5.4 Attestation and Government Auditing Signals
Key Takeaways
- The 2026 AUD Blueprint tests assertion-based examinations, direct examinations, attestation reviews, and agreed-upon procedures under SSAE attestation reporting.
- An examination provides reasonable assurance (opinion), an attestation review provides limited assurance (conclusion), and agreed-upon procedures provide findings with no assurance.
- A direct examination has the practitioner measure or evaluate subject matter without a responsible-party assertion; an assertion-based engagement reports on the party's assertion.
- The 2024 Yellow Book (GAGAS) is effective for financial audits of periods beginning on or after December 15, 2025, adding ICFR and compliance reporting beyond GAAS.
- A single audit under Uniform Guidance adds a major-program compliance opinion, internal control over compliance reporting, and a schedule of findings and questioned costs.
Attestation Reporting in the 2026 AUD Blueprint
Area IV of the 2026 AUD Blueprint tests reporting on attestation engagements performed under the Statements on Standards for Attestation Engagements (SSAE). It names four engagement types, and the exam distinguishes them by changing one word in a fact pattern: practitioner instead of auditor, subject matter instead of financial statements, assertion instead of presentation, or findings instead of assurance.
Attestation Engagement Types
| Engagement | Assurance | Report output | Key signal |
|---|---|---|---|
| Assertion-based examination | Reasonable | Opinion | Responsible party makes a written assertion |
| Direct examination | Reasonable | Opinion | Practitioner measures/evaluates subject matter; no assertion needed |
| Attestation review | Limited | Conclusion | Inquiry and analytical procedures |
| Agreed-upon procedures (AUP) | None | Findings | Engaging party agrees to the procedures; users draw their own conclusions |
An examination is the attestation cousin closest to an audit: it provides reasonable assurance and yields an opinion on whether the subject matter is in accordance with the criteria (or whether the assertion is fairly stated). A review provides limited assurance and a conclusion. An agreed-upon procedures engagement is fundamentally different: the practitioner performs only the procedures the parties specified and reports findings without any opinion or conclusion.
Under the current SSAE, an AUP report need not be restricted to specified parties, though the practitioner must be satisfied the procedures are appropriate.
Suitable criteria matter in every attestation engagement: they should be relevant, objective, measurable, and complete, and available to intended users. If criteria are not suitable or available, the engagement may be inappropriate, or the report may require restriction.
Compliance Reporting Signals
Area IV also includes reporting on compliance. In a financial statement audit, the auditor may report on compliance with contractual or regulatory requirements connected with the audited statements (for example, debt-covenant compliance), provided the auditor expresses negative assurance and has not identified noncompliance. In an attestation engagement, a practitioner may examine or perform AUP on compliance with specified laws, regulations, contracts, or grants, or on internal control over compliance.
Auditors report based on professional standards and evidence; they do not render a legal determination that the entity complied with every law.
Government Auditing Standards (Yellow Book)
The Blueprint separately calls out Government Accountability Office (GAO) Government Auditing Standards, known as generally accepted government auditing standards (GAGAS) or the Yellow Book. The 2024 Yellow Book supersedes the 2018 revision and is effective for financial audits and attestation engagements of periods beginning on or after December 15, 2025, which makes it the current edition for 2026-era engagements.
GAGAS does not replace GAAS; it adds reporting requirements, notably a report on internal control over financial reporting and on compliance with laws, regulations, contracts, grant agreements, and provisions that could have a material effect on the statements.
Single Audits Under Uniform Guidance
A single audit (2 CFR Part 200, Uniform Guidance) is required when a nonfederal entity expends $1,000,000 or more in federal awards in a fiscal year (the threshold was raised from $750,000, effective for fiscal years beginning on or after October 1, 2024). Recognize these distinct outputs:
- The opinion on the financial statements (GAAS).
- A report on ICFR and compliance under Government Auditing Standards.
- A report on compliance for each major federal program and on internal control over compliance.
- A schedule of findings and questioned costs.
The major-program report provides an opinion on whether the auditee complied, in all material respects, with the direct and material compliance requirements for each major program. The internal-control-over-compliance portion describes the scope of testing and reports significant deficiencies and material weaknesses, but it does not express an opinion on internal control.
Exam Traps
- Agreed-upon procedures report findings, never assurance.
- An attestation review (SSAE) is not the same as a SSARS review of financial statements.
- GAGAS adds reporting; it does not replace GAAS for the financial statement opinion.
- Single-audit questions often ask which report gives the opinion on major-program compliance: it is the compliance report, not the internal-control-over-compliance description.
SOC Engagements: A High-Frequency Attestation Subtype
The exam frequently dresses attestation up as a System and Organization Controls (SOC) engagement performed under SSAE. Distinguish the three:
| Report | Subject | Users | Report type |
|---|---|---|---|
| SOC 1 | Controls at a service organization relevant to user entities' financial reporting | User auditors and management | Examination (opinion) |
| SOC 2 | Controls over security, availability, processing integrity, confidentiality, privacy (trust services criteria) | Knowledgeable parties; restricted | Examination (opinion) |
| SOC 3 | Trust services criteria, general-use summary | Any user | Examination (opinion) |
Within SOC 1 and SOC 2, a Type 1 report covers the design of controls at a point in time, while a Type 2 report covers design and operating effectiveness over a period. A user auditor relying on a service organization's controls reads the service auditor's report and considers whether complementary user-entity controls are in place.
Determining Major Programs in a Single Audit
The risk-based approach to identifying major federal programs proceeds in steps: (1) identify Type A programs by dollar size relative to total federal expenditures; (2) assess Type A programs as low-risk only if audited as major in one of the two prior years with no concerning findings; (3) identify high-risk Type B programs; and (4) ensure coverage meets the percentage-of-coverage rule (generally 40%, or 20% for a low-risk auditee). Candidates are rarely asked to compute thresholds but are often asked to recognize that major-program selection is risk-based, not simply a matter of picking the largest-dollar programs.
Findings, Questioned Costs, and Reporting Packages
The schedule of findings and questioned costs has three parts: a summary of the auditor's results, financial statement findings, and federal award findings and questioned costs. A questioned cost is one that may violate a provision of law, regulation, or agreement, lacks documentation, or appears unreasonable. The completed reporting package plus the data collection form is submitted to the Federal Audit Clearinghouse, generally within the earlier of 30 days after receiving the auditor's reports or nine months after the audit period end.
Exam Synthesis
When a question names a practitioner measuring subject matter against criteria and issuing an opinion, think SSAE examination. When it mentions federal awards, major programs, or a schedule of findings, think single audit under Uniform Guidance, layered on top of GAGAS, which is itself layered on top of GAAS.
A practitioner performs procedures specified and agreed to by the engaging party over a schedule of royalty payments and reports the resulting exceptions without providing an opinion or conclusion. Which engagement is described?
In a single audit under Uniform Guidance, which report provides an opinion on whether the auditee complied, in all material respects, with the direct and material compliance requirements for each major federal program?
Which attestation engagement provides reasonable assurance and an opinion while NOT requiring the responsible party to provide a written assertion?