345843475.

docEd3 1

Chapter 4

AN AUDITORS SERVICES

4.1 Learning Objectives

After studying this chapter, you should be able to:

1. Understand the general definition of assurance services.

2. Identify the assurance and non-assurance services normally performed by auditors.

3. Explain what an assurance engagement entails.

4. Describe the five elements exhibited by all assurance engagements.

5. Know the various subject matters that can be covered in an assurance engagement.

6. Distinguish between the different suitable criteria applicable to an assurance service.

7. Understand what distinguishes a review from a compilation.

8. Understand to place of professional judgment in audits

9. Describe professional skepticism.

10.Give the inherent limitations of an audit

11. Discuss the requirements of International Standard on Quality Control #1

4.2 International Framework for Auditor Services

Auditor services are work that an audit firm performs for their clients. Except for consulting

services, the work that auditors do is under the guidance of engagement standards set by the

International Auditing and Assurance Standards Board (IAASB). All auditor services standards have

as their basis the IESBA Code of Ethics (see Chapter 3) and International Standards on Quality

Control (ISQC). In this chapter we discuss the basic requirements of assurance engagements,

audits of historical financial information, professional judgment, professional skepticism, inherent

345843475.doc
 345843475.docEd3 2

limitation and quality control. We will give details on other assurance engagements including

sustainability, internal controls and review engagements and non-assurance engagements such as

compilation in Chapter 14. Consulting services engagements will not be discussed in this book

IAASBS Technical Pronouncements

Illustration 4.1 shows the general structure of IAASBs technical pronouncements.

ILLUSTRATION 4.1

ASSURANCE ENGAGEMENTS AND RELATED SERVICES2

[UNFig near here]

345843475.doc
 345843475.docEd3 3

345843475.doc
 345843475.docEd3 4

Code of Ethics and ISQC

All auditor services standards have as their basis the Code of Ethics for Professional

Accountants (the IESBA Code) issued by the International Ethics Standards Board of Accountants

(IESBA). (discussed in Chapter 3 Ethics for Professional Accountants) and International Standard

on Quality Control 11 (ISQC # 1) (see Chapter 1 International Auditing Overview). The Code has

been employed by IFAC from the early days. Quality control standards are currently being created

by the IAASB.

Two Audit Services Frameworks Assurance and Related Services

Some engagement standards are based on International Framework for Assurance

Engagements (assurance engagements), and others result from the Related Services Framework

(related services engagements). Three sets of standards (ISAs, ISREs and ISAEs) share the

assurance engagement framework and one standard set (ISRS) is based on the related services

framework. ISAs, ISREs, ISAEs and ISRSs are collectively referred to as the IAASBs Engagement

Standards.

IAASBs Engagement Standards

The IAASB engagement standards encompass the following: 2

International Standards on Auditing (ISAs) are to be applied in the audit of historical financial

information.

International Standards on Review Engagements (ISREs) are to be applied in the review of

historical financial information.International Standards on Assurance Engagements (ISAEs) are

to be applied in assurance engagements other than audits or reviews of historical financial

information.

345843475.doc
 345843475.docEd3 5

International Standards on Related Services (ISRSs) are to be applied to compilation

engagements, engagements to apply agreed upon procedures to information, and other related

services engagements as specified by the IAASB.

Assurance Engagements for Audits and Reviews for Historical Financial

Information (ISAs and ISREs)

International Standards on Auditing (ISA) 200 Overall Objectives Of The Independent Auditor And

The Conduct Of An Audit In Accordance With International Standards On Auditing describes the

main concepts applicable to audit, review or special purpose frameworks. Financial statement audit

standards are described in ISA 200799. Special Purpose Frameworks and other examinations of

historical financial information are given in ISA 800-899. Review standards are ISREs 2000-2699.

Assurance Engagements Other than Audits or Reviews of Historical

Financial Information (ISAEs)

International Standards on Assurance Engagements (ISAE) 3000 Assurance Engagements

Other than Audits or Reviews of Historical Financial Information describes concepts applicable to

assurance services whose subject matter is not related to historical financial information. These

audit services will be discussed in Chapter 14 Other Assurance and Non-Assurance

Engagements.

The ISAE standards are divided into two parts:

1 ISAEs 30003399 which are topics that apply to all assurance engagements.

2 ISAEs 34003699 which are subject specific standards, for example standards relating to

examination of prospective financial information.

345843475.doc
 345843475.docEd3 6

The subject matter of ISAEs 34003699 now includes examination of prospective financial

information (ISAE 3400) and assurance reports on controls at a service organization (ISAE 3402).

However, in future it might include non-financial information (e.g. corporate governance,

statistical, environmental), systems and processes (e.g. internal control (such as that required under

the Sarbanes-Oxley Act), corporate governance, environmental management systems), and behavior

(corporate governance, compliance, and human resources practices). Right now, because IAASB

does not set these standards, reports of social, environmental and economic assurance engagements

are commonly based on a whole variety of established criteria, for example, the Global Reporting

Initiative (GRI) Sustainability Reporting Guidelines.3 These audit services will be discussed in

Chapter 14 Other Assurance and Non-Assurance Engagements.

Other Engagements Performed by Auditors

Not all engagements performed by auditors are assurance engagements. Other engagements

frequently performed by auditors that do not meet the definition of an assurance engagement and

which are therefore not covered by the framework for assurance engagements include:

engagements covered by International Standards for Related Services (ISRSs);

the preparation of tax returns where no conclusion conveying assurance is expressed;

consulting engagements such as tax consulting, or engagements in which a practitioner is

engaged to testify as an expert witness in accounting, auditing, taxation or other matters, given

stipulated facts.

Related Services Framework (ISRSs)

Engagements covered by International Standards on Related Services ISRS are based on the

Related Services Framework a framework that is still in the development stage at the IAASB.

Standards under this framework (ISRSs) are applied currently to two audit services: engagements to

345843475.doc
 345843475.docEd3 7

perform agreed-upon procedures regarding financial information (ISRS 4400) and compilation

engagements (ISRS 4410). Compilations offer no assurance whatsoever. On agreed-upon

procedures no assurance is expressed. Instead, users of the report assess for themselves the

procedures and findings reported by the auditor and draw their own conclusions from the auditors

audit procedures in a very limited agreed upon area with a proscribed set of users. These audit

services will be discussed in Chapter 14 Other Assurance and Non-Assurance Engagements.

Guidance and Practical Assistance Provided by Practice Statements (IAPS,

IAEPs, IRSPSs)

The IAASBs Standards contain basic principles and essential procedures together with related

guidance in the form of explanatory and other material, including appendices. International

Auditing Practice Notes (IAPNs), represented by IAPN 1000-1100, are issued to provide

interpretive guidance and practical assistance to auditors in implementing ISAs for audit, review,

and special purpose engagements. Although there are currently no practice notes for assurance

engagements or related services, in the planning stage are International Assurance Engagement

Practice Notes (IAEPNs), provide interpretive guidance for ISAEs, and International Related

Services Practice Notes (IRSPNs) will provide assistance for auditors implementing ISRSs.

4.3 Elements of an Assurance Engagement

Assurance engagement means an engagement in which a practitioner expresses a conclusion

designed to enhance the degree of confidence of the intended users4 (other than the responsible

party5) about the outcome of the evaluation or measurement of a subject matter6 against criteria7.

The outcome of the evaluation or measurement of a subject matter is the information that

results from applying the criteria to the subject matter. For example, an assertion about the

345843475.doc
 345843475.docEd3 8

effectiveness of internal control (outcome) results from applying a framework for evaluating the

effectiveness of internal control, such as COSO 8 or CoCo9, (criteria) to internal control, a process

(subject matter). The assurance framework uses the term subject matter information to mean

the outcome of the evaluation or measurement of a subject matter. It is the subject matter

information about which the practitioner gathers evidence to provide a reasonable basis for

expressing a conclusion in an assurance report.

The subject matter of an assurance engagement is the topic about which the assurance

engagement is conducted. Subject matter could be financial statements, statistical information, non-

financial performance indicators, capacity of a facility, etc. The subject matter could also be systems

and processes (e.g. internal controls, environment, IT systems) or behavior (e.g. corporate

governance, compliance with regulation, human resource practices). The assurance engagement

evaluates whether the subject matter conforms to suitable criteria that will meet the needs of an

intended user.

Assurance Engagement Defined

Under International Framework for Assurance Engagements, there are two types of assurance

engagement: a reasonable assurance engagement and a limited assurance engagement. The

objective of a reasonable assurance engagement is a reduction in assurance engagement risk to an

acceptably low level based on the circumstances of the engagement 10 as the basis for a positive form

of expression of the practitioners conclusion. The objective of a limited assurance engagement is a

reduction in assurance engagement risk to a level that is acceptable in the circumstances of the

engagement, but where that risk is greater than for a reasonable assurance engagement, as the basis

for a negative form of expression of the practitioners conclusion.

