(Posted May 2024)

When issues testing the CSAE sections appear in a CPA Common Final Exam (CFE) practice case, we expect to receive questions clarifying the differences between the special reports. This blog summarizes the key technical you need to know when addressing these types of issues on the CFE and considerations for your writing approach.

CSAE 3000 and CSAE 3001

These standards are a conceptual framework for all assurance engagements other than audits or reviews of historical financial information. This means that while they might apply to many scenarios you see in a case setting, there may also be other standards that are more appropriate to use, such as CSAE 3530 and CSAE 3531.

In a case setting, the case facts that should trigger you to consider CSAE 3000 and CSAE 3001 as a viable option would be a request for an audit or review of subject matter that is not a financial statement or a part of a financial statement. Examples include whether a company is achieving its KPIs or whether it has satisfied the recommended best practices of a governing body.

Is a CSAE 3000 or CSAE 3001 engagement a review or an audit?

Both CSAE 3000 and CSAE 3001 can be performed at a reasonable level of assurance (audit) or a limited level of assurance (review). The difference between these two standards is not the level of assurance, but how the subject matter is examined.

What is the difference between CSAE 3000 and CSAE 3001?

In a CSAE 3000 (attestation) engagement, an individual who is not the practitioner (usually management) determines the criteria and assesses whether the subject matter has satisfied these criteria. The practitioner will then examine the work of the other individual and conclude (review) or provide an opinion (audit) on whether the subject matter is free from material misstatement.

In a CSAE 3001 (direct) engagement, the practitioner will compare the subject matter to the criteria and will then provide a report that summarizes the results of this work and concludes (review) or provides an opinion (audit) on whether the subject matter is materially misstated. Because the practitioner (and not management) is comparing the subject matter to the criteria, CSAE 3001 is more time-consuming and therefore, more costly than CSAE 3000. In a case setting, if the client is sensitive to the cost of the engagement, they may prefer to do some of the work on their own and CSAE 3000 would be appropriate. On the other hand, if they do not have the time or resources for this, CSAE 3000 may be appropriate.

CSAE 3530 and CSAE 3531

CSAE 3530 and CSAE 3531 provide guidance for assurance engagements that report on an entity’s compliance with specific requirements such as a business contract. These engagements must also comply with CSAE 3000 and CSAE 3001 because they are the conceptual framework for non-financial statement assurance engagements; however, when specific requirements or agreement terms are present in a case setting, you should discuss CSAE 3530 and CSAE 3531 because these would be the most relevant standards.

Like CSAE 3000 and CSAE 3001, CSAE 3530 and CSAE 3531 can be performed as both an audit and review.

What is the difference between CSAE 3530 and CSAE 3531?

CSAE 3530 is an attestation engagement. In this engagement, management will have assessed the company’s compliance with the set of requirements and will have made a statement on whether the company has satisfied them. The practitioner will then audit or review this claim and provide a conclusion (review) or opinion (audit) on whether the company has complied.

CSAE 3531 is a direct engagement, and like CSAE 3001, involves the practitioner assessing the company’s position against the requirements rather than assessing management claims.

What are examples of engagements where CSAE 3530 and CSAE 3531 would be used?

Examples you may see in a case setting would include:

  • Funding agreements that require the recipient to assure that money was used for its specified purpose (e.g., spent only on purchasing food for pets in a humane society)
  • Compliance with requirements in laws or regulations for the industry in which the company operations (e.g., emissions limits)
  • Compliance with bank covenants

Special Reports on the CFE

Special reports are a commonly tested topic on the CFE, particularly for candidates writing the assurance role on Day 2. The CFE may test the choice of special report, special report procedures, or both. While you must adapt to the issue in front of you, there is a common approach that can often be taken for this commonly tested topic.

Step 1: Identify the valid report options

Before you begin writing, identify what the valid reporting options are for your client. Consider the:

  • Type of subject matter being examined (financial vs. non-financial, historic vs future-focused)
  • Level of assurance (audit vs. review) needed by your user, and
  • Cost considerations

It is unlikely that there will be only one valid special reporting option because comparing special reports using case facts is often how depth is achieved on the CFE. Do not jump to writing your response when you have found one viable option – consider whether there are any others. Aim for two valid report options to develop depth in your response. Keep in mind that sometimes there is only one valid report option based on the case facts so do not waste time discussing options that are not valid.

Step 2: Explain the valid reporting options

When you have identified the viable options, it is time to begin your response:

  • State the viable special report options
  • Explain each option and how it will be used to meet the user’s needs by integrating case facts
  • Explain the advantages and disadvantages of each report option
  • Consider the user’s objectives or preferences (e.g., lower cost, preferred level of assurance)

Step 3: Recommend a report option

You should conclude which report is the most appropriate considering the user’s needs, and this recommendation should be consistent with the analysis you performed in step 2.

Step 4: Other considerations

It may be that the user needs to obtain further information before a decision is made. If this is the case, you should still conclude based on the information that is provided, and then recommend further information that could be collected which may change that decision.

The required may have also requested procedures. If so, you should prepare these immediately after your discussion of the special report options while it is clear in your mind. These procedures should be consistent with the type of engagement being performed (audit or review) and should clearly communicate:

  • The risk area for the special engagement
  • The specific steps to test the identified risk area including the documentation or information the practitioner will need and what it will be used for

These special report options and more are discussed at length in our Scenario Flowcharts Workbook which is included in our CFE Prep courses, and in the Competency Map Study Notes.