SSAE 19 Brings Greater Flexibility to Agreed-Upon Procedures  

AUP Engagements are Both Targeted and Flexible 

Agreed-upon procedures (AUP) engagements offer organizations an alternative to traditional financial statement audits. The AICPA Auditing Standards Board’s recently issued SSAE 19 eases the process of reviewing specific business procedures for professionals, ultimately offering more flexibility in engagements. What does SSAE 19 bring to the table, and how does it differ from its predecessor, SSAE 18 (AT-C section 215)? 

What Are the Advantages of an AUP Engagement? 

Agreed Upon Procedures is an attestation service involving three parties: the ‘provider’ or CPA firm, the ‘client’ who engages the provider, and the ‘intended user’ who benefits from the report. It is similar to a SOC examination in that it is performed by a CPA firm, but there are some distinct differences. This attestation is unique because it doesn’t require an auditor’s opinion or conclusion on the engagement’s overall scope. 

The advantages of this are that an AUP is less rigorous than a SOC audit, for example, but it is also a lot more flexible. The engagement can be customized so that it verifies specific information. 

Related article: Agreed-Upon Procedures vs. SOC 2® Audits: Which One Do You Need? 

What’s New with SSAE 19? 

SSAE (Statement on Standards for Attestation Engagements) 19 is an updated rule issued by the AICPA Auditing Standards Board that makes it easier for professionals to assist clients in reviewing specific procedures within their business. This rule removes some previous requirements, allows more flexibility in creating and adjusting procedures, and makes the final report available for broader use. This change can lead to more opportunities for professionals to help clients with different types of transactions. 

The new Agreed-Upon Procedures (AUP) standard, SSAE 19, offers more flexibility to CPAs compared to the previous guidance, SSAE 18 AT-C section 215. This flexibility comes from changes such as no longer requiring an assertion from the responsible party, permitting general-use reports, not requiring intended users to take responsibility for the procedures’ sufficiency, and allowing auditors to develop or alter procedures during the engagement. SSAE 19 engagements have clear objectives and a specific report structure with procedures and findings. 

The standard emphasizes acceptable and precise wording for describing procedures, proper documentation, and the requirement for attestation independence. SSAE 19 provides illustrative AUP reports and became effective for AUP reports dated on or after July 15, 2021, with early implementation allowed. 

How Are SSAE 18 and SSAE 19 Different? 

The latest version of the standard is more closely aligned with the IAASB‘s standards for agreed-upon procedures engagements. SSAE 19 introduces several changes that make the process of reviewing specific procedures in a business easier for professionals. 

Here’s an overview of the main changes that were ushered in by SSAE 19. 

1. No need for an assertion: Professionals no longer have to request or mention a responsible party’s claim about the subject being reviewed. Sometimes, the responsible party may not be able or willing to evaluate the subject matter. 
2. General-use reports allowed: Professionals can create reports that are usable for a wider audience since users of the report, unlike before, are not required to take responsibility for how suitable the procedures performed are. However, the reports do caution that the procedures and findings may not be suitable for every user’s purpose. Professionals can still restrict report usage if they believe it’s necessary. 
3. Intended users don’t need to take responsibility for the sufficiency of procedures: In the previous version, SSAE 18, certain users needed to help decide on the procedures and be responsible for their suitability. This becomes difficult when procedures change or more parties join the engagement. SSAE 19 removes this obligation. 
4. Flexible procedure development: Professionals, clients, or intended users can develop procedures together, and this can change throughout the engagement. This means that procedures may be developed over the course of the engagement. Plus, only the engaging party has to agree that the procedures performed are appropriate for the engagement’s purpose before the report is issued. This makes the overall process more adaptable. 

What Are SSAE 19 Report and Documentation Requirements? 