345843475.doc
 345843475.docEd3 9

Five Elements Exhibited by all Assurance Engagements

The International Framework for Assurance Engagements describes five elements 11 that all

assurance engagements exhibit:

1. a three party relationship involving a practitioner, a responsible party, and the intended

users;

2. an appropriate subject matter;

3. suitable criteria;

4. sufficient appropriate evidence; and

5. A written assurance report in the form appropriate to a reasonable assurance engagement or

a limited assurance engagement.

Illustration 4.2 is a context data flow diagram of the engagement process. Illustration 4.3

shows a more in depth (zero level) data flow diagram of the relations between the five elements

during an engagement process.

ILLUSTRATION 4.2

CONTEXT DATA FLOW DIAGRAM OF ASSURANCE ENGAGEMENT ELEMENTS

[UNFig near here]

345843475.doc
 345843475.docEd3 10

Three Party Relationship Practitioner, Responsible Party and User

Assurance engagements always involve three separate parties: a practitioner, a responsible

party, and the intended users. The practitioner (e.g. auditor, accountant, expert) gathers evidence to

provide a conclusion to the intended users about whether a subject matter (e.g. financial statements)

conforms, in all material respects, to identified criteria.

The responsible party is the person (or persons) - usually management or the board of

directors- who in a direct reporting engagement is responsible for the subject matter. In an assertion-

based engagement, the responsible party is responsible for the subject matter information (the

assertion), and may be responsible for the subject matter. 12

The responsible party may or may not be the party who engages the practitioner (the engaging

party). The responsible party ordinarily provides the practitioner with a written representation that

evaluates or measures the subject matter against the identified criteria.

The intended users are the person, persons or class of persons for whom the practitioner

prepares the assurance report. The responsible party can be one of the intended users, but not the

345843475.doc
 345843475.docEd3 11

only one. Whenever practical, the assurance report is addressed to all the intended users. Also,

whenever practical, intended users are involved with the practitioner and the responsible party in

determining the requirements of the engagement. However, he practitioner is responsible for

determining the nature, timing and extent of procedures and is required to pursue any matter he

becomes aware of that leads him to believe that a material modification should be made to the

subject matter information.

As you can see from Illustration 4.3, the responsible party selects criteria (e.g. the tax code),

determines the subject matter (financial statements) and engages the practitioner (public

accountant). The subject matter and criteria taken together generates the subject matter information.

For example, the tax code criteria and financial statements subject matter combine to make the

company income tax returns. In an audit, the criteria could be IFRS, the subject matter is financial

performance and position of the company, and subject matter information would be the income

statement and balance sheet. In preparing internal control assurances, the criteria could be the

COSO criteria, subject matter internal controls, and the subject matter information could be a

measure of effectiveness of internal control.

ILLUSTRATION 4.3

DATA FLOW DIAGRAM ASSURANCE ENGAGEMENT ELEMENTS AND ENGAGEMENT SUB-

PROCESSES

345843475.doc
 345843475.docEd3 12

The practitioner determines if the criteria are suitable, collects evidence about the subject

matter information and issues an assurance report. For example, the auditor determines if the proper

income tax codes are being used, evaluates the income tax information provided by the company by

seeking evidence that the information is complete and all transactions from which the data were

derived exist. Put another way a responsible party measures, the auditor re-measures.

Subject Matter

The subject matter, and subject matter information, of an assurance engagement can take many

forms, such as:

345843475.doc
 345843475.docEd3 13

Financial performance or conditions (for example, historical or prospective financial position,

financial performance and cash flows) for which the subject matter information may be the

recognition, measurement, presentation and disclosure represented in financial statements.

Non-financial performance or conditions (for example, performance of an entity) for which the

subject matter information may be key indicators of efficiency and effectiveness.

Physical characteristics (for example, capacity of a facility) for which the subject matter

information may be a specifications document.

Systems and processes (for example, an entitys internal control or IT system) for which the

subject matter information may be a statement of effectiveness.

Behavior (for example, corporate governance, compliance with regulation, human resource

practices) for which the subject matter information may be a statement of compliance or a

statement of effectiveness.

The subject matter must be identifiable and capable of consistent evaluation or measurement against

identified, suitable criteria (such as International Financial Reporting Standards (IFRS)). It must

also be in a form that can be subjected to procedures for gathering evidence to support that

evaluation or measurement.

Suitable Criteria

Suitable criteria are the benchmarks (standards, objectives, or set of rules) used to evaluate

evidence or measure the subject matter of an assurance engagement. For example, in the preparation

of financial statements, the suitable criteria may be IFRS, US Generally Accepted Accounting

Principles (US GAAP), or national standards. When reporting on social or environmental aspects of

the company an auditor might use the Global Reporting Initiative.

345843475.doc
 345843475.docEd3 14

Several standards may guide the report, depending on the assurance service. When using

accounting criteria to report on internal control, the criteria may be an established internal control

framework, such as the COSO report criteria, or individual control objectives specifically designed

for the engagement. When reporting on compliance, the criteria may be the applicable law,

regulation or contract, or an agreed level of performance (for instance, the number of times a

companys board of directors is expected to meet in a year). Without the frame of reference

provided by suitable criteria, any conclusion is open to individual interpretation and

misunderstanding.

The Characteristics for Assessing Suitable Criteria

An auditor cannot evaluate or measure a subject matter on the basis of his own expectations,

judgments and individual experience. That would not constitute suitable criteria. The characteristics

for assessing whether criteria are suitable are as follows: 13

Relevance: relevant criteria contribute to conclusions that meet the objectives of the

engagement, and assist decision making by the intended users.

Completeness: criteria are sufficiently complete when relevant factors that could affect the

conclusions in the context of the engagement objectives are not omitted. Complete criteria

include, where relevant, benchmarks for presentation and disclosure of the subject matter.

Reliability: reliable criteria result in reasonably consistent evaluation or measurement

including, where relevant, presentation and disclosure of the subject matter, when used in

similar circumstances by similarly qualified practitioners.

Neutrality: neutral criteria contribute to conclusions are free from bias.

Understandability: understandable criteria are clear and comprehensive and are not subject to

significantly different interpretation.

345843475.doc
 345843475.docEd3 15

Criteria Established or Specifically Developed

Criteria can be either established or specifically developed. Established criteria are those embodied

in laws or regulations, or issued by recognized bodies of experts that follow due process. Examples

of established criteria are GAAP, IFRS, the national tax code, etc. Specifically developed criteria

are those identified for the purpose of the engagement and which are consistent with the

engagement objective. Examples of specifically developed criteria are criteria generally understood

by the intended users (e.g. the criterion for measuring time in hours and minutes is generally

understood); or criteria available only to specific intended users (e.g. the terms of a contract, or

criteria issued by an industry association that are available only to those in the industry). Criteria

need to be available to the intended users to allow them to understand how the subject matter has

been evaluated or measured.

Concept and a Company 4.1

A Clean Audit for HealthSouth

Concept What is an assurance service? What is an audit-related service?

Story Ernst & Young (E&Y) were the independent auditors of HealthSouth between 2000 and 2002.

They also conducted janitorial inspections of the companys facilities. These inspections were

called pristine audits. E&Y advised HealthSouth to classify the payments for pristine audits as

audit-related fees.

HealthSouth, headquartered in Birmingham, Alabama, USA, is the largest provider of outpatient

surgery, diagnostic and rehabilitative healthcare services in the USA with approximately 1,800

worldwide facilities in the USA, Australia, Puerto Rico, and the UK. Its former CEO, Richard M.

Scrushy, is under an 85-count federal indictment, accused of conspiracy, securities fraud, mail

and wire fraud, and money laundering. (SEC 2003)

345843475.doc
 345843475.docEd3 16

A US government indictment charged that between 1996 and 2002 HealthSouth managers, at the

insistence of Scrushy, inflated profits by $2.74 billion. Scrushy certified the HealthSouth financial

statements when he knew that they were materially false and misleading. On November 4, 2003,

he became the first CEO of a major company to be indicted for violating the Sarbanes-Oxley Act,

which holds executives personally accountable for their companies financial reporting. (Business

Week 2003).

Six months elapsed from the start of the SECs investigation to the filing of its fraud suit against

Scrushy in March 2003. It took just seven weeks, from March 19 to May 5, for the US Justice

Department to accumulate 11 guilty pleas from Scrushy aides. All five CFOs in the companys

history have admitted to cooking the books. (Helyar 2003)

Pristine Audits

Scrushy devised a facilities inspection program called Pristine Audits and hired E&Y to do the

work. The primary purpose of the inspections was to check the cleanliness and physical

appearance of HealthSouths surgical and rehabilitation facilities. Under the program, E&Y made

unannounced visits to each facility once a year, using dozens of junior-level accountants who

were trained for the inspections at HealthSouths headquarters. For the most part E&Y used audit

personnel who were not members of the HealthSouth audit-engagement team to conduct the

pristine audits.

