This article looks at the topic of assurance in the context of Paper P7, Advanced Audit and Assurance, describing a framework for the classification of assurance and non-assurance engagements, and giving guidance on the practical approach required when undertaking assurance assignments
Note: ISAE 3000, ISAE 3400, ISRS 4400, ISRS 4410 and ISRE 2400 are not examinable documents for Paper P7 UK and Ireland.
The glossary of terms published by the International Auditing and Assurance Standards Board (IAASB) describes an assurance engagement as:
‘An engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria.’
The IAASB has developed the International Framework for Assurance Engagements in which it gives detailed guidance on assurance and non-assurance engagements. The structure and hierarchy of pronouncements are summarised at www.ifac.org in the IAASB handbook, which is freely available online. For Paper P7 purposes, a summary of the developing framework for assurance and non-assurance engagements is shown below:
The first distinction to be made is to distinguish between the two types of assurance engagements on historic financial information that can be provided. The difference is the level of assurance provided on the historical information.
Reasonable assurance engagement
This is a statutory audit, where the approach required will need to be consistent with local legislative requirements, such as the Companies Act 2006 in the UK, and audit work will need to be carried out in accordance with International Standards on Auditing (ISAs). The auditor will express a conclusion designed to enhance the degree of confidence of the intended users of the financial statements, and moderate to high assurance would normally be given.
Limited assurance engagement
A limited assurance engagement is increasingly being seen as an alternative to the statutory audit. A good example of this type of engagement is represented by recent initiatives in the UK, which have proposed the introduction of ‘mini’ audits for companies below the audit exemption threshold. There currently exists no UK statutory requirement for a ‘mini’ audit, although an increasing number of companies are requesting, on a voluntary basis, limited assurance engagements. Such engagements do not give the same level of assurance as a statutory audit, but instead give ‘negative assurance’ based on more limited procedures than are required with a statutory audit. Negative assurance will typically be worded as follows:
‘Based on our review, nothing has come to our attention to indicate that the accompanying financial statements contain material misstatement.’
With a negative assurance statement, effectively no opinion is given on the information, but at least some assurance is provided that the information ‘appears reasonable’.
The International Standard on Assurance Engagements (ISAE) 3000 gives guidance to practitioners (defined by ISAE 3000 as ‘professional accountants in public practice’) for the performance of assurance engagements other than audits or reviews of historical financial information. A summary of the key requirements of ISAE 3000 is shown in the following table.
|1||Ethical requirements – practitioners should comply with ethical requirements (ie IESBA’s Code of Ethics for Professional Accountants and ACCA’s Code of Ethics and Conduct).|
Quality control – the practitioner should implement quality control procedures that are applicable to the individual engagement.
Engagement – the terms of the engagement should be recorded in an engagement letter, and the practitioner should agree on the terms of the engagement with the engaging party.
Planning and obtaining evidence – the practitioner should plan the engagement so that it will be performed effectively, and should consider materiality and assurance engagement risk, and sufficient appropriate evidence should be obtained on which to base the conclusion.
Reporting – the assurance report should be in writing and should contain a clear expression of the practitioner’s conclusion about the subject matter information.
The approach required by ISAE 3000, and the work undertaken with an assurance engagement, may be similar in many respects to an audit engagement, although the context is different. For each of the assurance engagements on other information, the guidance from ISAE 3000 will apply, with the exception of Prospective Financial Information (PFI) work, where separate guidance is given in ISAE 3400, which is summarised later in this article.
Listed below are the most relevant areas where assurance engagements on other information will typically arise:
Internal control and systems reviews
The type of assurance work arising here is very similar to the work that auditors have been doing for a long time as part of the audit approach required when evaluating the effectiveness of internal control systems. Control and systems review work is tested in Paper F8 and, as such, needs little further coverage in this article.
Key performance indicators
Developments in performance measurement have led to many companies publishing a selection of key performance indicators (KPIs) in the annual financial statements. KPIs represent a set of measures focusing on those aspects of performance that are most crucial for the continued success of an organisation. Many companies are increasingly opting for voluntary disclosure of KPIs, which can be financial (such as ratios based on the financial statements) or non-financial (such as targets on social and environmental matters). The increased tendency to disclose such data is often in response to shareholder expectations. The assurance approach towards KPIs requires careful consideration of how the KPI has been defined, the KPI calculation method, and the purpose of reporting the KPI, and the nature of evidence that would be available on the source of the underlying data.
