Define the problem
Often the second stage of an assurance engagement is a discussion on diagnosing the nature of the problem, and identifying exactly where increased credibility could add value. Here we have collated guidance on identifying risks. Frequently, by the time an assurance practitioner is involved, it is already clear what the problem is.
Asking good questions
In many instances, an organisation’s needs may be very specific. For example, management may be required by law or regulation to obtain an independent assurance report, relating to the organisation’s compliance with a particular law or regulation.
In other instances, the organisation’s management may have concerns that do not relate to any legal requirement. These could be best addressed with an assurance engagement on a particular aspect of the entity’s activities, or could be best addressed in some other manner. Dialogue between the practitioner and management will be essential to understand management’s needs and to identify which service offering is the most appropriate to address this need.
An experienced professional will be able to translate the needs of the management into a range of appropriately structured solutions and support management with choosing between these.
The first step, both for management and for a practitioner, is to ask the right questions to identify the nature of the problem and determine what approach will be most useful in addressing it.
- Has there been a breakdown of trust? If so, what information is mistrusted?
- What is the risk? What is the corresponding opportunity that makes this risk worthwhile to the organisation?
- Which elements of the organisation are involved?
- Which other stakeholders are involved?
- Has this problem been discussed in the past? If so, what approach was taken? What worked then and what didn’t work?
- Has the organisation dealt with similar problems before? If so, what approach was taken? What worked then and what didn’t work?
- Whose concerns need to be met with assurance? (ie senior management concerns about activity within the organisation; external stakeholders’ concerns; potential investor concerns; customer concerns)
To provide the most appropriate service, the practitioner might ask questions, such as:
- What issue or topic is management concerned about and why?
- What is the proposed subject matter? Does improving the credibility of this subject matter address management’s real concern?
- Is information prepared by management provided to external parties? If so, who looks at the information and for what purpose?
- Does management’s report offer any assertions on the subject matter themselves, such as a statement of responsibilities and compliance or a formal “sign-off”?
- Are there relevant legal or regulatory drivers for the assurance report?
- Would a professional opinion or other professional report add credibility to information connected with this issue? If so, how – what options are available?
- Who are the intended users of the practitioner’s report and what are their expectations? Do they expect to be involved in setting the scope of the work?
Discussing these questions with management and, where appropriate, with other potential users of the report will help the practitioner determine whether a report from a practitioner can add value and, if so, whether this should be an assurance opinion in accordance with assurance standards or another form of report.
The thought process should help management become more specific about the expectations and the understanding of who the users of the assurance report are and what they will need it for.
While assurance services are often designed as a reaction to a specific entity’s need, service design processes can also help practitioners proactively identify opportunities where new assurance services could manage risk for an organisation and its stakeholders, unlock value for them, or both.
The pitfalls of linguistic ambiguity
Assurance is a term commonly used to refer to any type of work that provides confidence to the recipient. Much of what practitioners do for their clients constitutes ‘assurance’ of this kind in one form or another. For example, a Chief Finance Officer may initially want assurance over the internal controls in a key subsidiary. What the CFO is actually seeking may be objective evaluation by the practitioner of the controls as designed and operated.
Practitioners can meet such a request in several different ways. It is therefore important that practitioners and their clients explore together the nature of the organisation’s needs, because the language used may unnecessarily confuse the situation.
Is it covered by the statutory financial audit?
While financial statement audit remains an essential activity for many companies, providing assurance over the annual accounts, the scope of the audit is limited to the financial statements. ‘The journey: assuring all of the annual report?’ explains in more detail the scope of the audit and how misunderstandings around the nature of the auditor’s work on other information included in companies’ annual reports have led to the development of an "assurance gap". Users of annual reports often believe that narrative information and financial and non-financial information in the "front end" has been tested to the same extent as the financial statements and is included in the “true and fair” opinion when this is not the case.
Introducing regulatory assurance requirements
Some issues affecting all entities operating in a particular sector have given rise to regulatory assurance requirements. These include: Financial Conduct Authority requirements for assurance on client assets; NHS Improvement’s requirements for assurance over NHS quality reports; the Solicitors’ Regulation Authority requirements for assurance over compliance with the Solicitors’ Accounts Rules; and the Civil Aviation Authority Air Travel Organiser’s Licensing Scheme requirements.
Trade and industry bodies that do not have the status of regulators may also have assurance requirements for members, for example the National Federation of Property Professionals client money report.
Although some regulatory and trade body requirements are mature with an established scope of work and a reporting requirement that is generally acceptable to practitioners, an established approach may not yet have developed for newer requirements. In the absence of a well-trodden path, discussions between the practitioner, entity management and, if possible, the third party, will be needed to reach agreement on an approach.
Risk management / assurance mapping
Where management and those charged with governance are not aware of an issue with how a specific risk or new regulatory requirement is being managed, they may assume, perhaps wrongly, that the business is in a steady state.
An assurance mapping process can identify all the sources that provide assurance of how risks are being managed, identify potential gaps or new and emerging assurance needs, or provide the framework for a cyclical re-assessment of the adequacy and appropriateness of current sources of assurance.
An assurance map is a structured means of identifying and mapping an organisation’s risks to the main sources and types of assurance over these. It enables coordination of assurance processes and providers to best effect. It also provides the evidence that may be needed to support:
- management confidence in their assertions, particularly those in relation to internal control;
- audit committee assurances to the board on the state of internal controls; and
- public statements by the board as to the state of internal control.
To further support practitioners in managing risk during an assurance engagement, ICAEW's Audit and Assurance Faculty produced a guidance document: AAF 04/06.
When a problem isn’t a problem
Every opportunity comes with some associated risks, and some of those risks are nothing more or less than the price of those opportunities. For example, the potential for human error in quality control processes cannot be wholly eliminated by assurance over those processes.
In such cases, stakeholders are more likely to be concerned that any loss they suffer is covered by externally underwritten insurance or self-insurance – which might be limited to maintaining adequate reserves to absorb any losses. Insurance prevents short-term direct losses only; it does not protect against indirect loss, including loss of reputation. The adequacy of insurance is an important concern for business, but is not covered further in this guidance.
In other cases, what appears to be a flaw in the system may in fact be beneficial for reasons that are only apparent on closer investigation. For example, staff in a professional services business may be allowed to self-authorise expenses. While this may appear to be an obvious control flaw, it may be necessary to manage time lags in the system and an inability to reclaim expenses from clients promptly.
There may be other controls including requirements for staff to comply with ethical standards and independent checks on the nature and value of expenses charged to clients and to company managed accounts. These and related checks may more than compensate for the risk associated with the lack of a primary authorisation check.
Other problems may be genuine, but, when their potential effect is considered in the context of the performance of the organisation as a whole, far less important than they appeared at first. The best approach could simply be to review the situation every so often.
ICAEW's assurance resource
This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.