Comparing SSAE Examinations, Reviews, and Agreed-Upon Procedures

How SSAE examinations, reviews, and agreed-upon procedures differ by subject matter, criteria, assurance level, procedures, and report wording.

Attestation engagements let practitioners report on subject matter other than a traditional audit of historical financial statements. The subject matter may involve compliance, controls, greenhouse gas data, prospective financial information, system security, or another measurable assertion.

The AUD exam usually tests whether you can match the engagement type to the assurance level and report wording. Examinations provide reasonable assurance. Reviews provide limited assurance. Agreed-upon procedures engagements provide no assurance and report only factual findings.

    flowchart TD
	    A["Attestation subject matter"] --> B{"What do users need?"}
	    B -- "Opinion with reasonable assurance" --> C["Examination"]
	    B -- "Limited assurance conclusion" --> D["Review"]
	    B -- "Specific factual findings only" --> E["Agreed-upon procedures"]
	    C --> F["Opinion against suitable criteria"]
	    D --> G["Negative assurance conclusion"]
	    E --> H["Procedures and findings; no opinion or conclusion"]

Attestation Foundation

An attestation engagement requires subject matter and suitable criteria. The practitioner evaluates or reports on the subject matter against those criteria.

Element Meaning
Subject matter The thing being measured, such as compliance with a debt covenant, controls at a service organization, or prospective financial information.
Criteria The benchmark used to evaluate the subject matter, such as contract terms, regulatory requirements, Trust Services Criteria, or AICPA presentation guidelines.
Responsible party The party responsible for the subject matter or assertion.
Practitioner The CPA or firm performing the attestation engagement.
Intended users The users expected to rely on the report.

If the criteria are vague or unavailable to users, the engagement may not be appropriate because users cannot understand what the practitioner’s report means.

Engagement Comparison

Engagement Assurance level Main work Report result
Examination Reasonable assurance Procedures sufficient to obtain reasonable assurance about whether the subject matter conforms with criteria. Opinion.
Review Limited assurance Primarily inquiry and analytical procedures, plus other procedures when needed. Negative assurance conclusion.
Agreed-upon procedures No assurance Procedures agreed to by the engaging party or specified parties. Factual findings only.

These categories are not ranked by importance. They serve different user needs. A lender may want only specific covenant recalculations through an AUP report, while a regulator may require an examination opinion.

Examination Engagements

An examination is the highest-assurance attestation engagement. The practitioner obtains sufficient appropriate evidence to express an opinion on whether the subject matter is in accordance with the criteria, in all material respects.

Examination examples include:

  • Examining compliance with specified requirements.
  • Examining controls at a service organization.
  • Examining prospective financial information.
  • Examining a cybersecurity risk management program against defined criteria.

The report uses opinion-style language. That is the clue that the practitioner is giving reasonable assurance.

Review Engagements

A review provides limited assurance. The practitioner performs procedures that are substantially less in scope than an examination, commonly inquiry and analytical procedures, and expresses a conclusion in negative assurance form.

Review wording often follows this logic: nothing came to the practitioner’s attention that caused the practitioner to believe the subject matter is not in accordance with the criteria.

Reviews are useful when users want more than factual findings but do not need the cost or depth of an examination. A review is not the same as a SSARS review of financial statements, but the assurance concept is similar.

Agreed-Upon Procedures Engagements

An agreed-upon procedures engagement reports procedures performed and findings obtained. The practitioner does not decide whether the subject matter is fairly stated, effective, or compliant overall. Users draw their own conclusions from the reported findings.

AUP feature Exam meaning
Procedures are specified The practitioner performs only the procedures agreed to for the engagement.
Findings are factual The report describes results such as exceptions, counts, matches, or recalculations.
No opinion or conclusion The practitioner does not provide assurance.
Wording must be objective The report should not use vague evaluative language such as “reasonable” unless the procedure defines how to determine it.

For example, an AUP report might state that the practitioner recalculated a covenant ratio for 25 agreements and found 2 exceptions. It should not say the entity is in compliance overall unless that is part of an examination conclusion.

