ASAE 3500

This Standard on Assurance Engagements (ASAE) applies to direct engagements to provide an assurance report on an activity’s performance.

This ASAE is operative for assurance engagements commencing on or after 1 April 2025, with early adoption permitted.

This ASAE deals with direct engagements in which an assurance practitioner evaluates a responsible party or parties’ performance of an activity (hereafter referred to as an ‘activity’s performance’) against identified criteria and aims to obtain sufficient appropriate evidence to express, in a written direct assurance report, a conclusion to intended users about the outcome of the evaluation. (Ref: Para A1)

This ASAE includes requirements and application and other explanatory material for reasonable and limited assurance performance engagements. Unless otherwise stated, each requirement of this ASAE applies to both reasonable and limited assurance engagements. Because the level of assurance obtained in a limited assurance engagement is lower than in a reasonable assurance engagement, the procedures the assurance practitioner performs in a limited assurance engagement will vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement. Requirements and Application and Other Explanatory Material that apply only to limited assurance or reasonable assurance engagements have been presented with the letter “L” (limited assurance) or “R” (reasonable assurance) after the paragraph number. Although some procedures are required only for reasonable assurance engagements, they may nonetheless be appropriate in some limited assurance engagements. (Ref: Para A2)

This ASAE addresses assurance engagements on performance:

1. of all or part of any activity, whether within an entity or across multiple entities; (Ref: Para A3-A4)
2. evaluated against identified criteria selected or developed by the assurance practitioner or the engaging party; and
3. for either restricted use by the engaging party or specified third parties, or to be publicly available through tabling in Parliament or other means of distribution.

Other frequently performed engagements that are not assurance engagements and, therefore, are not covered by this ASAE, include:

1. Agreed-upon procedures engagements^[2], where procedures are conducted and factual findings are reported but no assurance conclusion is provided, and
2. Consulting engagements^[3], for the purpose of providing advice on performance but no assurance conclusion is provided.

Nature of a Performance Engagement

The essential elements of performance engagements are: (Ref: Appendix 1 and Appendix 2)

1. a three party relationship involving:
   1. an assurance practitioner who may be a State, Territory or Commonwealth Auditor‑General;
   2. a responsible party or a number of responsible parties involved in the activity’s performance; and 
   3. intended users of the assurance report, which may include the responsible party, Parliament and the general public;
2. an appropriate activity’s performance (the subject matter);
3. suitable criteria;
4. sufficient appropriate evidence; and
5. a written assurance report.

Performance engagements are most commonly conducted on activities delivered or controlled by the Government. Performance engagements generally focus on one or more of the principles of economy, efficiency, effectiveness, and/or ethics; however, may also focus on performance principles such as equity, probity and sustainability, amongst others. (Ref: Para A3-A5)

Performance engagements are usually initiated by a State, Territory or the Commonwealth Auditor-General and will not involve an engaging party. The authority of an Auditor-General to conduct a performance engagement derives from their legislative mandate, consequently the party responsible for the activity does not initiate the performance engagement and their agreement to the terms of engagement may not be required. The scope of a performance engagement is generally determined by an Auditor-General. The roles and responsibilities of the parties to a performance engagement initiated by an Auditor-General are illustrated in Appendix 3. (Ref: Para A9, A10)

Performance engagements may also be accepted by a private sector assurance practitioner from an engaging party in the private or public sector. In these circumstances, the scope of the performance engagement is determined by the engaging party based on the information needs of the engaging party and other identified users.

This ASAE adapts the requirements in ASAE 3000^[4], which is written primarily for attestation engagements, as necessary, to direct engagements on performance and identifies the requirements of ASAE 3000 which the assurance practitioner is required to comply with in conducting a performance engagement in addition to the requirements of this ASAE.^[5]   The Framework for Assurance Engagements, which defines and describes the elements and objectives of an assurance engagement, provides the context for understanding this ASAE and ASAE 3000.

This ASAE requires the assurance practitioner to apply the ASAE 3000 requirement to comply with relevant ethical requirements related to assurance engagements, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding. It also requires the Audit Office of an Auditor-General to apply ASQM 1^[6] or the assurance practitioner to be a member of a firm that applies ASQM 1 or other professional requirements, or requirements in law or regulation, that are at least as demanding as ASQM 1.

An assurance engagement performed under this ASAE may be part of a larger engagement. If multiple standards are applicable to the assurance engagement, the assurance practitioner applies, either:

1. if the engagement can be separated into sections, the standard relevant to each section of the engagement, including this ASAE for the section on performance; or
2. if the engagement cannot be separated into sections, the standard which is most directly relevant to the subject matter.

In circumstances when an assurance engagement performed under this ASAE includes a compliance section, the assurance practitioner applies both ASAE 3100^[7] and ASAE 3500, as applicable, in conducting the assurance engagement.

Assurance conclusions on performance may be required by Parliament, legislation, industry bodies or other users in conjunction with assurance conclusions on historical financial statements, other historical financial information, compliance, controls and/or other subject matters. In these performance engagements, the subject matter, identified criteria against which that subject matter is evaluated and the level of assurance sought may vary, in which case different standards will apply. Assurance reports can include separate sections for each subject matter, identified criteria or level of assurance, in order that the different matters to be concluded upon are clearly differentiated.

A table showing the AUASB Standards that apply to certain engagements, depending on the subject matter and engagement circumstances, is contained in Appendix 4.

In conducting a performance engagement, the objectives of the assurance practitioner are to:

1. obtain reasonable or limited assurance to express an appropriate conclusion in a written report about an activity’s performance against an engagement objective and identified criteria; and
2. communicate further as required by this ASAE and any other relevant ASAEs.

For the purposes of this ASAE, the following terms have the meanings attributed below:

Activity―An aspect of an entity’s operations such as the achievement of strategic objectives or legislative requirements or the delivery of a product, service or programme. An activity may be conducted within a single entity or across multiple entities, departments, agencies, joint ventures or other organisations, within a single jurisdiction or across multiple jurisdictions. (Ref: Para A3-A4)

Activity’s performance—The responsible party or parties’ performance of the activity being reported on (that is, the subject matter for the performance engagement).

Assurance practitioner―Individual or firm or other organisation, whether in public practice, industry and commerce or the public sector, providing assurance services including performance engagements.

Attestation engagement―An assurance engagement in which a party other than the assurance practitioner measures or evaluates the underlying subject matter against the criteria. A party other than the assurance practitioner also often presents the resulting subject matter information in a report or statement. In some cases, however, the subject matter information may be presented by the assurance practitioner in the assurance report. In an attestation engagement, the assurance practitioner’s conclusion addresses whether the subject matter information is free from material misstatement.^[8] (Ref: Para A1)

Criteria―The benchmarks used to evaluate the activity’s performance. The “identified criteria” are the criteria used for the particular engagement. (Ref: Para 27)

Direct engagement on performance―An assurance engagement in which the assurance practitioner obtains sufficient appropriate evidence to evaluate an activity’s performance (the subject matter) against identified criteria. The outcome of this evaluation, that is, the resulting subject matter information (for example, the assurance practitioner’s analysis and findings) is presented as part of, or accompanying, the assurance report. In a direct engagement, the assurance practitioner’s conclusion addresses the reported outcome of the evaluation of the subject matter against the criteria.^[9] (Ref: Para A1)

Engagement objective (objective of the performance engagement)―States the purpose of the performance engagement. The engagement objective needs to be expressed in a way that makes it possible to conclude against the objective after the engagement has been finalised.^[10] (Ref: Para A27-A30)

Engagement risk―The risk that the assurance practitioner expresses an inappropriate conclusion.^[11]

Engaging party―The party(ies) that engages the assurance practitioner to perform the assurance engagement. In a performance engagement initiated by an Auditor-General there will not normally be an engaging party as the State, Territory or Federal Parliament provide the mandate for the Auditor-General to conduct performance engagements, but will not usually engage the Auditor-General to perform specific performance engagements.

Further procedures—Procedures, including tests of controls and substantive procedures, performed to: (Ref: Para 41-46)

1. In a limited assurance engagement, respond to the identified areas where a significant variation in an activity’s performance is likely to arise; and
2. In a reasonable assurance engagement, respond to the risks that may cause significant variations in an activity’s performance.

Intended users―Parliament and the responsible party(ies), as well as organisations, groups or individuals that the assurance practitioner expects will use the assurance report. If the assurance report is publicly available, intended users includes the public.

Limited assurance engagement―An assurance engagement in which the assurance practitioner reduces engagement risk to a level that is acceptable in the circumstances of the engagement, but where that risk is greater than for a reasonable assurance engagement as the basis for the assurance practitioner’s conclusion. The assurance practitioner’s conclusion is expressed in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the assurance practitioner’s attention to cause the assurance practitioner to believe that the responsible party(ies) did not perform the activity in accordance with the identified criteria. The nature, timing and extent of procedures performed in a limited assurance engagement is limited compared with that necessary in a reasonable assurance engagement but is planned to obtain a level of assurance that is, in the assurance practitioner’s professional judgement, meaningful. To be meaningful, the level of assurance obtained by the assurance practitioner is likely to enhance the intended users’ confidence about the activity’s performance to a degree that is clearly more than inconsequential. For further information on the nature, timing and extent of procedures in a limited assurance engagement and the concept of ‘meaningful assurance’, refer to ASAE 3000^[12] (Ref: Para A2, A100).

Performance engagement―An assurance engagement that concludes on all or a part of an activity’s performance as evaluated against identified criteria. Performance engagements generally focus on one or more performance principle (see 18(n) below). Performance engagements seek to provide new information, analysis or insights and, where appropriate, recommendations for improvement^[13].

Performance principle—The specific aspect of performance being evaluated against the engagement objective. Performance engagements generally focus on one or more of the principles of economy, efficiency, effectiveness, and/or ethics; however, may also focus on performance principles such as equity, probity and sustainability, amongst others. (Ref: Para A5)

Professional scepticism―An attitude that includes a questioning mind, being alert to the validity of evidence obtained and critically assessing evidence that contradicts or brings into question the reliability of information obtained. Information may include data, documents and responses to enquiries.

