, the approach to the execution of this engagement parallels the execution of financial audits. As with financial statement audits, the effort normally consists of a planning phase, an internal control evaluation phase, a testing phase, and a reporting phase. The difference, of course, lies in what happens during the execution of each phase.
Determining the Feasibility of the Engagement
At the outset, the auditor must determine whether it is possible to evaluate compliance at all (General Standard No. 3). In fairness, this possibility must be considered before the auditor is engaged to execute the project. In practice, this determination may not be feasible until additional information becomes available during the planning phase. Very seldom is establishing the feasibility of the project straightforward; generally it requires the exercise of judgment.
Thus, besides providing for an effective audit approach governing the execution of latter phases, a successful engagement approach must consider the next questions/issues:
There are no fast rules to guide the auditor’s decision regarding the feasibility of this type of engagement. The decision often is a subjective one. Basic requirements in support of this decision must include a well-defined yardstick (e.g., clear rules and regulations) against which performance activities can be measured and the presence of audit trails that document whether the requirements (e.g., rules and regulations) were complied with during the performance of the relevant activities.
- How can we tell right from wrong?
Having established the feasibility of measuring performance, the auditor must consider materiality. If anything, this is more subjective than the previous endeavors. The definition of materiality requires an in-depth understanding of the subject matter, including a consideration of both the letter and the spirit of the requirement. In this respect, it is essential to obtain management views regarding materiality. This is particularly relevant when the auditor is engaged by a government agency to assess compliance by a third party. While the auditor must maintain independence in the definition of materiality, the engagement will be of little use to the client if there is a significant difference of opinion regarding materiality. The ability to determine materiality rests on the answers to the next question.
- Can we do it or do we need help?
To establish materiality (e.g., what percentage of noncompliance is unacceptable), it is important that members of the audit team have both experience with the subject matter addressed by management’s assertion and related requisite technical skills. It is not unusual for engagements of this nature to require the retention of subject matter experts (SMEs). For example, the execution of this type of engagement in connection with Medicare and Medicaid programs often requires the services of actuaries and medical professionals. However, the presence of an SME does not lessen the requirement for auditors to have the requisite experience with the subject matter being evaluated.
It is essential that the auditor carefully document his or her decision-making process and clearly set forth why in his or her judgment the engagement can be executed. Once the questions posed earlier are answered, the planning phase can be completed.
Internal Controls and Related Testing
Typically, planning provides for a risk-based approach similar to that used in the execution of financial audits. In this regard, it is important to note that the identification of internal controls and related testing of controls that assist in promoting compliance with the subject matter covered by the assertion is essential to the successful execution of the engagement. The urge to jump directly into testing without considering risk and internal controls must be avoided.
Reporting
We have included selected opinions as examples of reports on management’s assertions. To comply with GAO standards, AT Interpretation 9101.58 suggests auditors consider adding the following additional paragraph:
In accordance with Government Auditing Standards, we are required to report significant deficiencies in internal control, identifying those considered to be material weaknesses, violations of provisions of contracts or grant agreements, and abuse that could have a material effect on [subject matter], and any fraud and illegal acts that are more than inconsequential that come to our attention during our examination. We are also required to obtain the views of management on those matters. We performed our examination to express an opinion on whether [subject matter] is presented in accordance with the criteria described above and not for the purpose of expressing an opinion on the internal control over [subject matter] or on compliance and other matters; accordingly, we express no such opinions. The results of our examination did not disclose any matters required to be reported under Government Auditing Standards [or: Our examination disclosed certain findings that are required to be reported under Government Auditing Standards and those findings, along with the view of management, are described in the attached Schedule of Findings].
We believe this paragraph or similar language should be added/reported whenever Yellow Book standards apply. In the interest of brevity, the examples presented next omit this paragraph.
Exhibit 16.1 presents an example of an unqualified report on management’s assertion.
EXHIBIT 16.1 Examination Report on Management’s Assertion (Unqualified Opinion)
Independent Accountant’s Report
To [Federal Agency]
We have examined management’s assertion [identify the assertion]. [Auditee]’s management is responsible for the assertion. Our responsibility is to express an opinion on the assertion based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence supporting management’s assertion and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.
In our opinion, management’s assertion referred to above is fairly stated, in all material respects, based on [identify established or stated criteria].