The accountants carried out the reviews using as criteria a 50-point checklist designed by Mr.

Scrushy. The checklist included procedures such as seeing if magazines in waiting rooms were

orderly, the toilets and ceilings were free of stains, and the trash receptacles all had liners. Other

items on the checklist included: check the walls, furniture, floors and whirlpool areas for stains;

check that the heating and cooling vents are free of dust accumulation; that the floors are free

of trash; and that the overall appearance is sanitary. A small portion of the checklist pertained

to money matters, though none of it pertained to accounting. Assignments included checking if

petty-cash drawers were secure and company equipment was properly tagged. The checklists

did not cover insurance-billing procedures or the quality of the medical treatment. (Weil 2003a)

In 2002 E&Y ended their relationship with HealthSouth, and HealthSouth discontinued the

pristine audits.

345843475.doc
 345843475.docEd3 17

Describing the pristine audits, Mr. Scrushy told an investor group: We believe one of the reasons

that we have done so well has to do with the fact that we do audit all of our facilities, 100 percent,

annually. And we use an outside audit firm, our auditors, Ernst & Young. They visit all our

facilities, 100 percent. On its website, HealthSouth said the pristine audit, administered

independently by Ernst & Young LLP...ensures that all of our patients enjoy a truly pristine

experience during their time at HealthSouth. The average score was 98 percent, with more than

half of our facilities scoring a perfect 100 percent.

E&Y Fees Charged HealthSouth

HealthSouths April 2001 proxy (form DEF14A), filed with the SEC, said the company paid E&Y

$1.03 million to audit its 2000 financial statements and $2.65 million of all other fees. The proxy

said the other fees included $2.58 million of audit-related fees, and $66,107 of non-audit-

related fees. In its April 2002 proxy, HealthSouth said it paid E&Y $1.16 million for its 2001 audit

and $2.51 million for all other fees. The proxy said the other fees included $2.39 million for

audit-related fees and $121,580 for non-audit-related fees.

Neither proxy described in any detail the audit-related or non-audit-related services for which

E&Y was paid. Andrew Brimmer, a HealthSouth spokesman, was quoted as saying the audit-

related-fee figures for each year included about $1.3 million for the pristine audits. Mr. Brimmer

said HealthSouth paid E&Y $5.4 million for 2002, including $1.1 million for financial-statement

audit services and $1.4 million for the pristine audits. (Weil 2003a)

Pristine Audits as Audit-Related Fees

A March 2002 E&Y report to HealthSouths Board of Directors included an attachment that

summarized E&Ys fees and provided a suggested Proxy Disclosure Format. The attachment

classified the pristine audits as audit-related services and the fees for them as audit-related

fees. (Weil 2003a)

David Howarth, a spokesman for E&Y is quoted as saying: The audit-related category is not

limited to services related to the financial statement audit per se. At the time of HealthSouths

disclosures, there were no SEC rules that defined audit-related services. Describing operational

audit procedures as audit-related services was reasonable. Howarth claimed that SEC ruled that

audit-related fees would include assurance services traditionally performed by the independent

345843475.doc
 345843475.docEd3 18

auditor, including internal-control reviews. He maintained the pristine audit was an internal

control review. Under the new SEC rules adopted in response to the Sarbanes-Oxley Act, these

(internal control review) fees are specifically mentioned as ones that should be included in audit-

related fees. (Weil 2003b)

After the Weil 2003b article appeared, Scott A. Taub, the Deputy Chief Accountant of the SEC

wrote a letter to E&Y partner Ed Caulson. Taub wrote: The Commissions current rules state that

registrants are to disclose, under the caption Audit-Related Fees, the aggregate fees billed in

each of the last two fiscal years for assurance and related services by the principal accountant

that are reasonably related to the performance of the audit or review of the registrants financial

statements. (emphasis added) It is clear from a reading of the release text and related rules that

the Commissions intent is that only fees for services that are reasonably related to the

performance of an audit or review of the financial statements and that traditionally have been

performed by the independent accountant should be classified as audit-related.(Taub 2003)

Discussion Questions What criteria would the pristine audits have to meet to be considered an audit

engagement?

What criteria would the pristine audits have to meet to be considered audit-related?

Can the pristine audits be considered an assurance service? How does the pristine audit

meet the five criteria required to qualify an engagement as an assurance service?

References: Business Week, 2003, Sarbanes-Oxleys First, p.52, November 17.

Helyar, J., 2003, The Insatiable King Richard; He started as a nobody. He became a hotshot

CEO. He tried to be a country star. Then it all came crashing down. The bizarre rise and fall of

HealthSouths Richard Scrushy, Fortune, p.76. July 7.

SEC, 2003, Litigation Release 18044, SEC charges HealthSouth Corp., CEO Richard Scrushy

with $1.4 Billion Accounting Fraud, US Security and Exchange Commission, March 20.

Taub, S., 2003, Letter to Ed Coulson, Partner Ernst & Young, Office of Chief Accountant, US

Security and Exchange Commission, July 8.

Weil, J., 2003a, What Ernst Did for HealthSouth Proxy Document Says Company Performed

Janitorial Inspections Misclassified as Audit-Related, Wall Street Journal, June 11.

345843475.doc
 345843475.docEd3 19

Weil, J., 2003b, HealthSouth and Ernst Renew Flap Over Fee Disclosures, Wall Street Journal,

July 1.

Evidence

The practitioner plans and performs an assurance engagement with an attitude of professional

skepticism to obtain sufficient appropriate evidence about whether the subject matter information is

free of material misstatement. The practitioner considers materiality, assurance engagement risk,

and the quantity and quality of available evidence when planning and performing the engagement,

in particular when determining the nature, timing and extent of evidence-gathering procedures.

Sufficiency, Appropriateness, Reliability and Materiality of Evidence

Sufficiency is the measure of the quantity of evidence. Appropriateness is the measure of the

quality of evidence; that is, its relevance and its reliability. The quantity of evidence needed is

affected by the risk of the subject matter information being materially misstated (the greater the

risk, the more evidence is likely to be required) and also by the quality of such evidence (the higher

the quality, the less may be required). The reliability of evidence is influenced by its source and by

its nature, and is dependent on the individual circumstances under which it is obtained, which will

be discussed in Chapter 1014.

Materiality is relevant when the auditor determines the nature, timing and extent of evidence-

gathering procedures, and when assessing whether the subject matter information is free of

misstatement. Materiality is considered in the context of quantitative and qualitative factors, such as

relative magnitude and the nature and extent of the effect of these factors on the evaluation of the

subject matter.

345843475.doc
 345843475.docEd3 20

Ordinarily, available evidence will be persuasive rather than conclusive. The quantity or

quality of evidence available is affected by:

The characteristics of the subject matter. For example, when the subject matter is future

oriented, less objective evidence might be expected to exist than when the subject matter is

historical.

Circumstances of the engagement other than the characteristics of the subject matter, when

evidence that could reasonably be expected to exist is not available because of, for example, the

timing of the practitioners appointment, an entitys document retention policy, or a restriction

imposed by the responsible party.

Evidence is discussed further in Chapter10 Audit Evidence.

Assurance Report

The auditor provides a written report containing a conclusion that conveys the assurance

obtained from the subject matter information. ISAs, ISREs and ISAEs establish basic elements for

assurance reports. Also, the auditor considers other reporting responsibilities, including

communicating with those charged with governance when appropriate.

In an assertion-based engagement, the practitioners conclusion can be worded either:

In terms of the responsible partys assertion (for example: In our opinion the responsible

partys assertion that internal control is effective, in all material respects, based on XYZ

criteria, is fairly stated); or

Directly in terms of the subject matter and the criteria (for example: In our opinion internal

control is effective, in all material respects, based on XYZ criteria).

345843475.doc
 345843475.docEd3 21

Reasonable and Limited Assurance Engagements

An auditor may conduct a reasonable assurance or a limited assurance engagement with different

conclusions.

In a reasonable assurance engagement, the practitioner expresses the conclusion in the positive

form, for example: In our opinion internal control is effective, in all material respects, based on

XYZ criteria. This form of expression conveys reasonable assurance. Having performed

evidence gathering procedures that were reasonable given the characteristics of the subject matter,

the auditor has obtained sufficient appropriate evidence to reduce assurance engagement risk to an

acceptably low level. In most assurance services the audit conclusion is expressed in the positive

form, (See Chapter 12 Audit Reports and Communications.) The opinion on an audit of financial

statements and a report on internal controls for the Sarbanes-Oxley Act are both examples of

opinions with positive assurance.

