After the engagement letter has been signed, the next stage of any assurance engagement is to discuss the practicalities of the fieldwork to be undertaken. This analysis will generate the substantive evidence that is necessary for a reliable, high quality assurance engagement.
Planning the engagement
The practitioner will have agreed with the client, and any other party to the engagement letter, the form of report that is appropriate for the purpose of the assurance engagement. In an assurance engagement, the practitioner is responsible for determining the nature, timing, and extent of evidence-gathering procedures required in order to support the type of assurance report to be issued.
Availability of evidence
When planning to gather evidence, it is important that the practitioner maintains a focus on the engagement objectives. Evidence should be relevant to the subject matter and the planned assurance conclusion. The practitioner is expected to maintain an attitude of professional scepticism throughout the engagement. This impacts on the selection of tests to be performed and the extent of testing.
We can derive from ISA 320 the definition that misstatements, including omissions, are considered to be material if they individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the subject matter information (ISA (UK) 320 paragraph 2). This definition can also be used for non-financial assurance, with the substitution of ‘narrative assertions’ for ‘financial statements’.
An assurance practitioner’s objective is to reduce the risk of a material misstatement of the subject matter to the level commensurate with the degree of assurance being provided, whether reasonable or limited. However unlike financial statement auditing, it is not always possible in a non-financial assurance engagement to express materiality as one or a series of quantitative thresholds with which misstatements can be compared.
Quality of evidence
The same principles apply in evidence gathering for an assurance engagement as for a financial statement audit. The choices available to the practitioner include: inspection, observation, enquiry, confirmation, re-calculation, re-performance and analytical procedures.
Considerations in determining test selection, include the reliability of the evidence the test will produce. For example:
- Evidence is more reliable when it is obtained from independent sources outside the organisation.
- Evidence that is generated internally is more reliable when the related controls applied by the organisation are effective.
- Evidence obtained directly by the practitioner, eg, observation of the application of a control, is more reliable than evidence obtained indirectly or by inference, eg, enquiry about the application of a control.
- Evidence is more reliable when documented, whether by paper, electronic, or other medium, eg, a timely written record of a meeting is more reliable than a subsequent oral representation of the matters discussed.
- Evidence provided by original documents is more reliable than evidence provided by copies.
The practitioner and team will need to use their judgement to decide on the procedures that will provide sufficient, appropriate evidence in the context of the assurance engagement. This is likely to include both tests of controls and substantive procedures.
Focus on subject matter and purpose of engagement
The nature of the evidence gathering and related tests will vary according to the nature of the subject matter and the related assurance being sought.
- Fair description: The practitioner may discuss the processes being described with client employees, read the client’s description and compare it with a walk-through of the relevant processes adopted, searching for ambiguities and ensuring that the description contains all significant information in relation to its operation, read relevant policy and procedure manuals, read and evaluate other information the client has provided to third parties that describes the processes.
- Design of processes and controls (eg, control procedures): The practitioner may evaluate the control design and walk through the control steps using one or two transactions to confirm their understanding. Tests might include specific checks on the operation of controls where this is necessary to confirm the detail of the design of the control.
- Operating effectiveness of controls: Having evaluated the design of controls as explained above, the practitioner may proceed to perform tests of operating effectiveness of the control. The practitioner may consider it appropriate to perform some substantive testing, depending on the nature of the engagement.
- Outcome (eg, of profit sharing calculation): Having understood the background of the engagement and related risks, testing will focus on the engagement objectives. This may, or may not, require testing of control design and operation. However, whatever testing is performed, it will need to provide suitable evidence that supports the management assertion. If management of the responsible party has produced a complete report, the practitioner may also need to read the narrative report to ensure that it does not include any claims (or statements) that are inconsistent with the detailed findings. Where significant claims are being made in the narrative, the practitioner considers whether these should also be tested to an appropriate level.
The choice of evidence gathering method primarily depends on the subject matter, the criteria, the sources of evidence and whether the engagement is providing reasonable or limited assurance.
In the case of a reasonable assurance engagement, the sample sizes selected to conduct tests and collect evidence need not be different from those determined using the principles applicable for a financial statement audit, because the risk of a material misstatement in the management assertion needs to be reduced to a similar acceptably low level.
Sample sizes for tests of operating effectiveness of controls will generally be larger when the controls themselves are the subject matter of the assurance, for example in a service organisation controls assurance engagement, than when controls testing is part of the evidence-gathering in relation to data which is the subject of assurance, for example in a grant claim assurance engagement.
It is a requirement of assurance engagements conducted under ISAE 3000 (Revised) that the practitioner should obtain a management representation letter. This letter needs to be tailored to suit the subject matter, the nature of the engagement and the risks and uncertainties involved in the work. However, the principles involved in the letter are the same as those for a financial statements audit.
