Scope
The American Institute of Certified Public Accountants (AICPA) issues professional standards for CPAs through several boards and committees. These standards govern engagements performed for non-public entities. For audits of SEC registrants, PCAOB standards apply instead.
The AICPA's standard-setting bodies and their products:
- Auditing Standards Board (ASB) — issues Statements on Auditing Standards (SAS), codified as AU-C sections. Governs financial statement audits of non-public entities.
- Accounting and Review Services Committee (ARSC) — issues Statements on Standards for Accounting and Review Services (SSARS), codified as AR-C sections. Governs compilation and review engagements.
- Attestation Standards Subcommittee — issues Statements on Standards for Attestation Engagements (SSAE), codified as AT-C sections. Governs attestation engagements other than audits (e.g., SOC reports, examination of prospective financial information).
- Forensic and Valuation Services Executive Committee — issues Statements on Standards for Valuation Services (SSVS). Governs business valuation engagements.
- Tax Executive Committee — issues Statements on Standards for Tax Services (SSTS). Governs tax practice.
- Professional Ethics Executive Committee — issues the AICPA Code of Professional Conduct, governing independence and ethical behavior.
AU-C — Auditing Standards (private company audits)
The AU-C series mirrors the structure of International Standards on Auditing (ISA) and is broadly aligned with PCAOB AS, though numbered differently. Key sections:
- AU-C 200 series — General Principles and Responsibilities
- AU-C 300 series — Risk Assessment and Response to Assessed Risks
- AU-C 500 series — Audit Evidence
- AU-C 600 series — Using the Work of Others
- AU-C 700 series — Audit Conclusions and Reporting
- AU-C 800 series — Special Considerations
- AU-C 900 series — Special Considerations in the United States
Notable individual standards: AU-C 240 (Consideration of Fraud), AU-C 315 (Understanding the Entity), AU-C 330 (Performing Audit Procedures), AU-C 540 (Auditing Accounting Estimates), AU-C 700 (Forming an Opinion), AU-C 705 (Modifications to the Opinion), AU-C 940 (Audit of Internal Control — the private-company counterpart to PCAOB AS 2201).
SSARS — Compilation and Review (AR-C sections)
For non-public entities, three levels of service exist below an audit:
- Preparation Engagement (AR-C 70) — the CPA prepares financial statements but issues no report. Used when management needs help producing statements but doesn't require any external assurance.
- Compilation Engagement (AR-C 80) — the CPA presents financial information that is the representation of management; no assurance is provided. A compilation report is issued.
- Review Engagement (AR-C 90) — the CPA performs analytical procedures and inquiries to obtain limited assurance that no material modifications are needed. A review report is issued, with the limited-assurance qualifier ("nothing came to our attention").
Reviews are not audits. They don't require risk assessment, internal control evaluation, or substantive procedures beyond analytics and inquiry. For private-company financial statements where lenders or investors require some level of independent professional involvement but don't require full audit assurance, reviews are the common middle ground. Pricing typically runs 30–50% of an audit fee.
SSAE — Attestation Engagements (AT-C sections)
Attestation engagements cover anything where a CPA expresses a conclusion about subject matter other than historical financial statements. The most common in practice:
- SOC 1 reports — System and Organization Controls report on controls relevant to user entities' internal control over financial reporting (ICFR). Issued by service organizations (payroll processors, cloud-hosted ERPs, custodians) to enable their customers' SOX programs.
- SOC 2 reports — controls relevant to security, availability, processing integrity, confidentiality, and privacy (the Trust Services Criteria). Used widely by SaaS providers as a security attestation.
- SOC 3 reports — public-facing version of SOC 2, less detailed.
- Examination of prospective financial information — when a CPA attests to forecasts or projections (rare, but a defined service).
SSAE engagements come in three flavors of assurance: examination (reasonable assurance, the highest level), review (limited assurance), and agreed-upon procedures (no assurance; the CPA reports findings on specifically described procedures).
SSVS — Valuation Services
For CPAs performing business valuations or valuations of intangible assets (most commonly for ASC 805 purchase price allocations, ASC 350 goodwill impairment, ASC 718 stock-based compensation, or estate and gift tax matters), SSVS provides the practice framework. Two levels of service:
- Valuation Engagement — the CPA estimates value and issues a Valuation Report.
- Calculation Engagement — the CPA performs specified procedures resulting in a "calculation of value" rather than a valuation. Less rigorous, used when the client doesn't need full valuation services.
Code of Professional Conduct — independence
For audit and attestation engagements, independence is non-negotiable. The AICPA Code defines independence requirements through:
- Independence in fact — the auditor must actually be independent in mental attitude.
- Independence in appearance — a reasonable, informed third party must perceive the auditor as independent.
Specific prohibitions cover financial relationships, employment relationships, business relationships, and non-audit services to audit clients. For SEC registrants, the SEC's independence rules under Regulation S-X Rule 2-01 apply in addition to the AICPA Code and are generally more restrictive.
Common pitfalls
- Treating a review like an audit. Review engagements have a defined scope (analytics and inquiry) and a defined assurance level (limited). Performing audit-like procedures on a review engagement creates scope ambiguity that's hard to resolve in the report.
- Independence creep. Non-attest services performed for an attest client must be evaluated against the independence rules. Bookkeeping, payroll, tax compliance, and consulting can all impair independence depending on the scope and the safeguards in place.
- Confusing SOC 1 and SOC 2. SOC 1 is about ICFR — the controls a service organization has that its user entities rely on for their financial reporting. SOC 2 is about security and operational controls — not focused on ICFR. Many service organizations have both; user entities should request the one that addresses their actual risk.
- Missing SSARS preparation engagements. Engagements where a CPA prepares financial statements but doesn't issue a report still fall under SSARS (AR-C 70). The lack of a report doesn't mean the engagement is unregulated.
Access
AICPA standards are available at aicpa.org. Many sections are freely accessible; the full text of the Code of Professional Conduct and the technical standards is published through paid platforms. State CPA society membership often includes access.
Related references
- PCAOB Auditing Standards (the public-company counterpart)
- COSO Frameworks (the control framework used in AU-C 940 ICFR audits)
- SEC Reporting (Regulation S-X Rule 2-01 independence rules)