Ernst & Young LLP
Suite 1800
950 Main Ave.
Cleveland, OH 44113
Tel: +1 216 861 5000
ey.com
Ms. Sherry Hazel Booth
Audit and Attest Standards
American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, New York 10036-8775
29 November 2013
Proposed Statement on Standards for Attestation Engagements,
Attest Standards: Clarification and Recodification
Dear Ms. Hazel:
Ernst & Young LLP (“Ernst & Young”) is pleased to submit this comment letter to the Auditing Standards
Board (ASB) in response to the ASB’s request for comment regarding the above- referenced proposed
Statement on Standards for Attestation Engagements (proposed ATs).
We support the issuance of these proposed ATs. We agree with the ASB’s strategy to move forward with
the clarity redraft of the attestation standards, so they are consistent with the format of the clarified SASs
that were issued as SAS No. 122, Statements on Auditing Standards: Clarification and Recodification.
*
*
*
*
*
Attached is our response to each of the ASB’s three questions for respondents as well as comments
related to the proposed ATs for your consideration. We would be pleased to discuss any of our comments
with members of the ASB or its staff.
Sincerely,
A member firm of Ernst & Young Global Limited
Attachment
1
Responses to guide for respondents
Question 1: Are the objectives of the practitioner in each of the chapters appropriate?
Yes. We believe the objectives of the practitioner are appropriate.
Question 2. Are the substantive and language changes to extant AT sections 20, 50, 101 and 201
made by the exposure draft appropriate?
Yes. We believe the differences between the proposed ATs and extant AT sections 20, 50, 101 and 201
are appropriate. Specifically, we agree with:
►
�Restructuring the attestation standards
►
�Requiring an assertion in examinations and reviews
►
�Requiring representation letters in examinations and reviews
►
�Requiring risk assessments for examination engagements
►
�Incorporating detailed requirements
►
�Separating the discussion of review engagements
►
�Scope limitation imposed by the engaging party or the responsible party
Question 3. Are there considerations for less complex entities and governmental entities that should
be addressed in the exposure draft?
No. We have not identified any additional considerations to address less complex or governmental
entities.
Attachment
2
Comments for consideration
Overall comments that affect multiple chapters of the proposed ATs:
►
►
►
►
We recommend that the two column format continue to be utilized for all of the attestation
standards when issued. For the exposure draft, the ASB utilized the side by side presentation of
the requirements with the application guidance, instead of the auditing standards sequential
presentation (requirements followed by application guidance) to facilitate reference and review.
We believe practitioners would also benefit from the use of this convention.
We suggest that the requirements and application guidance related to the use of internal audit
or others be updated for the Proposed Statement on Auditing Standards, Using the Work of
Internal Auditors.
We ask the ASB to consider adding application guidance to the requirements related to
engagement agreement for Chapters 2, 3 and 4 that explains that completion of the engagement
is contingent on the material cooperation of the responsible party and the responsibilities of the
engaging party in procuring such cooperation (e.g. paragraph 2.A.3 for attestation engagements).
The term deviation is used in three different ways throughout the proposed ATs. It is primarily
used in reference to deviating from the criteria and differences observed from control testing
(e.g., paragraph 2.22). However, it is also used as a synonym for misstatement (e.g., in the definition
of misstatement) and as a term to explain a difference when sampling is used (e.g., 2.A.26).
We suggest that the term be limited to describe deviations from the criteria and differences from
control testing.
Chapter 2 — Examination Engagements
►
Paragraphs 2.34 – 2.35 of the proposed ATs addresses the use of the work of internal audit.
Paragraph 2.36 addresses the use of the work of other practitioners. Since in many cases
companies separately engage accounting firm personnel through an outsourcing or co-sourcing
arrangement to act as an internal audit function, we suggest that an application paragraph be
added which would permit the use of work performed by an accounting firm personnel through an
outsourcing or co-sourcing arrangement to act as an internal audit function, and other similar
activities.
We suggest the following paragraph, adapted from the Proposed SAS, Using the Work of Internal
Auditors, be added as application guidance after paragraph 2.A41:
Activities similar to those performed by an internal audit function may be conducted by
functions with other titles within an entity. Some or all of the activities of an internal audit
function may also be outsourced to a third- party service provider. Neither the title of the
function nor whether it is performed by the entity or a third- party service provider are sole
determinants of whether or not the practitioner can use the work of internal auditors. Rather it
is the nature of the activities, the extent to which the internal audit function’s organizational
status and relevant policies and procedures support the objectivity of the internal auditors,
Attachment
3
competence, and systematic and disciplined approach of the function that are relevant.