Under SSAE No. 19, when engaged in an agreed-upon procedures engagement, the organization needs to ensure that the practitioner’s report includes specific information: 

1. Identifying both the engaging and responsible parties as well as the subject matter that the procedures are applied to; 
2. Confirming that the procedures performed are appropriate for the intended purpose of the engagement; 
3. Stating that the report may not be suitable for any other purpose; 
4. Clarifying that the procedures may not address all concerns or meet the needs of all users, and that users should determine if the procedures are suitable for their purposes; 
5. Describing the performed procedures and their respective findings; 
6. Emphasizing that the practitioner did not conduct an examination or review that would result in an opinion or conclusion; 
7. Underlining that the practitioner does not express an opinion or conclusion; 
8. Affirming that the practitioner is required to be independent and follow ethical requirements. 

In addition to the report, the engaged organization should ensure that the practitioner maintains proper documentation, including: 

1. A written agreement acknowledging that the procedures performed are appropriate for the intended purpose of the engagement; 
2. Details on the nature, timing, and extent of the performed procedures; 
3. The results and evidence obtained from the applied procedures. 

What Is Considered Proper Conduct in AUP Engagements? 

When accepting SSAE engagements, a practitioner must follow specific criteria to ensure independence and proper conduct. SSAE No. 19 allows practitioners to help develop procedures, but they still need to maintain independence from responsible parties, as required by the AICPA Code of Professional Conduct. The ethics division believes that independence should not be an issue since the engaging party must agree to the procedures and acknowledge their appropriateness for the engagement’s purpose. 

To accept SSAE engagements, practitioners should ensure these four conditions are met: 

1. Procedures can be designed, performed, and reported following SSAE No. 19 rules. 
2. The engaging party agrees that the procedures are appropriate for the engagement’s purpose. 
3. The procedures will likely lead to consistent findings. 
4. When necessary, the practitioner and engaging party agree on a threshold for reporting exceptions. 

An agreement on the engagement terms should be in writing, usually in an engagement letter, and include the engaging party’s acknowledgment of the appropriateness of the procedures. The practitioner must also be aware of the risks involved, such as incorrect or incomplete reported findings. To reduce these risks, the practitioner should carefully plan and supervise the engagement and use due professional care when performing procedures and preparing reports. 

When Is an AUP Engagement Recommended? 

“This type of engagement isn’t specific to any one industry; it really has wide applicability,” said David. “A real estate or investment firm could employ an AUP engagement. If a landlord wants to verify his schedule of rents and expense, we could test those schedules to assure the landlord that the information available is correct. So, this shows how it can be to do very targeted fact-checking and provide assurance.” 

What Is Included in an AUP Engagement Report? 

The engagement report is very straightforward and easy to read. It includes a cover letter with no formal opinion, a description of the series of procedures performed, and the results of those procedures.  

SSAE 19 significantly enhances the flexibility and practicality of agreed-upon procedure engagements. By eliminating certain previous requirements, allowing more freedom during procedure development, and making reports more widely available, this new standard expands opportunities for professionals to assist clients with tailored engagements that address their specific needs in various types of transactions. Organizations and practitioners can benefit from this adaptability and more streamlined approach, ensuring a smoother, cost-effective agreed-upon procedure engagement experience. 

Resources 

• AICPA, Audit & Attest Standards Team; “At a glance: New standard for agreed-upon procedures engagements,” 2019. 
• AICPA, Auditing Standards Board; “Statement on Standards for Attestation Engagements: Agreed-Upon Procedures Engagements,” December 2019. 
• Journal of Accountancy, Alan Reinstein, Cathleen L. Miller, John Fleming; “More flexibility for agreed-upon procedures,” September 2020.  

About The Author

Joe Ciancimino

Joe is a Director in the I.S. Partners SOC practice. He is a Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Controls (CRISC) practitioner and a member of the ISACA Philadelphia Chapter. Joe has been performing IT audit and attestation services for the last 6 years and continues to assist clients in performing a variety of engagements. These include System & Organization Controls (SOC) Reports (SOC 1/SOC 2), Information Technology and Information Systems Audits, IT General Controls / IT Application Controls Testing, ISO/IEC 27001:2013 Internal Audit/Compliance, Internal Audits on a outsourced/co-sourced basis