Agreeing terms of engagement
Guidance on how to agree terms of engagement when drawing up an assurance engagement letter. In particular, the differences in approach when the responsible party is the client and when the users are the client.
Where the responsible party is the client
The responsible party may engage the practitioner to perform an assurance engagement to increase its own and users’ comfort over its operations performed in relation to the users or the information it has produced for the benefit of the users.
Where the responsible party engages the practitioner to perform an assurance engagement, it becomes responsible for enabling the practitioner to perform the necessary procedures to form the assurance conclusion. These include:
Providing sufficient access
Access is required for the practitioner to obtain information to understand the requirements of the engagement and to allow performance of the necessary procedures. This should include access to personnel within the responsible party, as well as to premises and relevant operational and other records. The responsible party should also take ownership of the completeness and accuracy of information supplied to the practitioner during the course of the engagement.
If the responsible party (or any other party to the engagement) restricts the practitioner from obtaining the evidence required in reaching the assurance conclusion, this may be considered a material limitation on the scope of the practitioner’s work and may affect the assurance conclusion.
Disclosing significant changes or events
Anything that has occurred or is expected to occur that could reasonably be expected to have an effect on the assurance conclusion.
Disclosing any illegal acts, fraud, or uncorrected errors
Anything of this nature that is attributable to the responsible party’s management or employees and that has affected or may affect the users, together with the responsible party’s whistle-blowing arrangements, is disclosed to the practitioner.
Disclosing all other significant matters of which it is aware and that might have a bearing on the subject matter or subject matter information, user needs or any other matters that affect the engagement scope or the procedures the practitioner performs, including the assurance report.
A letter of representation
Providing the practitioner with a letter of representation that includes confirmation of the responsible party’s responsibilities for the provision of information to the practitioner; for assertion-based reports, the provision of a written assertion on the subject matter or subject matter information; the application of suitable criteria; and, where appropriate, that the responsible party has complied with the contractual requirements with users and other relevant standards and obligations.
The practical value of discussing these matters in detail at an early stage is that it will highlight any issues with gaining access to information which could later result in limitations.
Where the responsible party reports on the subject matter, this may contain descriptions of the operations performed, the evaluation or assessment of the actual performance, any other relevant information (eg, internal controls exercised over the operations) and any significant matters that the responsible party considers need to be brought to the attention of the users. The responsible party is responsible for the completeness, accuracy, validity and method of presentation of the information within the responsible party’s report. The assertions made in the report are also the responsibility of the responsible party and the practitioner obtains representations to that effect.
If the responsible party’s assertions depend on an internal audit, or if you are planning to rely on internal audit, then you need to discuss this with the client as part of the engagement set-up.
The practitioner considers the duty of care to his client. AAF 04/06 provides principles-based best practice guidance on the process that the practitioner undertakes when considering requests from the responsible party for assurance reports.
When the users are the client
Users may engage the practitioner to assess aspects of the operations performed, or information provided, by the responsible party with a view to increasing their confidence in these aspects and information. The practitioner considers the increased assurance engagement risk when accepting an engagement assigned by the users, because the responsible party may not be part of the engagement, which will affect the practitioner’s knowledge of the subject matter and the evidence gathering process.
In this type of engagement, the responsible party has a contractual (or other) obligation only to the users, but not to the practitioner. It is therefore important for the practitioner to consider to what degree access to the information at the responsible party is required and whether such access is possible, as this may affect the assurance conclusion.
Where the users engage the practitioner to perform an assurance engagement, they are expected to fulfil their responsibilities, which are broadly in line with those for an engagement with the responsible party. Users are responsible for arranging access for the practitioner to the responsible party’s personnel, information and documentation. The users and the responsible party will need to contract or agree other arrangements that are suitable for the practitioner to obtain sufficient information and evidence to support conclusions.
Similarly, access to personnel, premises and relevant operational and other records kept at the user’s premises may also be needed. Where relevant, the users may provide information on issues, changes or other matters of significance that they are aware of and that may have an effect on the assurance conclusion.
Although a management representation letter from the responsible party may not be obtainable for this type of engagement, the practitioner may find it useful to obtain a written confirmation from the responsible party on the factual findings and its responsibilities in relation to the subject matter (eg, the terms of the contract) before releasing the draft report to the client. The practitioner may need to contract separately with the responsible party to ensure rights of access and agree protocols for obtaining information.
The practitioner ensures that reporting protocols regarding who has access to draft or final reports and the rights and obligations (for example to confirm factual accuracy of findings) of the responsible party to comment on, or require the practitioner to reflect comments in, the report are agreed with the responsible party and where appropriate, with the users. The basis of such provision is agreed in writing and does not establish any additional duty of care outside the terms of the engagement.
The practitioner considers the duty of care to his client. While AAF 04/06 provides principles-based best practice guidance on the process the practitioner takes when considering requests for assurance reports, it is designed for circumstances where the responsible party is the client. The practitioner may wish to seek independent legal advice where appropriate.
Page reviewed April 2018. Next review April 2019
ICAEW's assurance resource
This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.