Assurance guidance glossary

The American Accounting Association, an association of accountants in academia. Founded in 1916, the AAA continues to arrange events, research, and publications on all aspects of accountancy. The AAA is one of the five organisations that make up the Committee of Sponsoring Organizations of the Treadway Commission (See COSO).

• Access the AAA website

The Audit and Assurance Faculty, one of a range of subject-specific faculties in ICAEW’s technical department.

The Faculty provides technical guidance and support, keeps members up to date with a monthly magazine, provides opportunities for continuing professional development (CPD), and represents the views of members to regulators and legislators.

To help shape the future of the profession, the Faculty also develops thought leadership through initiatives such as AuditFutures and the Audit Quality Forum.

Access AAF Technical Releases. Technical Releases issued by AAF are numbered AAF nn/YY where nn is a sequential number and YY is the year of issue, eg. AAF 01/06.

• Learn more about AAF membership – You do not have to be an ICAEW member to join the Faculty.
• Access AAF online resources – Some resources are only available to AAF members.
• Access AAF Technical Releases – Technical Releases issued by AAF are numbered AAF nn/YY where nn is a sequential number and YY is the year of issue, eg. AAF 01/06

ICAEW’s Technical Release AAF 01/06, Assurance reports on internal controls of services organisations made available to third parties, provides guidance on the subject of assurance over controls.

It can be used to supplement the International Standard for Assurance Engagements (See ISAE) 3402, the equivalent to the American Institute of Certified Public Accountants’ Statement for Standards on Attestation Engagements (See SSAE) 16.

AAF 01/06 was first published in 2006 and has been revised and supplemented since then. It includes a list of illustrative control objectives for reference both by an assurance provider and by management.

• Access Technical Release AAF 01/06

Some assurance reports are designed to be accessed by everyone. For example, a sustainability assurance report published in an organisation’s annual report. Others are designed for a specific organisation or even an individual. For example, an assurance report on controls at an outsourced service organisation may only be shared with the companies outsourcing activity to that organisation.

There may be more than one group or individual with a legitimate interest in an assurance report. It is important that both the assurance provider and their client understands and agrees on the access arrangements for an assurance report. Some direct negotiation with each of the interested parties may be necessary.

• Learn more about access to controls reports

An AUP engagement is one in which a practitioner is engaged to carry out specific procedures as agreed in advance, and to report the factual findings.

The crucial difference between an assurance engagement and an AUP engagement is that in an AUP engagement only factual findings are reported by the practitioner. No conclusion or opinion is provided in an AUP report.

The procedures may be those set out as required by a regulator, or they may be agreed between the practitioner, the organisation that has requested them, and any appropriate third parties.

For example, the practitioner may need to sign a report with the outcome of procedures relating to an industry sustainability measure which is required by a regulator. Or a funding provider might request specific evidence to support an assertion which can be provided in this way. Or management at the organisation itself might want a specific set of factual information to help with decision-making.

AUP engagements are considered related services to assurance engagements as they involve procedures typical of audit and assurance. The relevant standard issued by the International Auditing and Assurance Standards Boards (See IAASB) is therefore the International Standard on Related Services (See ISRS) 4400.

The American Institute of Certified Public Accountants (See AICPA) use a different category, attestation (See Attestation), which covers both non-audit assurance and AUPs.

• Learn more about agreed-upon procedures (AUPs).
• Download the IAASB Handbook, including ISRS 4400, from the IAASB website (login required).

The American Institute of Certified Public Accountants (AICPA). In the United States, AICPA sets ethical standards for the profession and U.S. auditing standards for audits of private companies, non-profit organisations and federal, state and local governments.

The AICPA Statements of Standards for Attestation Engagements (SSAEs) are broadly equivalent to the International Standards for Assurance Engagements (ISAEs) with some exception due to the U.S. specific concept of attestation.

• Access the AICPA website

For professional accountants, assurance is the word for the comfort that somebody can take from an assurance engagement such as a statutory audit. It is a level of confidence in the subject matter of that assurance engagement.

The word assurance is sometimes used to mean confidence about business information in a more general sense, or as the result of something that is not (strictly speaking) an assurance engagement.

For example, the International Framework for Assurance Engagements gives five characteristics of an assurance engagement, which include the use of evidence and the presence of a conclusion given in a written report.

Some benchmarking organisations require disclosures to be made in certain ways to enhance transparency, and will offer an assurance process in which a company’s report is reviewed before they are permitted to use the benchmark on their products.