Reasonable assurance engagement―An assurance engagement in which the assurance practitioner reduces engagement risk to an acceptably low level in the circumstances of the engagement as the basis for the assurance practitioner’s conclusion. The assurance practitioner’s conclusion is expressed in a form that conveys the assurance practitioner’s conclusion on the outcome of the evaluation of the activity’s performance against the identified criteria.

Representation―Statement by the responsible party(ies), either oral or written, provided to the assurance practitioner to confirm certain matters or to support other evidence.

Responsible party―The party or parties responsible for the performance of all or part of the activity, which is the subject matter of the performance engagement.

Risk procedures—Procedures designed and performed to: (Ref: Para 36-40)

1. In a limited assurance engagement, identify areas where a significant variation in an activity’s performance is likely to arise; and
2. In a reasonable assurance engagement, identify and assess the risks that may cause significant variations in an activity’s performance.

Significance^[14]—The relative importance of a matter, within the context in which it is being considered, that could potentially influence the decisions of the intended users of the assurance report. (Ref: Para 31-33)

Subject matter—The phenomenon that is measured or evaluated by applying criteria.^[15] In the context of a performance engagement the subject matter is the responsible party or parties’ performance of an activity as evaluated against the identified criteria.

Variation—An instance where the actual performance of the activity varies from the identified criteria.

The assurance practitioner shall not represent compliance with this ASAE unless the assurance practitioner has complied with the requirements of this ASAE and the requirements of ASAE 3000 identified in this ASAE as relevant to performance engagements, adapted as necessary for direct engagements.

Inability to Comply with Relevant Requirements

Where in rare and exceptional circumstances, factors outside the assurance practitioner’s control prevent the assurance practitioner from complying with a relevant requirement in this ASAE, the assurance practitioner shall:

1. if possible, undertake appropriate alternative evidence‑gathering procedures; and

2. document in the working papers:

   1. the circumstances surrounding the inability to comply;

   2. the reasons for the inability to comply; and

   3. justification of how alternative evidence‑gathering procedures achieve the objectives of the relevant requirement.

When the assurance practitioner is unable to undertake appropriate alternative evidencegathering procedures, the assurance practitioner shall assess the implications for the assurance report.

As required by ASAE 3000, the assurance practitioner shall comply with relevant ethical requirements related to assurance engagements, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding.^[16] (Ref: Para A6)

(Ref: Para A7-A22)

The assurance practitioner shall initiate, where the assurance practitioner has the legislative mandate to do so, or accept a performance engagement only when:

1. the assurance practitioner has no reason to believe that relevant ethical requirements, including independence, will not be satisfied;

2. the assurance practitioner is satisfied that those persons who are to perform the engagement collectively have the appropriate competence and capabilities, including having sufficient time to perform the engagement;

3. the preconditions for an assurance engagement are present, as required by ASAE 3000;^[17] and

4. the basis on which the engagement is to be performed has been communicated and, where relevant, agreed by the assurance practitioner:

Agreeing on or Communicating the Terms of the Performance Engagement (Ref: Para A7-A9)

If the performance engagement is initiated by an engaging party, the assurance practitioner shall agree the terms of engagement, including the assurance practitioner’s reporting responsibilities, with the engaging party in writing.

If the performance engagement is initiated by a State, Territory or the Commonwealth AuditorGeneral and does not involve an engaging party, then the assurance practitioner shall communicate the terms of engagement with the responsible party, by issuing a written communication advising the responsible party of the planned engagement.

Preconditions for the Assurance Engagement (Ref: Para A10-A22)

When establishing whether the preconditions for an assurance engagement are present, the assurance practitioner shall determine, based on their preliminary knowledge of the performance engagement circumstances, whether the:

1. activity’s performance outcomes/results to be evaluated, are appropriate;

2. criteria identified, selected or developed by the assurance practitioner or agreed with the engaging party are suitable in evaluating the activity’s performance, including that they exhibit the characteristics of suitable criteria,^[18] and will be available to users;

3. assurance practitioner expects to be able to obtain the evidence needed to support the assurance practitioner’s conclusion, which will be contained in a written report; and

4. engagement’s objective is rational^[19], in that the assurance practitioner expects to be able to conclude against it at a meaningful level of assurance after the engagement has been finalised.

When identifying, selecting or developing suitable criteria, or determining whether the identified criteria selected by the engaging party are suitable, the assurance practitioner shall consider whether the identified criteria are reasonable quantitative or qualitative measures of performance and clearly state the performance expectations against which the activity’s performance may be assessed. Suitable criteria for a performance engagement shall reflect the overall engagement objective(s), the performance principle(s) to be addressed and have the following characteristics: (Ref: Para A17-A22)

1. Relevance—relevant criteria contribute to conclusions that assist decision‑making by the intended users.

2. Completeness—criteria are sufficiently complete when relevant factors that could affect the conclusions in the context of the performance engagement circumstances are not omitted.

3. Reliability—reliable criteria allow reasonably consistent evaluation of the activity’s performance, including when used in similar circumstances by similarly qualified assurance practitioners.

4. Neutrality—neutral criteria contribute to conclusions that are free from bias.

5. Understandability—understandable criteria contribute to conclusions that are clear, comprehensive, and not subject to significantly different interpretations. 

The assurance practitioner shall implement the firm’s policies or procedures as required by ASAE 3000.^[20]

The assurance practitioner shall apply professional scepticism, exercise professional judgement and apply assurance skills and techniques in planning and performing a performance engagement.^[21] 

 (Ref: Para A23-A82)

Planning (Ref: Para A23-A30)

The assurance practitioner shall plan the performance engagement so that it will be performed in an effective manner as required by ASAE 3000^[22] to achieve the objectives of this ASAE.

Significance (Ref: Para 18(t), A31-A55)

The assurance practitioner shall consider significance when planning and performing the engagement. The assurance practitioner’s consideration of significance is matter of professional judgement that is integrated into all aspects of the performance engagement, including when:

1. Selecting performance engagement topics and activities to examine;
2. Defining the objective(s) and evaluation criteria for the engagement;
3. Determining the nature, timing and extent of procedures;
4. Evaluating the sufficiency and appropriateness of evidence obtained to confirm if a performance variation exists;
5. Evaluating the significance of any identified variations in the activity’s performance, taken individually and in combination;
6. Reporting findings;
7. Formulating the assurance conclusion(s); and
8. Developing recommendations (if appropriate).

During the performance engagement, the assurance practitioner shall reassess the significance of any matter if there is any indication that the basis on which the significance of the matter was determined has changed.

The assurance practitioner shall document factors relevant to the practitioner’s consideration of significance, including the basis for professional judgements made when deciding if a matter is significant.

Risk Procedures and Related Activities (Ref: 18(s), Para A56-A82)

Understanding the Activity and Other Performance Engagement Circumstances (Ref: Para A56-A57)

The assurance practitioner shall obtain an understanding of the activity included in the scope of the performance engagement, and other engagement circumstances, including events or conditions that may cause significant variations in the activity’s performance.

Enquiries and Discussion with Appropriate Parties

The assurance practitioner shall make enquiries of parties as appropriate to the scope of the performance engagement and other engagement circumstances, regarding whether:

1. They have knowledge of any intentional variations in the activity’s performance or non-compliance with laws and regulations relevant to the engagement objective(s). In the absence of identified or suspected non-compliance with laws and regulations, the assurance practitioner is not required to perform any further procedures regarding an entity’s compliance with laws and regulations. (Ref: Para A58)
2. The responsible party has an internal audit function and, if so, make further enquiries to obtain an understanding of any reviews of the activity’s performance by the internal audit function and the main findings; and
3. The responsible party has used any internal or external experts in dealing with the activity.

Designing and Performing Risk Procedures (Ref: 18(s), Para A59-A82)

Understanding Internal Controls Relevant to the Performance Engagement (Ref: Para A67-A82)

The assurance practitioner shall perform risk procedures sufficient to determine whether internal controls are relevant to the engagement objective(s). The extent to which internal controls are relevant depends on the engagement circumstances and the level of assurance required, and is a matter of professional judgement.

The assurance practitioner shall obtain an understanding of internal controls the practitioner considers are relevant to the evaluation of the activity’s performance against the identified criteria. This understanding shall include identifying controls designed to address (mitigate) the risk of significant variation from the identified criteria.

For controls over which the assurance practitioner plans to obtain evidence by testing their operating effectiveness, the practitioner’s understanding shall include:

1. Evaluating whether the control is designed effectively to address the risk of significant variation or designed effectively to support the operation of other relevant controls; and

2. If designed effectively, determining whether the control has been implemented by performing procedures in addition to enquiry of the responsible party.

Identifying areas where Significant Variations are likely to arise (Limited Assurance) or Identifying and Assessing the Risks of Significant Variation (Reasonable Assurance)

(Ref: Para 18(j), A83-A94) 

Revision of Risk Assessment in a Reasonable Assurance Engagement

R. The assurance practitioner’s assessment of the risks of significant variation in the activity’s performance may change during the course of the engagement as additional evidence is obtained. In circumstances where the practitioner obtains evidence which is inconsistent with the evidence on which the practitioner originally based the assessment of the risks of significant variation, the practitioner shall revise the assessment, and design and perform modified and/or additional procedures.

Performing Modified and/or Additional Procedures in a Limited Assurance Engagement (Ref: Para A89L-A91L)

L. If the assurance practitioner becomes aware of a matter that causes the practitioner to believe that a significant variation in the activity’s performance may exist, the practitioner shall design and perform modified and/or additional procedures to obtain further evidence until the practitioner is able to form a conclusion that either:

1. the matter is not likely to result in a significant variation in the activity’s performance; or

2. a significant variation in the activity’s performance exists.