This report is intended solely for the information and use of [Federal Agency] and is not intended to be and should not be used by anyone other than these specified parties.
Firm’s Signature
DATE
Qualified and adverse opinions require (1) changes to the introductory paragraph, (2) introduction of an explanatory paragraph discussing noncompliance, and (3) an opinion paragraph addressing the subject matter directly and not management’s assertion. Exhibit 16.2 is an example of a qualified (or adverse) report on management’s assertion.
EXHIBIT 16.2 Examination Report on Management’s Assertion (Qualified or Adverse Opinion)
We have examined [subject matter]. [Auditee]’s management is responsible for [subject matter]. Our responsibility is to express an opinion based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence supporting [subject matter] and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.
Our examination disclosed the following [describe material misstatement or deviation from criteria].
The preceding introductory and explanatory paragraphs are used for both qualified and adverse opinions. As is the case with the introductory paragraph, qualified and adverse opinions address the subject matter directly, not the assertion. An example of a qualified opinion paragraph appears next.
In our opinion, except for the material misstatement [or deviation from the criteria] described in the preceding paragraph, [subject matter] referred to above, presents, in all material respects, [subject matter] based on [criteria].
If the noncompliance warrants an adverse opinion, the opinion paragraph should read as follows:
In our opinion, because of the material misstatement [or deviation from the criteria] described in the preceding paragraph, [subject matter] referred to above does not comply with the aforementioned [criteria].
Disclaimers require a different introductory paragraph since auditors were unable to issue an opinion:
We were engaged to examine [subject matter]. [Auditee]’s management is responsible for the [subject matter].
Since we were unable to execute the necessary procedures as a result of scope restrictions, there is no scope paragraph. Instead, the report requires an explanatory paragraph setting forth the scope limitations.
Finally, if a disclaimer is issued instead of an opinion we insert a disclaimer paragraph:
Because of the restriction on the scope of our examination discussed in the preceding paragraph, the scope of our work was not sufficient to enable us to express, and we do not express, an opinion on whether [subject matter] referred to above presents, in all material respects, [subject matter] based on [criteria].
Practical Consideration
Care should be exercised in ensuring that qualified and adverse opinions address the subject matter and not the representation by management. It is not unusual for Federal Agencies and even some practitioners to not be aware of or to simply forget about this requirement. Keep in mind that this is a requirement and not an option, as is made clear by AT 601.64 (qualified opinion) and AT 601.66 (adverse opinion). While the guidance uses the term should, we see no reason why a practitioner should go out of his or her way to justify a departure (i.e., report on the assertion directly) given the revised guidance included in AU-C 200.25 regarding deviations from “presumptively mandatory requirements” (i.e., when they should be used) and the arguably onerous documentation requirements imposed by AU-C 230.13 when a deviation from the guidance occurs.1 All departures from a clean opinion are addressed by AT 601.63. However, the guidance for disclaimer reports is not fully covered by AT Section 601. Instead, AT 601.63 refers the reader to AT 101.73 and 101.74 for guidance. This guidance does not indicate whether the report should address the subject matter directly. Thus, it is not clear whether disclaimers should also address the subject matter and not the representation.
Since directly addressing the subject matter is always an option, there is no reason to adopt a position not directly sanctioned by the guidance. Thus, the example provided for disclaimers also addresses the subject matter and not management’s representation.
All of the reports just discussed contain a final paragraph restricting distribution. This restriction is not mandatory unless the auditor determines that the criteria used to evaluate compliance are available only to the parties involved in the assertion or to a limited number of parties. However, AT 601.62 states that the auditor is free to restrict distribution of the report if he or she so desires. Due to the often complex nature of compliance requirements with Federal regulations, as a practical matter, the auditor generally should restrict distribution of the reports.
Reports on Agreed-Upon Procedures
Arguably, the most distinguishing characteristic of AUPs is the fact that the client/auditee and not the auditor is responsible for identifying and developing the procedures to be performed. However, it is important to note that the auditor is still responsible for ensuring that: (1) the subject matter is capable of being evaluated (General Standard No. 3); (2) the parties involved agree on the sufficiency and relevancy of the procedures; (3) the auditor (with the aid of specialists if necessary) has the expertise to execute the procedures; and (4) the procedures themselves can be objectively stated or defined without requiring a significant amount of judgment during execution and/or evaluation of results. Additional requirements are documented in AT 201, Agreed-Upon Procedures Engagements.