In a limited assurance engagement, the practitioner expresses the conclusion in the negative

form, for example, Based on our work described in this report, nothing has come to our attention

that causes us to believe that internal control is not effective, in all material respects, based on XYZ

criteria. This form of expression conveys a level of limited assurance that is proportional to the

level of the practitioners evidence-gathering procedures given the characteristics of the subject

matter and other engagement circumstances. In a review of historical financial statements [under

International Standards for Review Engagements (ISRE)], the conclusion is expressed in the

negative form, for example, nothing has come to our attention that causes us to believe that

[subject matter] does not conform, in all material respects, with [criteria]. This form of expression

conveys limited assurance, which indicates that the auditor has obtained sufficient appropriate

evidence to reduce assurance engagement risk to a moderate level. Prospective financial reports

345843475.doc
 345843475.docEd3 22

give a disclaimer that actual results are likely to be different from forecast (projection). (See

Chapter 14, Other Assurance and Non-Assurance Engagements.)

The differences between Reasonable Assurance and Limited Assurance is given in Illustration

4.415

Expression of Other than Unqualified (Unmodified) Assurance Opinion

A practitioner does not express an unqualified (unmodified) conclusion for either type of

assurance engagement when the following material circumstances exist:

There is a limitation on the scope of the practitioners work. The practitioner expresses a

qualified conclusion or a disclaimer of conclusion depending on how material or pervasive

the limitation is. In some cases the practitioner considers withdrawing from the

engagement.

In those cases where:

o The practitioners conclusion is worded in terms of the responsible partys (e.g.,

management) assertion, and that assertion is not fairly stated, in all material

respects; or

o The practitioners conclusion is worded directly in terms of the subject matter and

the criteria, and the subject matter information is materially misstated.

345843475.doc
 345843475.docEd3 23

When it is discovered after the engagement has been accepted, that the criteria are

unsuitable or the subject matter is not appropriate for an assurance engagement.

Illustration 4.4 Comparison of Reasonable and Limited Assurance Engagements

Type of Objective Evidence-gathering The assurance

engagement Procedures report
Reasonable A reduction in Sufficient appropriate Description of
assurance assurance evidence is obtained as the engagement
engagement engagement risk part of a systematic circumstances,
to an acceptably engagement process that and a positive
low level in the includes: form of
circumstances of Obtaining an expression of
the engagement, understanding of the the conclusion
as the basis for a engagement circumstances; (Paragraph 58)
positive form of Assessing risks;
expression of the Responding to assessed
practitioners risks;
conclusion Performing further
(Paragraph 11) procedures using a
combination of inspection,
observation, confirmation,
recalculation,
reperformance,
analytical procedures and
inquiry. Such further
procedures involve
substantive procedures,
including , where
applicable, obtaining
corroborating
information, and
depending on the nature of
the subject matter, tests of
the operating effectiveness
of controls; and
Evaluating the evidence
obtained (Paragraphs 51
and 52)
Limited A reduction in Sufficient appropriate Description of
assurance assurance evidence is obtained as the engagement
engagement engagement risk part of a systematic circumstances,
to a level that is engagement process and a negative
acceptable in the that includes obtaining form of
circumstances of an understanding of the expression of
the engagement subject matter and the conclusion
but where that risk other engagement (Paragraph 59)
is greater than for circumstances, but in

345843475.doc
 345843475.docEd3 24

a reasonable which procedures are

assurance deliberately limited
engagement, as relative to a reasonable
the basis for a assurance engagement
negative form of (Paragraph 53)
expression of the
practitioners
conclusion
(Paragraph 11)

The assurance report may be in short-form or long-form. Short-form reports ordinarily

include only the basic elements identified in appropriate ISAs and International Standards on

Assurance Engagements (ISAEs). Long-form not only gives the auditors conclusion on

compliance ISAs and ISAEs, but also reports in detail the terms of the engagement, the criteria

being used, findings relating to particular aspects of the engagement and related recommendations.

4.4 General Considerations in an Assurance Engagement

The assurance engagement calls for planning, gathering evidence, and reporting. The extent of

planning, the sufficiency of evidence, acceptable engagement risk, and the level of assurance of the

opinion will depend on the type of assurance engagement. An assurance engagement based on

historical financial information requires more intensive planning and evidence gathering than a

related services engagement. The auditor should reduce assurance engagement risk to an acceptably

low level in the case of a historical financial information engagement. It is also possible to conduct

an assurance engagement that provides a reasonable level of assurance on a subject matter other

than historical financial information (e.g. the subject matter of a sustainability report or internal

control report).

345843475.doc
 345843475.docEd3 25

Assurance Report Basic Elements

International Standards on Assurance Engagements 3000 Assurance Engagements Other Than

Audits or Reviews of Historical Financial Information discusses preparing an assurance report for

audits other than financial statement audits (we will cover in Chapter 12) and reviews (covered in

Chapter 14). In preparing the audit report the practitioner should conclude whether sufficient

appropriate evidence has been obtained to support the conclusion expressed in the assurance report.

The assurance report should be in writing and should contain a clear expression of the practitioners

conclusion about the subject matter information. The ISAEs does not require a standardized format

for reporting on all assurance engagements, but rather identifies the basic elements required to be

included in the assurance report:16

The standard elements of the report include the title, addressee, the identification of the subject

matter information , identification of the criteria, identification of the responsible party and their

responsibilities, the practitioners responsibilities, a statement that the engagement was performed

in accordance with ISAEs, summary of the work performed, practitioners conclusion, assurance

report date, practitioners name and specific location, and, if appropriate, a description of any

significant inherent limitations, or a statement restricting the use to certain intended users .

Illustration 4.5 gives the basic elements of the assurance report.

A title that clearly indicates the report is an independent assurance report 17. An appropriate

title helps to identify the nature of the assurance report, and to distinguish it from reports issued by

others.

An addressee identifies the party or parties to whom the assurance report is directed.

Whenever practical, the assurance report is addressed to all the intended users, but in some cases

there may be other intended users.

345843475.doc
 345843475.docEd3 26

A statement to identify the responsible party and to describe the responsible partys and the

practitioners responsibilities: this informs the intended users that the responsible party is

responsible for the subject matter in the case of a direct reporting engagement, or the subject matter

information in the case of an assertion-based engagement, and that the practitioners role is to

independently express a conclusion about the subject matter information.

Where there is a subject matter specific ISAE, that ISAE may require that the assurance report

refer specifically to being performed in accordance with that specific ISAEs.

The name of the firm or the practitioner, and a specific location, which ordinarily is the city

where the practitioner maintains the office that has responsibility for the engagement: this informs

the intended users of the individual or firm assuming responsibility for the engagement.

ILLUSTRATION 4.5

ASSURANCE REPORT BASIC ELEMENTS

[UNFig near here]

345843475.doc
 345843475.docEd3 27

Subject Matter

In the body of the report is a description of the subject matter, for example, identification of the

subject matter and explanation of the subject matter characteristics. The subject matter description

gives the name of the entity to which the subject matter relates and the period of time covered. Are

characteristics of the subject matter qualitative, quantitative, objective, subjective, historical, or

prospective? Are there inherent limitations such as the imprecision of the measurement techniques

being applied?

An identification and description of the subject matter information and the subject matter

includes, for example:

The point in time or period of time to which the evaluation or measurement of the subject

matter relates;

The name of the entity or component of the entity (such as a subsidiary company or

transactions in the sales cycle) to which the subject matter relates; and

An explanation of those characteristics of the subject matter or the subject matter

information of which the intended users should be aware, and how such characteristics may

influence the precision of the evaluation of the subject matter against the identified criteria.

For example:

o The degree to which the subject matter information is qualitative versus

quantitative, objective versus subjective, or historical versus prospective.

o Changes in the subject matter or other engagement circumstances that affect the

comparability of the subject matter information from one period to the next. When

the practitioners conclusion is worded in terms of the responsible partys assertion,

345843475.doc
 345843475.docEd3 28

that assertion is appended to the assurance report, reproduced in the assurance

report or referenced therein to a source that is available to the intended users.

Identification of the Criteria

Criteria by which the evidence is measured or evaluated can be either established or

specifically developed. To illustrate, International Financial Reporting Standards are established

criteria for the preparation and presentation of financial statements in the private sector, but specific

users may decide to specify some other comprehensive basis of accounting (OCBOA) such as cash

accounting, rules of a regulatory authority, or income tax basis that meets their specific information.

When users of the report have agreed to criteria other than established criteria, then the assurance

report states that it is only for the use of identified users and for the purposes they have specified.

The assurance report identifies the criteria so the intended users can understand the basis for

the auditors conclusion. Disclosure of the source of the criteria, measurement methods used and

significant interpretations made are important for that understanding. The auditor may consider

disclosing: the source of the criteria (e.g. laws, regulations, recognized bodies of experts,

measurement methods used, and any significant interpretations made in applying the criteria).