That review often does not require any independent gathering of evidence, or any independent report produced by the reviewer that a third party could access. The process enhances the level of comfort that somebody seeing the benchmark can have, but it does not go far enough to be assurance in the sense that the Framework or the International Standards for Assurance Engagements use the word.

Accountancy experts can have fun talking around the edges of the concept of assurance and working out what does or does not meet the technical definition. For practical purposes, two things are important:

• professional accountants must apply professional standards, so what they describe as an assurance engagement should meet the requirements in those standards; and
• confusion about the use of words can lead to false assurance (ie, taking more assurance than is sensible) or to undervaluing assurance (ie, not having enough confidence considering what has been done). Clarity benefits every assurance provider and every client.

An engagement in which a practitioner expresses a conclusion to enhance the degree of confidence that somebody can have when using a piece of information that they did not directly prepare or have responsibility for.

The purpose of assurance engagements is always to increase confidence in the subject matter. To put this another way, assurance engagements mitigate risks associated with information that might not be reliable.

There are five characteristic features which indicate that an engagement is an assurance engagement:

1. Three parties are involved: the party preparing the information, the party relying on the information, and the party providing the assurance conclusion.
2. There is appropriate subject matter.
3. Suitable criteria can be found to assess that subject matter.
4. Evidence is gathered on how the subject matter performs against the criteria.
5. A conclusion is provided by the assurance practitioner in a written report.

The statutory audit of a company’s financial statements is perhaps the most obvious example of an assurance engagement, but there are many others. Sustainability assurance, assurance over internal controls, auditor’s reports over other kinds of information: as long as they have all five of these characteristics they are considered to be assurance engagements.

The principles behind assurance engagements are set out in the International Framework for Assurance Engagements and the relevant international standards are the International Standards for Assurance Engagements (ISAEs).

• Download the Framework and ISAE 3000 from the website of the International Federation of Accountants (IFAC)

Attestation is, like assurance, a word with a broad general meaning and a technical accounting meaning.

In general, attestation means affirmation that something is true or genuine. The technical meaning derives from its use by the American Institute of Certified Public Accountants (AICPA) to define a category of engagements, many of which are assurance engagements.

An attestation engagement, according to the AICPA, comes about when a practitioner “is engaged to issue or does issue an examination, a review, or an agreed-upon procedures report on subject matter, or an assertion about the subject matter … that is the responsibility of another party”. There are exceptions: engagements carried out according to AICPA auditing, accountancy and review, and consultancy standards are not included. Neither are expert witness, advocacy, or tax preparation and advice.

• Access the AICPA’s Statement on Standards for Attestation Engagements 

In practice it is difficult to identify any principle that sets an audit apart from an attestation engagement.

Attestation engagements are sometimes understood as being those engagements where the practitioner is asked to affirm an assertion made by somebody else. However, an audit opinion is also an affirmation of an assertion: the assertion made by the preparer of the financial statements that they are (for example) true and fair.

The difference is mostly an accident of history. Audit standards were established long before most attestation standards were a twinkle in a professional body’s eye.

It is worth noting that the meanings of ‘attestation’ (as used by the AICPA) and ‘assurance’ (as used elsewhere, particularly by the International Audit and Assurance Standards Board (IAASB) overlap but are not identical. For example, agreed-upon procedures engagements are addressed by an attestation standard by the AICPA, but the IAASB standard refers to them as related services (ie, not assurance but in similar territory).

As a result the term ‘attestation’ is mostly used in the context of applying AICPA standards and has limited applicability outside the United States.

The word ‘audit’ is often used in accountancy as a shorthand for ‘the annual statutory audit of the financial statements’. The root of the word is from the Latin, audiō, or ‘I hear’. The original auditors, in societies where literacy was rare, often heard accounts read aloud as a review process.

In the modern world most countries require at least some organisations to have an audit of their financial statements every year, and to publish the audit report alongside those statements. Other organisations are required to have an audit by a finance provider such as a bank, or choose to have one because they feel that the process is beneficial and that it improves their chances of obtaining finance in the future.

An audit in this sense has all five of the characteristics of an assurance engagement as set out in the International Framework for Assurance Engagements. Many of the technical skills and quality control approaches that are applied in other assurance engagements were developed originally for the audit of the financial statements.

