Reporting on Compliance Attestation Engagements and Special Reports
Feb 7, 2025
How practitioners evaluate compliance with laws, regulations, contracts, and grants through examination or agreed-upon procedures reports.
On this page
Compliance attestation engagements report on whether an entity complied with specified requirements. The requirements may come from a law, regulation, contract, debt covenant, grant agreement, or similar source.
The exam usually turns on two questions: are the compliance criteria suitable and measurable, and is the practitioner issuing an examination opinion or only agreed-upon procedures findings?
flowchart TD
A["Compliance requirement identified"] --> B["Locate suitable criteria"]
B --> C{"User need"}
C -- "Reasonable assurance on compliance" --> D["Compliance examination"]
C -- "Specific procedures and findings" --> E["Agreed-upon procedures"]
D --> F["Test compliance and express opinion"]
E --> G["Perform specified procedures and report findings only"]
F --> H["Report exceptions, material noncompliance, or modified opinion as needed"]
G --> I["Users evaluate findings themselves"]
Compliance Criteria
The criteria are the benchmark for deciding whether the entity complied. They must be specific enough for the practitioner to test and for users to understand the report.
Criteria source
Example
Why it works
Law or regulation
Environmental emission limit, minimum capital requirement, reporting deadline.
Formal rule that can be inspected or measured.
Contract
Debt-to-equity covenant, required insurance coverage, permitted use of funds.
Weak criteria include broad mission statements, vague management preferences, and unwritten expectations. A practitioner cannot meaningfully attest to “good compliance culture” unless the engagement defines measurable criteria.
Examination vs. AUP
Compliance work may be structured as an examination or as agreed-upon procedures. The report wording must match the engagement type.
Feature
Compliance examination
Compliance AUP
Assurance
Reasonable assurance
No assurance
Report result
Opinion on whether the entity complied, in all material respects, with specified requirements
Procedures and factual findings
Procedures
Designed by practitioner to support the opinion
Agreed by the engaging party or specified parties
User conclusion
Practitioner provides the conclusion
Users draw their own conclusions
Typical use
Regulator, lender, grantor, or board needs an overall compliance conclusion
Users need specific testing steps, exceptions, or recalculations
If the answer choice says the practitioner reports only procedures and findings, it is AUP. If it says the practitioner expresses an opinion on compliance, it is an examination.
Evidence and Testing
The practitioner designs procedures around the criteria. In a compliance examination, the practitioner obtains sufficient appropriate evidence to support reasonable assurance. In AUP, the practitioner performs only the specified procedures.
Common procedures include:
Inspect contracts, grant agreements, regulations, or filing instructions.
Recalculate covenant ratios or reimbursement formulas.
Inspect invoices, payroll records, or supporting documentation for allowable costs.
Compare activity to permitted or prohibited uses.
Inspect approvals, certifications, or regulatory submissions.
Test controls over compliance when relevant to the engagement objective.
Evaluate exceptions against materiality or specified thresholds.
Materiality in compliance is not purely financial. A small-dollar violation may matter if it affects a license, default clause, grant eligibility, or regulator decision.
Reporting Effects
The report must identify the specified requirements, the responsible party, the practitioner’s responsibilities, the standards followed, and the results of the engagement.
Situation
Reporting effect
Entity complied in all material respects in an examination
Unmodified compliance opinion may be appropriate.
Material noncompliance exists
Modified opinion or adverse conclusion may be needed, depending on severity and standards.
Practitioner cannot obtain sufficient evidence
Scope limitation reporting or withdrawal may be necessary.
AUP procedures find exceptions
Report the factual exceptions without an overall conclusion.
Criteria are intended for specified users
Report use may be restricted.
The practitioner should avoid legal conclusions beyond the engagement. The report evaluates compliance with specified criteria; it does not provide a legal guarantee.
Debt Covenant Example
A lender requires a borrower to maintain a debt-to-equity ratio below 2.50 to 1. The covenant definition says debt excludes operating lease liabilities and equity excludes accumulated other comprehensive income.
Step
Practitioner focus
Identify criteria
Loan agreement covenant and definitions.
Select engagement type
Examination if lender wants an opinion; AUP if lender wants specified recalculations.
Perform procedures
Recalculate the ratio using the agreement definitions and inspect supporting schedules.