A summary of the work performed

The summary will help the intended users understand the nature of the assurance conveyed by

the assurance report. ISA 700, Forming an Opinion and Reporting on Financial Statements 18 and

ISRE 2400, Engagements to Review Financial Statements provide a guide to the appropriate type

of summary. Where no specific ISAE provides guidance on evidence-gathering procedures for a

particular subject matter, the summary might include a more detailed description of the work

performed.

345843475.doc
 345843475.docEd3 29

Because in a limited assurance engagement an appreciation of the nature, timing, and extent of

evidence-gathering procedures performed is essential to understanding the assurance conveyed by a

conclusion expressed in the negative form. The limited assurance summary is more detailed than for

a reasonable assurance engagement and identifies the limitations on the nature, timing, and extent of

evidence-gathering procedures. The summary for a limited assurance engagements states that the

evidence-gathering procedures are more limited than for a reasonable assurance engagement, and

therefore less assurance is obtained than in a reasonable assurance engagement.

Special Statements in an Assurance Report

Special statements should be in the assurance report concerning inherent limitations, a

statement restricting use because subject matter criteria has limited availability

A description of any significant, inherent limitation associated with the evaluation or

measurement of the subject matter against the criteria is necessary in the assurance report. For

example, in an assurance report related to the effectiveness of internal control, it may be appropriate

to note that the historic evaluation of effectiveness is not relevant to future periods due to the risk

that internal control may become inadequate because of changes in conditions, or that the degree of

compliance with policies or procedures may deteriorate.

When the criteria used to evaluate or measure the subject matter are available only to specific

intended users, or are relevant only to a specific purpose, a statement restricting the use of the

assurance report to those intended users or that purpose. Furthermore, when the assurance report is

intended only for specific intended users or a specific purpose this would be stated in the assurance

report.

345843475.doc
 345843475.docEd3 30

Practitioners Conclusion

The practitioners conclusion is expressed in positive form, negative form or as a reservation or

denial of conclusion.

In the case of an audit of financial statements or Sarbanes-Oxley internal control engagement,

the conclusion should be expressed in the positive form. The practitioners conclusion may, for

example, be worded as follows: In our opinion internal control is effective, in all material respects,

based on XYZ criteria or In our opinion the responsible partys assertion that internal control is

effective, in all material respects, based on XYZ criteria, is fairly stated.

In the case of a review of financial statements, the conclusion should be expressed in the

negative form. For example, Based on our work described in this report, nothing has come to our

attention that causes us to believe that internal control is not effective, in all material respects, based

on XYZ criteria or Based on our work described in this report, nothing has come to our attention

that causes us to believe that the responsible partys assertion that internal control is effective, in all

material respects, based on XYZ criteria, is not fairly stated.

The conclusion should clearly express a reservation in circumstances where some or all

aspects of the subject matter do not conform, in all material respects, to the identified criteria; or the

auditor is unable to obtain sufficient appropriate evidence.

When the subject matter information is made up of a number of different aspects, separate

conclusions may be provided on each aspect. The conclusion should inform the intended user of

the context to which the conclusion applies.

Qualified Conclusions, Adverse Conclusions and Disclaimers of Conclusion

The practitioner should not express unqualified conclusion when the following circumstances

exist and, the effect of the matter is or may be material:

345843475.doc
 345843475.docEd3 31

There is a limitation on the scope of the practitioners work, that is, either circumstances or

the responsible party imposes restrictions that prevent him from obtaining sufficient

appropriate audit evidence

In those cases where the practitioners conclusion is worded in terms of the responsible

partys assertion which is not fairly stated; and the subject matter information is materially

misstated, the practitioner should express a qualified or adverse conclusion; orWhen it is

discovered, after the engagement has been accepted, that the criteria are unsuitable or the

subject matter is not appropriate for an assurance engagement. The practitioner should

express a qualified conclusion when the effect of a matter is not as material or pervasive as

to require an adverse conclusion or a disclaimer of conclusion. A qualified conclusion is

expressed as being except for the effects of the matter to which the qualification relates.

Communications with the Audit Committee

The auditor communicates relevant matters arising from the assurance engagement with those

charged with governance (such as the audit committee). Relevant matters of governance interest

include only information that has come to the attention of the auditor as a result of performing the

assurance engagement. He is not required to design procedures for the specific purpose of

identifying matters of governance interest.

An auditor who, before the completion of an assurance engagement, is requested to change the

engagement to a non-assurance engagement or from an audit-level engagement to a review-level

engagement should consider if that is appropriate. He should not agree to a change where there is no

reasonable justification for the change. Examples of a reasonable basis for requesting a change in

the engagement are a change in circumstances that affects the intended users requirements or a

misunderstanding concerning the nature of the engagement.

345843475.doc
 345843475.docEd3 32

4.5 Audits of Historical Financial Information

Audits, reviews and examination (special purpose engagements) of historical financial

information are assurance engagements that have as their subject matter historical financial

information.

Engagements to Audit Financial Statements

The overall objectives of an audit of financial statements is to obtain reasonable assurance

about whether the financial statements as a whole are free from material misstatement, whether due

to fraud or error, thereby enabling the auditor to express an opinion whether the financial statements

are prepared, in all material respects, in accordance with an identified financial reporting

framework. The auditor also must report on the financial statements, and communicate as required

by the ISAs, in accordance with the auditors findings. The expression of a conclusion by an auditor

is designed to enhance the degree of confidence intended users can have about historical financial

statements.. The rest of this book is about financial statement audit engagements, so these will not

be discussed here.

4.6 Professional Judgment, Professional Skeptism and Inherent

Limitations

Professional Judgment

345843475.doc
 345843475.docEd3 33

The introduction to Handbook of International Quality Control, Auditing, Review, Other Assurance,

And Related Services Pronouncements states The nature of the International Standards requires the

professional accountant to exercise professional judgment19 in applying them20. Professional

judgment is the application of relevant training, knowledge and experience, within the context

provided by auditing, accounting and ethical standards, in making informed decisions about the

courses of action that are appropriate in the circumstances of the audit engagement. The ISAs

require that the auditor exercise professional judgment and maintain professional skepticism

throughout the planning and performance of the audit.21

Professional judgment is required for the critical elements of auditing including criteria,

independence of mind, sufficient appropriate audit evidence, determining and communicating

significant deficiencies in internal control 22, and determination of whether an audit objective has

been achieved. The assessment of risks is a matter of professional judgment, rather than a matter

capable of precise measurement.23 Professional judgment is required in determination of the level

of supervision of the engagement team. 24

To plan the audit and evaluate evidence, the auditor exercises professional judgment, for

example, when25:

Assessing risks of material misstatement of the financial statements;

Determining materiality26

Considering the appropriateness of the selection and application of accounting policies, and

the adequacy of financial statement disclosures;

Identifying areas where special audit consideration may be necessary, for example, related

party transactions, the appropriateness of managements use of the going concern

assumption, or considering the business purpose of transactions;

Developing expectations for use when performing analytical procedures;

345843475.doc
 345843475.docEd3 34

Responding to the assessed risks of material misstatement, including designing and

performing further audit procedures to obtain sufficient appropriate audit evidence; and

Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the

appropriateness of assumptions and of managements oral and written representations.

Professional judgment is essential to the proper conduct of an audit. This is because

interpretation of relevant ethical requirements and the ISAs and the informed decisions required

throughout the audit cannot be made without the application of relevant knowledge and experience

to the facts and circumstances. Professional judgment is necessary in particular regarding decisions

about:27

Materiality and audit risk.

The nature, timing and extent of audit procedures used to meet the requirements of the ISAs

and gather audit evidence.

Evaluating whether sufficient appropriate audit evidence has been obtained, and whether

more needs to be done to achieve the objectives of the ISAs.

The evaluation of managements judgments in applying the financial reporting framework.

The drawing of conclusions based on the audit evidence obtained, for example, assessing

the reasonableness of the estimates made by management.

Determination of what other matters arising from the audit significant to the oversight of

the financial reporting process.28

The exercise of professional judgment in any particular case is based on the facts and

circumstances that are known by the auditor. Consultation on difficult or contentious matters during

the course of the audit, both within the engagement team and between the engagement team and

others within or outside the firm, assist the auditor in making informed and reasonable judgments.

345843475.doc
 345843475.docEd3 35

Consultation uses appropriate research resources as well as the collective experience and technical

expertise of the firm improves the application of professional judgment. 29

Documenting Professional Judgment

Professional judgment needs to be exercised throughout the audit. It also needs to be

appropriately documented. An important factor in determining the form, content and extent of audit

documentation of significant matters is the extent of professional judgment exercised in performing

the work and evaluating the results. Documentation of the professional judgments made, where

significant, serves to explain the auditors conclusions and to reinforce the quality of the judgment.