• Access the International Framework for Assurance Engagements on the website of the International Auditing and Assurance Standards Board (IAASB)
• Access the International Standards for Auditing (ISAs) on the website of the IAASB
• Access the Statements on Auditing Standards (SASs) on the website of the American Institute of Certified Public Accountants (AICPA)
• Access the ICAEW research guide to UK Auditing Standards

Because the word ‘audit’ also retains its ancient meaning of ‘some kind of review or investigation’, many other activities are referred to as audits. They are subject to different levels of regulation, with many engagements that are called audits being subject little or no regulation.

It may be useful, when considering how to interpret an audit report that is not a statutory audit of the financial statements, to consider each of the five elements of assurance and whether or how it is represented in the engagement. Another factor to bear in mind is the independence, qualification, and regulatory status of the assurance provider.

The annual audit of the financial statements has a crucial role in allowing shareholders and the wider community to hold businesses to account. Because of this it is a regulated service in many jurisdictions, and must be carried out by a registered auditor with a professional qualification in the context of a suitable oversight regime.

Due to its long history, ‘audit’ is also used to refer to assessments and reviews carried out in other contexts. For example, a health and safety audit. To avoid any confusion about the nature of their work, those who are regulated as financial auditors often prefer not to use the term ‘audit’ for their other engagements.

One compromise that has been used by some regulators is to describe an assurance report as an auditor’s report. This can still lead to confusion and for clarity a different term appropriate to the engagement is more useful. Depending on the engagement, for example, ‘assurance report’ or ‘agreed-upon procedures report’ could be used.

Banking laws and regulations issued by the Basel Committee on Banking Supervision.

Basel III is a comprehensive set of reforms which makes use of market discipline (ie, competitive pressures) to motivate prudent management by enhancing the degree of transparency in banks’ public reporting. It sets out the public disclosures that banks must make that lend greater insight into the adequacy of their capitalisation.

This is a recent example of regulation which can give rise to a demand for assurance. Regulators need to think about how they can be comfortable about the way that organisations apply Basel III and report. Organisations need comfort at a senior level about the information that they issue. Assurance providers can meet those needs, and will need to work out how to provide the best value both to the organisation and to the regulator.

A term used in relation to assurance engagements over the controls at an outsourced service provider, particularly in the context of Statement on Standards for Attestation Engagements (SSAE) 16 published by the American Institute of Certified Public Accountants (AICPA).

Management at a service organisation are responsible for setting out their control objectives and such controls as are in place to meet those objectives, before any assurance engagement can take place.

If a service organisation is outsourcing some of its activities to another service organisation, management can choose not to include details of controls at that other organisation in their own description of controls.

The controls at the second service organisation would be ‘carved out’ of both the description and the assurance engagement taking place at the first organisation.

Management at the first service organisation would still need to identify what has been outsourced to the second service organisation in its description of controls.

Rather than describing the controls in place at the second organisation, management at the first organisation would need to describe their own controls that addressed the question of how effective the control environment at the second organisation was.

For example, management at an IT service provider might prepare a description of their control environment which identifies that they have outsourced their payroll to an HR service provider. Rather than going into detail about the controls in place at the HR service provider, they could simply state that they gained confidence over those controls from an assurance report (such as an SSAE 16 Review report) that the HR service provider made available to them.

The alternative to the carve-out method is the inclusive method.

The client is the party or parties to whom the assurance provider is contractually bound to deliver their assurance opinion.

In most cases, the preparer is one of the client parties, and is also the party best placed to negotiate terms with the assurance provider.

Other parties can also become clients, sometimes even without apparently contracting. For example, if an assurance engagement forms part of a regulatory regime or is a requirement for a grant application, there may be standing terms of engagement in place with a regulator or with a grant awarding body.

Assurance providers need to give careful thought as to who the client is, as well as who other intended users of the report might be, as this affects the lens through which they look at the subject matter.

Also referred to as ‘user organisation controls’ or ‘complementary customer controls’, these are controls that a service organisation expects to see in place at those organisations that are using its services.

For example, even if the service organisation has the most effective IT controls in the world, they could be bypassed by someone who picked up a post-it note with passwords and log in details from a desk in an unsecured area of the user’s building.

The controls in place at the service organisation will only be fully effective if the appropriate complementary user entity controls are also in place.

Although this concept originates with assurance over controls in place at a service organisation, it is a useful one for any assurance engagement. Assurance providers should always consider what factors outside the immediate context of the engagement could have an effect on the subject matter, and whether those factors should be brought to the attention of the user of the assurance report. This includes relevant factors, such as controls, in place outside the organisation preparing that subject matter.

