Where organisations or their stakeholders identify a specific need to build confidence in data, processes, or information, a professional accountant can play a valuable role.
Assurance reporting is one such role: an independent professional accountant with relevant experience applying the highest standards to examine data, processes, or information and expressing an assurance conclusion provides a strong signal of reliability.
Assurance reporting has been seen in the audit of financial statements for centuries. In recent years, it has also been successfully applied to areas, such as internal controls and sustainability information.
There are other benefits that assurance reporting can bring. For example, the assurance reporting process can help management enhance the quality of its internal systems and controls. An integral part of assurance reporting is the evaluation of assertions made by management over the subject matter.
Management’s process of developing the assertions that are subject to assurance, along with the recommendations resulting from the assurance work can together have great value in enabling improvement of the quality of systems and controls, and the information derived from them.
Lastly, the focus on user needs in the assurance reporting process highlights the importance of understanding and addressing stakeholder needs. As the credibility of information can only be judged meaningfully from a user’s point of view, management needs to consider or involve relevant stakeholders with a view to understanding their information needs. This process influences how organisations behave in their environment and engage with their stakeholders.
Using standards vs other forms of assurance
Key differentiators between an externally performed engagement performed in accordance with assurance standards and other forms of assurance are driven by:
- independence requirements;
- professional and ethical standards applicable; and
- whether the report is provided by an internal or external party.
External assurance using standards | Other forms of assurance | |
---|---|---|
Assurance provider must be independent within the meaning of the IESBA Code | Assurance provider need not be independent within the meaning of the IESBA Code therefore may be provided by an in-house internal audit function or an external practitioner | |
Provided by external practitioner | Provided in-house | Provided by an external practitioner |
Report must include a formal reasonable or limited assurance conclusion |
Reports may include professional views, ratings and gradings. In-house teams may be more relaxed about using wording that implies a formal assurance conclusion is being provided – and for some regulated internal audit frameworks, this may positively be required - but should not assert compliance with assurance standards | Report may not include a formal reasonable or limited assurance conclusion. Professional views, ratings and gradings may be provided but the report should state that these do not constitute assurance in accordance with assurance standards |
Scope of work must be adequate to support the assurance conclusion provided. This tends to require that a risk-based approach is taken and statistical sampling methods employed. | Scope of work determined by the head of internal audit and/or those charged with governance depending on the organisation’s needs. No maximum or minimum requirements. | Scope determined by responsible member of management/those charged with governance, with third parties where relevant. It may be within the practitioner’s remit to provide critical challenge as to the adequacy of the scope of work to the purpose |
Conclusion is based on testing of the subject matter against suitable criteria | Views, ratings and gradings may be based on subjective frameworks that would not necessarily meet the definition of suitable criteria, for example, the practitioner’s view of best practice. | Views ratings and gradings may be based on subjective frameworks that would not necessarily meet the definition of suitable criteria. The practitioner uses the engagement letter and the report itself to provide clarity over the basis for such views. |
To the extent that the report is shared with a third party user or made publicly available, the assurance provider’s reputation can provide added credibility to the report. | If the assurance provider considers it appropriate to permit the report to be shared or referred to externally, the assurance provider’s reputation can provide added credibility to the report. | |
May feel like a more formal process | May feel like a less formal process | The assurance provider can work with management to establish the intended tone of the engagement. |
Features of engagements applying standards
In an assurance engagement, an independent practitioner expresses a conclusion designed to enhance the degree of confidence of the user about the outcome of an evaluation of measurement of a particular item (known as a subject matter or subject matter information) against specified criteria.
For example, have certain identified corporate responsibility metrics (subject matter information) been prepared in accordance with the disclosed basis of preparation (criteria)?
The type of assurance conclusion required will affect the nature and scope of work that the practitioner carries out and the form of conclusion that the practitioner issues. The practitioner expresses either a reasonable assurance conclusion (equivalent to a financial statement audit level), opinion or a limited assurance conclusion (we can think of this as similar to a review level conclusion).
For interim reviews of financial statements, ISRE 2410 sets out a relatively specific scope and, therefore, results in financial statement reviews providing a relatively consistent level of assurance.
In the case of limited assurance over non-financial information, the scope of work and resulting level of assurance can vary considerably.
The practitioner’s report and the conclusion therein are for the benefit of intended users, usually comprising third parties, but which may also include management of the organisation. When the practitioner evaluates a subject matter against a set of criteria that is designed for a specific purpose, the report usually includes a statement restricting the use of the assurance report for that purpose. In addition, the report may indicate that it is intended solely for specific users.
For example, where the criteria are based on the terms of contract between two business partners, they may not be relevant or appropriate for, or even known to, other parties, including potential business partners.
