Standards and guidance

A comprehensive list of standards and guidance covering external assurance engagements. Find out which standards apply for engagements by subject area, as well as information on individual standards and the practical application of guidance to assurance engagements.

Please note: All of the IFAC standards referenced below sit beneath and operate within the structures described in the Amended International Framework for Assurance Engagements published by the International Auditing and Assurance Standards Board (IAASB).

Page reviewed March 2018. Next review due March 2019.

Standards and guidance by subject matter

Assurance area Standard(s)/guidance
Compliance with contractual agreements ISAE 3000 (Revised)
Environmental information ISAE 3000 (Revised), ISAE 3410
Ethics and behaviour ISAE 3000 (Revised)
Financial processes ISAE 3000 (Revised), Providing Assurance on Client Assets to the Financial Conduct Authority
Governance, strategy and management processes ISAE 3000 (Revised), AAF 01/06 Stewardship Supplement, AAF 12/16 Master Trusts Supplement, AAF 02/07 A Framework for Assurance Reports on Third Party Operations, AAF 04/13 Relevant Trustee Supplement
Greenhouse gas emission statements ISAE 3000 (Revised)
Information technology such as information flows and security ISAE 3000 (Revised), ITF 01/07 
Internal controls and internal control environment ISAE 3000 (Revised), ISAE 3402, AAF 01/06
Management information flows Risk management systems and processes
Operations and projects, including outsourced operations ISAE 3000 (Revised), SSAE 18, ISAE 3402, AAF 01/06
Quantitative information, including financial information and performance measures such as KPIs ISAs, ISRE 2400, ISRE 2410, ISAE 3000 (Revised), ISAE 3420, SIR 4000, AAF 02/06, AAF 09/13
Regulatory processes and compliance ISAE 3000 (Revised)
Risk management systems and processes ISAE 3000 (Revised)

Assurance standards

All IAASB standards, including ISAE 3000 (Revised), are available from: ifac.org

Standard Title Notes
ISQC1 International Standard on Quality Control, Quality Control for Firms that Perform Audits and Reviews of Financial Statements and Other Assurance and Related Services Engagements Issued by IAASB.
ISAE 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial Information Provides requirements and guidance on assurance engagements, other than audit or reviews of historical financial information. It is a principles-based standard that is capable of being applied effectively to a broad range of underlying subject matters, and provides a basis for current and future subject-specific ISAEs.

ISAE 3402 Assurance Reports on Controls at a Service Organization For practitioners engaged to give an assurance report on internal controls at service organisations. The scope of assurance reporting covers internal controls over the service the service organisation provides that are relevant to user entities’ internal control over their financial reporting. ISAE 3402 expands on how ISAE 3000 (Revised) is to be applied in a reasonable assurance engagement to report on controls at a service organisation.
ISAE 3410 Assurance Engagements on Greenhouse Gas Statements Deals with assurance engagements to report on an entity’s greenhouse gas statement. Assurance engagements envisaged may cover a GHG statement and other information, for example, when the practitioner is engaged to report on a sustainability report of which a GHG statement is only one part. ISAE 3410 expands on how ISAE 3000 (Revised) is to be applied in an assurance engagement to report on an entity’s GHG statement.
ISAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma Financial Information in a Prospectus Deals with reasonable assurance engagements undertaken by a practitioner to report on the responsible party’s compilation of pro forma financial information included in a prospectus. The ISAE applies where such reporting is required by securities law or the regulation of the securities exchange in the jurisdiction in which the prospectus is to be issued, or this reporting is generally accepted practice in such jurisdiction.
ISRE 2400 (Revised) Engagements to Review Historical Financial Statements Establishes standards and provides guidance on the practitioner’s professional responsibilities when a practitioner, who is not the auditor of an entity, undertakes an engagement to review financial statements and on the form and content of the report that the practitioner issues in connection with such a review. ICAEW issued technical guidance on performing an assurance review engagement on the financial statements of unaudited companies. See AAF 09/13.
ISRE 2410 Review of Interim Financial Information Performed by the Independent Auditor of the Entity Establishes standards and provides guidance on the auditor’s professional responsibilities when the auditor undertakes an engagement to review interim financial information of an audit client, and on the form and content of the report.
ISRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial Information Establishes standards and provides guidance on the auditor’s professional responsibilities when an engagement to perform agreed-upon procedures regarding financial information is undertaken and on the form and content of the report that the auditor issues in connection with such an engagement.
ISRS 4410 (Revised) Compilation Engagements Establishes standards and provides guidance on the practitioner’s professional responsibilities when an engagement to perform agreed-upon procedures regarding financial information is undertaken and on the form and content of the report that the auditor issues in connection with such an engagement.
SSAE 18 Reporting on Controls at a Service Organization Issued by AICPA as the authoritative US guidance for reporting on service organisations.

