Reporting on compliance may be done in several situations:
An auditor may be asked to report on compliance with contractual agreements or regulatory requirements in connection with a financial statement audit.
A practitioner may be asked to report on an attestation engagement regarding an entity's compliance with requirements of specific laws and regulations or on internal control over compliance.
An auditor may report on compliance and internal control over compliance as part of a single audit engagement when auditing a recipient of federal financial assistance.
Often an auditor is asked to issue a report on a client's compliance with contractual agreements or regulatory requirements in connection with a financial statement audit. The auditor must have audited the client's financial statements and may only issue negative assurance on compliance.
This engagement is neither a compliance audit nor an attestation engagement, both of which may also be performed in relation to an entity's compliance with contractual agreements or regulatory requirements.
The attestation standards address two types of engagements:
Compliance With Specified Requirements: An entity's compliance with requirements of specified laws, regulations, rules, contracts, or grants.
Internal Control Over Compliance: An entity's internal control over compliance with specified requirements.
An SSAE report does not provide a legal determination of an entity's compliance with specified requirements. However, such a report may be useful to legal counsel or others in making such determinations.
Practitioners may be engaged to perform agreed-upon procedures or examination engagements on an entity's compliance. A practitioner should not accept an engagement to perform a review.
Attestation risk is the risk that the practitioner may unknowingly fail to modify appropriately his or her opinion. Similar to a financial statement audit, it is composed of inherent risk (assessed by auditor), control risk (assessed by auditor), and detection risk (controlled by auditor). The audit risk of noncompliance model adapts the terminology and relationships of the audit risk model.
Audit risk of noncompliance (should be low) = Risk of material noncompliance (assessed by auditor) × Detection risk (controlled by the auditor)
When an auditor is asked to issue a report on a client's compliance with contractual agreements or regulatory requirements in connection with a financial statement audit, which of the following statements is true?