In general, the procedures can take one of two forms:
- A client/auditee responsible for the subject matter requests that certain procedures be performed.
- A client requests that certain procedures be performed on a third party where the third party is responsible for the subject matter. In these instances, the client typically has the ability to influence the third party in connection with the execution of activities surrounding the subject matter (e.g., the client has enforceable oversight responsibilities over the third party).
Both forms of an Agreed-Upon Procedures Report are common to the Federal Government. The first form is useful to management and other stakeholders of the Federal Agency and the second is useful in carrying out agency oversight and/or regulatory duties.
Exhibit 16.3 is an example of such a report issued by GAO regarding certain Department of Transportation activities.
November 3, 2011
To: U.S. Department of Transportation
We have performed the procedures described in the enclosure to this letter, which we agreed to perform and with which you concurred, solely to assist your office in ascertaining whether the net excise tax revenue distributed to the Highway Trust Fund (HTF) for the fiscal year ended September 30, 2011, is supported by the underlying records.
We conducted the engagement in accordance with U.S. generally accepted Government auditing standards, which incorporate certain financial audit and attestation standards established by the American Institute of Certified Public Accountants.
You are responsible for the adequacy of these agreed-upon procedures to meet your objectives, and we make no representation in that respect. The procedures we agreed to perform were related to (1) transactions that represent the underlying basis of amounts distributed from the general fund to the HTF during fiscal year 2011, (2) the Internal Revenue Service’s (IRS) quarterly HTF excise tax receipt certifications prepared during fiscal year 2011, (3) the U.S. Department of the Treasury’s Financial Management Service adjustments to HTF excise tax distributions during fiscal year 2011, (4) the U.S. Department of the Treasury’s Office of Tax Analysis’s (OTA) estimates of excise tax amounts to be distributed to the HTF for the fourth quarter of fiscal year 2011, (5) adjustments to the HTF for tax on kerosene used in aviation during fiscal year 2011, and (6) the amount of net excise taxes distributed to the HTF during fiscal year 2011. The enclosure provides more detail on the agreed-upon procedures and our results.
We were not engaged to perform, and did not perform, an examination, the objective of which would have been to express an opinion on the amount of net excise taxes distributed to the HTF during fiscal year 2011. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that we would have reported to you. We completed the agreed-upon procedures on October 26, 2011.
We provided a draft of this letter, along with the enclosure, to IRS and OTA officials for review and comment. IRS and OTA agreed with the results and findings presented in the enclosure relating to each agency’s respective responsibilities as it pertains to excise tax distributions to the HTF during fiscal year 2011.
This report is intended solely for the use of the Office of Inspector General of the U.S. Department of Transportation and should not be used by those who have not agreed to the procedures or have not taken responsibility for the sufficiency of the procedures for their purposes.
Next is a description of two of the procedures performed, selected from the enclosure to the GAO report.
Procedure 1
Compare the assessment amounts for diesel fuel tax and gasoline tax, abstracts 60 and 62, respectively, from the tax return to Internal Revenue Service’s master file for agreement.
Description of Findings and Results 1
The assessment amounts for diesel fuel tax and gasoline tax, abstracts 60 and 62, respectively, on the tax return, agreed with the master file for all 21 returns containing primarily HTF-related tax liabilities.
Procedure 2
Calculate the assessment amounts on the tax return for the selected abstracts to determine whether they are mathematically correct.
Description of Findings and Results 2
The taxpayers’ calculations for the selected abstracts were mathematically correct on all 21 returns containing primarily HTF-related tax liabilities.
Source: GAO-12-139R, Fiscal Year 2011 Agreed-Upon Procedures for Excise Tax Distributions to the Highway Trust Fund, November 3, 2011.
Practical Consideration
A very unusual feature of this type of engagement is that the auditor expresses no opinion. Note from the examples the objective nature of this type of report.
This fact is not always apparent to management that engages this service. Disappointment with the professional services provided is always a risk, even if the auditor conducted an efficient and effective engagement and complied with all professional requirements.