ICAEW and other guidance

All ICAEW Audit & Assurance Faculty Technical Releases, including AAF 01/06, are available here.

Guidance Title Notes
AAF 01/06 Assurance reports on internal controls of service organisations made available to third parties Issued in 2006 for practitioners engaged to give an assurance report on internal controls at service organisations. The scope of assurance reporting covers internal controls over the service the service organisation provides and is not restricted to controls related to financial reporting. The guidance contains reporting and assessment criteria for a range of financial service organisations.
AAF 01/06 Stewardship Supplement Stewardship Supplement to AAF 01/06 Issued to assist asset managers to obtain an assurance report on their compliance with the UK Stewardship Code published by the Financial Reporting Council (FRC) in 2010. The framework of assurance reporting follows that of AAF 01/06. The UK Stewardship Code was issued to enhance the quality of engagement between institutional investors and companies they invest in to help improve long-term returns to shareholders and the efficient exercise of governance responsibilities.
AAF 02/06 Identifying and managing certain risks arising from the inclusion of reports from auditors and accountants in prospectuses Guidance which addresses safeguards for accountants who prepare reports for inclusion in or with prospectuses and investment circulars and for auditors whose audit report is to be included or referred to in a prospectus or other investment circulars.
AAF 09/13 Assurance Review Engagements on Historical Financial Statements Guidance on performing assurance reviews of financial statements of UK companies that are exempt from the statutory audit requirement. AAF 09/13 is consistent with ISRE 2400 (Revised).
AAF 04/06 Assurance engagements: Management of risk and liability Guidance which assists accountants to mitigate their risks and liability when undertaking assurance engagements.
AAF 07/16 Chartered accountants’ reports on the compilation of financial statements of incorporated entities Guidance on the compilation of accounts of incorporated entities ie, prepared in accordance with the Companies Act 2006.
AAF 08/16 Chartered accountants’ reports on the compilation of historical financial information of unincorporated entities Guidance on compilation of historical financial information of unincorporated entities for general or specific purposes.
ITF 01/07 Assurance report on the outsourced provision of information services and information processing services Closely follows the framework set out in AAF 01/06 for a specific type of outsourced services – information and information processing services.
Providing Assurance on Client Assets to the Financial Conduct Authority Published by the FRC in 2015. The Standard provides guidance on the responsibilities of an auditor appointed to report on regulated firms’ compliance with the FCA’s Client Asset (CASS) rules. The document is available from frc.org.uk.
SIR 4000 Investment Reporting Standards Applicable to Public Reporting Engagements on Pro forma Financial Information SIR 4000 contains basic principles and essential procedures with which a reporting accountant is required to comply in the conduct of an engagement to report on pro forma financial information, which is included within an investment circular prepared for issue in connection with a securities transaction governed wholly or in part by the laws and regulations of the UK. The document is available from frc.org.uk.
Sustainability assurance: Your choice This booklet from ICAEW highlights key issues around the assurance of sustainability information using a series of questions and answers. The questions cover report users, what an assurance service is, what it should achieve, and what other services could help enhance business sustainability. 
Chartered accountant services: A Practical Guide This information sheet outlines three different services that chartered accountants provide to assist clients with company accounts. It also highlights when these services are appropriate and the key benefits arising from them.
SOC 1, 2, 3 SSAE 18 is typically complemented by the Service Organization Control (SOC) Reporting Framework (SOC 1, 2, 3). SOC 1-3 are developed to provide a reporting framework for service organisations on their internal control over financial reporting (SOC 1), for IT related controls concerning, for example, cloud computing, managed service, data centres (SOC 2) and web trust (SOC 3). SOC 1-3 are also issued by the AICPA. Access restricted to AICPA members only.
Amended International Framework for Assurance Engagements Published by IAASB in 2004, the framework sets out high-level principles applicable to various types of assurance services and might help to address some of these issues. But the practical application of this guidance still needs thorough testing.

