Audit Engagement Letters in Financial Services
Audit engagement letters are the foundational contractual documents that define the terms, scope, and responsibilities governing a financial audit before fieldwork begins. This page covers how engagement letters function within financial services, the regulatory expectations that shape their content, and the critical distinctions between letter types. Understanding these documents is essential for audit committees, compliance officers, and financial institution management navigating the audit process.
Definition and Scope
An audit engagement letter is a written agreement executed between an auditor and a client entity that formalizes the terms of the audit relationship prior to any substantive audit work. Under AU-C Section 210 of the American Institute of Certified Public Accountants (AICPA) standards, the auditor is required to agree on the terms of the audit engagement with management or those charged with governance — typically the audit committee — before the engagement commences.
The letter establishes the legal and professional framework governing the engagement. Its minimum required components, as specified by AICPA AU-C Section 210, include:
- The objective and scope of the audit
- The responsibilities of the auditor
- The responsibilities of management
- Identification of the applicable financial reporting framework (e.g., U.S. GAAP, IFRS)
- The expected form and content of the audit report
- A statement that circumstances may require modification of the auditor's report
For registered public companies, the Public Company Accounting Oversight Board (PCAOB) imposes additional requirements. PCAOB AS 1301, Communications with Audit Committees, requires auditors to communicate the terms of the engagement — including the planned scope and timing — directly to the audit committee. The engagement letter functions as a formalized mechanism for satisfying portions of that obligation.
The engagement letter does more than create a contract. In the financial statement audit process, its execution marks the official start of the auditor-client relationship, which has direct implications for independence determinations, fee arrangements, and regulatory disclosures.
How It Works
The engagement letter process follows a defined sequence tied to professional standards and, where applicable, regulatory timelines:
- Engagement acceptance: The CPA firm conducts client acceptance procedures, evaluating independence, competence, and risk factors before issuing a letter.
- Draft and negotiation: A draft letter is prepared and reviewed by client management and legal counsel. In broker-dealer audits subject to PCAOB standards for financial audits, this draft must reflect PCAOB-compliant engagement terms.
- Audit committee review: For entities with audit committees (required for SEC registrants under Sarbanes-Oxley), the committee reviews and approves the engagement; in financial services, oversight of the engagement letter terms is part of the audit committee's role.
- Dual execution: Both the auditor's authorized representative and the appropriate client representative (typically the CFO or audit committee chair) sign the letter.
- Annual renewal or reissuance: Engagement letters are reviewed annually and reissued if the terms, entity structure, or regulatory requirements have changed materially.
A critical functional distinction separates new engagement letters from recurring engagement letters. A new engagement letter is issued when an audit relationship is established for the first time, when there is a change in auditor, or when a significant change in engagement scope occurs (such as a first-year audit following an IPO). A recurring or continuing engagement letter is a reconfirmation of existing terms, permissible under AICPA guidance when no material changes have occurred, though PCAOB-registered firms are generally expected to issue a fresh letter each year for public company audits.
Fixed-fee and hourly-fee billing structures both appear in engagement letters. Fixed fees are common in smaller financial institution audits; hourly or time-and-materials arrangements appear more frequently in complex engagements involving multiple regulatory frameworks, such as those combining a GAAS financial statement audit with a review of internal controls under Sarbanes-Oxley Section 404.
Common Scenarios
Financial services engagements produce several distinct engagement letter configurations:
Bank and credit union audits: Engagement letters for depository institutions must reflect applicable frameworks, including Federal Deposit Insurance Corporation (FDIC) requirements and, for institutions with total assets above $500 million, the audit and reporting standards under 12 C.F.R. Part 363 (FDIC audit requirements for banks). These letters often specify requirements for management reports on internal controls and attestation by external auditors.
Investment adviser and fund audits: Registered investment advisers and funds subject to SEC custody rules (Rule 206(4)-2 under the Investment Advisers Act of 1940) must obtain annual financial statement audits by a PCAOB-registered firm. Engagement letters for hedge fund and mutual fund audits typically identify the specific fund entities covered, because a single adviser may sponsor multiple fund structures.
Broker-dealer audits: Broker-dealers subject to FINRA oversight must obtain annual audits by independent PCAOB-registered firms. Engagement letters for broker-dealers must also address the supplemental auditor's report on internal controls (FOCUS Report compliance) required under SEC Rule 17a-5.
SOC report engagements: Service Organization Control (SOC 1 and SOC 2) engagements, common for payment processors and fintech entities, use engagement letters that identify whether the engagement is conducted under AT-C Section 320 (SOC 1) or AT-C Section 205 (SOC 2) of AICPA standards, creating materially different terms from a standard financial statement audit.
Decision Boundaries
The engagement letter defines what the auditor is — and is not — responsible for. Three decision boundaries carry recurring practical significance:
Scope inclusions and exclusions: The letter must specify which entities, locations, periods, and financial statement elements fall within scope. A parent-subsidiary structure, common in financial holding companies, requires explicit identification of consolidated versus standalone entity scope.
Responsibility allocation: Management responsibility for the preparation of financial statements and design of internal controls is formally documented in the engagement letter. This separation has direct bearing on auditor liability and on how regulatory examiners interpret the division of accountability during bank examinations or PCAOB inspections of financial services auditors.
Limitation of liability clauses: Some engagement letters include arbitration clauses or liability caps. State-level professional liability rules affect whether these clauses are enforceable; CPA licensing boards in states such as California have issued guidance restricting certain limitation clauses for attest engagements.
Engagement letter versus management representation letter: These are distinct documents. The engagement letter precedes fieldwork and sets scope. The management representation letter is obtained near engagement completion and confirms management's assertions about the financial statements — a requirement under AICPA AU-C Section 580. Conflating the two creates audit documentation deficiencies that appear in PCAOB inspection findings.
For engagements that combine a financial statement audit with a compliance audit component (for example, a GAAS audit combined with a BSA/AML compliance review), the engagement letter must either cover both scopes explicitly or separate letters must be issued, each defining the applicable standards and deliverables.
References
- AICPA AU-C Section 210 — Terms of Engagement
- PCAOB AS 1301 — Communications with Audit Committees
- PCAOB AS 2101 — Audit Planning
- AICPA AT-C Section 320 — Reporting on an Examination of Controls at a Service Organization (SOC 1)
- 12 C.F.R. Part 363 — Annual Independent Audits and Reporting Requirements (FDIC)
- SEC Rule 206(4)-2 — Custody of Funds or Securities of Clients by Investment Advisers
- SEC Rule 17a-5 — Reports to Be Made by Certain Brokers and Dealers
- AICPA AU-C Section 580 — Written Representations