The Latest

SSARS No. 23 and SSAE No. 18: Changes and Risk Management Advice

By Duncan Will, CPA/ABV/CFF, CFE

Several AICPA pronouncements became effective May 1, 2017. Omnibus Statement on Standards for Accounting and Review Services – 2016

(SSARS No. 23) became effective (or most of it) when issued in 2016, but amendments to AR-C Sections 70 and 80 now address prospective financial engagements.

The AICPA’s Auditing Standards Board (ASB) issued another impactful AICPA pronouncement, Statement on Standards for Attestation Engagements No. 18

(SSAE No. 18) in April 2016, but it didn’t become effective until this spring. Interestingly, only days before the standard took effect, less than half the audience of a conference I was attending were aware that SSAE No. 18 had been issued.

Ignorance is not bliss. Not complying with the standards, and not appreciating the risk management considerations available but not specifically addressed in the standards, could unknowingly expose you to considerable risk.

Please access this link for “Definitions of terms relevant to attestation engagements


So, what are the changes?

SSARS No. 23

The Omnibus SSARS No. 23 was issued in October 2016. The new standard amended review, compilation, and preparation requirements. The immediate effective date for some of its amendments created situations where some practitioners inadvertently or unknowingly have not complied with the amendments. AR-C 80 and AR-C 90 were modified to indicate that when supplementary information accompanies compiled or reviewed financial statements, the accountant’s reports are to indicate the degree of responsibility, if any, that the accountant takes with respect to the supplementary information. This responsibility is to be communicated either in a separate paragraph within the accountant’s report or a separate report on the supplementary information.

Another SSARS No. 23 change is an amendment to the compilation standards to address reporting of known departures from the entity’s financial reporting framework (e.g., U.S. GAAP, or modified cash basis of accounting). When a material departure from the framework is known and not revised, the accounting should disclose the departure in a separate paragraph of the report. If management has determined the departure’s impact, or the accountant’s procedures identify the effects, the paragraph should disclose the effects of the departure. Accountants are not permitted to include a statement that the financial statements don’t conform with the applicable financial reporting framework, as such a statement would be tantamount to expressing an adverse opinion, which is only permitted on audit engagements.

The recodification of the attestation standards (see SSAE No. 18 below) now has the Accounting and Review Services Committee responsible for the standards for engagements involving prospective financial information when no assurance is to be provided on the prospective financial information (preparation and compilation engagements). Note:

The standards prohibit practitioners from performing a review of prospective financial information.

SSARS No. 23 modifies AR-C 60, 70 and 80 to include the objectives and responsibilities when CPAs are asked to perform preparation or compilation engagements on prospective financial information. CAMICO policyholders are encouraged to access the Engagement Letter Resource CenterCAMICO Members-Only Site(,

, located on the

to obtain SSARS-compliant engagement letter templates.

SSARS No. 23 revised AR-C 60 General Principles for Engagements Performed in Accordance With Statements on Standards for Accounting and Review Services.

SSARS No. 23 now permits CPAs to accept responsibility for their client’s internal control. If the accountant chooses to accept such responsibility, the accountant is no longer required to obtain the agreement of management that management acknowledges and understands its internal control responsibilities.

Accepting this responsibility should not be taken lightly or assumed unless the accountant is fulfilling a controllership-type role. Even then, CAMICO believes it is best to have the client’s management take responsibility for the entity’s internal control, as management is ultimately responsible for the organization’s internal control.

If clients push back, consider offering the analogy to parents’ responsibility for their children’s education. Teachers and the school system play a vital role in the education of children, but parents are ultimately responsible for their children’s education. Likewise, CPAs may fulfill a controllership-type role on some engagements, but the owner or the entity’s management is ultimately responsible for the organization’s internal controls.

Were the CPA to accept this responsibility, the engagement letter language would need to be modified to remove management’s acknowledgment and understanding of its responsibility for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of the entity’s financial statements. CPAs performing reviews of financial statements cannot accept responsibility for their client’s internal control, as that role is a management function that, if assumed, would impair independence required when performing reviews (or any attest engagement). (See the following Loss Prevention Tips.)

SSARS No. 23 clarifies that CPAs


withdraw from preparation engagements when they are unable to include a legend indicating “no assurance is provided.” CAMICO recommends that the legend on each page of the financial statements (including footnotes) indicate, “No CPA provides any assurance on these financial statements.”