Comply or explain is an approach to regulation pioneered by the UK’s Financial Reporting Council (FRC) with its Corporate Governance and Stewardship Codes.

Those applying the Codes are required either to disclose their compliance to their specific provisions, or to explain publically why they have not complied in each case.

The requirement for an explanation allows organisations some flexibility in applying the Codes, but also ensures that the process is transparent and allows stakeholders to hold those organisations to account.

The objectives for an organisation’s system of controls. In order to determine what controls need to be in place, and organisation should have an understanding of what those controls need to do. Generally, the purpose of controls is to mitigate risks.

For example, one control objective might be to ensure no unauthorised person accesses a system that carries personal data. The risk is the damage that leaking personal data could do to the organisation. Controls that could mitigate this risk and meet the control objective include password protection, regular training on IT security for relevant staff members, or security protocols that must be applied when personal data is transferred.

Control objectives might be similar from one organisation to the next, whereas the controls designed to meet those objectives will vary depending on the nature and activity of each organisation.

A list of illustrative control objectives can be found as an appendix to ICAEW’s Technical Release AAF 01/06 (revised).

Policies and procedures that mitigate risk across an organisation. Controls can be as simple as requiring a line manager’s sign off on an employee’s request for annual leave, or as complicated as running an artificial hacking exercise to test IT security.

If an organisation outsources some of its activity, management may be concerned about the robustness of the control environment at the outsourced service provider.

Assurance / attestation engagements on controls at an outsourced service provider can be carried out with reference to the International Standard for Assurance Engagements (ISAE) 3402, with Statement on Standards for Attestation Engagements (SSAE) 16 published by the American Institute of Certified Public Accountants (AICPA), and with guidance from ICAEW’s Technical Release AAF 01/06.

Assurance over controls can be provided in other contexts using ISAE 3402 and/or AAF 01/06, but SSAE 16 is limited in its focus to outsourced service providers.

For management, assurance over controls is also derived from the work of internal audit.

A list of illustrative control objectives can be found as an appendix to AAF 01/06.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five United States private sector organisations with an interest in risk management, internal controls, and fraud deterrence.

Members of COSO:

• The American Accounting Association (AAA)
• The American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• The Association of Accountants and Financial Professionals in Business (IMA)
• The Institute of Internal Auditors (IIA)

• Access the COSO website

Criteria are the benchmarks used to evaluate or measure the subject matter including, where relevant, those for presentation and disclosure.

For example, the criteria for the preparation of the statutory financial statements are derived from accounting standards. For an assurance engagement on a set of key performance indicators (KPIs) the criteria might come from an industry standard, or from the organisation’s own well-documented policies and procedures.

The assurance practitioner must be confident that the criteria are suitable as a measure for the purposes of the assurance engagement.

Suitable criteria are one of the five characteristics of an assurance engagement

Parties that sign up to the letter of engagement, the contract which sets out the agreed nature and scope of an engagement. These consist of the assurance practitioner, the client and any other users that agreed to the terms of engagement.

Assurance is confidence in information, and false assurance is unjustified confidence that can mislead decision-makers.

False assurance can come about due to fraud or malpractice, but it can equally come about due to complacency or misunderstandings.

For example, there is a common misconception that the audit of the financial statements extends a similar level assurance over the rest of the annual report. While the auditors may do some work on the annual report, there is no requirement for them to provide an audit opinion over it.

Every party in an assurance engagement can help reduce the risk of false assurance by ensuring that there is a good mutual understanding of the scope and purpose of the engagement.

False Assurance is also the title of a training film prepared by ICAEW to support discussions about ethics and the consequences of poor quality assurance, both for organisations and their assurance providers.

• Access the False Assurance trailer.

The Financial Conduct Authority (FCA) is the UK conduct regulator responsible for financial service providers, and is the prudential regulator of over 24,000 financial service firms.

Its work is supplemented by that of the Prudential Regulation Authority (PRA), which is the UK prudential regulator of banks, building societies, credit unions, insurers, and designated investment firms.

Both bodies were created to replace the Financial Services Authority (FSA) on 1 April 2013.

• Access the FCA website.

The Client Asset Sourcebook (CASS) issued by the UK Financial Conduct Authority (FCA) contains rules and guidance for regulated firms concerning client assets. It forms part of the longer FCA Handbook of rules and guidance.