The auditor should be aware that it is not unusual for initial procedures developed by the client to require significant judgment on the part of the auditor. Worse, if the client is not made fully aware of the nature of the service, the auditor risks being called on the carpet and asked to justify the value of the services provided.
To avoid these issues, it is important that the client is made aware of the auditor’s role and specifically the lack of the auditor’s opinion. It is important that this matter be thoroughly discussed with the client and documented in an engagement letter signed by the auditor and the client. The engagement letter should include the procedures to be performed. In this respect, the need to carefully evaluate the procedures cannot be overemphasized. Informing the client on an after-the-fact basis that a certain procedure is contrary to AICPA attestation guidance can be very embarrassing.
Reports on Internal Controls
AT Section 501 addresses reporting on internal controls over financial reporting concurrent with the execution of a related audit of the financial statements. Reports on internal controls have always been an integral part of reports that comply with the Yellow Book. Even though these reports are not new to the commercial arena, they did not become common until the creation of the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) and PCAOB requirements that the auditor’s report on SEC filings contain opinions on internal controls over financial reporting.
While certain Federal Agencies receive opinions on internal control as part of their annual audit, the most common practice, sanctioned by the Office of Management and Budget (OMB), is to allow the issuance of a disclaimer in the auditor’s report on internal controls. A sample OMB-sanctioned report on internal controls (including a disclaimer) appeared in the appendix to Chapter 12.
In general, an audit of internal controls follows the same phases as a financial statement audit and, in fact, is incorporated with the procedures being performed to issue an opinion on the financial statements. In developing the scope for a first-time audit of internal controls, the extent to which the auditor had in the past relied on internal controls to audit the entity’s financial statements determines the expanded procedures to be performed.
A financial audit evaluates systems of internal controls for the purpose of issuing an opinion on the financial statements. When executing a financial statement audit, the auditor chooses the most effective combination of internal control reliance (and related testing) and substantive account balance testing. When issuing an opinion on internal control, the auditor considers the initial evaluations and performs additional procedures as necessary to support his or her opinion. It is anticipated that the more the auditor relies upon a system, the less work will be required to support an opinion on controls since there is a presumption that systems worthy of high reliance will be heavily tested by the auditor. By contrast, where the auditor decides that substantive testing is more efficient, the auditor may need to expand his or her scope beyond mere compliance with the Yellow Book requirement to test all significant systems regardless of the auditor’s decision to rely on substantive procedures. Finally, where the auditor determines that the system is not reliable, he or she must consider this factor in deciding whether this weakness requires a departure from a clean opinion (e.g., qualified, adverse, or in certain cases disclaimed).
The reader is referred to Chapters 9 through 12 of this book and AT 501 for further guidance. In Exhibit 16.4, we have included a sample clean opinion adapted to a Federal Agency and designed to comply with the example in AT 501.169.
EXHIBIT 16.4 Independent Auditor’s Report on Internal Control
We have examined [Federal Agency]’s internal control over financial reporting as of September 30, XXXX, based on criteria established under 31 U.S.C. § 3512 (c), (d), commonly known as the Federal Managers’ Financial Integrity Act of 1982 (FMFIA). [Federal Agency]’s management is responsible for maintaining effective internal control over financial reporting and for its assertion of the effectiveness of internal control over financial reporting, included in the accompanying management’s assertion on internal control. Our responsibility is to express an opinion on [Federal Agency]’s internal control over financial reporting based on our examination.
We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants and applicable standards contained in Government Auditing Standards issued by the Comptroller General of the United States. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our examination included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our examination also included performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.
An entity’s internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with accounting principles generally accepted in the United States of America. An entity’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with accounting principles generally accepted in the United States of America, and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection of and correction of unauthorized acquisition, use, or disposition of the entity’s assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
In our opinion, [Federal Agency] maintained, in all material respects, effective internal control over financial reporting as of September 30, XXXX, based on criteria established under 31 U.S.C. § 3512 (c), (d), commonly known as the Federal Managers’ Financial Integrity Act of 1982 (FMFIA).
We have also audited, in accordance with auditing standards generally accepted in the United States of America and applicable standards contained in Government Auditing Standards issued by the Comptroller General of the United States, the financial statements of [Federal Agency] and our report dated [date of report, which should be the same as the date of the report on the examination of internal control] expressed [include nature of opinion].
[Signature]
[Date]