Accounting software limitations may not accommodate the desired text, but this can be remedied by printing the financial statements on paper stock on which the desired legend is pre-printed.

The AICPA’s Prospective Financial Information Guide

(published April 1, 2017) should be consulted for any prospective financial information engagement (e.g., forecast or projection). This guide covers SSAE No. 18 and SSARS No. 23 requirements (e.g., examinations and agreed-upon procedures engagements addressed in SSAE No. 18, and compilation and preparation of prospective financial information (covered in SSAE No. 18)).

SSARS No. 23 indicates that CPAs should not prepare or compile prospective financial information that doesn’t disclose the summary of significant assumptions, or a financial projection that doesn’t (1) identify the hypothetical assumptions or (2) describe the limitations on the usefulness of the presentation. This is new territory, as prospective financial information was not previously addressed in the SSARSs.

Known departures from the applicable financial reporting framework must be disclosed in compilation reports even if the departures are disclosed in the financial statements’ footnotes.

If departures from the applicable financial reporting framework are known and material, and the financial statements aren’t revised to correct the material misstatement, the accountant is required to consider whether to modify the report to adequately disclose the departures.

SSAE No. 18

The ASB clarity project was completed with the issuance of SSAE No. 18, effective for SSAE reports issued on or after May 1, 2017. The SSAEs permit accountants to report on subject matter other than historical financial statements. The new SSAE supersedes and restructures virtually all of the attestation standards. SSAE No. 18 represents a clarification and recodification of the attestation standards.

The new standards follow the clarity format that the ASB and the Accounting and Review Services Committee recently adopted. The standard introduced a common concepts section (Section 105, Concepts Common to All Attestation Engagements) that applies to all attestation engagements and includes sections containing incremental requirements and guidance. The standard’s structure represents a “building block” approach and establishes three distinct sections to address the three levels of attestation services:

  • AT-C Section 205, Examination Engagements,
  • AT-C Section 210, Review Engagements, and
  • AT-C Section 215, Agreed-Upon Procedures Engagements.

The new SSAE contains sections addressing four specific subject matters and provides a framework for reporting on a variety of other subject matters. The four specific subject-matter sections are:

  • AT-C Section 305, Prospective Financial Information,
  • AT-C Section 310, Reporting on Pro Forma Financial Information,
  • AT-C Section 315, Compliance Attestation, and
  • AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting.

The Common Concepts (AT-C 105) govern all attestation engagements. Separating the Examination, Review, and Agreed-Upon Procedures guidance into distinct Sections (AT-C 205, AT-C 210, and AT-C 215, respectively) allows practitioners to focus their attention on the standards specific to the service they’re engaged to perform.

The four subject-matter sections all permit examination engagements, but some sections do not permit review engagements, and some do not permit agreed-upon procedures engagements (see the “SSAE No. 18 Framework” graphic at the end of this article)

. In my experience, it appears that most CPAs have minimal experience with engagements involving the subject‐matter attestation standards. CAMICO strongly discourages practitioners from dabbling; so, if you don’t already possess the requisite knowledge to practice in these areas, collaborate with practitioners who do, take the time to learn what is necessary, or decline the engagement.

The new attestation standards use the AICPA’s clarification protocol previously adopted within the SSARSs and SASs, and have added the suffix “-C” after each section number to differentiate the new standards from those that are superseded.

SSAE No. 18 now requires practitioners to request a written assertion from the responsible party. An assertion is a statement about whether the subject matter is measured or evaluated in accordance with the criteria. If the responsible party refuses to provide the practitioner with a written assertion in an examination or a review engagement, then the practitioner must withdraw. While the practitioner must also request a written assertion in an agreed-upon procedures engagement, the responsible party’s refusal to provide the assertion does not compel the practitioner to withdraw, but the refusal must be disclosed in the practitioner’s report, and if known at the time, in the engagement letter.

An exception exists for cases in which the responsible party is not the party that engaged the practitioner. In such cases, the written assertion is not required. If the CPA elects not to withdraw, the CPA’s report must indicate (1) the responsible party did not provide an assertion, and (2) use of the report is restricted to the engaging party.

Written representations are not required for agreed-upon procedures engagements, but SSAE No. 18 mandates they be obtained for examination and review engagements. As a practical matter, and for improved risk management, CAMICO encourages CPAs to embed the assertion within the written representations sought from all engaging and responsible parties. The assertion may be included within the engagement letter. However, including the assertion in the representation letter is preferable, as the representations would be obtained at the same time as the CPA’s report is issued; therefore, the representations will be fresh in the parties’ minds.

