Elements of an assurance report

A title clearly indicating that the report is an independent assurance report.

The practitioners’ report is expressed in a written report attached to the report on the subject matter. The title of the report includes the term "assurance" to distinguish it from non-assurance engagements. While not required by ISAE 3000 (Revised), it may be useful to refer to the type of assurance engagement (reasonable or limited). The explicit reference to "independence" in the title provides a user with immediate confirmation that the practitioner has met the required independence requirements.

An addressee.

The report will usually be addressed to the engaging parties which may include users as well as the client. The addressee may be included in the title of the report. Where an assurance report is for the entity itself, it is usual for the addressee to the be the company, as distinct from the directors who may be the responsible party. 

An identification or description of the level of assurance obtained by the practitioner, the subject matter information and, when appropriate, the underlying subject matter. When the practitioner’s conclusion is phrased in terms of management’s statement, that statement must accompany the assurance report, be reproduced in the assurance report or be referenced to where it is available to the intended users.

Critical identifying factors may include the point of time or period of time to which the subject matter relates and/or the specific information within a client’s report that is the subject of our report. 

Identification of the criteria against which the subject matter is evaluated or measured.

It may be relevant to identify the source of the criteria, for example specific legislation, regulation or contract terms, along with further detail describing the responsible party’s interpretation of the legislation or regulation, which together may be referred to as a "basis of preparation". 

Where appropriate, a description of any significant inherent or other limitations associated with the evaluation or measurement of the subject matter against the criteria.

Inherent limitations associated with the evaluation or measurement of the subject matter against the criteria and any limitations on scope incurred during the work. Some inherent limitation wordings have become standard, for example those relating to measurement methods applied to greenhouse gases, for which examples can be found in ISAE 3410 and those relating to the nature of internal controls, for which examples can be found in ISAE 3402.

Unusual subject matter specific limitations may need to be described in more detail to be understood by a user. 

When the applicable criteria are designed for a specific purpose, a statement alerting readers to this fact and that, as a result, the subject matter information may not be suitable for another purpose.

The identification of the responsible party, the measurer or evaluator if different, users where appropriate, and the respective responsibilities of the responsible party, measurer/evaluator and the practitioner.

The report clearly states the scope (by reference to the engagement letter, whether the engagement is direct or attestation) and the responsibilities of management and the practitioner.
The description of management’s responsibilities will vary but could include:

• responsibilities conferred on management by the legislation or regulation that provides the criteria for the assurance engagement;
• preparation (and presentation) of the subject matter information, and, in the case of an attestation engagement, the accompanying statement;
• designing, implementing and maintaining internal control relevant to the preparation (and presentation) of the subject matter information;
• selecting or developing the criteria;
• ensuring compliance with certain laws or regulations;
• making judgments and estimates that are reasonable in the circumstances of the engagement;
• maintaining adequate records; 
• preventing and detecting fraud; and
• training and supervision of personnel. 

A statement that the engagement was performed in accordance with ISAE 3000 (Revised), or, where there is a subject matter-specific ISAE, that ISAE.

The report makes reference to relevant assurance standard(s) such as ISAE 3000 (Revised) and other relevant guidance, including any appropriate technical release. If, however, the practitioner is required by law or regulation to use a specific format or wording for the assurance report, the assurance report may only refer to compliance with ISAE 3000 (Revised) or other ISAEs if it includes, at a minimum, the elements specified by ISAE 3000 (Revised). 

A statement that the practitioner or firm of which the practitioner is a member applies ISQC 1, or other professional requirements, or requirements in law or regulation, that are at least as demanding as ISQC 1.  

ICAEW has produced a web page that provides guidance to firms for the implementation of the clarified International Standard on Quality Control (ISQC1) and includes the paper on improving audit quality using root cause analysis. 

A statement that the practitioner complies with the independence and other ethical requirements of the IESBA Code, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding as Parts A and B of the IESBA Code related to assurance engagements. 

An informative summary of the work performed. In the case of a limited assurance engagement, an appreciation of the nature, timing and extent of procedures performed is essential to understanding the conclusion. In a limited assurance engagement, the summary of the work performed shall state that the procedures vary in nature and timing from, and are less in extent than for a reasonable assurance engagement, and consequently the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed.

In describing the work performed, the practitioner may describe the types of testing performed: eg, enquiry, inspection and review, observation and re-performance. In particular, it is helpful for the report to give a user a good idea of the relative extent of tests of controls and tests of detail.

For limited assurance reports, it can help users understand the nature of the work if the practitioner indicates certain procedures that were not performed that would ordinarily be expected to be performed in a reasonable assurance engagement. However, a complete identification of all such procedures may not be possible – some may be unknown unknowns. 

The practitioner’s conclusion in the agreed form.

For a reasonable assurance engagement, this shall be expressed in a positive form. For a limited assurance engagement, this shall be expressed in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the practitioner’s attention to cause them to believe that the subject matter information is materially misstated. The conclusion should be expressed using a wording that appropriately reflects the underlying subject matter and applicable criteria whether phrased in terms of the underlying subject matter and the applicable criteria; the subject matter information and the applicable criteria; or a statement made by the responsible party.

Where the conclusion is qualified (ie, ‘except for’, adverse conclusion or disclaimer of a conclusion), the report includes a section giving a clear description of all reasons for the qualification(s) - including a description of the practitioner’s findings including sufficient details of errors and exceptions found and a section containing the modified conclusion. Where appropriate, the conclusion should inform the intended users of the context in which the practitioner’s conclusion is to be read.

Where the subject matter information is made up of a number of aspects, separate conclusions may be provided on each aspect; for example, it is usual for reports on internal controls to include separate conclusions on the fair presentation of the description, suitability of design and operating effectiveness.

The name and signature of the firm/ practitioner. 

While the practitioners entitled to use the designation may describe themselves as “Chartered Accountants”, the designation “Registered Auditors” should not be used for assurance work that is not financial statement audit. 

The assurance report date. 

The location of the office performing the engagement.

Practitioners may also wish to include the information from the key elements P, Q and R in the introductory sections of the report. 

Identification of the applicable engagement letter. 

Restrictions on the use of the assurance report to the client, and other parties to the engagement letter where appropriate.  

The practitioners’ report makes clear for whom it is prepared and who is entitled to rely upon it and for what purpose. The practitioner should also consider the need to restrict the distribution of or replication of the report in whole or in part and where such restrictions are applied, they should be disclosed in the report. 

Disclaimer of liability of the practitioner to users of the report other than the engaging parties.