
CPE for Government Auditors

SECTION 8: Standards for Attestation Engagements



  • Determine whether an attestation engagement can be performed using the described project criteria
  • Distinguish among the three types of attestation engagements
  • Compare the requirements regarding internal controls, violations of contracts or grant agreements, fraud, and abuse among the three engagement types

8-1 Introduction

Chapter 5 of the Yellow Book (the attestation engagement chapter) is VERY repetitive of the chapter on financial auditing.

But instead of layering on top of the AICPA Statements on Auditing Standards (SASs) as the financial audit standards do, this chapter layers on top of the AICPA Statements on Standards for Attestation Engagements (SSAEs).

5.01 This chapter contains requirements, guidance, and considerations for performing and reporting on attestation engagements conducted in accordance with generally accepted government auditing standards (GAGAS). Auditors performing attestation engagements in accordance with GAGAS should comply with the American Institute of Certified Public Accountants (AICPA) general attestation standard on criteria, the field work and reporting attestation standards, and the corresponding statements on standards for attestation engagements (SSAEs), which are incorporated in this chapter by reference. Auditors performing attestation engagements in accordance with GAGAS should also comply with the additional requirements in this chapter. The requirements and guidance contained in chapters 1 through 3 also apply to attestation engagements performed in accordance with GAGAS.

As of September 2011 (the date of this writing), AICPA SSAEs are available for free on AICPA’s website. I cannot quote them here extensively due to copyright law. However, if you do an SSAE engagement, I suggest that you study the relevant SSAEs in detail.

Again, they are neither too long nor very complex. But what they lack in complexity they make up for in specificity. Attestation engagement reports contain very specific wording and auditors are not allowed to change it!

Any differences in language are due to the differences between these two types of engagements. SASs deal with audits while SSAEs deal with attestation engagements. Financial audits express an opinion, so they involve high-intensity audit work. SSAEs are either limited in scope or limited in intensity. The level of intensity and the scope of attestation engagements vary and depend on the type of attestation engagement: examination, review, or agreed-upon procedure.

8-1-1 What type of attestation engagement are you agreeing to perform?

Key to implementing this chapter is deciding which of the three types of attestation engagement you are performing:

  • Examination
  • Review
  • Agreed-upon procedures

An examination is the most intense engagement in the list, and the requirements for performing it closely mimic the requirements for a financial audit.

When you perform a review or an agreed-upon procedures engagement, many of the requirements do not apply. For instance, on an examination level engagement, you need to gain an understanding of the internal controls relevant to your examination subject. In an agreed-upon procedures engagement, you only do the procedures to which you agreed and do not worry about internal controls.

Here is the definition of the three levels of engagement from Chapter 2 of the Yellow Book in order of their intensity, starting with the most intense engagement first:

2.09…The three types of attestation engagements are:

a.     Examination: Consists of obtaining sufficient, appropriate evidence to express an opinion on whether the subject matter is based on (or in conformity with) the criteria in all material respects or the assertion is presented (or fairly stated), in all material respects, based on the criteria.

b.     Review: Consists of sufficient testing to express a conclusion about whether any information came to the auditors’ attention on the basis of the work performed that indicates the subject matter is not based on (or not in conformity with) the criteria or the assertion is not presented (or not fairly stated) in all material respects based on the criteria. Auditors should not perform review-level work for reporting on internal control or compliance with provisions of laws and regulations.

c.     Agreed-Upon Procedures: Consists of auditors performing specific procedures on the subject matter and issuing a report of findings based on the agreed-upon procedures. In an agreed-upon procedures engagement, the auditor does not express an opinion or conclusion, but only reports on agreed-upon procedures in the form of procedures and findings related to the specific procedures applied.

But I actually like the definitions from the SSAEs better:

AICPA ATT  101.54: In an attest engagement designed to provide a high level of assurance (referred to as an examination), the practitioner’s objective is to accumulate sufficient evidence to restrict attestation risk to a level that is, in the practitioner’s professional judgment, appropriately low for the high level of assurance that may be imparted in his or her report. In such an engagement, a practitioner should select from all available procedures – that is procedures that assess inherent and control risk and restrict detection risk – any combination that can restrict attestation risk to such an appropriately low level.

AICPA ATT  101.55: In an attest engagement designed to provide a moderate level of assurance (referred to as a review), the objective is to accumulate sufficient evidence to restrict attestation risk to a moderate level. To accomplish this, the types of procedures performed generally are limited to inquiries and analytical procedures (rather than also including search and verification procedures).

AICPA ATT  201.03: An agreed-upon procedures engagement is one in which a practitioner is engaged by a client to issue a report of findings based on specific procedures performed on a subject matter. The client engages the practitioner to assist specified parties in evaluating subject matter or an assertion as a result of a need or needs of the specified parties…. Because the needs of the specified parties may vary widely, the nature, timing, and extent of the agreed upon procedures may vary as well; consequently, the specified parties assume responsibility for the sufficiency of the procedures since they best understand their own needs…. The practitioner does not perform an examination or review and does not provide an opinion or negative assurance. Instead, the practitioner’s report on agreed-upon procedures would be in the form of procedures and findings.