Before the FCA was established on 1 April 2013 this guidance was issued by the Financial Services Authority (FSA) and referred to as the FSA CASS Rules.

• Access the FCA Handbook via the FCA website.

Assurance can come from many sources. The ‘four lines of defence’ model is a concept for helping to identify and understand the different contributions the various sources can provide.

The model is essentially the same as the ‘three lines of defence’ model, but adds in a fourth line: the external assurances provided by the external auditor, regulators and other external bodies.

• Read more

The Financial Reporting Council (FRC) is the UK regulator responsible for promoting high quality corporate governance and reporting.

It seeks to promote high standards of corporate governance through the UK Corporate Governance Code, sets standards for corporate reporting and actuarial practice, and monitors and enforces accounting and auditing standards.

• Access the Financial Reporting Council website.

The Financial Services Authority was an independent organisation set up by the UK government with responsibility for regulating financial service providers in the UK.

In 2013 it was replaced by two successor bodies: the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) which is part of the Bank of England.

International Accounting, Auditing and Ethics (IAAE) is an online service developed by ICAEW for other professional accountancy bodies around the world. Members of professional bodies that have signed up for the service can access practical resources in international accounting, auditing and ethics.

• Access the IAAE website

The International Auditing and Assurance Standards Board (IAASB) is an independent international standard-setting body.

Its role is to serve the public interest by setting high-quality international standards for auditing, quality control, review, other assurance, and related services, and by facilitating the convergence of international and national standards.

In doing so, the IAASB enhances the quality and uniformity of practice throughout the world and strengthens public confidence in the global auditing and assurance profession.

The IAASB is one of four independent standard-setting boards supported by the International Federation of Accountants (IFAC), the global organisation for the accountancy profession. The other three are:

• International Accounting Education Standards Board (IAESB)
• International Ethics Standards Board for Accountants (IESBA)
• International Public Sector Accounting Standards Board (IPSASB)

• Access the IAASB website.

ICAEW, in common with many professional membership organisations, requires its members to abide by its Code of Ethics.

The Code comprises Statements containing specific ethical requirements. It is based on the Code of Ethics for Professional Accountants of the International Ethics Standards Board for Accountants (IESBA) published by the International Federation of Accountants (IFAC).

The Code is based on five principles:

• Integrity
• Objectivity
• Professional competence and due care
• Confidentiality
• Professional behaviour

• Access the ICAEW Code of Ethics

The International Ethics Standards Board for Accountants (IESBA) serves the public interest by setting high-quality ethical standards for professional accountants and by facilitating the convergence of international and national ethical standards, including auditor independence requirements, through the development of a robust, internationally appropriate code of ethics.

The IESBA is one of four independent standard-setting boards supported by the International Federation of Accountants (IFAC), the global organisation for the accountancy profession. The other three are:

• International Auditing and Assurance Standards Board (IAASB)
• International Accounting Education Standards Board (IAESB)
• International Public Sector Accounting Standards Board (IPSASB)

• Access the IESBA website.

The Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants (IESBA).

• Access the Code of Ethics for Professional Accountants on the IESBA website (login required).

The International Federation of Accountants (IFAC) is the global organisation for the accountancy profession. It supports four standard-setting boards:

• International Auditing and Assurance Standards Board (IAASB)
• International Accounting Education Standards Board (IAESB)
• International Ethics Standards Board for Accountants (IESBA)
• International Public Sector Accounting Standards Board (IPSASB)

• Access the IFAC website.

The International Federation of Accountants (IFAC) hosts discussions, resources and news from professional accountants around the world on its Knowledge Gateway.

• Access the IFAC Global Knowledge Gateway on the IFAC website.

A term used in relation to assurance engagements over the controls at an outsourced service provider, particularly in the context of Statement on Standards for Attestation Engagements (SSAE) 16 published by the American Institute of Certified Public Accountants (AICPA).

Management at a service organisation are responsible for setting out their control objectives and such controls as are in place to meet those objectives, before any assurance engagement can take place.

If a service organisation is outsourcing some of its activities to another service organisation, management can choose to include details of control objectives and controls at that other organisation in their own description of controls.

This is in contrast to the carve-out method, in which management leave out those details and finds other ways of getting assurance over those activities.

Internal auditors are responsible for assurance provided inside the organisation they belong to, on whether its risk management, governance and internal controls are operating effectively.