Choosing the Engagement Type

User need Best fit
Broad assurance that subject matter conforms with criteria Examination
Moderate comfort using limited procedures Review
Specific testing steps and factual exception reporting Agreed-upon procedures
Consulting advice or recommendations without attestation report Consulting engagement, not SSAE attestation

The practitioner should be alert for scope confusion. If users ask for an “opinion,” an AUP engagement is usually not enough. If users only need a specific recalculation, an examination may be more than necessary.

Exam Traps

  • Examinations provide reasonable assurance; reviews provide limited assurance; AUP provides no assurance.
  • AUP reports factual findings and no opinion or conclusion.
  • Attestation engagements require suitable criteria.
  • A review is not a low-cost examination opinion.
  • Consulting recommendations are different from attestation conclusions.
  • Independence applies to attestation engagements; do not treat an SSAE engagement as ordinary advisory work.

Quick Review

Use this sequence for SSAE engagement-type questions:

  1. Identify the subject matter.
  2. Identify the criteria.
  3. Determine what users need: opinion, limited assurance, or factual findings.
  4. Match the need to examination, review, or AUP.
  5. Match the report wording to the engagement type.
  6. Reject answer choices that imply the wrong assurance level.

Review Questions

### Which SSAE engagement provides reasonable assurance? - [x] Examination. - [ ] Review. - [ ] Agreed-upon procedures. - [ ] Consulting engagement. > **Explanation:** An examination provides reasonable assurance and expresses an opinion. ### Which SSAE engagement uses negative assurance wording? - [ ] Examination. - [x] Review. - [ ] Agreed-upon procedures. - [ ] Compilation. > **Explanation:** A review provides limited assurance, commonly worded as nothing came to the practitioner's attention indicating nonconformity with criteria. ### What does an agreed-upon procedures report provide? - [ ] An opinion on whether the subject matter meets criteria. - [ ] A limited assurance conclusion. - [x] Factual findings from the procedures performed. - [ ] Reasonable assurance on internal control. > **Explanation:** AUP engagements report procedures and findings only; users draw their own conclusions. ### What is required for an attestation engagement to be meaningful? - [ ] A public-company issuer. - [ ] Historical financial statements only. - [x] Suitable criteria for evaluating the subject matter. - [ ] A guarantee of future results. > **Explanation:** Attestation reports evaluate subject matter against criteria. Without suitable criteria, users cannot understand the conclusion or findings. ### A lender wants a CPA to recalculate three debt covenant ratios and list exceptions, with no overall conclusion. Which engagement fits best? - [ ] Examination. - [ ] Review. - [x] Agreed-upon procedures. - [ ] Audit of financial statements. > **Explanation:** AUP engagements are appropriate when users need specified procedures and factual findings rather than assurance. ### A company wants the highest assurance on whether its cybersecurity controls meet specified criteria. Which engagement is most appropriate? - [x] Examination. - [ ] Review. - [ ] Agreed-upon procedures. - [ ] Preparation engagement. > **Explanation:** An examination provides reasonable assurance and an opinion against criteria. ### Which statement about reviews under SSAE is correct? - [ ] They provide reasonable assurance. - [x] They are substantially less in scope than examinations. - [ ] They report only factual findings. - [ ] They do not require suitable criteria. > **Explanation:** Reviews provide limited assurance and use procedures narrower than an examination. ### Which phrase is inappropriate for an AUP report unless it is part of a specifically defined factual procedure? - [ ] "We compared the invoice date to the shipping date." - [ ] "We found 3 exceptions in the 40 items tested." - [x] "The entity is in compliance in all material respects." - [ ] "We recalculated the amount and agreed it to the schedule." > **Explanation:** Overall compliance language is an assurance conclusion, not a factual AUP finding. ### What is the practitioner's role in an examination? - [ ] Perform only procedures specified by users and avoid a conclusion. - [ ] Prepare financial statements with no assurance. - [x] Obtain sufficient appropriate evidence to express an opinion. - [ ] Provide management consulting recommendations only. > **Explanation:** Examination work supports a reasonable-assurance opinion. ### Which pairing is correct? - [ ] Examination: no assurance. - [ ] Review: factual findings only. - [ ] AUP: limited assurance conclusion. - [x] Examination: opinion. > **Explanation:** Examinations result in opinions; reviews result in limited assurance conclusions; AUP reports factual findings.
Revised on Monday, June 15, 2026