The approach required by ISAE 3000, and the work undertaken with an assurance engagement, may be similar in many respects to an audit engagement, although the context is different. For each of the assurance engagements on other information, the guidance from ISAE 3000 will apply, with the exception of Prospective Financial Information (PFI) work, where separate guidance is given in ISAE 3400, which is summarised later in this article.
Listed below are the most relevant areas where assurance engagements on other information will typically arise:
- Internal controls and systems reviews
- Due diligence reviews
- Prospective financial information.
Internal control and systems reviews
The type of assurance work arising here is very similar to the work that auditors have been doing for a long time as part of the audit approach required when evaluating the effectiveness of internal control systems. Control and systems review work is tested in Paper F8 and, as such, needs little further coverage in this article.
Key performance indicators
Developments in performance measurement have led to many companies publishing a selection of key performance indicators (KPIs) in the annual financial statements. KPIs represent a set of measures focusing on those aspects of performance that are most crucial for the continued success of an organisation. Many companies are increasingly opting for voluntary disclosure of KPIs, which can be financial (such as ratios based on the financial statements) or non-financial (such as targets on social and environmental matters). The increased tendency to disclose such data is often in response to shareholder expectations. The assurance approach towards KPIs requires careful consideration of how the KPI has been defined, the KPI calculation method, and the purpose of reporting the KPI, and the nature of evidence that would be available on the source of the underlying data.
Problems facing assurance providers in relation to KPI assessment may include the lack of precise definitions of KPI targets, lack of developed systems to capture KPI data, and the potential for KPIs, as disclosed, to be manipulated to achieve a desired result. However, an assurance report provided on the KPIs should add credibility to the published data if sufficient evidence is available to the assurance provider.
Due diligence reviews
There is little specific guidance on due diligence reviews, despite this being an increasingly common form of assurance. Normally, the assurance provider is engaged by the potential acquirer of a company, who seeks to discover information about the target organisation. The assurance provider will attempt to verify any representations made by the management of the target company, and may also offer practical recommendations regarding the acquisition process.
Prospective financial information
Procedures by assurance firms on prospective financial information (PFI) are well established, and separate guidance is given by the IAASB in ISAE 3400, The Examination of Prospective Financial Information, which again is very practical in nature. The standard defines PFI as ‘financial information based about events that may occur in the future and possible actions by an entity’.
The standard recognises that, because PFI relates to events and actions that have not yet occurred and may not occur, PFI work is highly subjective in its nature, and its preparation requires the exercise of considerable judgment.
ISAE 3400 requires that before accepting a PFI engagement, the terms of the engagement should be agreed on and sufficient knowledge of the business should be obtained. The period of time covered by the PFI should be clarified, which could be a forecast (usually a period of up to 12 months) and/or a projection (usually up to five years).
ISAE 3400 also requires that written representations should be requested from management regarding the intended use of the PFI, the completeness of significant management assumptions, and also management’s acceptance of its responsibility for the PFI. The assurance report should make it clear that management is responsible for the PFI and also the assumptions on which it is based. Given the subjective and speculative nature of the PFI, an opinion cannot be given on whether the results shown in the report will be achieved, so only negative assurance can be given.
Non-assurance engagements are more likely to arise with small companies, and only a general awareness will be required of the guidance given by the IAASB for each of these three areas. Each of the three so-called non-assurance areas is briefly summarised below.
The objective of a review of financial statements is to enable an auditor to state whether, on the basis of procedures that do not provide all the evidence required in an audit, anything has come to the auditor’s attention that causes the auditor to believe that the financial statements are not prepared in accordance with the applicable financial reporting framework (ie negative assurance). Guidance to practitioners taking on this type of assignment is given by the IAASB in International Standard on Review Engagements (ISRE) 2400, Engagements to Review Historical Financial Statements.
Another type of review engagement is the review of interim financial information, covered by ISRE 2410, Review of Interim Financial Information Performed by the Independent Auditor of the Entity.
There are many similarities between review engagements and the limited assurance engagements (these were discussed earlier, in the context of so-called ‘mini’ or voluntary audits). The best approach to adopt, however, is to consider the work required for the engagement itself, rather than to dwell on how the engagement is classified.
Agreed upon procedures
The objective is for the auditor to carry out procedures of an audit nature to which the auditor, the entity, and any appropriate third parties have agreed, and for the auditor to report on factual findings. Guidance to practitioners taking on this type of assignment is given by the IAASB in International Standard on Related Services (ISRS) 4400, Engagements to Perform Agreed Upon Procedures Regarding Financial Information. Examples of this type of engagement could include the quantification of an insurance claim, or of the loss suffered due to a fraud. The specialist area of forensic accounting and auditing could be viewed as a specific type of agreed upon procedure engagement.
The objective of a compilation engagement is for the practitioner to apply accounting and financial reporting expertise to assist management in the preparation and presentation of financial information in accordance with an applicable financial reporting framework based on information provided by management – and report in accordance with the requirements of ISRS 4410, Compilation Engagements. Thus, the practitioner’s report is not a vehicle to express an opinion or conclusion on the financial information in any form.
Students should expect to see assurance assignments other than reasonable assurance engagements appearing frequently in the Paper P7 exam. In other words, a question that is not based around a ‘traditional audit’, but is presented in the context – for example, of a due diligence engagement, a review of PFI, a review of KPIs, or a limited assurance engagement on historical information. Such a question could appear in Section A or B of the exam.
It is important that candidates appreciate the practical nature of these questions, which will require application of knowledge to the scenario. The requirement may ask the candidate to consider, for example:
- whether or not to accept the engagement
- matters to be discussed with the client post-acceptance
- methods of gathering sufficient and appropriate evidence
- the report to be provided.
Written by a member of the Paper P7 examining team