Why do I like those explanations better? Because they talk about “levels of assurance.” And I ‘get’ that language. We covered this in previous sections of this text, but I think it deserves another look because of the three levels of attestation engagements.

Auditors provide assurance. They tell their clients whether something is or is not OK. They are objective, third parties who verify that the subject matter meets the criteria.

A high level of assurance means that the auditor is pretty darn sure that the subject matter meets the criteria. To be pretty darn sure, the auditor has to do a lot of work to verify that the subject matter meets the criteria.

An auditor can also work at a moderate level of assurance. This means the auditor is kinda sure that the subject matter meets the criteria. By making this weaker promise, the auditor can do less work than is necessary in giving high assurance.

Or the auditor can simply do what the client asks and make no promises about the subject matter at all. This auditor works at a “no assurance” level.

Obviously, because the auditor does more work in providing a high level of assurance than in providing a moderate level of assurance or no assurance about the subject matter, this is the most costly for the client.

In the CPA realm, when the auditor works at a high level of assurance, the term “opinion” is used. An auditor expresses an opinion on whether the financial statements are presented in accordance with GAAP on a financial audit. An auditor also expresses an opinion on an examination. In an examination, the auditor and the client agree upon the subject matter and the criteria in writing, and the auditor agrees to work at a high level of assurance.

In the CPA realm, the word “conclusion” means that the auditor works at a moderate level of assurance. Conclusions are used when the auditor conducts a review.

In the CPA realm, if asked to perform a procedure and not to draw any conclusions, an auditor is not working within the assurance scale! This auditor neither gives any assurance nor makes any promises; instead, this auditor simply lists what was done and what the results are. Agreed-upon procedure engagements provide no assurance.

Did you notice that I kept saying “In the CPA realm?” Was it too much? Did it get annoying? Well, annoying sticks in the brain! And I want you to know that CPAs see things differently than other auditors. CPAs would never take on an engagement without determining the subject matter, criteria, and level of assurance at the outset. The SASs and the SSAEs actually prevent them from being that flexible.

But flexible is the buzzword of a performance auditor. They can take on any subject matter, any criteria, and any level of assurance. And they can figure all of this out as they go along. But we’ll discuss more about those wacky, flexible performance auditors beginning in Section 9.

8-2 General Attestation Standard on Criteria

8-2-1 Firm criteria

In the CPA realm (there I go again!), auditors cannot take on an engagement unless the criteria are firm. One of the key elements of any audit is audit criteria; without them you spin your wheels in a serious way.

There are three common problems with audit criteria:

  • Irrelevant criteria
  • Vague criteria
  • Non-existent criteria

8-2-1a Irrelevant criteria

Here’s an example of irrelevant criteria. An audit team was assigned to monitor bingo halls that were supposedly run by or on behalf of charities. These bingo halls remitted part of their proceeds to the state (like a bingo tax), and the remainder of the proceeds, after operating expenses were deducted, was to go to the charity.

An ancient state law required that the tickets be pre-numbered. Because the monitoring team took on the role of verifying that the bingo halls were in compliance with state law, they always checked to make sure that the tickets were pre-numbered.

What they didn’t check was whether the bingo halls used the numbers on the bingo cards to reconcile cash to tickets sold. That was the intent of the state law. But the requirement that the entity use the pre-numbering for reconciliations was not state law.

So, the monitors would write up the client for not purchasing pre-numbered tickets, but they disagreed among themselves and with the client about whether they could write up the client for not reconciling receipts to the pre-numbered bingo cards.

8-2-1b Vague criteria

This same team suffered from other bad criteria. State law said that these entities selling tickets could use proceeds from the sale of the cards for “reasonable and necessary expenses” of running the bingo halls. But as might be expected, the monitor’s definition of reasonable and necessary did not match the client’s definition.

Was it acceptable to spend money on a party for the workers and customers of the bingo halls? The managers of the bingo halls argued that the party was necessary to reduce turnover and foster team work and that the customers loved it.

Vague criteria cause more than just fights with the client; they also cause inconsistency in audit results. On one visit, the monitor-in-charge decided that the party was an acceptable expenditure and even shared in a bit of the feast! On the second visit, a new in-charge monitor decided that not only would he not participate in the party, but he would write up the client, too!

No wonder clients sometimes become annoyed and confused. An audit without firm criteria can feel like a witch-hunt to the client.

8-2-1c Non-existent criteria

A Fortune 500 company had only a three-year-old audit team because the leadership and staff had completely turned over three years before. The new team found out early that they had no criteria with which to work.