Work Performed by an Assurance Practitioner’s Expert

When the assurance practitioner plans to use the work of an assurance practitioner’s expert, the assurance practitioner shall comply with the requirements in ASAE 3000.^[23]

Work Performed by Another Assurance Practitioner, a Responsible Party’s Expert, or an Internal Auditor

If the assurance practitioner plans to use information prepared by another party as evidence, the assurance practitioner shall comply with the requirements of ASAE 3000.^[24]

Written Representations (Ref: Para A92-A94)

The assurance practitioner shall request and endeavour to obtain written representations from the responsible party, as appropriate for the performance engagement.

(Ref: Para A95)

The assurance practitioner shall evaluate whether the identified variations in the activity’s performance are significant, individually or in combination. The assurance practitioner shall consider the size and severity of the impact or potential impact of those variations and conclude whether the activity was partially performed or not performed as evaluated against the identified criteria.^[25]

In making this evaluation, the assurance practitioner shall consider whether individual variations in performance identified during the engagement (other than those that are clearly trivial) have characteristics, for example, a root cause or a systemic issue, that indicate the combined effect of individual variations is likely to be significant.

(Ref: Para A96-A97)

When relevant to the performance engagement, the assurance practitioner shall consider the effect on the activity’s performance of events that become known to the assurance practitioner up to the date of the assurance report. The practitioner shall respond appropriately to facts that become known to the assurance practitioner after the date of the assurance report that, had they been known to the assurance practitioner at that date, may have caused the assurance practitioner to amend the assurance report. The extent of consideration of subsequent events depends on the assurance practitioners’ judgement of the potential for such events to affect the activity’s performance and to affect the appropriateness of the assurance practitioner’s conclusion. However, the assurance practitioner has no responsibility to perform any procedures regarding the activity’s performance after the date of the assurance report.

(Ref: Para A98-A100)

The assurance practitioner shall evaluate whether sufficient and appropriate evidence has been obtained from the procedures performed. If there is not sufficient or appropriate evidence, the assurance practitioner shall perform procedures to obtain further evidence to be able to form a conclusion on the activity’s performance. If the assurance practitioner is unable to obtain the necessary further evidence, the assurance practitioner shall consider the implications for the assurance practitioner’s conclusion.^[26] The assurance practitioner shall state in their conclusion that there was not sufficient or appropriate evidence to conclude against aspects of the engagement objective(s) or engagement objective(s) as a whole.

The assurance practitioner shall form a conclusion(s) about the activity’s performance against the engagement objective(s). In forming that conclusion, the assurance practitioner shall consider the outcomes of procedures performed in paragraphs 47-50.

(Ref: Para A101-A121)

The assurance report shall be in writing and shall contain a clear expression of the assurance practitioner’s reasonable or limited assurance conclusion about the activity’s performance against the engagement objective(s), or explain why this was not possible.

The assurance practitioner’s conclusion shall be clearly identified in the assurance report, separate from findings, recommendations and other information or explanations included in the report.

The assurance report shall include information necessary to address the engagement objective(s), and be sufficiently detailed to allow report users to understand the activity’s performance and the assurance practitioner’s conclusion(s), findings and recommendations (if appropriate).

Assurance Report Content (Ref: Para A104-A121)

The assurance report shall include at a minimum the following elements, to the extent that it is not inconsistent with relevant legislation or regulation:

1. A title or title page, indicating that it is an independent assurance report.

2. An addressee.

3. Identification of the scope of the performance engagement including:

   1. the activity’s performance which was the subject matter of the performance engagement; (Ref: Para 18(b))

   2. the engagement objective(s); (Ref: Para 18(g))

   3. the criteria for evaluating the activity’s performance, and their sources; (Ref: Para 18(e), 27, A111)

   4. if relevant, the date of, or period(s) covered by, the report;

   5. any activities the assurance practitioner has specifically excluded from the scope; and

   6. if appropriate, a description of any significant inherent limitations associated with the evaluation of the activity’s performance against the identified criteria; 

4. Identification or description of the level of assurance obtained/provided by the assurance practitioner. (Ref: Para A115)

5. Identification of the responsible party(ies) and a description of their responsibilities. (Ref: Para 18(r))

6. The assurance practitioner’s conclusion(s) against the engagement objective(s) which: (Ref: Para A98, A114-A118)

   1. in a reasonable assurance engagement, shall be expressed in a positive form.

   2. in a limited assurance engagement, shall be expressed in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the assurance practitioner’s attention to cause the practitioner to believe that the responsible party did not perform the activity in accordance with the identified criteria.

7. When the assurance practitioner was unable to obtain sufficient appropriate evidence (a scope limitation exists), the assurance report shall contain: (Ref: Para 58-59)

   1. A description of the causes and consequences of those findings; and (Ref: Para A112-A113)

   2. The assurance practitioner’s conclusion that there was not sufficient or appropriate evidence to conclude on the responsible party’s performance of: 

      1. certain aspects of the activity; or (Ref: Para A116(a))

      2. the activity as a whole. (Ref: Para A116(b))

8. When the assurance practitioner has identified significant variations in the activity’s performance, the assurance report shall contain:

   1. A description of the causes and consequences of those findings; and (Ref: Para A112-A113)

   2. The assurance practitioner’s conclusion that either the responsible party: 

      1. did not perform the activity in accordance with the identified criteria in certain significant respects; or(Ref: Para A117(a))

      2. did not perform the activity in accordance with the identified criteria in all significant respects. (Ref: Para A117(b))

9. The basis for the assurance practitioner’s conclusion, including: (Ref: Para A119-A120)

   1. A statement that the engagement was conducted in accordance with ASAE 3500 Performance Engagements; (Ref: Para A119)

   2. An informative summary of the work performed by the practitioner as the basis for the practitioner’s conclusion. In the case of a limited assurance engagement, an appreciation of the nature, timing and extent of procedures performed is essential to understanding the practitioner’s conclusion.  For a limited assurance engagement, the summary of the work performed shall state that: (Ref: Para A100, A120)

      1. The procedures performed in a limited assurance engagement vary in nature and timing from, and are lesser in extent than for, a reasonable assurance engagement; and

      2. Consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed; 

   3. A statement that identifies the assurance practitioner’s responsibilities or refers to a section in the assurance report that describes the practitioner’s responsibilities.*

   4. A statement that the assurance practitioner complies with the independence and other relevant ethical requirements related to assurance engagements, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding.*

   * Alternatively, where the information in (iii) and (iv) above is not included within the assurance report but provided within a separate report, or on a website controlled and managed by an Audit Office of an Auditor-General, the assurance report shall include a summary statement with a specific reference to the location of such information.

10. Signature of the assurance practitioner, the Audit Office or location in the jurisdiction where the assurance practitioner practices, and the date of the assurance report.

If appropriate, the assurance practitioner shall provide recommendations intended to address, or are related to, the assurance practitioner’s findings from the engagement. (Ref: Para A121)

If the assurance practitioner is required to conclude on other subject matters under different AUASB Standards in conjunction with an engagement to report under this ASAE, the assurance report shall include a separate section for each subject matter in the assurance report, clearly differentiated by appropriate section headings. (Ref: Appendix 4)

Scope Limitation (Ref: Para 55(g))

A limitation on the scope of the assurance practitioner’s work may be imposed by the terms of the engagement, if the engagement was initiated by an engaging party, or by the circumstances of the particular engagement. When the limitation is imposed by the terms of the engagement, and it is likely to prevent the assurance practitioner from reaching a conclusion, the engagement shall not be accepted, unless required to do so by law or regulation.

When a scope limitation is imposed by the circumstances of the particular engagement, the assurance practitioner shall attempt to perform alternative procedures to overcome the limitation. When a scope limitation exists and remains unresolved, the wording of the assurance practitioner’s report shall comply with paragraph 55(g).

If, during the course of the performance engagement, the assurance practitioner identifies any significant variations in the activity’s performance, the assurance practitioner shall report those variations to the responsible party on a timely basis in order to allow the responsible party sufficient time to investigate and respond to the identified variations.

The assurance practitioner shall consider whether, pursuant to the terms of the performance engagement, if applicable, and other engagement circumstances or legislative requirements, any matter has come to the attention of the assurance practitioner that is to be communicated with Parliament, the responsible party, the engaging party (if applicable) or others, as required by ASAE 3000.^[27]

The assurance practitioner shall determine whether there is a responsibility or legislative requirement for the assurance practitioner to report the occurrence or suspicion of fraud or other misconduct to a party outside the entity, including Parliament, a regulator or government agency. Any such reporting shall be in accordance with the relevant legislation.

(Ref: Para A122-A123)

The assurance practitioner shall prepare documentation in accordance with ASAE 3000.^[28] In documenting the nature, timing and extent of procedures performed as required by ASAE 3000, the assurance practitioner shall record:

1. the identifying characteristics of the activity’s performance being tested;

2. who performed the work and the date such work was completed; and

3. who reviewed the work performed and the date such review was performed.

(Ref: Para 3-16)

Direct engagements share many features of an attestation engagement undertaken under ASAE 3000. However, direct engagements also have unique features that are different from those of attestation engagements. For example, performance engagements undertaken in the public sector are ordinarily direct engagements, that have the following features: (Ref: Para 18(d)(f))

• The party responsible for the activity’s performance being reported on does not make a public assertion or statement on the activity’s performance as evaluated against the identified criteria.
• Pursuant to their legislative mandate, the assurance practitioner decides the:
  • activity’s performance to be evaluated; and
  • nature and scope of the activity’s performance to be reported on.
• The assurance practitioner identifies or develops the evaluation criteria against which the activity’s performance is assessed.
• The assurance practitioner then evaluates the activity’s performance (the subject matter) against the identified criteria and presents the outcome of the evaluation (the resulting subject matter information) as part of, or accompanying, the assurance report.

