There is an emerging reporting need to provide assurance on complex nonfinancial metrics, such as those related to environmental, social, and governance (ESG), artificial intelligence (AI), or cybersecurity. Users of these metrics desire the confidence of knowing that a CPA has performed sufficient appropriate procedures to independently assess the preparation and fair presentation of those metrics in conformance with suitable objective criteria. Practitioner’s need to be prepared to keep pace with these changes to seize new opportunities to serve client needs.
What Is SSAE 21?
Statement on Standards for Attestation Engagements (SSAE) No. 21, Direct Examination Engagements, gives practitioners a greater ability related to providing an examination opinion about the result of measurement or evaluation of any subject matter (both financial and nonfinancial) against criteria. A significant change from the previous standard is that direct examination engagements may be accepted without the precondition that a responsible party for the underlying subject matter must first measure or evaluate that subject matter and provide a written assertion of the results to the practitioner. Previous standards only permitted assertion-based engagements, which is predicated on a responsible party providing an assertion.
Get a FREE CPE course from Becker
With Becker, you can meet your CPE requirements, gain new skills, and stay aware of the latest updates and news. See why more accountants are choosing Becker with a free CPE course!
Examples of Direct Examination Engagements
Real-life examples of emerging subject matter for examination engagements includes metrics to measure or evaluate:
- Carbon footprint, such as greenhouse gas (GHG) emissions
- Social impact, such as achieving diversity targets in hiring practices
- Personal information security, such as compliance with the EU’s General Data Protection Regulations (GDPR) or the California Consumer Privacy Act (CCPA)
- Cybersecurity controls in accordance with Trust Services Criteria for a start-up entity
- Specific target achievement to retain access to a government tax break
- Supply chain data, such as proving to customers that materials are ethically sourced
- AI algorithm against bias criteria
SSAE No. 21 Best Practices
The AICPA’s Statements on Standards for Attestation Engagements (SSAEs) are used to provide assurance on subject matter other than historical financial statements. Examinations provide reasonable assurance, similar to audits, resulting in an opinion as to whether a subject matter is free from material misstatement in adhering to established criteria. Practitioners plan, perform risk assessments, test controls (as necessary) and obtain sufficient, appropriate evidence in accordance with professional standards. There are two types of examination engagements, assertion-based and direct examination as a result of SSAE No. 21 (AT-C Section 206), which became effective for reports dated on or after June 15, 2022.
Direct examinations under SSAE No. 21 allow CPAs to provide high-assurance validation to third parties on complex, nonfinancial information without requiring management to first produce a formal assertion. This standard allows practitioners to both directly measure the underlying metrics and provide an opinion on them. It removes the barrier that previously required a client to measure their subject matter against criteria and provide a written assertion before a practitioner could step in. Direct examinations open the door to new types of engagements where the CPA’s expertise is the primary driver of assurance.
For example, assume a company is required to issue a report of its “Scope 1” and “Scope 2” carbon emissions to a major retailer to remain an approved vendor. The company may not have the technical expertise to calculate metric tons of CO2 equivalent based on utility bills and fuel consumption. The CPA may gather the raw data and apply specific GHG Protocol criteria to perform the calculation themselves. And the CPA may also issue a report providing reasonable assurance on their own findings under SSAE No. 21.
Unlike traditional assertion-based examination, a reporting entity does not need to formally measure of evaluate the subject matter against criteria before a direct examination engagement. This option is ideal for emerging reporting of nonfinancial data on operational and security matters, where organizations may lack in-house measurement expertise or resources necessary to prepare the underlying metrics.
Importantly for quality management with a CPA firm, this shift to direct examinations places a heavier emphasis on the practitioner’s independence and objectivity. Practitioners are now the primary source of the measurement and evaluation process vs. purely being a “second set of eyes”. Therefore, the evidence gathered must support a direct conclusion, not just corroborate a client’s assertion statement.
Direct examinations may initially require more time and senior-level involvement. Without a client assertion to guide the process, the scoping and planning phases can be more labor-intensive. Firms must assess if their current staffing levels and technical expertise are sufficient to handle these "blank slate" evaluations.
To further support the performance of these engagements, the AICPA has recently issued exposure drafts to specifically amend SSAE No. 21 to better reflect requirements for reporting on sustainability information and better align with the AICPA’s new Quality Management Standards. Independence requirements are also being clarified to specifically address attestation engagements.
Learn More with Becker CPE
If you'd like to learn more about this and other topics, Becker a huge variety of CPE courses, including over 1,000 annual webcasts, 700 on-demand courses, and weekly CPE podcasts.
Unlock Unlimited CPE with a Prime Subscription
Becker makes it easy to meet your CPE requirements, gain new skills, and stay aware of critical updates and changes in the industry!
With Prime, you can access over 1,700 courses for a full year and earn unlimited CPE credits.
Related Articles
Share