Internal auditors are not required to belong to any professional body or be subject to any regulatory framework. However, many are professional accountants and/or members of professional bodies such as the Institute of Internal Auditors (IIA) in the United States or the Chartered Institute of Internal Auditors (CIIA) in the United Kingdom.

• Access resources for internal auditors.

This Framework issued by the International Auditing and Assurance Standards Board (IAASB) defines and describes the elements and objectives of an assurance engagement.

It also identifies engagements to which International Standards on Auditing (ISAs), International Standards on Review Engagements (ISREs) and International Standards on Assurance Engagements (ISAEs) apply.

There are five characteristic features, set out in the Framework, which indicate that an engagement is an assurance engagement:

1. Three parties are involved: the party preparing the information, the party relying on the information, and the party providing the assurance conclusion.
2. There is appropriate subject matter.
3. Suitable criteria can be found to assess that subject matter.
4. Evidence is gathered on how the subject matter performs against the criteria.
5. A conclusion is provided by the assurance practitioner in a written report.

Note that the International Standards on Related Services (ISRSs) apply to services which are related to assurance, but are not considered to be assurance services. The Framework therefore does not cover the ISRSs.

• Access the Framework (together with ISAE 3000) on the website of the IAASB.

The International Standards on Assurance Engagements (ISAEs) are issued by the International Auditing and Assurance Standards Board (IAASB).

As non-audit assurance is a relatively new area of work for external accountants, the IAASB did not have to reconcile many different standards around the world to create them. Unlike the International Standards on Auditing (ISAs), which tend to focus on specific elements of a financial statement audit, the ISAEs each focus on a different kind of engagement.

As best practice cannot be deduced in a vacuum, ISAEs are developed to reflect activity in the developing market and to give a principles-based, high level form of guidance.

There are currently five ISAEs:

• ISAE 3000 International Standard on Assurance Engagements 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information
• ISAE 3400 International Standard on Assurance Engagements 3400, The Examination of Prospective Financial Information
• ISAE 3402 International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organisation
• ISAE 3410 International Standard on Assurance Engagements 3410, Assurance Engagements on Greenhouse Gas Statements
• ISAE 3420 International Standard on Assurance Engagements 3420, Assurance Engagements to Report on the Compilation of Pro Forma Financial Information Included in a Prospectus

• Download the 2015 Handbook, including all the ISAEs, from the IAASB website (login required)

The International Standards on Auditing (ISAs) are issued by the International Auditing and Assurance Standards Board (IAASB).

The ISAs consist of standards, which are prescriptive for audit engagements, and other material designed to assist auditors in interpreting and applying the standards which is not prescriptive.

The IAASB Framework (IAASB Framework) tells assurance providers that ISAs are not prescriptive for non-financial assurance engagements, but can provide relevant guidance.

As of November 2015, the IAASB reported that 111 jurisdictions had adopted the ISAs worldwide.

• Access information on ISA implementation worldwide on the IAASB website.
• Access a complete list of ISAs on the IAASB website.
• Download the 2015 Handbook, including all the ISAs, from the IAASB website (login required).
• Access the ISAs as adopted in the UK from the Financial Reporting Council’s website.

The International Standard on Quality Control 1 (ISQC1): Quality control for firms that perform audits and reviews of historical financial information, other assurance and related services engagements.

ISQC1 is issued by the International Auditing and Assurance Standards Board (IAASB) and sets out a high level of quality control that professional accountants must adhere to.

• Download the 2015 Handbook, including ISQC1, from the IAASB website (login required).

The International Standards on Review Engagements (ISREs) are issued by the International Auditing and Assurance Standards Board (IAASB).

Review engagements are a specific category of assurance engagements where the subject matter is historical financial information, but the level of assurance provided is less than that of an audit. 

• ISRE 2400 International Standards on Review Engagements 2400, Engagements to Review Financial Statements
• ISRE 2410 International Standards on Review Engagements 2410, Review of Interim Financial Information Performed by the Independent Auditor of the Entity

Download the 2015 Handbook, including both ISREs, from the IAASB website (login required).

The International Standards on Related Services (ISRSs) issued by the International Auditing and Assurance Standards Board (IAASB).

Related services are closely connected to assurance, but do not include all five of the elements of assurance set out by the International Framework for Assurance Engagements (See International Framework for Assurance Engagements).