Problems facing assurance providers in relation to KPI assessment may include the lack of precise definitions of KPI targets, lack of developed systems to capture KPI data, and the potential for KPIs, as disclosed, to be manipulated to achieve a desired result. However, an assurance report provided on the KPIs should add credibility to the published data if sufficient evidence is available to the assurance provider.
Due diligence reviews
There is little specific guidance on due diligence reviews, despite this being an increasingly common form of assurance. Normally, the assurance provider is engaged by the potential acquirer of a company, who seeks to discover information about the target organisation. The assurance provider will attempt to verify any representations made by the management of the target company, and may also offer practical recommendations regarding the acquisition process.
Prospective financial information
Procedures by assurance firms on prospective financial information (PFI) are well established, and separate guidance is given by the IAASB in ISAE 3400, The Examination of Prospective Financial Information, which again is very practical in nature. The standard defines PFI as ‘financial information based about events that may occur in the future and possible actions by an entity’.
The standard recognises that, because PFI relates to events and actions that have not yet occurred and may not occur, PFI work is highly subjective in its nature, and its preparation requires the exercise of considerable judgment.
ISAE 3400 requires that before accepting a PFI engagement, the terms of the engagement should be agreed on and sufficient knowledge of the business should be obtained. The period of time covered by the PFI should be clarified, which could be a forecast (usually a period of up to 12 months) and/or a projection (usually up to five years).
ISAE 3400 also requires that written representations should be requested from management regarding the intended use of the PFI, the completeness of significant management assumptions, and also management’s acceptance of its responsibility for the PFI. The assurance report should make it clear that management is responsible for the PFI and also the assumptions on which it is based. Given the subjective and speculative nature of the PFI, an opinion cannot be given on whether the results shown in the report will be achieved, so only negative assurance can be given.
Non-assurance engagements are more likely to arise with small companies, and only a general awareness will be required of the guidance given by the IAASB for each of these three areas. Each of the three so-called non-assurance areas is briefly summarised below.
The objective of a review of financial statements is to enable an auditor to state whether, on the basis of procedures that do not provide all the evidence required in an audit, anything has come to the auditor’s attention that causes the auditor to believe that the financial statements are not prepared in accordance with the applicable financial reporting framework (ie negative assurance). Guidance to practitioners taking on this type of assignment is given by the IAASB in International Standard on Review Engagements (ISRE) 2400, Engagements to Review Historical Financial Statements.
Another type of review engagement is the review of interim financial information, covered by ISRE 2410, Review of Interim Financial Information Performed by the Independent Auditor of the Entity.
There are many similarities between review engagements and the limited assurance engagements (these were discussed earlier, in the context of so-called ‘mini’ or voluntary audits). The best approach to adopt, however, is to consider the work required for the engagement itself, rather than to dwell on how the engagement is classified.
Agreed upon procedures
The objective is for the auditor to carry out procedures of an audit nature to which the auditor, the entity, and any appropriate third parties have agreed, and for the auditor to report on factual findings. Guidance to practitioners taking on this type of assignment is given by the IAASB in International Standard on Related Services (ISRS) 4400, Engagements to Perform Agreed Upon Procedures Regarding Financial Information. Examples of this type of engagement could include the quantification of an insurance claim, or of the loss suffered due to a fraud. The specialist area of forensic accounting and auditing could be viewed as a specific type of agreed upon procedure engagement.
The objective of a compilation engagement is for the practitioner to apply accounting and financial reporting expertise to assist management in the preparation and presentation of financial information in accordance with an applicable financial reporting framework based on information provided by management – and report in accordance with the requirements of ISRS 4410, Compilation Engagements. Thus, the practitioner’s report is not a vehicle to express an opinion or conclusion on the financial information in any form.
Students should expect to see assurance assignments other than reasonable assurance engagements appearing frequently in the Paper P7 exam. In other words, a question that is not based around a ‘traditional audit’, but is presented in the context – for example, of a due diligence engagement, a review of PFI, a review of KPIs, or a limited assurance engagement on historical information. Such a question could appear in Section A or B of the exam.
It is important that candidates appreciate the practical nature of these questions, which will require application of knowledge to the scenario. The requirement may ask the candidate to consider, for example:
Written by a member of the Paper P7 examining team