If the assurance practitioner initiates or accepts a limited assurance engagement to evaluate an activity’s performance, the assurance practitioner ensures:

1. the users understand the lower level of assurance which the assurance practitioner will obtain as a basis for their conclusion;
2. a limited assurance conclusion is likely to still meet the users’ needs; and
3. the assurance conclusion clearly communicates that the procedures performed vary in nature and timing from, and are lesser in extent than for, a reasonable assurance engagement and so the level of assurance obtained may be substantially lower than in a reasonable assurance engagement.

Elements of an activity’s performance that may be considered in a performance engagement include:

1. systems for planning, budgeting, authorisation, control and evaluation of resource allocation;
2. systems for ensuring compliance with relevant legislation, policies or procedures;
3. governance structures, including the assignment of responsibilities and accountability;
4. identification and management of risks;
5. reporting on resources used; and
6. reporting on outputs, outcomes and the achievement of objectives.

In the public sector, the conduct of performance engagements by AuditorsGeneral is legislated in the respective jurisdictions. While the legislative requirements may have either a narrow or broad scope, performance engagements may include examination of:

1. economy, efficiency, effectiveness and/or ethical aspects of:
   1. management systems or an entity’s management in order to contribute to improvements;
   2. the operations of an entity or an activity of an entity;
   3. the implementation of government policies or programs, and the application of government grants;
   4. financial prudence in the application of public resources; and
   5. administrative arrangements.
2. intended and unintended impacts of the implementation of government policies or programs and the extent to which community needs and stated objectives of an activity or entity have been met; or
3. probity processes and identification of weaknesses.

Performance Principle (Ref: Para 18(n))

The performance principle(s) to be addressed in evaluating an activity’s performance will vary depending on the terms of the engagement agreed or, for Auditors-General, the legislative mandate that applies in their jurisdiction. Performance engagements generally focus on one or more of the following performance principles (there may be others):

• Economy―The principle relating to the minimisation of the costs of resources, within the operational requirements of timeliness and availability of required quantity or quality.
• Effectiveness―The principle relating to the extent to which the intended objectives or outcomes of an activity are achieved.
• Efficiency―The principle relating to minimising the inputs employed to deliver outputs of an activity at the appropriate quality and quantity and when the outputs are needed.
• Ethics—The principle relating to the extent to which the proposed use of public resources is consistent with the core beliefs and values of society. Where a person behaves in an ethical manner it could be expected that a person in a similar situation would undertake a similar course of action. For the approval of proposed commitments of relevant money, an ethical use of resources involves managing conflicts of interests, and approving the commitment based on the facts without being influenced by personal bias. Ideally, ethical considerations are balanced with considerations of whether the use will also be efficient, effective and economical.^[29]
• Equity—The principle relating to fairness and impartiality in the use of public resources and/or the availability of public services.^[30] Equity is often treated as an element of ethics.
• Probity—The principle relating to evidence of ethical behaviour, and can be defined as complete and confirmed integrity, uprightness and honesty in a particular process.^[31] As there may be some overlap between probity and ethics, probity is often treated as an element of ethics.
• Sustainability—The principle relating to sustainable development strategies or management of sustainable development and environmental issues in meeting the needs of the present generation without compromising the ability of future generations meeting theirs.^[32]

(Ref: Para 22)

Relevant ethical requirements include the following fundamental principles with which the assurance practitioner is required to comply:

1. integrity;
2. objectivity, including independence;
3. professional competence and due care;
4. confidentiality; and
5. professional behaviour.

(Ref: Para 23-27)

Agreeing on or Communicating the Terms of the Performance Engagement (Ref: Para 24-25)

The terms of the performance engagement normally identify:

1. the engagement objective(s);
2. whether the engagement is a reasonable or limited assurance engagement;
3. the activity’s performance to be evaluated in the engagement;
4. the period to be covered by the engagement;
5. the performance principle(s) to be addressed in evaluating performance;
6. suitable criteria, in so far as the criteria have been identified, against which the activity’s performance will be evaluated;
7. the intended users of the assurance report;
8. the base elements of the assurance report; and
9. any other matters required by law or regulation to be included in the terms of engagement.

The terms of engagement may also seek the responsible party’s agreement that they acknowledge and understand their responsibility to provide the assurance practitioner with:

1. access to all information, such as records, documentation and other matters of which the responsible party is aware are relevant to the activity’s performance;
2. all additional information that the assurance practitioner may request from the responsible party for the purposes of the performance engagement; or
3. unrestricted access to persons engaged in the activity from whom the assurance practitioner determines it necessary to obtain evidence.

If there is no engaging party, such as for performance engagements initiated by an Auditor-General, the existence of a legislative mandate may obviate the need to agree on the terms of the performance engagement. Even in those circumstances it may be useful for the assurance practitioner to communicate the terms of engagement to the responsible party, including referral of any legislative requirements imposed on the responsible party to provide access to information or people relevant to the activity. (Ref: Para 9)

Preconditions for the Assurance Engagement (Ref: Para 26-27)

In the public sector, if a performance engagement is initiated by the assurance practitioner, some of the preconditions for the assurance engagement may be assumed to be present if they are set out in legislation, such as the roles and responsibilities of the responsible party and the right of access to information by the assurance practitioner. (Ref: Para 9)

When initiating or accepting a performance engagement, in order to satisfy themselves that those persons who are to perform the performance engagement collectively have the appropriate competence and capabilities, including having sufficient time to perform the engagement, the assurance practitioner may need to either assemble a multidisciplinary team or be a specialist in the relevant discipline.

When multidisciplinary teams are used in a performance engagement, adequate direction and supervision of engagement teams and review of their work are particularly important, so that the engagement team members’ different perspectives, experience and specialties are appropriately used. It is important that all engagement team members understand the objectives of the particular performance engagement and the terms of reference of work assigned to them. Adequate direction and supervision of engagement teams and review of their work are important so that the work of all engagement team members is executed properly and is in compliance with this ASAE and meets the quality management requirements of ASAE 3000.

Assessing the appropriateness of the activity’s performance to be evaluated as the subject matter (Ref: Para 26(a))

When assessing the appropriateness of the activity’s performance to be evaluated as the subject matter of the performance engagement, the assurance practitioner considers whether the:

• the activity is identifiable, and whether its performance can be consistently evaluated against identified criteria; and

• the activity’s performance can be subjected to procedures for gathering sufficient appropriate evidence to support a conclusion.

If after initiating or accepting the performance engagement, the assurance practitioner concludes that the activity’s performance is not an appropriate subject matter, the assurance practitioner assesses whether to:

• change the scope of the performance engagement or, if terms of the performance engagement have been agreed with the engaging party, seek to amend those terms; or

• withdraw from or discontinue the performance engagement.

In the event that the assurance practitioner is unable to change the scope or terms of, or withdraw from or discontinue, the performance engagement under paragraph A14 of this ASAE, the assurance practitioner considers the implications for the assurance report.

In a performance engagement initiated by the assurance practitioner, the identification of the subject matter and development of the engagement objective(s) and criteria is revised and refined as:

• more information on the subject matter is gathered; and

• the assurance practitioner better understands the needs of the intended users.

Assessing the Suitability of the Criteria (Ref: Para 26(b), 27)

Criteria are the measures used to evaluate the activity’s performance. Criteria which address each objective or subobjective are developed or identified in planning the performance engagement. In assessing the suitability of the criteria, the assurance practitioner considers whether the criteria are derived from sources such as:

1. regulatory bodies, legislation or policy statements;
2. industry standards, relevant benchmarks, and relevant practice guides developed by professional bodies, associations or other recognised authorities;
3. statistics, measures or practices developed by the responsible party or by similar entities; or
4. those developed by the assurance practitioner themselves, in which case the assurance practitioner documents why the identified criteria are suitable.

Regardless of the source, the assurance practitioner documents their assessment of the suitability of the identified criteria. The suitability of the criteria is determined within the context of the engagement circumstances, including the performance principle(s) to be addressed.

Criteria may range from general to specific. General criteria are broad statements of acceptable and reasonable performance. Specific criteria are derived from general criteria and are more closely related to an entity's governing legislation or mandate, objectives, programs, systems and controls.

Criteria are either established or specifically developed. Ordinarily, established criteria are suitable when they are relevant to the needs of the intended users. For some engagements criteria may have been developed to meet the needs of specific users. In this case, the assurance report may state, if it is relevant to the intended users:

• that the criteria are not embodied in laws or regulations, or issued by authorised or recognised bodies of experts that follow a transparent due process; and
• that the assurance report is only for the use of the intended users and for their purposes.

If, after initiating or accepting the performance engagement, the assurance practitioner concludes that the identified criteria are not suitable, the assurance practitioner may either:

• identify or develop suitable criteria;

• seek to change the terms of the performance engagement, if necessary, such as when the terms have been agreed with an engaging party; or

• withdraw from or discontinue the performance engagement.

In the event that the assurance practitioner is unable to change the terms of, or withdraw from or discontinue, the performance engagement, the assurance practitioner considers the implications for the assurance report.

(Ref: Para 30-40)

In the public sector, Auditors-General regularly receive topic suggestions for performance engagements from members of Parliament, executive government and the public. Auditors-General may also select topics that align with government policy objectives and reform agendas to assess progress and impacts. Auditors-General ordinarily adopt a strategic and risk-based approach to selecting performance engagement topics that are significant and auditable, and consistent with their legislative mandate. Once an Auditor-General has selected an engagement topic, the assurance practitioner plans the performance engagement.

Planning involves developing an overall strategy for the scope, emphasis, timing and conduct of the performance engagement. The performance engagement plan consists of a detailed approach for the nature, timing and extent of evidence-gathering procedures to be undertaken and the reasons for selecting them. Ordinarily, adequate planning:

• helps to devote appropriate attention to important areas of the activity’s performance, identify potential risk areas on a timely basis and properly organise and manage the performance engagement in order for it to be conducted in an effective and efficient manner;

• assists the assurance practitioner to properly assign work to performance engagement team members, and facilitates the direction and supervision of engagement team members and the review of their work; and 

• assists, where applicable, the coordination of work done by other assurance practitioners and experts. 

