What is assurance?
Here you can find guidance on: what assurance means, what can trigger the need for assurance, and what an assurance engagement is.
These operational and reporting processes enable users to make decisions and develop policies. Confidence diminishes when there are uncertainties around the integrity of information or of underlying operational processes.
There is a range of different ways of getting assurance, often summarised into the four lines of defence, which are:
- the day-to-day management of risks during normal activity within an organisation;
- the strength of broader control framework within that organisation;
- an internal, independent perspective from internal auditors; and
- an external perspective from an external assurance provider.
ICAEW's guidance on assurance focuses on the last two lines of defence, where assurance is taken from the independent work of an assurance provider either internal or external to the organisation.
Something has happened that has raised the question of whether more assurance is needed.
This could be as routine as a director reviewing an assurance map and finding a place where a changing situation means that further assurance would be useful.
It could be the result of a new regulatory requirement, or it could be a concern (or the anticipation of a concern) raised by a stakeholder either inside or outside the organisation.
Or, in some cases, it could be a problem caused by poor-quality information leading to bad decisions, or failing to stand up to outside scrutiny.
Whatever the reason, a risk has been identified that might be mitigated if a piece of information was subject to greater scrutiny.
The Amended International Framework for Assurance Engagements, developed by the International Auditing and Assurance Standards Board (IAASB), identifies five elements that all external assurance engagements share:
- A three-party relationship.
- An agreed and appropriate subject matter.
- Suitable criteria.
- Sufficient and appropriate evidence.
- A conclusion or opinion, expressed in a written report appropriate to a reasonable assurance engagement or a limited assurance engagement.
The need for assurance only arises when one party wishes to take comfort over a subject matter prepared by a second party, and the assurance is only provided when a third party can provide an independent perspective.
That independent perspective is only useful if it is well understood by everyone involved, hence the importance of agreement on the subject matter and suitability in the criteria that it is assessed against.
The written report allows the first and second parties to hold the assurance provider to their word. If it is not supported by sufficient and appropriate evidence, then it may be providing false assurance. These elements are therefore necessary to ensure a good quality engagement.
The work of a professional accountant should always increase the confidence of those referring to it. However, that work is often concerned with the first and second lines of defence, and not with the provision of independent assurance that forms the third and fourth lines of defence.
The distinction may seem subtle, but it has significant implications in terms of the investment required to obtain the result and the level of comfort that can be taken from that result.
For example, an internal auditor could design a system of internal controls. An external professional accountant could put together an organisation’s statutory financial statements. In either case, the organisation would benefit from the expertise and skills of the practitioner.
If, however, further assurance was required, the practitioner would need to consider whether prior involvement with preparation of the subject matter (the internal controls or financial statements referred to above) constitutes a threat to their independence as an assurance provider and, if so, what steps should be taken to reduce such a threat to an acceptable level.
Relevant requirements and guidance can be found in our section on Professional Ethics and Independence.