The previous attestation standards required CPAs to issue a disclaimer report or withdraw when there was a scope limitation. SSAE No. 18 permits CPAs to issue a qualified or adverse opinion. CPAs should seriously consider the implications of any scope limitations and the impact on their reports. CAMICO recommends policyholders faced with these issues take advantage of the Loss Prevention hotline to obtain reporting and disclosure options specific to their circumstances.

Illustrative practitioner reports are contained in exhibits within SSAE No. 18 immediately after the application and other explanatory material sections for each of the three attestation levels of service (AT-C 205, Examination Engagements – six sample reports; AT-C 210, Review Engagements – 3 sample reports; and AT-C 215, Agreed-Upon Procedures Engagements – 3 sample reports). CAMICO offers sample engagement letters but not sample reports. We strongly encourage CPAs to refer to the exhibits’ reports within the standard before issuing reports.

SSAE No. 18 further broadens the CPAs’ requirements for obtaining an understanding of the development of the subject matter to assess risks of material misstatement. In an examination engagement, the practitioner is now required to assess the risks of material misstatement of the subject matter and perform procedures to address those assessed risks.

As is the case with other recent standards clarifications, the new SSAE now requires that the CPA obtain an engagement letter for all attestation engagements, and that the CPA and engaging party sign the agreement. It is expected and hoped that this change will not have an impact in practice, as CPAs likely already adhered to this best practice. Documenting the scope and limits of each engagement is among the strongest risk management practices for CPAs.

Again, we encourage CAMICO policyholders to access CAMICO’s sample engagement letter templates in the Engagement Letter Resource CenterCAMICO Members-Only Site (

, located on the

Engagement letters impacted by SSAE No. 18 have been updated to comply with the new standard.

Many of these engagements involve a fairly high level of complexity and are not routinely performed by most CPAs; inadvertent noncompliance is very possible. An understanding of attestation engagement nuances is imperative to perform these engagements properly and minimize the risk inherent in dabbling in unfamiliar areas. It is imperative that accountants performing attestation engagements read and understand the Common Concepts (AT-C 105).

Loss Prevention Tips

Don’t dabble, especially in the attestation engagement arena. Be certain that you understand the requirements before engaging to perform an examination, review or agreed-upon procedures attestation engagement.

Recognize that attestation engagements, by their very definition, require the CPA to be independent. Determine whether your existing relationship, or the nature of your services (ET 1.295 implications), impair your independence and thus preclude you from performing the engagement.

Have heightened professional skepticism when a responsible party is unwilling to provide an assertion. This could suggest a tension between the parties and represent a significant area of risk.

Add language to your engagement letter to indicate that management understands and acknowledges that you may withdraw from the engagement if the engaging entity or responsible party do not provide the written assertions sought by the CPA. If the engaging party is not the responsible party, and the responsible party refuses to provide you with a written assertion, you should reconsider performing the engagement. If you do continue, modify your engagement letter to indicate the responsible party’s refusal and that, as a result, the use of your report will be limited to the engaging party.

Before performing services involving prospective financial information, read the AICPA’s Prospective Financial Information Guide

addressing the requirements of SSAE No. 18 and SSARS No. 23 regarding prospective financial information engagements services.

Be sure to understand the significant assumptions upon which the prospective financial information is based. Accountants should not prepare prospective financial information that doesn’t detail the significant assumptions. Also, accountants should not prepare financial projections that don’t identify the hypothetical assumptions or don’t describe known limitations regarding the presentations’ usefulness. A clause should be added to prospective financial statement engagement letters indicating the responsible party acknowledges and agrees that you may disengage and not be liable for any consequences if the responsible party refuses to comply with these requirements.

Be aware that CPAs are not permitted to perform reviews of prospective financial information, internal control, or compliance with laws, regulations, rules, contracts, or grants. Such services cannot be performed as an attest engagement, but you may still be able to perform the services as a consulting engagement. Consulting engagements are often quite risky, but if the parties acknowledge and agree that (1) your independence is impaired, (2) the use of the resulting report will be restricted to the engaging parties, and (3) the detailed specific procedures they’ve asked you to perform are sufficient for their needs, then the enhanced risks associated with this work can be managed and may be performed as a consulting engagement.

As always, CAMICO policyholders are encouraged to contact the Loss Prevention department early and often with questions at 1.800.652.1772 or


Share this article