Application of standards and guidance

Compliance with contractual agreements
Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Allocation of royalties The contractual clauses. NB May need to be supplemented by agreements with the contracting parties as to interpretations of clauses ISAE 3000 (Revised) 8, 9, 21
Shared profits, shared cost saving Joint venture agreements in relation to cost or profit sharing arrangements ISAE 3000 (Revised) 10, 11
Environmental information
Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Greenhouse gas emissions Greenhouse Gas protocol to quantify greenhouse gas emissions ISAE 3000 (Revised) 13
Risk assessment processes Equator principles: when evaluating social and environmental risks in project financing for emerging markets ISAE 3000 (Revised)
The Occupational Health and Safety Assessment Series 18000 to evaluate health and safety risks ISAE 3000 (Revised)  
Ethics and behaviour
Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Anti-bribery procedures Ministry of Justice guidance in relation to the Anti-Bribery and Corruption Act 2010 ISAE 3000 (Revised)
  OECD guidance on anti-bribery & corruption ISAE 3000 (Revised)  
Ethical investment arrangement and its function Standards as defined by independent bodies such as Transparency International and UN PRI ISAE 3000 (Revised) 16, 17

Financial processes
Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Cost saving achieved Gershon guidelines on cost savings for certain public sector bodies ISAE 3000 (Revised) 18
Pillar III solvency calculations Basel report in relation to Pillar III solvency calculations ISAE 3000 (Revised) 19
Compliance with FSA rules FSA guidance in relation to FSA returns ISAE 3000 (Revised) 20
Governance, strategy and management processes
Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Governance arrangement Objectives set by standards defining bodies such as the OECD ISAE 3000 (Revised)
Compliance with the Stewardship Code Investor stewardship in accordance with the principles in the FRC Stewardship Code ISAE 3000 (Revised), AAF 01/06 Stewardship Supplement
Management processes Process objectives set by the company ISAE 3000 (Revised)  
Information technology

This includes: information flows and security.

Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Data and information security AICPA SOC 2 and 3 frameworks for data centres and web trust ISAE 3000 (Revised)  
IT governance arrangement Various IT Governance references in ICAEW ITF 01/07 ITF 01/07

Internal controls

This includes the internal control environment.

Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Internal controls over financial reporting COSO report, as used for example in Sarbanes-Oxley opinions ISAE 3402 14
Corporate governance procedures Turnbull report and UK Corporate Governance Code ISAE 3000 (Revised)  
Internal controls over financial and operational controls Company developed framework; eg by reference to COSO or Turnbull report

Management information flows
Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Performance of internally developed processes and controls Documented internally developed procedures for managing and reporting on the effectiveness of the management information. ISAE 3000 (Revised) 4

Operations and projects

These may be performed by third parties

Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Internal processes and controls Process and control objectives agreed between the service and user organisations. ISAE 3000 (Revised)
Internal controls over financial reporting AICPA SOC 1 framework SSAE 16
Internal controls Process and control objectives set by professional bodies, eg, ICAEW AAF 01/06 on investment operations ISAE 3000 (Revised), ISAE 3402, AAF 01/06 12
  Process and control requirements set by regulatory bodies such as the FSA ISAE 3000 (Revised)
Quantitative information

This includes: financial information and performance measures, such as KPIs.

Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Financial statements International Financial Reporting Standards (IFRSs) ISAs, ISRE 2400
Performance of internally developed processes and controls Company developed processes and controls (or methodologies) eg, for TV programme voting systems ISAE 3000 (Revised)
Quality of performance Pre-defined arrangements and data measurement methods ISAE 3000 (Revised) 1
Achievement of operational/performance target Commonly used definitions of KPIs ISAE 3000 (Revised)  
  Sponsor defined KPIs; eg, for performance targets set by a Government Department for an arms-length body ISAE 3000 (Revised)
  Company defined processes and definitions in relation to benchmarking reports and analyses ISAE 3000 (Revised) 2, 3, 22

Regulatory processes and compliance

This includes: information flows and security.

Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Compliance with regulatory rules UK Government (or EU) Regulation together with any related guidance issued by the regulator ISAE 3000 (Revised) 5
Any specific regulatory undertakings eg, issued by the Competition Commission following an investigation ISAE 3000 (Revised) 7
Compliance with other rules Detailed rules of the industry association ISAE 3000 (Revised) 6

Risk management systems and processes
Example subject matter Evaluation criteria Assurance standards/guidance Vignettes
Business risk management arrangements Company's own criteria developed based on Turnbull report and International Standard for Risk Management AS/NZS ISO 31000:2009 ISAE 3000 (Revised) 15

ICAEW's assurance resource

This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.