The nature and extent of planning activities will vary with the performance engagement circumstances, for example the size and complexity of the activity and the assurance practitioner’s previous experience with it. Examples of the main matters to be considered include:

• The terms of the performance engagement.

• The assurance practitioner’s understanding of the activity and other performance engagement circumstances.

• The characteristics of the activity and the identified criteria.

• The performance engagement process and possible sources of evidence.

• Identification of intended users and their needs, and consideration of significance in the context of the engagement.

• The assessment of risk.

• Personnel and expertise requirements, including the nature and extent of involvement by internal and external experts.

Planning is not a discrete phase, but rather a continual and iterative process throughout the performance engagement. As a result of unexpected events, changes in conditions, or the evidence obtained from the results of evidencegathering procedures, the assurance practitioner may need to revise the overall strategy and performance engagement plan and, as such, the resulting planned nature, timing and extent of further evidencegathering procedures.

Engagement Objective(s)^[33] (Ref: Para 18(g))

The objective of a performance engagement is often presented as a statement of purpose or question, which references the responsible party, the subject matter and the performance principle(s) to be addressed (for example, economy, efficiency, effectiveness and/or ethics). The assurance practitioner exercises professional judgement in determining the use of the most appropriate terminology throughout the performance engagement and especially in the assurance report.

The engagement objective is framed in a way that allows for an unambiguous conclusion to be reached as to whether the responsible party performed, or did not perform, the activity in accordance with the identified criteria.

In planning the performance engagement, if the scope of the engagement is based on an overall objective, then the assurance practitioner may identify more precise subobjectives/questions (or lines of enquiry) from which they can identify, select or develop the criteria against which the activity’s performance can be evaluated. Such subobjectives/questions are typically thematically related, complementary, not overlapping and collectively exhaustive in addressing the engagement objective.

Ideally, each engagement would have one overall objective that provides a clear focus for the engagement. However, for more complex engagements, the assurance practitioner may choose to develop several engagement objectives, which do not always need to be broken down into sub-objectives.

Significance^[34] (Ref Para 31-33)

For the purpose of this ASAE, significance may be viewed as the relative importance of a matter, within the context in which it is being considered, that could potentially influence the decisions of the intended users of the assurance report.

For the purpose of this ASAE, the term ‘significance’ is used instead of the ASAE 3000 term ‘materiality’. The concept of significance is considered more useful in the context of a performance engagement. It can be applied more flexibly at different stages of the engagement and is considered more helpful in ensuring that the assurance practitioner selects the right activities, criteria and findings to report, and provide assurance reports that are relevant and useful for the intended users. Significance may also be more meaningful to the lay person reading the assurance report, especially when communicated in terms of the causes and consequences of a finding (that is, the size and severity of the impact or potential impact of the finding).

Consideration of significance is a matter of professional judgement and depends on the assurance practitioner’s perception of the intended users’ needs and interests. Since the subject matter of performance engagements can vary broadly, that perspective may vary from one engagement to another.

In judging the relative importance of a matter, the assurance practitioner considers the:

• nature of the impact(s), which may relate to monetary value or the impact on the environment, society, politics, culture and the economy;
• size and severity of the impact or potential impact if it can be quantified; and
• likelihood of an impact occurring, which may be expressed using general terms (likely, very likely) or more precisely (for example, the probability of something occurring).

The inherent characteristics of an item may render a matter significant by its very nature. A matter may also be significant because of the context in which it occurs. Relevant considerations may include economic, environmental, political, cultural and other societal challenges at local, regional and global levels related to the activity’s performance examined, as well as compliance with laws and regulations.

Impacts may include negative and positive impacts, could be intended or unintended and may impact the short-term or long-term. The assurance practitioner also takes into account that impacts may change over time as activities and context evolve.

What is considered significant will depend on the perspective of the intended users, which may vary over time. In identifying individuals and groups whose interests are or could be affected by the assurance report, the assurance practitioner also takes into account that intended users may include individuals or groups who may not be able to articulate their views (for example, future generations) but whose interests are affected or could be affected. For the same engagement, the intended users may also be different for each of the identified criteria.

It may not always be possible for the assurance practitioner to identify all those who will read the assurance report, particularly where the assurance report is publicly available. In such cases, particularly when potential users are likely to have a broad range of interests in the assurance report, intended users may be limited to major stakeholders with significant and common interests. In the public sector, Parliament and the responsible party is likely to be the primary users of assurance reports on performance prepared by Auditors-General. Other major stakeholders may include, government, regulators, lobby groups and representative organisations.

When communicating significant variations in assurance reports, it may not always be reasonable for the assurance practitioner to assume that all of the intended users, such as members of Parliament or the general public:

1. have a reasonable knowledge of the activity or a willingness to study the assurance report with reasonable diligence;
2. understand that the assurance practitioner has applied the concept of significance in evaluating and obtaining assurance regarding the activity’s performance, and have an understanding of any significance concepts included in the identified criteria; and
3. understand any inherent uncertainties involved in evaluating the activity’s performance.

Unless the performance engagement has been designed to meet the particular information needs of specific users, the possible effect of variations in performance on specific users whose information needs may vary widely, is not ordinarily considered.

Professional judgements about significance are made in light of surrounding circumstances but are not affected by the level of assurance. That is, for the same intended users and purpose, the assurance practitioner applies the same considerations in both limited assurance and reasonable assurance engagements when considering the significance of matters.

Due to the importance of using professional judgement in considering the significance of matters and concluding on significant findings, the assurance practitioner’s documentation should be sufficiently complete and detailed, and include the rationale in support of any judgements made and conclusions reached.

Consideration of significance when selecting activities to examine

Effective performance engagements may have considerable impact. Assurance reports on performance provide new information, analysis or insights and, where appropriate, recommendations for improvement. In the public sector, this information may play a role in improving public sector performance and supporting accountability and transparency.

A significant activity is one that the assurance practitioner judges:

1. to be important to the intended users of an assurance report on the activity’s performance; and

2. for which new insights or more accessible information may influence the decisions made by those users.

The process to evaluate and select activities for examination, may include the following steps:

1. identify actual and potential impacts of the activity and the engagement; 

2. assess the significance of the impacts applying suitable criteria; and

3. prioritise the impacts based on their significance.

To understand the significance of an activity, the assurance practitioner may perform quantitative and qualitative analysis. The practitioner may also need to consult with relevant internal or external experts and relevant stakeholders.

The assurance practitioner may assess the significance of, and risks associated with, public sector activities and prioritise engagements by considering factors such as:

• Economic and financial magnitude—the economic contribution or impact of the activity may be significant.

• Social, public safety, political and/or environmental impact—activities affecting a large segment of the population or vulnerable sections of a population, or which may impact environmental sustainability, may be judged to be more significant.

• Visibility—the extent of interest shown in an activity or aspects of an activity by, for example, the legislature, regulatory bodies or the public, may indicate the importance of the activity to users. For example, a large number of complaints relating to the activity.

• Nature, size and complexity of the activity—an increase in the complexity of an entity’s activities, for example, increased variety and type of operations, functions and programmes may increase the risk that the entity does not achieve its objectives and goals or that they are not achieved in an efficient or economical manner.

• Likely impact of the performance engagement (added value expected from the engagement)—engagements that offer more opportunities to have an impact, may be prioritised.   

• Impact of the activity or failure of an activity on other areas within government, including in the areas of compliance, governance, transparency and accountability.

Significance in planning and performing the engagement

Given limited resources and time, a performance engagement cannot focus equally on all aspects of a significant activity’s performance during the engagement. Understanding what aspects of the activity’s performance may be significant to the intended users may assist the assurance practitioner in focusing their efforts and in applying professional judgement when considering the significance of any identified variations in performance.

Scoping the proposed engagement to focus on significant aspects of the activity’s performance, that is, the areas which will potentially add the most value, will support the development of an engagement objective(s).

For a performance engagement to be efficient and effective, which in this context means concluding against the engagement objective(s) and satisfying the needs of the intended users, it is important that the assurance practitioner assess and prioritise the most appropriate questions (lines of enquiry) and criteria to examine. For example, they may assess the risk of significant variations as either high, medium or low for each potential question/criteria. This assessment will require a good understanding of the activity and the information needs of the intended users of the assurance report.

In some instances, there may be no tolerance for variations in relation to significant criteria.

In conducting the performance engagement, the assurance practitioner considers the significance of the information that is being collected and the potential results of the analysis undertaken. The practitioner applies professional judgement to ensure that work is focused on significant aspects of the activity’s performance being examined.

Significance in formulating and reporting findings, conclusions and recommendations

During the reporting phase of the engagement, the assurance practitioner uses professional judgement to decide which findings are of such significance to include in the assurance report. While all identified variations may be reported to the responsible party, the assurance report should only include significant findings, that is, those that have a bearing on the conclusion and the reader’s use of the report.

An identified variation in the activity’s performance against the identified criteria may be considered significant when, in the assurance practitioner’s judgement, information about the variation could reasonably be expected to influence decisions made by intended users of the assurance report. What is relevant to report users is the consequence(s) of a finding (that is, the size and severity of the impact or potential impact of the finding) and cause (why it happened).

Individual variations in performance identified during the engagement (other than those that are clearly trivial) may have characteristics, for example, a root cause or a systemic issue, that indicate the combined effect of individual variations is likely to be significant.

The assurance practitioner may take the following factors into account when determining whether a variation constitutes a significant variation from the identified criteria:

• The number of persons or entities impacted. 

• The economic, social, political and environmental impact of an activity. Where there is broader societal interest in an activity or where the activity could present a significant risk to the public, for example, where the health or safety of the general public or vulnerable groups is affected, the tolerance for variations in performance may be less. 

• Whether a variation is the result of an intentional act or is unintentional.

• Whether a variation affects compliance with law or regulation.

• Whether a variation relates to transparency or accountability.

• If the likely cost of correcting an issue is greater than the benefit to be derived, significance may be questionable.