Evaluate results
Determine whether the ratio exceeded the covenant limit or report the recalculated ratio as a finding.
Report
Opinion for examination; procedures and findings for AUP.
The exam trap is using normal GAAP ratios when the contract defines the covenant differently.
Exam Traps
Compliance criteria must be objective and measurable.
A compliance examination provides reasonable assurance; AUP provides no assurance.
AUP reports factual findings, not “the entity complied.”
Materiality can be qualitative when a violation affects user decisions.
The practitioner should use the requirements in the contract, regulation, or grant, not a generic compliance idea.
A compliance attestation report is not a legal opinion.
Quick Review
Use this sequence for compliance attestation questions:
Identify the compliance requirement.
Locate the criteria in a law, regulation, contract, or grant.
Decide whether users need an opinion or factual findings.
Match the engagement to examination or AUP.
Test or report only within the engagement scope.
Evaluate exceptions against materiality and reporting requirements.
Review Questions
### What is the foundation of a compliance attestation engagement?
- [ ] Management's broad mission statement.
- [x] Specified criteria from a law, regulation, contract, grant, or similar requirement.
- [ ] A general preference for ethical behavior.
- [ ] The practitioner's personal view of best practice.
> **Explanation:** Compliance must be evaluated against objective, measurable criteria.
### What does a compliance examination provide?
- [x] Reasonable assurance in the form of an opinion.
- [ ] No assurance and factual findings only.
- [ ] A compilation report.
- [ ] Legal certification that no violation can exist.
> **Explanation:** An examination provides reasonable assurance on whether the entity complied, in all material respects, with specified requirements.
### What does a compliance agreed-upon procedures engagement provide?
- [ ] A reasonable assurance opinion.
- [ ] Negative assurance on compliance.
- [x] Procedures performed and factual findings.
- [ ] A guarantee that the entity complied.
> **Explanation:** AUP engagements report factual findings only; users draw their own conclusions.
### Which item is most likely suitable compliance criteria?
- [ ] "Maintain a strong control culture."
- [ ] "Use good judgment when spending grant funds."
- [x] "Debt-to-equity ratio must not exceed 2.50 to 1 at quarter-end."
- [ ] "Operate efficiently."
> **Explanation:** The covenant ratio is objective and measurable.
### Why can small-dollar noncompliance still be material?
- [ ] It is never material unless it exceeds planning materiality.
- [x] It may affect a license, debt default, grant eligibility, or regulator decision.
- [ ] Compliance engagements ignore qualitative factors.
- [ ] It automatically requires an adverse opinion in every case.
> **Explanation:** Compliance materiality often depends on user decisions and consequences, not only dollar amount.
### In a debt covenant compliance engagement, which definition should the practitioner use?
- [ ] The ratio definition from a finance textbook.
- [x] The definition in the loan agreement.
- [ ] The definition preferred by management.
- [ ] The definition used in the prior-year audit report only.
> **Explanation:** Compliance is evaluated against the specified criteria, here the loan agreement.
### What should an AUP report avoid?
- [ ] Listing the procedure performed.
- [ ] Reporting exceptions found.
- [ ] Identifying the specified parties.
- [x] Stating an overall opinion that the entity complied.
> **Explanation:** AUP reports factual findings and no overall assurance conclusion.
### Which procedure is common in compliance attestation?
- [ ] Issuing a product warranty.
- [ ] Preparing the entity's tax return as the only procedure.
- [x] Inspecting documentation supporting allowable grant costs.
- [ ] Forecasting future market share.
> **Explanation:** Compliance testing often inspects documents that support adherence to grant, contract, or regulatory requirements.
### What may be necessary if the practitioner cannot obtain sufficient evidence in a compliance examination?
- [ ] Issue an unmodified opinion anyway.
- [ ] Convert the report into a marketing statement.
- [x] Modify the report, disclaim, or withdraw depending on the circumstances.
- [ ] Ignore the limitation if management signs a representation letter.
> **Explanation:** A scope limitation can prevent a standard compliance examination opinion.
### Which statement about compliance attestation is correct?
- [ ] It always provides a legal opinion.
- [ ] It always reports only factual findings.
- [x] It evaluates compliance with specified criteria under the selected engagement type.
- [ ] It is limited to SEC issuers.
> **Explanation:** Compliance attestation depends on the criteria and whether the engagement is an examination or AUP.