References in this attestation standard to the work of the internal audit function include
relevant activities of other functions or third- party providers that have these characteristics.
►
The proposed standard does not address the use of other assurance standards outside of the
AICPA. It is becoming common practice to perform an assurance engagement applying
International Standards for Assurance Engagements, or an assurance standard accepted in
another country, at the same time a practitioner performs an examination engagement applying
AICPA standards. For example, it is not uncommon for a practitioner to be engaged to report on
International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on
Controls at a Service Organization, at the same time they are reporting on AICPA SSAE No. 16,
Reporting on Controls at a Service Organization.
We suggest adding the following requirement paragraph to Chapter 2 of the proposed ATs that
permits such reporting, similar to AU-C 910.11 and AU-C 910.12 in the auditing standards:
If the practitioner is engaged to obtain assurance and report in accordance with an assurance
framework generally accepted in another country, and the agreed-upon terms of the
engagement require the practitioner to apply either the accepted assurance standard(s) of
another country or International Standard(s) on Assurance Engagements, the practitioner
should obtain an understanding of and apply the relevant assurance standard(s), as well as the
attestation standards established by the AICPA, except for requirements related to the form
and content of the report in the situation described below.
If the practitioner is reporting on a subject matter or assertion prepared in accordance with an
assurance framework generally accepted in another country that are intended for use only
outside the United States, the practitioner should report using either:
a.
a U.S. form of report that reflects that the subject matter or assertion being reported
on have been prepared in accordance with an assurance framework generally accepted in
another country, including
i.
the elements required by these attestation standards
ii. a statement that refers to the note to the subject matter or assertion that describes
the basis of presentation of the subject matter or assertion on which the practitioner is
reporting, including identification of the country of origin of the criteria, or
b. the report form and content of the other country (or, if applicable, as set forth in the ISAs),
provided that
i.
such a report would be issued by practitioners in the other country in similar
circumstances,
ii. the practitioner understands and has obtained sufficient appropriate evidence to
support the subject matter or assertion contained in such a report, and
Attachment
4
iii. the practitioner has complied with the reporting standards of that country and
identifies the other country in the report.
We further suggest adding the following application guidance to Chapter 2 of the proposed ATs:
Practitioners are often engaged to apply an International Standard for Assurance
Engagements, or an assurance standard accepted in another country, at the same time a
practitioner applies AICPA attestation standards. Most commonly, the practitioner will be
applying just one non-AICPA attestation standard, but could be applying multiple non-AICPA
standards. In most cases, the form of the report will conform with the AICPA attestation
standards. For example, it is not uncommon for a practitioner to be engaged to report on
International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on
Controls at a Service Organization, at the same time they are reporting on AICPA SSAE No. 16,
Reporting on Controls at a Service Organization.
Applying either the assurance standards of another country or the ISAEs may require the
practitioner to perform procedures in addition to those procedures required by the AICPA
Attestation Standards. An understanding of the assurance standards of another country or the
ISAEs may be obtained by reading the statutes or professional literature, or codifications
thereof, which establish or describe such standards. Statutes or professional literature, or
codifications thereof, however, may not include a complete description of the assurance
practices in another country. The practitioner may consult with persons having expertise in,
including practical experience in applying, the assurance standards of the other country or the
ISAEs, as relevant.
►
The report examples provided in the proposed ATs are structured the same as in the extant
attestation standards, which is different than the auditor reports examples in the clarified auditing
standards.
We suggest that the attestation report requirements be aligned as closely as possible with the
audit report requirements and examples. For example, the ASB should consider requiring a
separate and robust paragraph describing the responsibilities of the responsible party and
separate labeled paragraphs for qualified, adverse and disclaimer of opinions.
►
We suggest that the ASB consider including application guidance in the proposed ATs
considerations for addressing situations in which the practitioner initially concluded that the
criteria would likely be suitable, but after the performance of procedures commenced realized that
the criteria are not suitable. In this situations, we recommend that if the specific criteria:
1. are required by law, then the practitioner should disclaim
2. can’t be modified, then the practitioner should withdraw, or
3. are permitted to be modified, then the practitioner should modify the criteria
Attachment
5
►
We recommend the following change to Paragraph 2.A23:
When the subject matter is internal control, the practitioner obtains evidence of internal
control effectiveness through tests of controls. If the responsible party has implemented
effective monitoring of internal control, the practitioner may choose to test the monitoring
component to reduce the assessment of control risk and the extent of tests of controls needed
to achieve an appropriately acceptably low level of attestation risk. (Ref: par. 2.21)
►
The proposed ATs appropriately require practitioners to obtain representations from the
responsible party. However, in practice, it is sometimes difficult for a practitioner to obtain
representations from the responsibly party when the responsible party is not the engaging party.
