AUD attestation coverage for examinations, reviews, agreed-upon procedures, prospective information, compliance, and SOC reports.
This chapter covers attestation services that extend beyond the standard financial statement audit. The challenge is understanding the objective of each engagement type, the level of assurance involved, and how the report is tailored to that objective.
AUD questions in this area often turn on service selection. An examination, review, agreed-upon procedures engagement, compliance attestation, prospective-information engagement, or SOC report may involve different procedures, responsibility language, assurance level, and user expectations.
| Engagement clue | What to decide first | Common AUD trap |
|---|---|---|
| Examination | Whether reasonable assurance is appropriate for the subject matter. | Treating examination language like a limited-assurance review. |
| Review | Whether limited assurance and inquiry/analytical procedures fit the user need. | Assuming review procedures provide the same evidence as an examination. |
| Agreed-upon procedures | Whether specified parties define procedures and accept responsibility for sufficiency. | Calling it an assurance opinion when the practitioner reports findings. |
| SOC report | Whether SOC 1, SOC 2, or SOC 3 matches the user and subject matter. | Choosing the SOC report type based only on the service organization label. |
| Step | AUD question to ask | Reporting implication |
|---|---|---|
| 1. Define the subject matter | Is the engagement about financial information, compliance, controls, prospective information, or service-organization controls? | The subject matter determines which attestation standard and report form apply. |
| 2. Identify responsible party and users | Who is responsible for the subject matter and who will use the report? | Responsibility language and distribution limits depend on these roles. |
| 3. Select assurance level | Does the user need reasonable assurance, limited assurance, findings only, or a SOC report type? | Procedure depth and report wording change with the engagement form. |
| 4. Match procedures to objective | Are examination procedures, review procedures, specified procedures, or SOC testing appropriate? | AUD distractors often pair the right subject matter with the wrong service level. |
| 5. Confirm report wording | Does the report express an opinion, conclusion, findings, or SOC-specific description? | The report should not imply assurance that the engagement did not provide. |
| Checkpoint | Ask before selecting a report | Reporting effect |
|---|---|---|
| Subject matter | Is the engagement about compliance, controls, prospective information, financial information, or service-organization controls? | Subject matter determines the applicable attestation model. |
| Responsible party | Who is responsible for the subject matter and written assertion? | Responsibility language changes the report. |
| User need | Do users need reasonable assurance, limited assurance, specified findings, or a SOC report type? | Assurance level drives procedure depth and wording. |
| Procedure fit | Are examination, review, agreed-upon procedures, compliance, or SOC procedures appropriate? | The right service can still be wrong if procedures do not match the objective. |
| Distribution and wording | Is the report general use, restricted use, opinion-based, conclusion-based, or findings-only? | AUD often tests whether the report overstates the assurance provided. |