The auditor is required to prepare audit documentation sufficient to enable an experienced auditor,

having no previous connection with the audit, to understand the significant professional judgments

made in reaching conclusions on significant matters arising during the audit. 30

The auditor may consider it helpful to prepare and retain as part of the audit documentation a

summary (sometimes known as a completion memorandum) that describes the significant matters

identified during the audit and how they were addressed, The summary may facilitate effective and

efficient reviews and inspections of the audit documentation, particularly for large and complex

audits. Further, the preparation of such a summary may assist the auditors consideration of the

significant matters. It may also help the auditor to consider whether there is any individual relevant

ISA objective that the auditor cannot achieve.

Professional Skepticism

The ISAs require31 that the auditors professional actions including planning and performing an

assurance engagement must be carried out with an attitude of professional skepticism recognizing

that circumstances may exist that cause the subject matter information (financial statements,

345843475.doc
 345843475.docEd3 36

internal controls, etc.) to be materially misstated. Professional skepticism is an attitude that

includes a questioning mind, being alert to conditions which may indicate possible misstatement

due to error or fraud, and a critical assessment of audit evidence. 32 An attitude of professional

skepticism means the practitioner makes a critical assessment, with a questioning mind, of the

validity of evidence obtained and is alert to evidence that contradicts or brings into question the

reliability of documents or representations by the management (responsible party). For example, an

attitude of professional skepticism is necessary throughout the engagement process for the auditor

to reduce the risk of overlooking suspicious circumstances, of over generalizing when drawing

conclusions from observations, and of using faulty assumptions in determining the nature, timing

and extent of evidence gathering procedures and evaluating their results.

Professional skepticism is necessary to the critical assessment of audit evidence. This includes

questioning contradictory audit evidence and the reliability of documents and responses to inquiries

and other information obtained from management. It also includes consideration of the sufficiency

and appropriateness of audit evidence obtained in the light of the circumstances, for example, in the

case where fraud risk factors exist. Professional skepticism includes being alert to audit evidence

that contradicts other audit evidence obtained, information that brings into question the reliability of

documents and responses to inquiries, conditions that may indicate possible fraud, and

circumstances that suggest the need for audit procedures in addition to those required by the ISAs.

The auditor may accept records and documents as authentic unless he has reason to believe

the information is not genuine. However, the auditor is required to consider the reliability of

information to be used as audit evidence.33 In cases of doubt about the reliability of information or

indications of possible fraud, the ISAs require that the auditor investigate further and determine

what modifications or additions to audit procedures are necessary to resolve the matter. 34

345843475.doc
 345843475.docEd3 37

Maintaining professional skepticism throughout the audit is necessary if the auditor is to

reduce the risks of: overlooking unusual circumstances, over generalizing when drawing

conclusions from audit observations, and using inappropriate assumptions in determining the

nature, timing and extent of the audit procedures.

Professional skepticism should be documented to provide evidence of the auditors exercise

of professional skepticism in accordance with the ISAs. There is no single way in which the

auditors professional skepticism is documented, but it may include, for instance, specific

procedures performed to corroborate managements responses to the auditors inquiries. As

management is often in the best position to perpetrate fraud, professional skepticism may make it

necessary to corroborate management responses to inquiries with other information suggesting

fraud.

If related party relationships and transactions exist at the auditee, the auditor would be an

increased emphasis on the importance of maintaining professional skepticism throughout the audit

regarding the potential for material misstatement associated with related parties.

4.7 Quality Control (ISQC1 and ISA 220)

Quality control is a very important consideration for auditors. International Standard on Quality

Control #1 ( ISQC #1)35 applies to all firms of professional accountants in respect to audits and

reviews, other assurance, and related services engagements. ISQC #1 gives the requirements

designed to enable the accounting firm to meet the objective of quality control. In addition, it

contains related guidance in the form of application and other explanatory material. ISA 220 36 deals

with quality control procedures for audits of financial statements.

345843475.doc
 345843475.docEd3 38

A major objective of the audit firm is to establish and maintain a system of quality control

to provide it with reasonable assurance that the accounting firm and its personnel comply with

professional standards, legal and regulatory requirements and that reports issued are appropriate in

the circumstances. The audit firm must establish, maintain, document and communicate to their

personnel a system of quality control that includes policies and procedures that address each of the

following elements:

Leadership responsibilities for quality within the firm.

Relevant ethical requirements.

Acceptance and continuance of client relationships and specific engagements.

Human resources.

Engagement performance.

Monitoring.

Leadership Responsibilities for Quality within the Audit Firm

The audit firm must establish policies and procedures designed to promote an internal

culture recognizing that quality is essential in performing engagements.

Quality control policies and procedures require the firms chief executive officer to assume

ultimate responsibility for the firms system of quality control. The firms leadership and the

examples it sets significantly influence the internal culture of the firm. Actions and messages

should encourage a culture that recognizes and rewards high quality work. These actions and

messages may be communicated by, for instance, training seminars, meetings, formal or informal

dialogue, mission statements, newsletters, or briefing memoranda. They may be incorporated in the

firms internal documentation and in partner and staff appraisal procedures.

345843475.doc
 345843475.docEd3 39

The firm audit must establish policies and procedures such that any person assigned

operational responsibility for the firms system of quality control has sufficient and appropriate

experience and ability, and the necessary authority, to assume that responsibility. Sufficient and

appropriate experience and ability enables one responsible for the firms system of quality control to

identify and understand quality control issues and to develop appropriate policies and procedures.

Necessary authority enables that person to implement those policies and procedures.

Relevant Ethical Requirements

The practitioner firm must establish policies and procedures designed to provide

reasonable assurance that the firm and its personnel comply with relevant ethical requirements.

The IESBA Code establishes the fundamental principles of professional ethics see Chapter 3.

Part B of the IESBA Code illustrates how the conceptual framework is to be applied in specific

situations for public accountants. It provides examples of safeguards that may be appropriate to

address threats to compliance with the fundamental principles. The fundamental principles are

reinforced in particular by: the leadership of the firm, education and training, monitoring; and a

process for dealing with non-compliance.

The audit firm should establish policies and procedures designed to provide it with

reasonable assurance that the firm and its personnel maintain independence. (See Chapter 3.) .

These policies and procedures shall require: relevant information about client engagements,

including the scope of services, to evaluate the overall impact on independence requirements;

personnel to promptly notify the firm of threats to independence; and the accumulation and

communication of relevant information to appropriate personnel. Policies should provide

reasonable assurance that the firm is notified of breaches of independence requirements. At least

annually, the firm must obtain written confirmation of compliance with its policies and procedures

345843475.doc
 345843475.docEd3 40

on independence from all firm personnel required to be independent by relevant ethical

requirements.

The practitioner firm must establish policies and procedures setting out criteria for

safeguards when using the same senior personnel on an assurance engagement over a long period of

time. For audits of financial statements of listed entities, this generally requires the rotation of the

engagement partner and the individuals responsible for engagement quality control review after a

specified period. The IESBA Code (see Chapter 3) discusses the familiarity threat that may be

created by using the same senior personnel on an assurance engagement over a long period of time

and the safeguards that might be appropriate to address such threats. For financial statement audits

of listed entities the IESBA Code requires the rotation of the key audit partner after a pre-defined

period, normally no more than seven years. National requirements may establish shorter rotation

periods. For example, rotation in 5 years is required in the United States.

Acceptance and Continuance of Client Relationships and Specific

Engagements

The auditor must establish policies and procedures for the acceptance and continuance of client

relationships designed to provide them with reasonable assurance that the firm is competent to

perform the engagement and have the capabilities, including time and resources, to do so and can

comply with relevant ethical requirements. Furthermore, policies should insure that the auditor has

considered the integrity of the client, and does not have information that would lead it to conclude

that the client lacks integrity.

Human Resources

345843475.doc
 345843475.docEd3 41

The audit firm must establish policies to insure that it has sufficient personnel with the competence,

and capabilities to perform engagements in accordance with professional standards, legal and

regulatory requirements. For instance, the audit firm must assign responsibility for each engagement

to an engagement partner and establish policies and procedures requiring that the identity and role

of the engagement partner are communicated to the client.