• Minor variations from several criteria may signal minor problems or may be indicative of a problem (or theme) of greater significance that may need to be reported as a significant variation.

• The nature of a variation, for example, the nature of observed variations from a control relevant to the activity’s performance.

• Whether a variation is significant having regard to the assurance practitioner’s understanding of known previous communications to users, for example, in relation to the expected outcome of the evaluation of the activity’s performance.

• Whether a variation relates to the relationship between the responsible party and the engaging party, or their relationship with other parties.

• When a threshold or benchmark value has been identified, whether the result of the procedure deviates from that value.

• When the activity is a governmental program or public sector entity, whether a particular finding is significant with regard to the nature, visibility and sensitivity of the program or entity.

Risk Procedures and Related Activities (Ref: Para 18(s), 34-40)

Understanding the Activity and Other Performance Engagement Circumstances (Ref: Para 34)   

Obtaining an understanding of the activity and other performance engagement circumstances is an essential part of planning and conducting the performance engagement. It provides the assurance practitioner with a frame of reference for exercising professional judgement throughout the engagement. For example, when:

• Defining a rational engagement objective and suitable evaluation criteria.
• Determining whether evidence needed to support the practitioner’s conclusion is available.
• Understanding the implications of applicable laws and regulations on the activity’s performance.
• Considering the factors that, in the assurance practitioner’s professional judgement, are important in directing the engagement team’s efforts, including where special consideration may be necessary (for example, the need for specialised skills or the work of an expert).
• Establishing and evaluating the continued appropriateness of quantitative and qualitative factors that may impact the assurance practitioner’s consideration of significance.
• Developing expectations to be applied when undertaking analytical procedures.
• Using data analysis tools to undertake the engagement.
• Requesting evidence that is relevant to the engagement objective(s) and identified criteria.
• Evaluating evidence, including the reasonableness of the responsible party’s oral and written representations.
• Designing and undertaking further evidence-gathering procedures to reduce the risk of an incorrect conclusion to an acceptable low level.
• Reporting the findings, conclusions and recommendations in an assurance report.

The assurance practitioner ordinarily has a lesser depth of understanding of the activity and other engagement circumstances than the responsible party. The assurance practitioner also ordinarily has a lesser depth of understanding of the activity and other engagement circumstances for a limited assurance engagement than for a reasonable assurance engagement. This will have the following implications:

1. For a limited assurance engagement, the assurance practitioner obtains an understanding of the activity sufficiently to identify areas where a significant variation in the activity’s performance is most likely to arise.  In a reasonable assurance engagement, a more in-depth understanding is required to both identify and assess the risks of significant variation. The assurance practitioner will use professional judgement to determine whether enough has been done to obtain and document the necessary understanding given the level of assurance.

2. Although in some limited assurance engagements the practitioner may identify or obtain an understanding of internal controls relevant to the activity’s performance, this is often not the case.

Enquiries and Discussion with Appropriate Parties (Ref: Para 35(a))

Although the assurance practitioner is not required to perform any further procedures regarding an entity’s compliance with laws and regulations in addition to that specified in paragraph 35(a) of this ASAE, the practitioner shall remain alert to the possibility that procedures performed during the engagement may bring instances of non-compliance or suspected non-compliance with laws and regulations to the practitioner’s attention. The assurance practitioner may have additional responsibilities under law, regulation or relevant ethical requirements regarding an entity’s non-compliance with laws and regulations.^[35]

Designing and Performing Risk Procedures (Ref: Para 36-40)

The engagement circumstances affect the degree to which each of the components of engagement risk is relevant to the engagement, in particular:

• The nature of the activity reported on. For example, the concept of control risk may be more relevant for engagement objectives related to the effectiveness/efficiency of a system or process (for example to monitor and report on performance), than for objectives related to the outcome of a program or process or the existence of a physical condition.

• Whether a reasonable assurance or a limited assurance engagement is being performed. For example, in limited assurance engagements the assurance practitioner may often decide to obtain evidence by means other than testing of controls, in which case consideration of control risk may be less relevant than in a reasonable assurance engagement to report on the same activity’s performance.

Risk procedures are part of an iterative and dynamic process. Initial expectations may be developed about areas where significant variations are likely to arise (in a limited assurance engagement) or risks of significant variation (in a reasonable assurance engagement), which may be further refined as the assurance practitioner progresses through the engagement, or if new information is obtained. Risk procedures by themselves do not provide sufficient appropriate evidence on which to base the assurance conclusion.

The assurance practitioner may perform further procedures (see ‘Designing and Performing Further Procedures’ below) concurrently with risk procedures when it is efficient to do so.

The nature and extent of risk procedures will vary based on the nature and circumstances of the entity (for example, the formality of the entity’s policies or procedures, processes and systems), the nature and complexity of the activity, the identified criteria, and the characteristics of the events or conditions that could give rise to significant variations. The practitioner uses professional judgement to determine the nature and extent of the risk procedures to be performed to meet the objectives of this ASAE to the level of assurance to be obtained.

Risk procedures may include the following:

1. Enquiries of parties as appropriate to the scope of the performance engagement and other engagement circumstances;

2. Analytical procedures; 

3. Observation; and

4. Inspection.

L. In a limited assurance engagement, identifying the areas where a significant variation in the activity’s performance is likely to arise enables the assurance practitioner to focus procedures on those areas. Risk procedures for a limited assurance engagement would ordinarily be limited to enquiries of appropriate parties, analytical procedures and necessary documentation review. However, there may be circumstances where the assurance practitioner may consider it effective or efficient to design and perform other procedures.

L. In rare circumstances, the assurance practitioner’s risk procedures may not identify any areas where a significant variation is likely to arise. Irrespective of whether any such areas have been identified, the practitioner is required to design and perform procedures to obtain a meaningful level of assurance^[36]. In such cases, the practitioner may perform additional risk procedures or design and perform further procedures in relation to significant areas of the engagement.

Based on the risk procedures performed, the assurance practitioner will be able to make an informed decision about whether the identified criteria are best addressed using a limited or reasonable assurance approach. For example, where risk procedures identify significant levels of engagement risk, a limited assurance engagement may not be suitable because:

• a limited level of assurance may not be meaningful to the users of the assurance report; or

• there may no longer be an efficiency advantage for the assurance practitioner in performing a limited assurance engagement because the assurance practitioner may have to perform considerable additional work under paragraph 43 of this ASAE where the practitioner believes that there may be a significant variation in the activity’s performance.  In these circumstances the assurance practitioner may consider whether a reasonable assurance engagement will be more effective.  This change in approach would be communicated through the engagement strategy.

Understanding Internal Controls Relevant to the Performance Engagement (Ref: Para 37-39)

Internal controls are processes designed, implemented and maintained by those charged with governance, management and other personnel to mitigate the risks which may prevent achievement of objectives relating to an entity and its operations, compliance or reporting.

The assurance practitioner’s understanding of the entity’s system of internal control provides a preliminary understanding of how the entity identifies business risks and how it responds to them. It may also influence the practitioner’s identification and assessment of the risks of significant variation. This assists the practitioner in designing and performing further procedures, including any plans to test the operating effectiveness of controls.

In the context of a performance engagement, a relevant internal control is one designed to address (mitigate) the risks of significant variation in the activity’s performance. A relevant internal control may include components of the control environment, the entity’s risk assessment process, the entity’s process for monitoring its system of internal control, the information system and communication, and specific control activities designed to mitigate specific risks. Professional judgment is needed to determine which controls are relevant in the engagement circumstances.

Internal controls relevant to an activity’s performance may include controls that pervasively impact an entity’s operations (indirect entity-level controls). Whether such controls are relevant, will likely depend on the engagement objective(s). For example, when the objective of an engagement is the effectiveness of the administration of grants for a public sector entity, internal control over human resources management may not be relevant to the performance engagement. If the assurance practitioner’s intention is to rely on the entity’s grants payment system, internal control related to the entity’s information system and information technology may be relevant to such an engagement.

In other situations, internal controls relevant to the engagement may be direct controls designed to mitigate the risks of significant variations from the identified criteria, such as authorisations and approvals, reconciliations, verifications (such as edit and validation checks or automated calculations), segregation of duties, and physical or logical controls, including those addressing safeguarding of assets. For example, a control to ensure contract variations are approved by an appropriate delegate may be relevant when conducting a performance engagement to examine whether procurements of office furniture have been consistent with a government’s procurement rules and are achieving value for money.

When the objective of a performance engagement is to conclude on a specific outcome of a program or process, examination of internal control at either the entity wide level or activity level may not be relevant to that engagement. For example, an assurance engagement may be designed to reach a conclusion regarding whether the time taken to process specific items (for example, applications to receive a service) over a specified period of time exceeds what is permitted under stated policies. The practitioner might simply examine all the items processed during the specified period and conclude on whether there were significant variations from the stated policies.

When the objective of a performance engagement requires the design or implementation of internal controls over a process to be assessed (for example, a process for dealing with patients in a hospital emergency room), the assurance practitioner’s expectations for the effective design and implementation of the internal controls is likely to be a criterion.

When internal controls are judged to be relevant to a performance engagement, the assurance practitioner’s understanding of controls includes identifying controls designed to mitigate the risk of significant variations identified as part of the assurance practitioner’s risk assessment. The aim is to identify controls that, if ineffective, will create a higher risk of significant variation.

The assurance practitioner may plan to obtain evidence by testing the operating effectiveness of identified controls, for example, where such an approach is considered to be more effective or efficient for large volumes of homogenous transactions. The assurance practitioner may also identify risks of significant variation for which it is not possible to obtain sufficient appropriate evidence through substantive procedures alone.

The practitioner is not required to evaluate the design of controls and to determine whether they have been implemented unless the practitioner plans to obtain evidence by testing their operating effectiveness.

R. Risk procedures to obtain an understanding about control design and implementation for a reasonable assurance engagement may include:

• Enquiring with the responsible party’s personnel;

• Observing the application of specific controls;

• Inspecting documents and reports; and

• Performing walk-throughs.

