ICAEW.com works better with JavaScript enabled.

What is assurance?

Assurance is a general term for the comfort that can be derived from credible information. Here you can find guidance on: what assurance means, what can trigger the need for assurance, what an assurance engagement is and what assurance mapping is.

The nine stages

Typically assurance engagements can be broken up into nine stages, covering scoping, fieldwork and reporting.

Read now
Owners, management, investors, governments, regulators and other stakeholders need to rely on the successful conduct of business activities, sound internal processes and the production of credible information.

These operational and reporting processes enable users to make decisions and develop policies. Confidence diminishes when there are uncertainties around the integrity of information or of underlying operational processes.

There is a range of different ways of getting assurance, often summarised into the four lines of defence, which are:

  • the day-to-day management of risks during normal activity within an organisation;
  • the strength of broader control framework within that organisation;
  • an internal, independent perspective from internal auditors; and
  • an external perspective from an external assurance provider.

ICAEW's guidance on assurance focuses on the last two lines of defence, where assurance is taken from the independent work of an assurance provider either internal or external to the organisation.

What might trigger a consideration of assurance?

Something has happened that has raised the question of whether more assurance is needed.

This could be as routine as a director reviewing an assurance map and finding a place where a changing situation means that further assurance would be useful.

It could be the result of a new regulatory requirement, or it could be a concern (or the anticipation of a concern) raised by a stakeholder either inside or outside the organisation.

Or, in some cases, it could be a problem caused by poor-quality information leading to bad decisions, or failing to stand up to outside scrutiny.

Whatever the reason, a risk has been identified that might be mitigated if a piece of information was subject to greater scrutiny.

Targeting assurance: what is an assurance map?

Gaining assurance is a way of managing a wide range of risks, and an assurance map is a governance tool that shows at a glance how risks and assurance have been aligned across an organisation.

Managing risks is not the same as eliminating all risks. Without some level of risk, no organisation would be able to achieve its goals. The purpose of good risk management is to control the level of risks to suit the risk appetite of the business.

The assurance mapping process can be useful to organisations of any size or complexity, with or without a full assurance map being maintained.

How do assurance engagements work?

The Amended International Framework for Assurance Engagements, developed by the International Auditing and Assurance Standards Board (IAASB), identifies five elements that all external assurance engagements share:

The need for assurance only arises when one party wishes to take comfort over a subject matter prepared by a second party, and the assurance is only provided when a third party can provide an independent perspective.

That independent perspective is only useful if it is well understood by everyone involved, hence the importance of agreement on the subject matter and suitability in the criteria that it is assessed against.

The written report allows the first and second parties to hold the assurance provider to their word. If it is not supported by sufficient and appropriate evidence, then it may be providing false assurance. These elements are therefore necessary to ensure a good quality engagement.

The work of a professional accountant should always increase the confidence of those referring to it. However, that work is often concerned with the first and second lines of defence, and not with the provision of independent assurance that forms the third and fourth lines of defence.

The distinction may seem subtle, but it has significant implications in terms of the investment required to obtain the result and the level of comfort that can be taken from that result.

For example, an internal auditor could design a system of internal controls. An external professional accountant could put together an organisation’s statutory financial statements. In either case, the organisation would benefit from the expertise and skills of the practitioner.

If, however, further assurance was required, the practitioner would need to consider whether prior involvement with preparation of the subject matter (the internal controls or financial statements referred to above) constitutes a threat to their independence as an assurance provider and, if so, what steps should be taken to reduce such a threat to an acceptable level.

Relevant requirements and guidance can be found in our section on Professional Ethics and Independence

ICAEW's assurance resource

This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.

Find out more.