Nature, timing and extent of tests
The practitioner obtains sufficient and appropriate evidence on which to base his conclusion. The nature, timing and extent of work may differ according to the type of assurance engagement. Sufficiency is the measure of the quantity of evidence while appropriateness is the measure of the quality of evidence; that is, its relevance and its reliability.
The practitioner uses professional judgement and exercises professional scepticism in evaluating the quantity and quality of evidence, and thus its sufficiency and appropriateness to support the assurance conclusion. The practitioner describes the tests performed or provides a summary to communicate sufficient information to support the assurance conclusion.
In particular, depending on the nature of the subject matter and as agreed on accepting the engagement, the practitioner may perform tests over a period of time or at a point in time. The practitioner therefore describes the timing of tests and considers the impact on the assurance conclusion.
The practitioner may be prevented by the responsible party from having access to personnel, premises or operational information during the course of the assignment. Similarly, there may be circumstances beyond the control of the practitioner or the client where sufficient appropriate evidence may not be available.
The practitioner considers whether these restrictions have an impact on the assurance report. Where the practitioner’s work is affected by restricted access, the practitioner may need to consider whether to issue a qualified or adverse conclusion, issue a disclaimer of a conclusion, or where appropriate, withdraw from the engagement.
Using the work of internal auditors
A responsible party may have an internal audit department that as part of its audit plan performs tests of some aspects of the processes and operations which are also the subject of the assurance report. The practitioner may wish to consider whether it might be effective and efficient to use the results of testing performed by internal auditors to alter the nature, timing or extent of the work the practitioner otherwise might have performed in forming the assurance conclusion.
In such cases, the practitioner assesses the independence, objectivity and competence of the internal auditors and the nature, scope, and subjectivity of the work performed by internal audit. Where the practitioner uses the work of internal auditors, the practitioner performs sufficient testing to obtain the principal evidence to reach an appropriate assurance conclusion. The practitioner also considers making reference to the internal auditors and their capability in the assurance report and clarifies the extent of the use of the work of the internal auditors.
Management representation letter
The practitioner normally obtains written representations or a form of written confirmation signed by management of the responsible party who are responsible for and knowledgeable about the subject matter, whether directly or through others within the responsible party. The refusal by management of the responsible party to provide written representations considered necessary by the practitioner may constitute a limitation on the scope of the engagement. The practitioner obtains a representation letter as close as possible, and in any case not after, the date of the assurance report.
Management representations cannot replace other evidence that the practitioner could reasonably be able to obtain. Where the practitioner is unable to obtain sufficient appropriate evidence regarding a matter that may have a material effect on the evaluation or measurement of the subject matter, when such evidence would ordinarily be expected to be available, the practitioner considers if it would constitute a limitation on the scope of the engagement even if management representations are available.
The practitioner is associated with a subject matter when the practitioner reports on information about that subject matter or consents to the use of the practitioner’s name in a professional connection with respect to that subject matter. If the practitioner learns that the client (or any other party) is inappropriately using the practitioner’s name in association with a subject matter, the practitioner requires the client to cease doing so. The practitioner may also consider what other steps may be needed, such as informing any known parties that may have received the report that inappropriately uses the practitioner’s name and seeking legal advice.
Considering subsequent events
The practitioner considers the effect on the subject matter information and on the assurance report of events up to the date of the assurance report. The extent of consideration of subsequent events depends on the extent to which such events may affect the subject matter information and the appropriateness of the practitioner’s conclusion.
Supposing the assurance practitioner has been engaged to give an opinion over a client’s assertions on the suitability of design and operating effective of controls for a period, a report which will be submitted to the client’s regulator. The assurance practitioner obtains sufficient appropriate evidence over the design and operating effectiveness of the controls during the year in question. However, the client has made changes to the relevant systems and these changes have resulted in deterioration of the control environment in the period between the year end and the date of signing the assurance report, though the problems are now in the process of being rectified.
In this example, the primary purpose of the assurance engagement is to provide assurance to the regulator. It would be important for the client to include references to the changes in the control environment in their own report and for the practitioner to consider drawing attention to these matters in their own opinion even though they would have no impact on the design and operation of controls in the period under review.
The practitioner documents matters that are significant and relevant to support the assurance report and to confirm that the engagement was performed as agreed with the client and as set out in the engagement letter. The documentation includes the description of the extent, nature and results of tests, sampling, evidence to support the practitioner’s conclusion and a record of the practitioner’s reasoning on significant matters that require the exercise of judgement and relevant facts.
Page reviewed April 2018. Next review due April 2019. https://www.icaew.com/en/technical/audit-and-assurance/assurance/process/fieldwork-and-analysis