There are currently two ISRSs:

• ISRS 4400 International Standards on Related Services 4400, Engagement to Perform Agreed-upon Procedures on Financial Information
• ISRS 4410 International Standard on Related Services 4410, Engagements to Compile Financial Statements

Agreed-upon procedures (See Agreed-upon procedures) are not considered assurance because the practitioner only presents the results of the procedures rather than forming an opinion or conclusion.

Compilation is the process of putting together the financial statements in the first place. It may increase confidence to have an expert compile a set of financial statements or report in the appropriate format. However, that expert is not required to provide an opinion or conclusion over the final product and (as the person who prepared it) would not be considered independent if they did offer an opinion.

• Download the 2015 Handbook, including both ISRSs, from the IAASB website (login required).

An assurance engagement can be adapted in various ways to vary the level of work that it involves and the level of assurance that can be taken from the final assurance report.

One of the most significant change that can be made is to limit the scope of the work to a level that is below that customary for audit, while still being acceptable to all the parties in the engagement.

When the scope is limited the conclusion is reworded so that instead of reading “in my opinion, this report is X”, it reads “during the course of my work I have found nothing to suggest that this report is not X”.

Rather than gathering all the necessary evidence to support a positive conclusion, the assurance provider can then limit the scope of their work to a level agreed with the other parties in the engagement.

If an assurance report contains this kind of negative conclusion, then it should also contain an outline of the scope of the work performed.

The result of limited assurance is a less intensive, less costly, and more light-touch engagement.

It can be contrasted with the kind of assurance engagement necessary to support a positive conclusion (ie, “in my opinion, this report is X”), which is referred to as a reasonable assurance engagement because the assurance provider must do everything that can reasonably be expected of them.

There is no such thing as unlimited, or absolute, assurance. It would not be reasonable for an assurance provider to personally watch every single relevant transaction.

Materiality is a technical accounting term for the point at which something matters to the user of a report (or of any other subject matter in an assurance engagement).

If something is immaterial, it is both too small and too insignificant to change the decisions somebody might make when relying on that report.

Materiality can be due to the size or to the nature of a report element. If a mistake leads to a 0.05% inaccuracy in the final figure, then it is probably not going to make any difference to the person relying on that number – unless that 0.05% is the difference between (for example) two tax brackets.

Anybody preparing information should have some idea of what level of inaccuracy would be considered material by the person using that information. If a report is entirely narrative, then the preparer must consider whether the narrative is materially misleading.

The ability to determine what is material is a key skill for assurance providers, who must be able to establish for themselves whether they need to challenge the preparer of the information on each potential problem that they find. Because no two circumstances are exactly the same, materiality is always a matter for professional judgement.

The Prudential Regulation Authority (PRA) is the UK prudential regulator of banks, building societies, credit unions, insurers, and designated investment firms. It is part of the Bank of England.

It supplements the work of the Financial Conduct Authority (FCA) is the UK conduct regulator responsible for financial service providers, and is the prudential regulator of over 24,000 financial service firms not covered by the PRA.

Both bodies were created to replace the Financial Services Authority (FSA) on 1 April 2013.

• Access the PRA website

A term used for an accountant in public practice, as opposed to an accountant who applies their skills within an organisation.

An assurance engagement can be adapted in various ways to vary the level of work that it involves and the level of assurance that can be taken from the final assurance report.

One of the most significant changes that can be made is to limit the scope of the work to a level that is below that customary for audit, while still being acceptable to all the parties in the engagement.

When the scope is limited the conclusion  is reworded so that instead of reading “in my opinion, this report is X”, it reads “during the course of my work I have found nothing to suggest that this report is not X”.

The former is described as a reasonable assurance engagement, and the latter as a limited assurance engagement.

Reasonable assurance is the highest level of assurance that can reasonably be obtained. In order to support a positively expressed opinion such as “in my opinion, this report is X”, the assurance provider must reduce the risk that that opinion is wrong to an acceptably low level.

It is not considered possible to remove all risk of the opinion being wrong. Absolute assurance implies a confidence that could not be justified by any amount of work, and in practice some level of scrutiny is simply not feasible. For example, an assurance provider could not reasonably squat in an office to watch every single transaction entered into a particular system for a whole year.

Reasonable assurance is the level of assurance implied by a financial statement audit. Because it requires often significant levels of substantive work, it is more time-consuming and costly than limited assurance.

The responsible party is the individual or organisation responsible for the subject matter of an assurance engagement. That means they have effective responsibility for operations, processes, and the associated data and report.