The team was responsible for auditing approximately 30 manufacturing plants across North America. On their initial audits, the auditors determined that none of the manufacturing plants had policies or procedures in place and consistency in practices was definitely lacking. Each plant had its own way of doing things and these ways were not documented.

So, this team had no criteria against which to audit, and that made their work very difficult. The auditors hit their heads against the wall for nearly a year before they realized they were getting nowhere.

They then decided to visit each plant and write them up for not having policies and procedures. The audit team gave the plants nine months to put policies and procedures in place before conducting a follow-up audit.

The audit team also facilitated discussions about their developments among the plant managers so that they didn’t recreate what the others were doing. They reinforced the competitiveness of the plant managers by using the fast-adopting, compliant plant’s examples for the rest to emulate. Before you knew it, the auditors had criteria in place and had concrete measures against which to audit.

8-2-2 Clients have an advantage if you don’t have firm criteria

A controller of two new federal grants was about to be audited by a federal grantor. The controller had previous audit experience and was confident that she had all the records in order.

The auditor showed up and, without explaining what he was there to do, he said he wanted to look at the files. For the next three days, he sorted through files scrutinizing them for any little discrepancy.

Again, the controller was pretty confident that everything was fine, but the auditor did write up a few things. They were obscure items that were not documented in the contract or any federal standard or guideline. In other words, he was auditing without criteria!

The CFO and controller worked for the next three months to debunk the auditor’s findings, pointing out again and again that they could not be expected to read the federal government’s mind! And then, miraculously, the auditor’s boss called and said that he was withdrawing the report.

Other clients might have just rolled over and agreed with everything he said. But not these professionals! They knew that the auditor didn’t have a leg to stand on without firm criteria. And they argued successfully against every sentence in the report.

8-2-3 The standard-setting bodies are firm about criteria

If you are doing a financial audit, the criteria are laid out for you in the generally accepted accounting procedures (GAAP). GAAP is the standard to which auditors compare the organization’s financial statements in order to make their judgment and conclusions.

One of the field work standards for an attestation engagement in the Statements on Standards for Attestation Engagements (SSAEs) says that you should only take on an attestation engagement if the subject can be evaluated against clear criteria. “The practitioner [auditor] must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users.”

So, on a financial audit the criteria are laid out for you, and on an attestation engagement you can’t even start without suitable and available criteria. If you are doing a performance audit, the GAO requires that you firm up the criteria as part of the planning process, but we’ll cover that in a later section!

8-2-3a Places to get criteria

Where do you find the criteria?! The criteria may reveal themselves to you as you gather information, or you may have to dig a little bit. Don’t be afraid to ask the client to suggest criteria. They know their organization better than you do and will be more likely to buy into your conclusions and findings if they help determine the criteria.

Here are a few places you may want to look for criteria:

  • Policies and procedures
  • Internal control documentation
  • Laws and regulations
  • Industry data, measures, trends
  • Literature (articles, studies, books)
  • Purpose or goals prescribed by law or regulation or set by officials of the audited entity
  • Technically developed standards or norms
  • Expert opinions
  • Prior periods’ performance
  • Defined business practices
  • Contract or grant terms
  • Performance of other entities or sectors used as defined benchmarks

8-2-4 Document the criteria and get the client to agree

To make sure your project doesn’t suffer from bad criteria, take the following steps as early in the project as you can:

  • Document the criteria. It is always best to use written criteria that you can show the client.
  • Get the client to agree to the criteria. The client should agree to the criteria you use for evaluation. If you decide to use criteria with which they don’t agree, then they might debate your audit results. For instance, in auditing a foster care program, you may choose to use the criteria for safe foster care homes outlined in the Foster Care Association of America’s latest publication. What would be unfortunate and make most, if not all, of your audit work invalid would be this statement by the client at the exit conference, “We think the Foster Care Association of America are a bunch of liberal idiots and we have never subscribed to their standards. They are nuts!” Whoops! Time to start again.

8-2-5 Examples of objectives and related criteria

Here are some example objectives and related criteria:

Objective: Is the plant complying with purchasing guidelines issued by the corporate office?

Criteria: Purchasing guidelines issued by the corporate office.

Objective: Are foster care homes safe?

Criteria: Foster Care Association of America safety guidelines, regulations, city code.

Objective: Is the projection of future highway expenditures for the state reasonable?

Criteria: Benchmarking data/other states, historic cost, budgeting guidelines issued by the Association of Highway Engineers.

Objective: Are performance measures accurately reported?

Criteria: Performance measurement criteria discussed in The Performance Measurement Handbook by Harvard Professor Ling Lang.

(Note: I made these up! These are not real sources of criteria; these examples are provided to give you an idea of what the criteria might look like.)

Leita Hart-Fanta, CPA, CGFM

Resides in Austin, Texas and can be reached at