SSAE 19 Changes the Landscape for Agreed-Upon Procedures Engagements

By Duncan B. Will

All services performed by accountants have some level of risk associated with them. Auditors have traditionally experienced the highest-severity claims, but these claims are among the least common. Claims involving tax preparation services have been the most common, but among the least severe. From CAMICO's experience, agreed-upon procedures (AUP) engagements have historically been the safest services whether measured by frequency or severity. That's about to change.

The risk to CPAs performing AUP engagements has been miniscule because the procedures performed are specified by the parties engaging the accountant; those parties agree that the procedures are sufficient for their needs; and the accountants' findings from having performed those procedures are presented in reports that don’t provide an opinion or conclusion and aren't to be shared with anyone but those who have agreed that the procedures are sufficient for their needs.

Where’s the risk? From not having performed the correct procedures? Not really; the users of the report agreed that the specified procedures were sufficient for their needs, and the resulting reports detail the procedures and the resulting findings. If those procedures or findings were suspect, users could seek clarification or request the procedures be expanded.

If the report were to be used by parties other than the specified users, then any allegations of harm from reliance upon the report would lack standing because the report was never intended for their use. From a risk management perspective, the legacy AUP engagement is the gold standard. The service has been the least "risky" and all but bulletproof.

The only perceived downsides involve impaired independence and triggering peer review when the firm was otherwise not subject to peer review. An AUP is an attest engagement, so CPAs must be independent to perform them. And AUPs are subject to peer review, so if your firm isn't otherwise subject to peer review, the performance of an AUP engagement would subject the firm to an engagement review.

So, what’s changed? In December 2019, the AICPA's Auditing Standards Board issued SSAE 19, Agreed-Upon Procedures Engagements.1 The new standard supersedes SSAE 18 section 215, also entitled Agreed-Upon Procedures Engagements. No longer mandating that practitioners request assertions from responsible parties is a celebrated change, but from a risk management perspective, the benefits of the new pronouncement can be outweighed by the erosion of safety, which had been baked into AUP engagements.

Many herald SSAE 19's arrival, but those who do may not perceive the expanded risk, or plan to address the additional risk with stronger engagement terms and by taking additional precautions. Sadly, few accountants recognized or celebrated the legacy AUP engagement and may not perceive the risk associated with the flexibility provided by the new standard. Oblivious to the expanded risk, accountants may accept and perform the new AUP service and experience claims when third parties later allege that they were harmed because of their reliance on the AUP report, and that the accountant was negligent in not having clearly articulated that the procedures performed didn’t adequately address their needs.

This article is intended to alert you to the risk management considerations related to the altered landscape, to advise you of the options available to you, and to provide you with an engagement letter that adheres to SSAE 19’s requirements while retaining the risk management benefits of the extant standard.

SSAE 19 is effective for AUP reports issued after July 14, 2021, but early implementation is permitted. An Agreed-Upon Procedures — SSAE 19–Compliant engagement letter is available on the CAMICO Members-Only Site (www.camico.com) in the Engagement Letter Resource Center, in the Attest Services Letters section. That letter meets SSAE 19's requirements but calls for the engaging party and intended users to sign the engagement letter acknowledging that the specified procedures are not merely appropriate, but are sufficient and appropriate for the intended purpose of the engagement, and that the resulting report is intended solely for the information and use of specified parties.

Loss Prevention Tips

Recognize that the landscape has changed, and that AUP engagements currently fall within the parameters of both SSAE 18 and SSAE 19. The SSAE 19 AUP can be performed without increasing liability exposure, but you will have to understand the standard and the protections available to you. And, when engaged to perform an SSAE 19 AUP engagement, take care to structure the engagement terms to fit the nature of the engagement you are being asked to perform.

If the engaging party doesn't wish to have a report they can share with unspecified parties, conduct the engagement as an SSAE 18 engagement if the report will be issued by July 14, 2021. If you aren't certain whether your AUP report will be completed by July 2021, use CAMICO’s sample SSAE 19–compliant engagement letter so you don't inadvertently run afoul of the new standard but will retain the safer attributes of the SSAE 18 engagement. An SSAE Agreed-Upon Procedures, Section 215 Compliant engagement letter can be found on CAMICO’s Members-Only Site (www.camico.com) in the Engagement Letter Resource Center, in the Attest Services Letters section.