Engagement Performance

The firm must establish policies and procedures designed to insure that engagements are performed

in accordance with professional standards, and, legal and regulatory requirements. These policies

and procedures must include matters relevant to promoting consistency in the quality of

engagement performance, supervision responsibilities, and review responsibilities. Specifically, the

audit firm should establish policies and procedures regarding consultation and engagement quality

control. For instance, the consultation policy should be designed to provide it with reasonable

assurance that appropriate consultation takes place on difficult or contentious matters, sufficient

resources are available, the scope and conclusions resulting from the consultations are documented,

and conclusions are implemented

Policies and procedures requiring an engagement quality control review should be

established. These policies would provide an objective evaluation of the significant judgments

made by the engagement team and the conclusions reached in formulating the report. The

engagement quality control report must not be dated until the completion of the engagement quality

control review. The engagement quality control review must include review of the financial

statements, subject matter information, engagement documentation relating to significant judgments

made, evaluation of the conclusions reached in formulating the report, and a discussion of

significant matters with the engagement partner. When the audit is of financial statements of listed

345843475.doc
 345843475.docEd3 42

entities, the firm must evaluate their independence and see that appropriate consultation has taken

place on matters involving differences of opinion and difficult or contentious matters.

Documentation should reflect the work performed and support the conclusions reached.

The engagement quality control review requires documentation that the procedures required

by the firms policies on engagement quality control review have been performed, the review has

been completed on or before the date of the report; and contain a statement that the reviewer is not

aware of any unresolved matters that would cause the reviewer to believe that the judgments the

engagement team made and the conclusions it reached were not appropriate.

Documentation of the engagement quality control review requires assembly of engagement

files. Engagement teams must complete the assembly of final engagement files on a timely basis

after the engagement reports have been finalized. The audit team must have in place policies to

maintain the confidentiality, safe custody, integrity, accessibility and retrievability of engagement

documentation.

Monitoring

The audit firm establishes a monitoring process designed to provide reasonable assurance

that their quality control policies and procedures are relevant, adequate, and operating effectively.

This monitoring process includes an evaluation of the firms system of quality control including

inspection of at least one completed engagement for each engagement partner and assignment of the

monitoring process to a partner who is not performing the engagement. The firm also evaluates the

effect of deficiencies noted as a result of the monitoring process and communicates to personnel

deficiencies noted and recommendations for appropriate remedial action.

Recommendations for fixing deficiencies may include changing training and professional

development; the quality control policies and procedures; and disciplinary action against those who

345843475.doc
 345843475.docEd3 43

fail to comply with the policies. For cases where the results of the monitoring procedures indicate

that an assurance report is inappropriate or that procedures were omitted, the firm should determine

what further action is appropriate and consider whether to obtain legal advice.

The results of the monitoring of quality control are communicated at least annually to

engagement partners and other appropriate individuals including its managing board of partners.

This communication should be detailed enough to enable the firm to take prompt and appropriate

action. Information communicated includes a description of the monitoring procedures performed,

the conclusions drawn, significant deficiencies and the actions taken to resolve them.

Handling complaints is an important part of quality control, therefore, the audit firm

establishes policies to provide reasonable assurance that it deals appropriately with complaints and

allegations that the work performed does not comply with professional standards, legal and

regulatory requirements. Clearly defined channels for firm personnel to raise any concerns should

be in place.

345843475.doc
 345843475.docEd3 44

4.8 Summary
Auditor services are work that an audit firm performs for their clients. Except for consulting

services, the work that auditors do is under the guidance of engagement standards set by the

International Auditing and Assurance Standards Board (IAASB). Some engagement standards are

based on International Framework for Assurance Engagements (assurance engagements), and

others result from the Related Services Framework (related services engagements). Two sets of

standards (ISAs and ISAEs) share the assurance engagement framework and one standard set

(ISRS) is based on the related services framework. ISAs, ISAEs and ISRSs are collectively referred

to as the IAASBs Engagement Standards. All auditor services standards have as their basis the

IESBA Code of Ethics (see Chapter 3) and International Standards on Quality Control (ISQC)

The two sets of standard based on the assurance framework are ISA and ISAE. International

Standards on Auditing (ISA) 200 Overall Objectives of The Independent Auditor and the Conduct

Of an Audit in Accordance with International Standards on Auditing describes the main concepts

applicable to audit, review or special purpose engagements. International Standards on Assurance

Engagements (ISAE) 3000 Assurance Engagements on Subject Matters Other than Historical

Financial Information describes concepts applicable to assurance services whose subject matter is

not related to historical financial information. Engagements covered by International Standards on

Related Services ISRS are based on the Related Services Framework. Standards under this

framework (ISRS) are applied currently to two audit services: engagements to perform agreed-upon

procedures regarding financial information (ISRS 4400) and compilations (ISRS 4410).

There are two types of assurance engagement: a reasonable assurance engagement and a

limited assurance engagement. The objective of a reasonable assurance engagement is a reduction

345843475.doc
 345843475.docEd3 45

in assurance engagement risk to an acceptably low level based on the circumstances of the

engagement as the basis for a positive form of expression of the practitioners conclusion. The

objective of a limited assurance engagement is a reduction in assurance engagement risk to a level

that is acceptable in the circumstances of the engagement, but where that risk is greater than for a

reasonable assurance engagement, as the basis for a negative form of expression of the

practitioners conclusion.

The International Framework for Assurance Engagements describes five elements that all

assurance engagements exhibit: (1) a three party relationship involving a practitioner; a responsible

party; and the intended users, (2) an appropriate subject matter, (3) suitable criteria, (4) sufficient

appropriate evidence and (5) a written assurance report in the form appropriate to a reasonable

assurance engagement or a limited assurance engagement.

Assurance engagements always involve three separate parties: a practitioner, a responsible

party and the intended users. A subject matter of an assurance is the topic about which the assurance

is conducted. Subject matter could be financial statements, statistical information, non-financial

performance indicators, systems and processes (e.g., internal controls, environment, and IT

systems) or behavior (e.g., corporate governance, compliance with regulation, human resource

practices). Suitable criteria, which can be either established or specifically developed, are the

benchmarks (standards, objectives or set of rules) used to evaluate evidence or measure the subject

matter of an assurance engagement. In general, the same evidence gathering procedures, quality

control and planning process apply to assurance services as applies to audits. The auditor provides a

written report containing a conclusion that conveys the assurance obtained from the subject matter

information.

In preparing the audit report the practitioner should conclude whether sufficient appropriate

evidence has been obtained to support the conclusion expressed in the assurance report. The

345843475.doc
 345843475.docEd3 46

assurance report should be in writing and should contain a clear expression of the practitioners

conclusion about the subject matter information. ISAE does not require a standardized format for

reporting on all assurance engagements, but rather identifies the basic elements required to be

included in the assurance report. The standard elements of the report include the title, addressee, the

identification of the subject matter information , identification of the criteria, identification of the

responsible party and their responsibilities, the practitioners responsibilities, a statement that the

engagement was performed in accordance with ISAEs, summary of the work performed,

practitioners conclusion, assurance report date, and practitioners name and specific location, and,

if appropriate, a description of any significant inherent limitations, or a statement restricting the use

to certain intended users.

The auditor communicates relevant matters arising from the assurance engagement with those

charged with governance (such as the audit committee). Relevant matters of governance interest

include only information that has come to the attention of the auditor as a result of performing the

assurance engagement. He is not required to design procedures for the specific purpose of

identifying matters of governance interest.

The nature of the International Standards requires the professional accountant to exercise

professional judgment in applying them. Professional judgment is the application of relevant

training, knowledge and experience, within the context provided by auditing, accounting and ethical

standards, in making informed decisions about the courses of action that are appropriate in the

circumstances of the audit engagement. The ISAs require that the auditor exercise professional

judgment and maintain professional skepticism throughout the planning and performance of the

audit.

The critical elements of auditing including criteria, independence of mind, sufficient

appropriate audit evidence and determining and communicating significant deficiencies in internal

345843475.doc
 345843475.docEd3 47

control , and determination of whether an audit objective has been achieved, among other areas,

requires professional judgment. The assessment of risks is a matter of professional judgment, rather

than a matter capable of precise measurement. Professional judgment is required in determination

of the level of supervision of the engagement team.

The ISAs require that the practitioner auditors professional actions including planning and

performing an assurance engagement must be carried out with an attitude of professional skepticism

recognizing that circumstances may exist that cause the subject matter information (financial

statements, internal controls, etc.) to be materially misstated. Professional skepticism is an attitude

that includes a questioning mind, being alert to conditions which may indicate possible

misstatement due to error or fraud, and a critical assessment of audit evidence. An attitude of

professional skepticism means the practitioner makes a critical assessment, with a questioning

mind, of the validity of evidence obtained and is alert to evidence that contradicts or brings into

question the reliability of documents or representations by the management (responsible party).

Quality control is a very important consideration for accounting practitioners. International

Standard on Quality Control #1 ( ISQC #1) applies to all firms of professional accountants in

respect to audits and reviews, other assurance, and related services engagements. ISQC #1 gives

the requirements designed to enable the firm to meet the objective of quality control. In addition, it

contains related guidance in the form of application and other explanatory material. ISA 220 deals

with quality control procedures for audits of financial statements.