Enquiry alone is not sufficient for such purposes.

L. In a limited assurance engagement it will often not be necessary to obtain a detailed understanding of internal controls and the procedures to obtain the understanding may be less in extent, and of a different nature, than those required in a reasonable assurance engagement. For example, in a limited assurance engagement, the assurance practitioner may obtain a sufficient understanding through enquiry but may need to perform a walk-through in a reasonable assurance engagement.

Evaluating the design of a control involves the assurance practitioner’s consideration of whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, significant variations.

The assurance practitioner determines the implementation of an identified control by establishing that the control exists and that the entity is using it. There is little point in the practitioner assessing the implementation of a control that is not designed effectively. To determine if the controls have been implemented, the practitioner may perform walk-throughs or observe the control being performed by, for example, the responsible party’s personnel. The assurance practitioner often evaluates control design and implementation at the same time.

The practitioner may conclude that a control is effectively designed and implemented. It is then appropriate to design and perform further procedures to test its operating effectiveness in order to determine the nature, timing and extent of other assurance procedures. However, when a control is not designed or implemented effectively, there may be no benefit in testing it.

Evaluating the design and determining the implementation of controls is not sufficient to test their operating effectiveness.

(Ref: Para 41-46)

Sufficiency is the measure of the quantity of evidence. Appropriateness is the measure of the quality of evidence; that is, its relevance and its reliability. The assurance practitioner ordinarily considers the relationship between the cost of obtaining evidence and the usefulness of the information obtained. However, the matter of difficulty or expense involved is not in itself a valid basis for omitting an evidence-gathering procedure for which there is no alternative. The assurance practitioner uses professional judgement and exercises professional scepticism in evaluating the quantity and quality of evidence, and thus its sufficiency and appropriateness, to support the conclusions in the assurance report.^[37]

Performance engagements require the application of assurance skills and techniques and the gathering of sufficient appropriate evidence as part of an iterative, systematic assurance engagement process. For further guidance on the nature, timing and extent of evidence-gathering procedures for performance engagements, refer to ASAE 3000.^[38]

L. The evidence required in a limited assurance engagement would ordinarily be limited to that obtained by enquiry, analytical procedures and necessary documentation review. In contrast to a reasonable assurance engagement, the assurance practitioner in a limited assurance engagement would not ordinarily seek to corroborate evidence obtained, as long as the information obtained from applying assurance procedures appears plausible in the circumstances, as judged by the practitioner. In circumstances where the practitioner is not satisfied of the plausibility of the initial evidence collected, it may be necessary to seek corroboration of evidence or to conduct more detailed procedures.

L. In considering the plausibility of evidence obtained, the assurance practitioner may consider, for example, whether the evidence:

1. is consistent with the practitioner’s knowledge and understanding of the entity and activity subject to the engagement, and other evidence obtained during the course of conducting the engagement;  and

2. reasonably demonstrates that the criteria of the engagement have been met or not met.

L. While enquiry is a key procedure in the conduct of a limited assurance engagement, the assurance practitioner is still required to exercise professional scepticism. This means that the documentation of enquiries cannot simply restate the matters discussed but rather should demonstrate the basis on which the assurance practitioner has considered and accepted the evidence as plausible in the circumstances.

Under ASAE 3000^[39] it may not be appropriate for a reasonable assurance engagement that has commenced to be reduced to limited assurance, without reasonable justification. ASAE 3000 notes an inability to obtain sufficient appropriate evidence to support a reasonable assurance conclusion, is not an acceptable reason to change from a reasonable assurance engagement to a limited assurance engagement. In these circumstances the assurance practitioner may consider withdrawing from the engagement or issue a modified conclusion.

Performing Modified and/or Additional Procedures in a Limited Assurance Engagement (Ref: Para 43L)

L. If, in the case of a limited assurance engagement, the assurance practitioner becomes aware of a matter that leads the assurance practitioner to believe that there may be a significant variation in the activity’s performance, the practitioner is required by paragraph 43L of this ASAE to design and perform modified and/or additional procedures to obtain further evidence, until the practitioner is able to form a conclusion that either:

1. the matter is not likely to result in a significant variation in the activity’s performance; or

2. a significant variation in the activity’s performance exists.

L. The modified/additional procedures may include additional enquiry and/or more detailed analytical procedures. The assurance practitioner may also deem it necessary to apply procedures normally used in undertaking a reasonable assurance engagement, which may necessitate detailed transactional or data testing. The fact that the assurance practitioner performs modified/additional procedures does not alter the assurance practitioner’s objective of obtaining limited assurance in relation to the activity’s performance.

L. If, after having performed the modified/additional procedures the assurance practitioner is unable to achieve either of the outcomes in paragraph 43L, a scope limitation exists and the practitioner will issue, as appropriate, a qualified conclusion, disclaim a conclusion, or withdraw from the engagement, where withdrawal is possible under applicable law or regulation.

Written Representations (Ref: Para 46)

If the performance engagement is initiated by the assurance practitioner, the assurance practitioner may not be in a position to obtain representations from the responsible party, particularly as the responsible party may not be a party to the performance engagement.

Representations by the responsible party cannot replace other evidence the assurance practitioner could reasonably expect to be available. An inability to obtain sufficient appropriate evidence regarding a matter that has, or may have, a significant effect on the evaluation of the activity’s performance, when such evidence would ordinarily be available, constitutes a limitation on the scope of the performance engagement, even if a representation from the responsible party has been received on the activity.

Written representations may include that the responsible party:

1. acknowledges its responsibility for conducting the activity, intended to achieve a certain level of performance;
2. has provided the assurance practitioner with all relevant information and access agreed to, as set out in paragraph A8;
3. has disclosed to the assurance practitioner any of the following of which it is aware may be relevant to the performance engagement:
   1. variations in achievement of intended performance; or
   2. any events subsequent to the period covered by the assurance practitioner’s report up to the date of the assurance report that could have a significant effect on the assurance practitioner’s report.

(Ref: Para 47-48)

The assurance practitioner considers the impact of identified variations to assess the overall significance of the findings against the identified criteria, in order to form a conclusion about whether the engagement objective(s) have been achieved. An identified variation in an activity’s performance against the identified criteria may be considered significant when, in the assurance practitioner’s judgement, information about the variation could reasonably be expected to influence decisions made by intended users of the assurance report. What is relevant to report users is the consequences of a finding (that is, the size and severity of the impact or potential impact of the finding) and cause (why it happened).

For further guidance on factors the assurance practitioner may take into account when evaluating the significance of findings, refer to A31-A41, A52-A55.

(Ref: Para 49)

The extent of consideration of subsequent events that come to the attention of the assurance practitioner depends on the potential for such events to affect the activity’s performance and to affect the appropriateness of the assurance practitioner’s conclusions. Consideration of subsequent events in some performance engagements may not be relevant because of the nature of the activity.

The assurance practitioner does not have any responsibility to perform procedures or make any enquiry after the date of the report. However, if after the date of the report the assurance practitioner becomes aware of a matter identified, the assurance practitioner may consider reissuing the report. In a performance engagement the new report discusses the reason for the new report under a heading “Subsequent Events”.

(Ref: Para 50-51, 55(f)-(h))

The assurance practitioner’s conclusion directly addresses the question of whether or not the engagement objective has been met and, if not, is specific about the findings that resulted in exceptions to the conclusion, including the causes and consequences. The conclusion presents the assurance practitioner’s overall view and goes beyond merely restating or summarising the findings. Whereas findings are identified by comparing ‘what should be’, in accordance with the evaluation criteria identified for the engagement (the required or desired performance), with evidence on ‘what is’ (the actual performance), the assurance practitioner’s conclusion reflects the practitioner’s explanations and views based on these findings. The assurance practitioner’s conclusion clarifies and add meaning to the specific findings in the report.^[40] (Ref: Appendix 2)

In forming the conclusion, the assurance practitioner evaluates the sufficiency and appropriateness of the evidence obtained.^[41] The practitioner also assesses the significance of the findings in relation to the engagement objective(s). Evaluating whether sufficient appropriate evidence has been obtained, and whether more needs to be done to achieve the objectives of this ASAE, requires professional judgement.

L. The level of assurance in a limited assurance engagement is not easily quantified. Professional judgement is required in evaluating whether a meaningful level of assurance has been obtained. What is meaningful may vary from just above more than inconsequential to just below reasonable assurance. What is meaningful in a particular engagement represents a judgement within that range that depends on the engagement circumstances, including the information needs of the intended users, the identified criteria, and the nature of the subject matter. Because the level of assurance obtained in limited assurance engagements varies, it is important that the assurance report includes an informative summary of the procedures performed, recognising that an appreciation of the nature, timing, and extent of procedures performed is essential to understanding the assurance practitioner’s conclusion. (Ref: Para 18(l), 55(i))

(Ref: Para 52-59)

The assurance report is the means by which the assurance practitioner communicates the outcome of the direct engagement, which includes the assurance practitioner’s conclusion, findings and recommendations (if any), to the intended users. Clear communication helps the intended users to understand the assurance conclusion.

The assurance practitioner considers which report structure will be most effective to communicate the outcome of the performance engagement. To effectively add value and maximise impact, it is important that the assurance report is comprehensive, convincing, timely, reader friendly and balanced:^[42]

Comprehensive

The assurance report does not have to contain all the information collected and analysed during the engagement to be comprehensive. However, the report includes all the information and arguments the assurance practitioner judges are necessary to address the engagement objective(s), while being sufficiently detailed to help the reader understand the significance of the conclusion and findings discussed in the report.

Convincing

To be convincing, the assurance report is structured in a logical manner to present a clear relationship between the engagement objective(s), identified criteria, findings, conclusion(s) and recommendations (if any). The assurance practitioner aims to present the findings accurately, addressing all relevant arguments to the discussion. Accuracy assures readers that what is reported is credible and reliable.