The term is sometimes used interchangeably with ‘preparer’, which indicates the person or group of people responsible for preparing the subject matter. For example, the head of the finance department within an organisation could be described as the preparer of the financial statements, but equally the organisation itself could be described as the preparer.

Legislation in the United States providing regulations that publicly traded companies must adhere to relating to corporate governance, financial reporting and related matters.

A term used primarily in the United States in the context of assurance over controls at an outsourced service organisation (See SOC 1 and SOC 2 reports). It describes a practitioner who provides an assurance report on controls at a service organisation.

The term is used to distinguish the service auditor from the user auditor, that is, the practitioner who provides an audit or an assurance report for the organisation that is using the service organisation.

Service Organisation Controls (SOC) reports are prepared by members of the American Institute of Certified Public Accountants (AICPA) following its Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organisation.

These are assurance reports specifically designed for situations where one organisation has outsourced some of its activities to another. These organisations are known respectively as the user organisation and the service organisation.

An independent assurance report is a way for the user organisation to gain confidence in the control environment in place at the service organisation.

The subject matter of a SOC 1 report is the accuracy of the description and the suitability of the design of those controls. A SOC 2 report goes further and considers whether the controls are operating effectively to meet the stated control objectives.

The corresponding international standards is International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organisation.

ICAEW’s Technical Release AAF 01/06, Assurance reports on internal controls of services organisations made available to third parties, provides guidance to supplement ISAE 3402. Its list of illustrative control objectives can also be used to supplement SSAE 16.

• Access guidance on SOC reports on the AICPA website.
• Download the 2015 Handbook, including ISAE 3402, from the IAASB website (login required).
• Access ICAEW Technical Release AAF 01/06.

The Statements on Standards for Attestation Engagements (SSAEs) are issued by the American Institute of Certified Public Accountants (AICPA).

SSAEs provide guidance and support for members of the AICPA carrying out attestation engagements, including assurance and review engagements.

Note that attestation engagements, as defined by the AICPA, also include agreed-upon procedures engagements (AUPs) which would be considered related services by the International Auditing and Assurance Standards Board (IAASB).

• Access the SSAEs on the AICPA website

A subject matter is the matter of interest to the users for whose benefit an assurance engagement is conducted. For example, the financial statements are subject matter of interest to shareholders, who are the primary users of the financial statement audit.

Subject matter information is management’s formally stated assertion about the subject matter. Management may, for example, declare that the financial statements are true and fair. The assurance provider’s job is then to form an opinion on this assertion.

A test to determine whether the controls in place at an organisation are designed suitably and are operating effectively. That is, the assurance provider first establishes that the control, as described, could meet its control objective(s). If the design is suitable, the assurance provider then looks at implementation, ie, whether the control has been put in place as described.

Once satisfied with the design and implementation, the assurance provider tests controls for their operating effectiveness. Ie, do the outcomes match up to what they should be if the control is working as planned.

Tests of controls are used to determine how far an assurance provider can place reliance on the controls in place to reduce the risk of material misstatement. A greater reliance on controls can allow for less substantive testing, which can make the engagement less time-consuming. However, relying on ineffective controls could lead to false assurance.

The UK Corporate Governance Code, published by the UK’s Financial Reporting Council (FRC), sets out general principles and specific provisions for good practice corporate governance. This includes the leadership role of the board, remuneration, accountability, and shareholder relations.

Under the UK Listing Rules, all companies with a premium listing must report how they have complied with the Code in their annual report and accounts, on a comply or explain basis.

In other words, where a company has not complied with a specific provision of the Code, its report and accounts must explain why not.

The UK Corporate Governance Code is paired with the UK Stewardship Code which sets out good practice for institutional investors. It aims to improve the level of engagement between asset managers and the companies they invest in.

• Access the UK Corporate Governance Code on the FRC website.

The UK Stewardship Code, published by the UK’s Financial Reporting Council (FRC) sets out good practice for institutional investors. It aims to improve the level of engagement between asset managers and the companies they invest in.

All UK-authorised asset managers are required to make a statement of their commitment to the Stewardship Code, on a comply or explain basis.

In other words, where an asset manager has not complied with a specific provision of the Code, the statement must explain why not.

The UK Stewardship Code is paired with the UK Corporate Governance Code, which sets out general principles and specific provisions for good corporate governance. This includes the leadership role of the board, remuneration, accountability, and shareholder relations.

• Access the UK Stewardship Code on the FRC website.