A major objective of the audit firm is to establish and maintain a system of quality control

to provide it with reasonable assurance that the firm and its personnel comply with professional

standards, legal and regulatory requirements and that reports issued are appropriate in the

circumstances. The audit firm must establish, maintain, document and communicate to their

personnel a system of quality control that includes policies and procedures that address each of the

345843475.doc
 345843475.docEd3 48

following elements: (1) leadership responsibilities for quality within the firm; (2) relevant ethical

requirements; (3) acceptance and continuance of client relationships and specific engagements; (4)

Human resources; (5) engagement performance; and (6) monitoring..

345843475.doc
 345843475.docEd3 49

4. 9 Notes

345843475.doc
1
International Auditing and Assurance Standards Board (IAASB). 2012. International Standard on Quality
Control (ISQC) 1, Quality Controls for Firms that Perform Audits and Reviews of Financial Statements, and
Other Assurance and Related Services Engagements. Handbook of International Quality Control, Auditing
Review, Other Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1. International
Federation of Accountants. New York.

2
International Auditing and Assurance Standards Board (IAASB). 2012. Preface To The International Standards
On Quality Control, Auditing, Review, Other Assurance And Related Services Handbook of International
Quality Control, Auditing Review, Other Assurance, and Related Services Pronouncements, 2012 Edition,
Volume 1. International Federation of Accountants. New York.

3
Global Reporting Initiative. 2011. Sustainability Reporting Guidelines Version 3.1. GRI Secretariat.
www.globalreporting.org. https://www.globalreporting.org/resourcelibrary/G3.1-Sustainability-Reporting-
Guidelines.pdf Amsterdam, Netherlands.

4
The Intended users are the person, persons or class of persons for whom the practitioner prepares the assurance
report. The responsible party can be one of the intended users, but not the only one.

5
The Responsible party is the person (or persons) who: (a) In a direct reporting engagement, is responsible for
the subject matter; or (b) In an assertion-based engagement, is responsible for the subject matter information (the
assertion), and may be responsible for the subject matter.

6
The subject matter of an assurance engagement is the topic about which the assurance engagement is
conducted. Subject matter could be financial statements, statistical information, non-financial performance
indicators, capacity of a facility, etc.

7
Criteria are the benchmarks used to evaluate or measure the subject matter including, where relevant,
benchmarks for presentation and disclosure. Criteria can be formal or less formal. There can be different criteria
for the same subject matter. Suitable criteria are required for reasonably consistent evaluation or measurement of
a subject matter within the context of professional judgment.

8
Internal Control Integrated Framework, The Committee of Sponsoring Organizations of the
Treadway Commission.

9
Guidance on Assessing Control The CoCo Principles, Criteria of Control Board, The Canadian
Institute of Chartered Accountants.

10
Engagement circumstances include the terms of the engagement, including whether it is a reasonable assurance
engagement or a limited assurance engagement, the characteristics of the subject matter, the criteria to be used,
the needs of the intended users, relevant characteristics of the responsible party and its environment, and other
matters, for example events, transactions, conditions and practices, that may have a significant effect on the
engagement.

International Auditing and Assurance Standards Board (IAASB). 2012. International Framework for
11

Assurance Engagements. Paragraph 20. Handbook of International Quality Control, Auditing Review, Other
Assurance, and Related Services Pronouncements, 2012 Edition, Volume 2. International Federation of
Accountants. New York.

12
Ibid. See Paragraph 25 for examples of when the responsible party might be responsible for subject matter,
subject matter information, or both.

13
Ibid. Paragraph 36.

14
Ibid. See Paragraphs 43 46 for details of what constitutes reliability of evidence.

15
Ibid. Appendix

16
Assurance report content is described in paragraph 49 of : International Auditing and Assurance Standards
Board (IAASB). 2012. International Standards on Assurance Engagements (ISAE) 3000 Assurance
Engagements Other Than Audits or Reviews of Historical Financial Information. Handbook of International
Quality Control, Auditing Review, Other Assurance, and Related Services Pronouncements, 2012 Edition,
Volume 2. International Federation of Accountants. New York.

17
If a professional accountant not in public practice, for example an internal auditor, applies ISAEs, and(a) the
Framework or ISAEs are referred to in the professional accountants report; and (b) the
professional accountant or other members of the assurance team and, when applicable, the professional
accountants employer, are not independent of the entity in respect of which the assurance engagement is being
performed, the lack of independence and the nature of the relationship(s) with the assurance client are
prominently disclosed in the professional accountants report. Also, that report does not include the word
independent in its title, and the purpose and users of the report are restricted.

18
There has been a good deal of change in this standard. ISA 700, The Auditors Report on Financial
Statements was withdrawn in December 2006 , replaced by ISA 700, The Independent Auditors Report on a
Complete Set of General Purpose Financial Statements , which was replaced by the present ISA 700 Forming
an Opinion and Reporting on Financial Statements.

19
Professional judgment is the application of relevant training, knowledge and experience, within the context
provided by auditing, accounting and ethical standards, in making informed decisions about the courses of action
that are appropriate in the circumstances of the audit engagement.

Ibid. Preface To The International Standards On Quality Control, Auditing, Review, Other Assurance And
20

Related Services. Paragraph 16.

21
International Auditing and Assurance Standards Board (IAASB). 2012. International Standards on Auditing
(ISA) 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit In Accordance With
International Standards on Auditing. Paragraph 7. Handbook of International Quality Control, Auditing Review,
Other Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1. International Federation of
Accountants. New York.

22
International Auditing and Assurance Standards Board (IAASB). 2012. International Standards on Auditing
(ISA) 265 Communicating Deficiencies In Internal Control To Those Charged With Governance And
Management. Paragraph 5. Handbook of International Quality Control, Auditing Review, Other Assurance, and
Related Services Pronouncements, 2012 Edition, Volume 1. International Federation of Accountants. New
York.

23
Ibid. ISA 200. Paragraph A32.

24
International Auditing and Assurance Standards Board (IAASB). 2012. International Standard for Quality
Control (ISQC) #1. Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and
Other Assurance and Related Services Engagements. Paragraph A31. Handbook of International Quality
Control, Auditing Review, Other Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1.
International Federation of Accountants. New York.

25
International Auditing and Assurance Standards Board (IAASB). 2012. International Standards on Auditing
(ISA) 315. Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and
Its Environment ISA 315. Paragraph A1. Handbook of International Quality Control, Auditing Review, Other
Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1. International Federation of
Accountants. New York.

26
International Auditing and Assurance Standards Board (IAASB). 2012. International Standards on Auditing
(ISA) 320 Materiality in Planning and Performing an Audit. Handbook of International Quality Control,
Auditing Review, Other Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1.
International Federation of Accountants. New York.

27
Ibid. ISA 200. Paragraph A23

28
International Auditing and Assurance Standards Board (IAASB). 2012. International Standards on Auditing
(ISA) 260 Communication With Those Charged With Governance. . Paragraph 16, 17 and A20. Handbook of
International Quality Control, Auditing Review, Other Assurance, and Related Services Pronouncements, 2012
Edition, Volume 1. International Federation of Accountants. New York.

29
Ibid. ISQC # 1. Paragraph A36-A37.

30
International Auditing and Assurance Standards Board (IAASB). 2012. International Standards on Auditing
(ISA) 230. Audit Documentation. Paragraph 8. Handbook of International Quality Control, Auditing Review,
Other Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1. International Federation of
Accountants. New York.

31
Ibid. ISA 200. Paragraphs 7, 15, and A18-A22.

32
ISA 200. Paragraphs 7, 15, and A18-A22.

33
International Auditing and Assurance Standards Board (IAASB). 2012. International Standards on Auditing
(ISA) 500, Audit Evidence. Paragraph 7-8. Handbook of International Quality Control, Auditing Review,
Other Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1. International Federation of
Accountants. New York.

34
International Auditing and Assurance Standards Board (IAASB). 2012. International Standards on Auditing
(ISA) 240, The Auditors Responsibilities Relating to Fraud in an Audit of Financial Statements. Paragraph
10, 30. Handbook of International Quality Control, Auditing Review, Other Assurance, and Related Services
Pronouncements, 2012 Edition, Volume 1. International Federation of Accountants. New York.

35
International Auditing and Assurance Standards Board (IAASB). 2012. International Standard on Quality
Control # 1. (ISQC #1). Quality Control for Firms That Perform Audits and Reviews of Financial Statements,
and Other Assurance and Related Services Engagements. . Handbook of International Quality Control,
Auditing Review, Other Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1.
International Federation of Accountants. New York.

36
International Auditing and Assurance Standards Board (IAASB). 2012. International Standards on Auditing
(ISA) 220, Quality Control for an Audit of Financial Statements. Handbook of International Quality Control,
Auditing Review, Other Assurance, and Related Services Pronouncements, 2012 Edition, Volume 1.
International Federation of Accountants. New York.