Timely

To be of maximum use, the assurance report is issued in time to respond to the needs of the intended users. If permitted, the assurance practitioner may provide interim reports of significant matters to responsible parties to highlight matters that may need immediate attention.

Reader friendly

The assurance report is likely to have a greater impact when it is reader friendly. It is therefore important that the assurance report is clear, concise, logical and focused on the engagement objective(s). The assurance practitioner considers using simple and unambiguous language to the extent permitted by the subject matter. Busy readers may not read reports from beginning to end and may instead focus on a contents page, headings and subheadings, an executive summary, conclusions, significant findings and recommendations (if any). The practitioner may consider using typographical devices (for example, the bolding of text) and other mechanisms (for example, illustrations, figures and tables) to improve clarity and which may assist in better communicating key messages. Where the report includes technical terms and concepts, it may be helpful to the reader if explanations are provided in a glossary or footnotes.

Balanced

A balanced report is impartial in content and tone, presents different perspectives and viewpoints, and includes both positive and negative aspects of the performance being evaluated. Evidence is presented and interpreted in an unbiased manner. By explaining the causes and the consequences of reported findings, users may better understand their significance. This may encourage corrective action and lead to improvements in performance.

There may be circumstances where an Auditor-General, having conducted a performance engagement, decides not to report to Parliament or to publish an assurance report. The Auditor-General usually has discretion under their mandate to choose whether and to whom they will report on performance engagements. Assurance reports which are tabled in Parliament become available to the public. In certain circumstances it may be necessary for the confidentiality of the assurance report to be maintained, in which case the report may, in accordance with relevant legislation be provided to the relevant Parliamentary Committee or other appropriate user, in confidence. The Auditor-General considers the public interest in determining whether the assurance report will be made publicly available.

Assurance Report Content (Ref: Para 55-59)

This ASAE does not require a standardised format for reporting on performance engagements. Instead, it identifies the basic elements the assurance report is to include, whether in an executive summary, the main body of the report or in an appendix to the report. The format of the assurance report may differ depending on whether the assurance practitioner is an Auditor-General reporting to Parliament pursuant to their legislative mandate, or a practitioner engaged to perform a performance engagement in the private sector.

Assurance reports are tailored to the specific performance engagement circumstances and needs of intended users. The assurance practitioner uses professional judgement in deciding how best to meet the reporting requirements detailed in paragraph 55 in reporting conclusion(s), findings and recommendations (if any). The assurance practitioner includes the matters in paragraph 55 as a minimum and reports in the manner and to the extent necessary to facilitate effective communication to the intended users.

To maximise impact, the assurance practitioner may consider including an executive summary in the assurance report which may include, for example:

1. the scope of the engagement;
2. the engagement objective(s);
3. the evaluation criteria;
4. the assurance practitioner’s overall conclusion(s) against the engagement objective(s);
5. key findings; and
6. recommendations (if any);

The purpose of the main body of the assurance report is to substantiate the key findings of the engagement that support the assurance practitioner’s conclusion(s) and recommendations (if any). The engagement findings have to be put into context, and congruence has to be established between the engagement objective(s), conclusions and findings.

For reasons of transparency and accountability, the assurance practitioner may expand the assurance report to include other information and explanations, in addition to the basic elements identified in paragraph 55, including:

• The terms of the engagement.
• Relevant background information and historical context.
• In addition to the overall objective(s), also identify sub-objectives/questions (or lines of enquiry).
• In addition to the overall criteria, also identify sub-criteria.
• The assurance approach/methodology.
• Assurance-specific methods of data-collection and analysis applied.
• Sources of data.
• Factors relevant to the practitioner’s consideration of significance.
• Analysis of the causes of variations in the activity’s performance.
• Comments received in response to the report from the responsible party.

The decision to include information in addition to the basic elements identified in paragraph 55 depends on its significance to the needs of the intended users. To effectively communicate the conclusion and key findings, and not detract from key messages in the assurance report, the assurance practitioner may consider including such information in appendices to the assurance report.

Depending on the circumstances, the assurance practitioner may consider alternative structures to be more appropriate, for example, chronological or entity by entity.

Identified Criteria and their Sources (Ref: Para 18(e), 55(c)(iii))

As the intended users’ confidence in the findings and conclusions depends largely on the criteria used to evaluate the activity’s performance, it is essential that the assurance report identify the criteria used to evaluate performance, as well as their sources. This will include specifying the party responsible for those criteria, if it was not the assurance practitioner.

Findings (Ref: Para 55(g)(i), 55(h)(i))

While the format and style of assurance reports may vary, effective reporting of findings will normally contain the following elements as a minimum:

1. identification of the evaluation criteria (the required or desired performance);
2. evidence (the actual performance, both positive and negative);
3. causes (identify the root cause of problems or observations); and
4. consequences, that is, why the reader should care about the finding (that is, the size and severity of the impact or potential impact of the finding).

Including an explanation of the causes and consequences of a finding will allow users to better understand the significance of findings (and any related recommendations) and may encourage corrective action to be taken, which may lead to improvements in performance.

Conclusion(s) (Ref: Para 55(f)-(h), A100L)

The assurance conclusion is not a summary of findings but rather expresses a clear conclusion against the engagement objective based on the findings. The conclusion directly addresses the question of whether or not the objective of the engagement has been met and, if not, should ideally be specific about the findings that resulted in exceptions to the conclusion. The conclusion is written in a manner that is likely to enhance the degree of confidence of the intended users about the evaluation of the activity’s performance against the identified criteria.^[43] The user may benefit from seeing a summary of the key findings which support the conclusion in close proximity to the overall conclusion.

The level of assurance obtained/provided by the assurance practitioner should be clear from the report. A performance engagement may have more than one overall engagement objective and the assurance practitioner may need to express a conclusion against each objective. There may also be circumstances where a performance engagement may have several overall engagement objectives with a conclusion for each expressing a different level of assurance.^[44] Each conclusion would need to be expressed either in the form appropriate for a reasonable assurance engagement (expressed in positive form) or limited assurance engagement (expressed in negative form). (Ref: Para 55(d))

When the assurance practitioner was unable to obtain sufficient appropriate evidence (a scope limitation exists), the assurance practitioner’s conclusion clearly reflects that either:

1. the practitioner was unable to conclude against certain identified criteria, or certain engagement objectives or sub-objectives — when the assurance practitioner was unable to obtain sufficient appropriate evidence regarding certain aspects of the responsible party’s performance of the activity (a qualified “except for” conclusion); or (Ref: Para 55(g)(ii)a)
2. the practitioner was unable to conclude on the activity’s performance overall — when the assurance practitioner was unable to obtain sufficient appropriate evidence regarding the responsible party’s performance of the activity as a whole (a disclaimer of conclusion). (Ref: Para 55(g)(ii)b)

When the assurance practitioner has identified significant variations in the activity’s performance, the assurance practitioner’s conclusion clearly reflects that either:

1. the responsible party did not perform the activity in accordance with the identified criteria, or certain engagement objectives or subobjectives (a qualified “except for” conclusion); or (Ref: Para 55(h)(ii)a)
2. the responsible party did not perform the activity in accordance with the identified criteria, or the engagement objective(s), as a whole (an adverse conclusion). (Ref: Para 55(h)(ii)b)

L. The conclusion for a limited assurance engagement is expressed in negative form, that is, “… based on the procedures performed and evidence obtained, nothing has come to our/my attention …”. When the assurance practitioner has identified significant variations from the identified criteria, the practitioner issues a modified conclusion in line with paragraph 55(h) (adverse or qualified conclusion) — for example, “… based on the procedures performed and evidence obtained, nothing has come to our/my attention …, except for …” (qualified conclusion). To help users recognise and understand a limited assurance report, there are specific reporting requirements related to the summary of work performed and the conclusion, as outlined in paragraph 55.

Basis for Conclusion(s) (Ref: Para 55(i))

Depending on the legislative mandate that applies in each jurisdiction, Auditors-General may be required to either:

1. conduct public sector performance engagements in accordance with ASAE 3500;
2. have regard to ASAE 3500; or
3. set their own audit and assurance standards which may incorporate ASAE 3500.

Where the assurance report includes a statement that the performance engagement has been conducted in accordance with ASAE 3500, it implies the practitioner has complied with all the requirements of this ASAE that are relevant to the engagement.

L. The summary of the work performed helps the intended users understand the assurance practitioner’s conclusion. In a limited assurance engagement, the summary of the work performed may be more detailed than for a reasonable assurance engagement. This is because an appreciation of the nature, timing and extent of procedures performed is essential to understanding a conclusion expressed in a form that conveys whether, based on the procedures performed and evidence obtained, a significant matter(s) has come to the practitioner’s attention to cause the practitioner to believe that the responsible party did not perform the activity in accordance with the identified criteria. It may be appropriate to indicate in the summary of the work performed certain procedures that were not performed, that would ordinarily be expected to be performed in a reasonable assurance engagement.^[45]

Recommendations (Ref: Para 56)

A constructive recommendation is one that is relevant, practical, measurable, attainable, and likely to contribute significantly to addressing the issues identified by the engagement. Recommendations would ordinarily follow logically from the facts and arguments presented in the assurance report. For Auditors-General, the making of recommendations would be dependent upon their legislative mandates. If no recommendations are relevant, or if only key recommendations are included in the assurance report, the report includes a statement to explain this.

(Ref: Para 63)

Documentation includes a record of the assurance practitioner’s reasoning on all significant matters that require the exercise of professional judgement, and related conclusions. The existence of difficult questions of principle or judgement, calls for the documentation to include the relevant facts that were known by the assurance practitioner at the time the conclusion was reached.

In applying professional judgement to assessing the extent of documentation to be prepared and retained, the assurance practitioner may consider what is necessary to provide an understanding of the work undertaken, and the basis of the principal decisions made, to another experienced assurance practitioner who has no previous connection with the performance engagement. It is neither necessary nor practicable to document every matter the assurance practitioner considers during the performance engagement.^[46]