Subject matter

An appropriate subject matter is one of the five elements of an assurance engagement required by ISAE 3000 (Revised). This guidance looks at the questions practitioners should ask to identify which aspects of a subject matter to focus on in an engagement.

Practical matters impacting the ability of a practitioner to evaluate the subject matter, and in particular how management handles information they generate internally, are considered in our guidance on possible assurance solutions.

High level questions

In the context of assurance engagements, the practitioner may ask detailed questions to clarify the subject matter. Examples, include:

• How well developed is management control over the subject matter?
• What degree of documentation is available regarding the subject matter?
• What is the most cost effective way to address the needs of the users and achieve an appropriate degree of credibility over the subject matter?

Depending on these factors, an assurance engagement may focus on a different aspect (or aspects) of a subject matter (or subject matter information), such as:

• Fairness of description of the subject matter or criteria in place.
• Design of processes where relevant (for example, business activities, control procedures).
• Operating effectiveness of processes where relevant.
• Outcome (for example, in terms of the compilation or calculation of data outcome based on data in and processes used).
• A comprehensive report (for example, a report that may include elements of all of the above with an overall view from management of the subject matter).

User needs 

In addition to considering the questions above, the focus of an assurance engagement will depend on matters, such as user needs, suitable criteria and the availability of evidence.

For example, the engaging party may be interested in the financial performance of an organisation. The subject matter information may, as in a financial statements audit, be the numerical information which is the outcome of the financial performance. It is equally possible that management is interested in the organisation’s financial reporting process and asks the practitioner to evaluate its report on internal control processes.

In the case of greenhouse gas emissions, meanwhile, management may choose to ask the practitioner to focus on:

• the fairness of the description on its policy and method of measuring the emissions;
• the design effectiveness of the emission measurement procedures;
• the effective operation of the emission measurement procedures;
• the accuracy of the measurement of the emissions; or
• the emissions report.

Maturity of arrangements 

As stated in our guidance on possible assurance solutions, the maturity of the organisation’s arrangements can impact significantly on the nature of what the practitioner can give an assurance conclusion on.

For example, an engagement that focuses solely on controls and processes may lend credibility to how the input data or transactions are processed, but does not directly give any assurance conclusion on the data or outcomes.

However, an engagement that focuses solely on substantive evidence and the evaluation of data or outcomes says little as to the reliability of the underlying systems of control or the robustness or sustainability of the processes involved. Accordingly, it is important for the practitioner to understand the brief from the engaging party and the needs of the users.

At times this can mean that practicalities prevent the users’ needs from being fully met. For example, a user may be ultimately interested in obtaining assurance on the data or outcome. The relevant data may be calculated by processes that are well documented and capable of being tested for design and operating effectiveness.

Where obtaining the input data may be extremely difficult or disproportionately costly, assurance over the output data may not be practical. it may still be possible to evaluate the design and the operating effectiveness of the processes for calculating the output data, combined with a limited sample of input and output data reconciliation. This may be sufficient for the users’ needs in the first instance.

AAF 01/06 - guidance on internal controls

An example is provided by the development of assurance reporting on stewardship. Assurance guidance developed in conjunction with stakeholders was issued as a supplement to AAF 01/06, Guidance on assurance reports on internal controls of service organisations.

While AAF 01/06 covers the fairness of description, design suitability and operating effectiveness of internal controls, the subsequent stewardship supplement to AAF 01/06 focuses on the fairness of description of stewardship compliance by asset managers. The reduced scope was considered appropriate as this was a new subject matter and it is hoped that subsequent reports may cover design and operating effectiveness as this type of reporting develops over time.

The nature of the subject matter also affects what may be important in the context of delivering the assurance engagement. In our guidance on possible assurance solutions, we consider the various stages of management responsibility, but these are not discrete stages.

For example, compare two potential assurance engagements: one relating to assurance over data; another concerning regulatory matters which are primarily behavioural in nature. In the case of an assurance engagement on data, while the practitioner needs to consider the tone at the top, much of the practitioner’s work may focus on the design and operation of control procedures together with some analytical review and substantive testing.

On the other hand, in the case of behavioural compliance, the tone at the top will be of much greater importance. This is because the tone at the top will impact, more directly, on the behaviour of staff, which is the subject matter of the assurance engagement.

Identifying subject matter

A subject matter may take a variety of forms. A clear understanding of the subject matter is essential when the practitioner performs an assurance engagement. This includes understanding why the users are interested in the subject matter and their relationship to it. Do they, for example base their investment decision on the subject matter or do they monitor the matter to calculate industry averages?

Such an understanding, affects whether the subject matter of the engagement is appropriate for the purpose and whether the users would understand the assurance conclusion in an appropriate context. Therefore the practitioner considers whether the subject matter has been defined appropriately and whether the approach to be taken is suitable when accepting an engagement.

The practitioner will consider whether he or she possesses the relevant skills and competences before agreeing to undertake an assurance engagement on the subject matter. Subject matters have different characteristics, including the degree to which information about them is qualitative versus quantitative, objective versus subjective, historical versus prospective and whether it relates to a point in time or covers a period.

When undertaking an assurance engagement, therefore, the practitioner considers whether the subject matter is identifiable and capable of being consistently evaluated or measured against criteria; and the availability and the persuasiveness of evidence.

On the face of it, the “identifiability” of subject matter may not appear to pose any challenges. However when the subject matter is a process, a set of controls, or an organisation's compliance with a set of rules over a certain period, a detailed description of the subject matter will need to be made available to users for the assurance practitioner to be satisfied that all users can identify the relevant process, controls or aspects of compliance that are the subject of the assurance opinion.

The characteristics of the subject matter also affect the type of assurance as these in turn affect the criteria for assessing the information, evidence gathering and ultimately the assurance conclusion. The assurance report notes any characteristics of particular relevance to the intended users of the report, if appropriate.