An assurance report is the tangible output of an assurance engagement. This report may be for internal use or for external use, but it will always be shared with the person using the information who needs to be confident that it is credible.
Based on the evidence obtained during the engagement, the practitioner concludes whether the assurance objective has been met. The objective would be for either a positive or negative assurance conclusion to be issued in accordance with the type of assurance, ie, reasonable or limited assurance, as agreed at the start of the engagement.
The title of an assurance report delivered in accordance with applicable assurance standards includes the term "assurance". This distinguishes it from reporting on non-assurance engagements, for instance agreed-upon procedures engagements – even though such non-assurance engagements may be referred to by clients and other users colloquially as assurance. An assurance report draws the attention of the addressees to the basis of the practitioner’s work (such as ISAE 3000 (Revised) and any appropriate technical releases).
Where the responsible party decides the scope of engagement or, in particular, provides a written assertion or statement on the subject matter, the practitioner communicates the fact, including how the scope of the report is defined and how the criteria have been selected, in the assurance report. The practitioner also describes any significant, inherent limitation associated with the evaluation or measurement of the subject matter against the criteria in the assurance report.
For the assurance conclusion not to be misleading, the practitioner needs to consider whether the responsible party’s assertions or statements on the subject matter are appropriate. The practitioner should discuss misstatements and deficiencies with the responsible party in the event that they may wish to rectify the assertions or statements or the supporting detail. In the event that the responsible party refuses to do so, the practitioner considers the implication for the assurance report.
The assurance report reflects the agreement set out in the engagement letter and is supported by the work carried out by the practitioner. The report makes clear for whom it has been prepared, who may have access to it, and who is entitled to rely upon it and for what purpose, in accordance with the engagement terms.
The assurance report states the restrictions on its replication in whole or in part in other published documents. The practitioner may be guided by AAF 04/06 (risk and liability) in determining what restrictions to place on distribution and use of and reliance on the report; applicable regulations or contractual terms will also have a bearing on the practitioner’s decisions in relation to use and availability of the report and, therefore, on the wording of any restrictions, caveats and disclaimers.
In drafting the assurance report it is important for the practitioner to be aware of the language being used. It is important that language that implies assurance – including words such as "opinion" and "conclusion" – is used only in relation to those aspects of the subject matter on which the practitioner has agreed to provide assurance as reflected in the objectives of the engagement and the wording that is used in the management’s assertions or statements.
While the practitioner may have formed professional views on other related aspects of the subject matter and the processes and controls surrounding information flows, these should not be expressed in the same language as is used for the assurance conclusion itself. It may be more appropriate to report on such related matters in a private report for management only – a "highlights memo" or management letter – or as a separate appendix which makes it clear that these views do not affect the assurance conclusion.
The key requirements are that the language in the assurance report should be:
- Consistent with the scope of work agreed in the engagement letter: ie, that it reflects accurately the scope of work agreed.
- Consistent with that used in the management assertions: ie, that it:
  - uses the same terminology; and
  - uses language that is consistent with the nature of the assurance so that it is clear whether the conclusion is over selected data, processes and controls or a whole report.
- Internally consistent between the elements of the report itself, for example:
  - terminology should be consistent throughout;
  - should the scope of work agreed be data, then the description of the work performed and conclusion reached should refer to data and not processes or a whole report; and
  - the conclusion should not imply assurance over the operation of controls in the system used to calculate the data, unless that was both intended and a part of the scope of work agreed.
To achieve this degree of consistency it is expected that the practitioner will be involved in detailed discussions with the client regarding the wording not just of the assurance report, but also of the management assertions in the course of the engagement.
Provided management’s assertions or statements are made available with the subject matter, it is acceptable for the assurance conclusion to be expressed in terms of either the management assertions or by direct reference to the subject matter. The report will still be appropriate for an attestation engagement.
Options for the qualification of the report and the importance of obtaining an understanding of engagement circumstances as they potentially impact the assurance conclusion.
The practitioner considers other information supplied by the responsible party or users. If such other information is inconsistent with the assurance conclusion or with other matters that the practitioner is or has become aware of, the practitioner discusses this with the client and may wish to draw attention to the fact in the assurance report.
The practitioner only signs the assurance report as agreed in the engagement letter if sufficient and appropriate evidence to support the assurance conclusion is obtained. Where either the responsible party or users subsequently ask the practitioner to provide reports on related matters which are not directly covered by the scope of the engagement, the practitioner is unlikely to be able to issue such reports.
The practitioner may, however, be able to issue an alternative form of report which is capable of being supported by work performed as part of the engagement, such as a report of the factual findings of agreed-upon procedures. The practitioner agrees a separate engagement for such assignment with the party that requests an additional report.
While performing procedures on the operations performed by third parties, the practitioner may become aware of uncorrected errors, fraud or illegal acts attributable to the responsible party’s systems, management or employees that may affect the functions that interact with the users.
Unless clearly inconsequential, the practitioner determines from the responsible party whether this information has been communicated to the affected users. If the responsible party has not communicated this information to the users and is unwilling to do so, then the practitioner considers the implications for the engagement.
Where the engagement is with the responsible party, the practitioner informs the responsible party’s audit committee or other management with equivalent authority. If the audit committee or equivalent authority does not respond appropriately, the practitioner considers whether to resign from the engagement and whether any other action or reporting is appropriate.
The practitioner is generally not required to confirm with the users whether the responsible party has communicated such information. However, if the client is the user, the practitioner considers the materiality of the matter and whether the matter has been brought to the attention of the responsible party and promptly corrected. Depending on the outcome, the practitioner may need to take advice on further actions.
The practitioner is associated with a subject matter when reporting on information about the subject matter or consenting to the use of the practitioner’s name in a professional connection with respect to that subject matter.
If the practitioner learns that the client (or any other party) is inappropriately using the practitioner’s name in association with a subject matter, the practitioner requires the client (or other party) to cease doing so. The practitioner may also consider what other steps may be needed, such as informing any known parties that may have received the report that inappropriately uses the practitioner’s name and seeking legal advice.
During the course of an assurance engagement, practitioners may come across matters that may not be sufficiently significant to affect the assurance conclusion, but may nevertheless be useful for management. Such matters may include errors, deficiencies and risks that relate to the subject matter but are not material to the conclusion; recommendations; and comment on the status of matters that were included in a similar report to management in previous periods.
Matters for communication to management are not a qualification of the assurance conclusion. These matters are therefore communicated preferably in a separate management letter rather than in the assurance report.
ICAEW's assurance resource
This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.