Attestation Report

An attestation report is an official document issued by an independent, trusted professional—typically a Certified Public Accountant (CPA)—that expresses an opinion on a specific claim or “assertion” made by a company. Think of it as a specialized fact-check. While a traditional audit report focuses on whether a company's overall financial statements are accurate, an attestation report can zoom in on almost any other piece of information. This could be a claim about the effectiveness of its cybersecurity measures, its compliance with environmental regulations, or the reliability of its internal billing system. The CPA examines the evidence behind the company’s assertion and then issues a report telling investors and other stakeholders whether that claim is fairly and accurately presented. The ultimate goal is to add a layer of credibility and assurance to information that falls outside the scope of a standard financial audit, making it more trustworthy for decision-making.

For the value investor, who acts like a financial detective, an attestation report is a valuable piece of evidence. It's an independent voice cutting through corporate jargon and marketing fluff.

Management teams are naturally optimistic about their own companies. An attestation report provides an objective, third-party check on their claims. This is crucial for verifying the “story” behind the numbers.

• Beyond the Financials: A company's true value often lies in intangible assets or operational strengths not fully captured in a Form 10-K. Is a tech company’s claim about 99.99% uptime a real, verified metric? An attestation report can confirm this, validating a core part of the investment thesis.
• Risk Mitigation: These reports can uncover hidden dangers. A report on a company's internal controls might reveal significant weaknesses, signaling poor management or a higher risk of fraud. A negative or qualified opinion is a serious red flag that warrants immediate investigation.
• Confirming a Moat: If a company's competitive advantage (its “moat”) is built on something like superior data security or an ethical supply chain, an attestation report verifying these claims provides powerful proof that the moat is real and defensible.

When you find an attestation report, don't just note its existence. Read the summary and pay close attention to these key elements:

• The Subject Matter: What exactly is the CPA giving an opinion on? Is it a critical part of the business, or something minor? A report on inventory controls for a retailer is far more important than one on the cafeteria's accounting.
• The Opinion Rendered: The conclusion is everything. There are four main types:
  1. Unqualified (or Unmodified) Opinion: The gold standard. The CPA agrees with management’s assertion without any significant reservations. This is a green light.
  2. Qualified Opinion: A yellow light. It's an “except for” conclusion. The CPA believes the assertion is fair except for a specific issue, which is detailed in the report. You need to assess if that issue is material to your investment.
  3. Adverse Opinion: A blaring red light. The CPA concludes the assertion is materially misstated and should not be relied upon. Steer clear.
  4. Disclaimer of Opinion: Another red light. The CPA states they were unable to obtain enough evidence to form an opinion. This often points to a lack of transparency or chaotic record-keeping.

It's easy to confuse these accounting reports, but they serve different purposes and provide different levels of assurance.

• Attestation Report:
  1. Focus: A specific management claim (e.g., “Our system processed transactions in compliance with GDPR”).
  2. Assurance: High. It's a formal examination.
  3. Analogy: A certified mechanic inspecting just the engine of a car you want to buy.
• Audit Report:
  1. Focus: The entire set of historical financial statements (the big picture).
  2. Assurance: High. The most rigorous and comprehensive examination.
  3. Analogy: The mechanic conducting a full, 150-point inspection of the entire car.
• Review Report:
  1. Focus: Historical financial statements, but much less detailed than an audit.
  2. Assurance: Limited. Primarily involves asking questions and looking for obvious anomalies.
  3. Analogy: The mechanic asking the owner a few questions and taking the car for a quick spin around the block.

Attestation reports are not just theoretical; you'll find them in practice, often providing critical insights.

• Service Organization Control (SOC) report: This is one of the most common types. If you're analyzing a SaaS company that uses Amazon Web Services (AWS) to host its platform, the company's own health depends on AWS's security and operational integrity. AWS regularly undergoes examinations and issues SOC reports, which its customers (like the company you're analyzing) can use to assure their own clients that the underlying infrastructure is sound.
• ESG & Sustainability Claims: As environmental, social, and governance (ESG) factors become more important, companies are making bold claims about their carbon emissions, water usage, or ethical labor practices. An attestation report from a CPA can verify these claims, separating genuine leaders from those engaging in “greenwashing.”
• Compliance with Contracts: A company may have debt agreements that require it to maintain certain financial ratios. An attestation report can provide assurance to lenders that the company is in compliance, preventing a potential default.