Critical considerations
The following conditions are required to be met before accepting an assurance engagement:
- an expectation that relevant ethical requirements, such as independence and professional competence will be satisfied;
- an expectation that there is a rational purpose to the engagement;
- the engagement exhibits all of the following five elements:
○ a three-party relationship involving the practitioner, a responsible party, and intended users;
○ an appropriate subject matter;
○ suitable criteria exist and such criteria will be available to intended users;
○ the practitioner will have access to sufficient appropriate evidence to support the conclusion; and
○ a conclusion, in the form appropriate to the engagement, is to be contained in a written report.
If independent, external assurance is to be provided, the subject matter of the assurance engagement - whether or not it constitutes “historical financial information” - will help to determine the professional assurance standards and supporting guidance to be used.
The Amended International Framework for Assurance Engagements (the Framework) published by the IAASB sets out principles that apply to all assurance engagements. Detailed assurance standards, general or subject matter specific, are compliant with the Framework.
For assurance services, other than audits (ISAs) or reviews of historical financial information (ISREs) the applicable standards are International Standards on Assurance Engagements (ISAEs). Such assurance services can cover: internal controls and processes; contractual terms; pro forma financial information; sustainability reports and non-financial performance measures,
Although it might seem simple to determine whether or not subject matter is historical financial information capable of being subject to audit in accordance with ISAs and review in accordance with ISREs in practice it may not be clear-cut. For example a grant claim would initially appear to be historical financial information, but it is accepted practice for ISAEs rather than ISAs to be applied to grant claims.
The Framework does not establish the defining characteristics of historical financial information. A practical distinction may be that historical financial information tends to be extracted from a double-entry accounting system.
The practical consequence of this distinction is that historical financial information is made up of reciprocal populations over which cumulative evidence can be obtained through tests of both under and over-statement of opposing accounts on the debit and credit side of the accounting system; non-financial information is, generally, not derived from double-entry books accounting.
This fundamental difference in the nature of the subject matter has consequential differences for how the assurance provider plans and performs work and this is reflected in differences between the ISAs and the ISAEs.
As a result of either a client’s request or the need to comply with legal and regulatory requirements, the practitioner may be required to provide an assurance report in accordance with specific requirements or use specific wording which may conflict with an assurance engagement standard, such as ISAE 3000 (Revised).
Where in consequence the practitioner is unable to follow an assurance engagement standard in full, he should not refer to the assurance engagement as having been conducted in compliance with the standard. For many such engagements, however, the practitioner should make as much use of the ISAs or ISAEs and the Framework as is possible. This is because these assurance standards provide a clear set of principles for carrying out assurance engagements.
A particular challenge arises when a third-party requirement describes the practitioner performing a limited scope of work while also requiring the practitioner to express a conclusion in a positive form which would not be supported by the limited scope of work requested. In this scenario the practitioner could consider:
- Reaching agreement with management of the entity subject to the requirement to perform sufficient procedures to provide a reasonable assurance opinion. This will, however, result in the engagement costing more than envisaged by the third party, and that cost being borne by the entity.
- Tri-partite discussions with management of the entity and the third party to negotiate a more appropriate wording for the report.
- The practitioner declining to accept the engagement – this may, however, be difficult if the practitioner provides other services to the entity, such as the statutory audit.
- The practitioner accepting the engagement with the prescribed scope of work and report, subject to being permitted to clarify in the report or by way of an attached notice that, although the expression of a positive conclusion is required, the scope of work does not constitute reasonable assurance in accordance with assurance standards. The practitioner should also clarify whether the scope of work is sufficient to express a limited assurance conclusion in accordance with assurance standards, or whether no assurance can be provided.
The decision as to the type of assurance needs to be agreed with the client by the practitioner when agreeing the terms of engagement.
- Read more on the five elements of an assurance engagement
- Read more on the ethical requirements of an assurance engagement
Limited assurance vs reasonable assurance
ISAE 3000 (Revised) provides two options for assurance:
- Reasonable assurance which provides the user of the report with a relatively high degree of comfort that the subject matter is not materially misstated.
- Limited assurance which provides the user of the report with a lower level of comfort that the subject matter, ie not materially misstated. In the event that limited assurance is to be provided then the level of assurance must be at least meaningful.
Attestation vs direct reporting
The Framework further differentiates assurance engagements into two types. The differentiation is based on who initially measures or evaluates the subject of interest (subject matter) and provides information about it.
In an attestation (also known as assertion-based) engagement, the responsible party carries out the measurement or evaluation of the subject matter and reports the information (the subject matter information) which contains the responsible party’s assertion (eg, ‘the subject matter information is fairly stated as of date/month/year’). The work the practitioner performs is to give an assurance conclusion on this assertion.
In a direct (direct reporting) engagement, while the responsible party retains responsibility for the subject matter, it is the practitioner who measures the subject matter to derive the subject matter information, going on to provide the intended users with an assurance report containing the subject matter information.
ICAEW's assurance resource
This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.
Buyer's guide to assurance on non-financial information
Find out more about the 'Buyer's guide to assurance on non-financial information' from WBCSD.
Find out more