Attestation vs direct reporting
The International Framework for Assurance Engagements further differentiates assurance engagements into two types. The differentiation is based on who initially measures or evaluates the subject of interest (subject matter) and provides information about it.
In an attestation (also known as assertion-based engagement), the responsible party carries out the measurement or evaluation of the subject matter and reports the information. This subject matter information contains the responsible party’s assertion (for example: "The subject matter information is fairly stated as of date/month/year"). The work the practitioner performs is to give an assurance conclusion on this assertion.
Sometimes, management may engage another third party to carry out the measurement or evaluation of the subject matter. The assurance practitioner will need to understand the split of responsibilities between management and the third-party preparer (for example, is management in any case required to take responsibility for the third party's evaluation and assertion?) in order to determine how best to structure and contract for the engagement.
Both the subject matter information including the responsible party’s assertion and the practitioner’s assurance report are made available together to the intended users. Attestation engagements are a familiar form of assurance engagement, as audits and reviews of financial statements have been structured as attestation engagements: management reports the financial performance and position in the annual accounts, asserts the information as being true and fair, and the practitioner gives a conclusion on the assertion.
In a direct (direct reporting) engagement, the responsible party does not present the subject matter information in a report. Instead, the practitioner measures or evaluates the subject matter and reports on it directly, providing the intended users with an assurance report that itself contains the subject matter information.
An example of a direct engagement would be a Sarbanes-Oxley engagement to report on the effective control over the financial reporting process.
A direct assurance conclusion would be constructed as: "In our opinion the company maintained, in all material respects, effective internal control over financial reporting as of date/month/year, based on the criteria established in Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)."
Attestation vs direct
Practitioners more commonly perform assertion-based engagements. This is because, ultimately, management (as the responsible party) are responsible for their business and, therefore, should be in a position to present relevant assertions in the subject matter information. They are also in a better position to understand who would use the information, what users want to see, in what format, and for what purpose.
Service organisation assurance reports are a well-established example of attestation assurance engagements. Service organisation management is responsible for the preparation of the description of its system and of the accompanying service organisation’s statement, including the completeness, accuracy and method of presentation of that description and statement.
The service organisation's written assertion as to the fair presentation of the description of the system, the suitability of the design of the controls and the operating effectiveness of the controls may be attached to the description of the service organisation's system, or may be included in the description if clearly segregated from it, for example through the use of headings.
It would be difficult for an assurance provider to accept an engagement to provide assurance over controls without such an assertion and description. The risk of providing assurance over controls about which management themselves had made no assertion would be very high, and the user of the report would not know which controls were in the scope of the assurance: the subject matter would not be identifiable.
In contrast, an engagement to provide assurance over client assets in accordance with the FRC’s CASS standard is a direct assurance engagement.
These engagements are acceptable to practitioners because the standard requires management to provide written representations to the assurance provider confirming, among other matters, that:
- they acknowledge their responsibility for maintaining CASS records and systems of control in accordance with the rules of the FCA; and
- the regulated entity has complied, as far as management are aware, with all relevant CASS Rules throughout the period and at the period end, other than in respect of those breaches which they have notified to the CASS auditor.
It could be argued that, absent a description of the systems and controls relevant to compliance with the client asset rules, the subject matter of a CASS assurance engagement is not identifiable. However, the CASS regime, and related assurance requirement, is well-established and the degree of prescription in the assurance standard pre-supposes a common core of controls in operation at all regulated entities.
It is perhaps easiest to understand the concept of direct reporting engagements in the context of regulatory compliance assurance where, whether or not a compliance statement is required to be made and/or published by management, the responsibility both for compliance and for regular monitoring of compliance clearly rests with management as a matter of regulation.
However, ISAE 3000 (Revised) and the IAASB's Amended International Framework for Assurance Engagements seem to envisage direct reporting scenarios where the assurance practitioner measures quantitative information and presents this in the assurance report alongside an assurance conclusion.
It is less easy to understand how the structure of such direct engagements can be compatible with the relevant independence requirements, and many practitioners are cautious about accepting such engagements except where a direct report is required by law or regulation.
ICAEW's assurance resource
This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.