Avoid the use of vague or ambiguous language in both the description of the procedures2 to be performed and in the report findings.3 Vague or ambiguous descriptions of procedures could allow report users to infer that procedures were broader in scope than they actually were. Likewise, vague or ambiguous language in the description of findings could invite users to allege they were misled and arrived at flawed conclusions.

If the engaging party truly wants a general-use report, then work closely with the client to identify the report’s potential uses; consider what procedures might be of use to potential users; include those procedures in the detailed procedures to be performed; clearly indicate in the engagement letter and resulting report that the procedures won’t necessarily be sufficient or appropriate for all potential users; and be certain SSAE 19’s new requirements are met. Also, practitioners should consider adding language to the engagement letter requiring written representations directly from any additional users acknowledging that the specified procedures are sufficient and appropriate for their purposes.

If you’re not independent, recognize and disclose your impaired independence to the responsible party.4 Don’t make the mistake of trying to fit the round peg into the square hole to overcome or ignore the independence requirements. While you are prohibited from performing AUP engagements when your independence is impaired, you can perform consulting engagements with engagement terms that mirror all the beneficial attributes of legacy AUP engagements. Such arrangements are almost universally accepted, as few intended users care whether the CPA is independent — they just want the findings resulting from the procedures they wish to have performed. Because of the difficulty in clearly articulating scope and limits, consulting engagements can be among the riskiest of services, but an engagement crafted to mirror legacy AUP engagement requirements avoids the risks inherent in typical consulting engagements and affords practitioners the protections otherwise unique to legacy AUP engagements.

Also, although not required, when the engaging party is not the responsible party, the CPA should require relevant written representations from the responsible party comparable to those obtained from the engagement party.5

Take care when crafting the report as CPAs are precluded from expressing opinions or conclusions in AUP reports. As such, it would be inappropriate to state that the engagement’s intended purpose was to determine whether the subject matter was prepared or stated in accordance with specified criteria or to conclude whether the entity met specific criteria.

CAMICO recommends adding language to the engagement letter expressing that the AUP report will state:
  • No parties other than the engaging party (or if there are other parties, that the engaging party and the other parties) acknowledge the sufficiency and appropriateness of the procedures for their purposes
  • The parties who have acknowledged that the procedures performed are sufficient and appropriate for their purposes
  • The CPA makes no representations regarding the sufficiency or appropriateness of the procedures
  • Uses for which the report is not intended
  • The practitioner has no responsibility to update the report

Please reach out to CAMICO when considering performing AUP engagements if the nature and scope of the engagement presents higher-than-anticipated risks. There may be ways to mitigate the risks. As always, CAMICO policyholders are encouraged to call Loss Prevention at 1.800.652.1772 for assistance.

Duncan B. Will, CPA/ABV/CFF, CFE, is Loss Prevention Manager/Accounting & Auditing Specialist for CAMICO (www.camico.com). He leverages his more than 40 years of experience in accounting, including public accounting, forensic accounting, consulting, and audit and tax compliance, when working closely with the Loss Prevention Specialists to manage the department’s efforts to deliver to policyholders the high-touch, high-quality CAMICO experience. Will’s specialty is accounting and auditing–related risk management services. He advises policyholders through the CAMICO Loss Prevention Hotline and speaks to CPA groups on a wide range of topics.



1 Statement on Standards for Attestation Engagements [SSAE] No. 19, Agreed-Upon Procedures Engagements, available for download at (https://www.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/ssae-19.pdf)
2 SSAE 19, paragraphs .17 and .A27
3 SSAE 19, paragraphs .26, .A38 and .A39
4 ET sec. 1.297.020
5 SSAE 19, paragraphs .27

Share this post

Leave a comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

Latest Articles

  • 26 May

    Advise and Warn Clients of Embezzlement Risks

    By Ron Klein, J.D.

    The classic small-business embezzlement scenario has occurred so many times over the years that CAMICO Loss Prevention specialists have it memorized:

    The client is a small business owner who is too busy running the business to supervise ... read more

  • 20 May

    Cyber-Security for Working Remotely

    CAMICO's recent cyber claims experience shows that the cyber-security of employees working remotely has not been as effective generally as cyber-security in an onsite office location. The lower security is being exploited by hackers, many of whom are increasing their ransomware demands. <... read more

  • 18 May

    PPP Update / Returning to the Office —The 'New Normal'

    CAMICO continues to monitor the information and guidance on COVID-19 relief measures being put into place by regulatory and legislative bodies to combat the detrimental impacts of this pandemic on people, as well as on the economy.

    Paycheck Protection Program ("PPP") —... read more