We believe that the application guidance Agreeing on the terms of the engagement in paragraphs
2.A.1 – 2.a.5 of chapter 2 of the proposed ATs should be modified to be clear that the responsibility
rests with the engaging party, not the practitioner, in obtaining such representations.
We suggest the following change to paragraph 2A3:
When the responsible party is not the engaging party, the engagement letter or other written
agreement regarding the terms of the engagement may include details about the responsibilities
of the responsible party and those of the engaging party. The responsibility rests with the
engaging party, not the practitioner, in obtaining such representations. (Ref: par. 2.6[c])
►
Paragraph 1.10k in chapter 1 of the proposed ATs defines fraud as an intentional act involving the
use of deception that results in a misstatement. Extant AT 801 more broadly addresses “intentional
acts.” We suggest that paragraph 2.29 of the proposed ATs, and other paragraphs as appropriate,
should be revised to address “fraud and other intentional acts” affecting the subject matter.
Therefore, we recommend the following change to paragraph 2.29:
The practitioner should make inquiries of appropriate parties to determine whether they have
knowledge of any actual, suspected, or alleged intentional acts, including fraud, or
noncompliance with laws or regulations affecting the subject matter.
►
We believe practitioners would benefit from additional application guidance in assessing inherent
risk, similar to what is currently in extant AT 601.33. Therefore, after paragraph 2.A.11 we
suggest adding the following application guidance:
In assessing inherent risk, the practitioner may consider factors affecting risk similar to those
an auditor would consider when planning an audit of financial statements. In addition, the
practitioner may consider factors relevant to examination engagements, such as the following:
►
The complexity of the subject matter or assertion
►
The length of time the entity has experience with the subject matter or assertion
►
Prior experience with the entity's assessment of the subject matter or assertion
►
The potential effect of the practitioner not providing an umodified report on the subject
matter or assertion
Attachment
6
Chapter 4 — Agreed-Upon Procedures Engagements
►
►
We ask that the ASB consider if Chapter 4, Agreed-Upon Procedures, should be in the general
section of the attestation standards or should be in another part of the codification (e.g., as a
standalone section) since practitioners don’t obtain assurance for such engagements. In addition
to the services covered in the proposed ATs, we believe there are opportunities in the market for
additional services that are not addressed in the proposed ATs. We acknowledge that it is likely out
of scope of the recodification project, but suggest the ASB consider developing standards for a
service in which practitioners could report on specified procedures without the third party
acknowledging sufficiency of the procedures. We believe there would be value to such a service
since there are situations in which the engaging party has not developed an assertion but has
been requested to have certain procedures assessed in order to comply with a regulation or meet
another party’s contractual obligation (e.g., an entity that wishes to report the performance of
specified procedures to customers to demonstrate progress on a specific matter, but for which it
would be impractical to request agreement to sufficiency of procedures).
We believe that the Practitioner should be made aware by the responsible party of known issues of
non-compliance. To be consistent with extant AT 601.68 e), we suggest adding the following to
paragraph 4.A24 g):
the responsible party has disclosed to the practitioner all known matters of noncompliance in
the areas that the agreed-upon procedures were designed to test
►
When the engaging party is not the responsible party, we believe that the Practitioner may also
want to obtain written representations from the engaging party (in addition to the responsible
party). We suggest adding after paragraph 4.A.24:
When the engaging party is not the responsible party, the practitioner may also want to obtain
written representations from the engaging party. For example, when the engaging party has
entered into a contract with the responsible party and the practitioner is engaged to perform
agreed-upon procedures relevant to the responsible party's compliance with that contract, the
practitioner may want to obtain written representations from the engaging party as to their
knowledge of any noncompliance.
►
We believe additional application guidance related to the importance of including precision in
describing procedures performed should be provided in paragraph 4.A.20. We believe precisely
describing procedures in a report will reduce the risk of misunderstanding by users and also
reduce engagement risk.
We ask the ASB to consider including:
1. Date the procedure was performed
2. Period over which sample items were drawn
3. Sources of information used in performing the procedure
Attachment
7
►
In order to be consistent with Chapters 2 and 3, we recommend that the requirement section in
Chapter 4 of the proposed ATs related to written representation add:
If the practitioner elects to obtain a written representation, the date of the written representation
should be as of the date of the agreed-upon procedures report. The written representations
should address the subject matter and periods referred to in the practitioner’s report.