Requirements
Applicability of ASAE 3000
18
The assurance practitioner shall not represent compliance with this ASAE unless the assurance practitioner has complied with the requirements of this ASAE and ASAE 3000, adapted as necessary in the case of direct engagements. ASAE 3000 contains requirements and application and other explanatory material specific to attestation assurance engagements but it also applies to direct assurance engagements, adapted as necessary in the engagement circumstances.[6] If this ASAE makes reference to a requirement in ASAE 3000, that requirement shall be applied to both attestation and direct engagements, unless specified otherwise. (Ref: Para. A1, Appendix 4)
Acceptance and Continuance
Preconditions for the Assurance Engagement
20
The assurance practitioner shall accept or continue a compliance engagement only in the circumstances required by ASAE 3000, including that the preconditions for an assurance engagement are present, unless required to accept the engagement by law or regulation.
Appropriateness of the Subject Matter
21
When establishing whether the preconditions for an assurance engagement as required by ASAE 3000 are present, the assurance practitioner is required to assess the appropriateness of the subject matter.[8] In doing so, the assurance practitioner shall determine whether the compliance activities which are to be evaluated are appropriate in addressing the needs of users, that is whether the performance of those activities determines whether the compliance requirements have been met. (Ref: Para. A9-A11)
22
If the subject matter is not appropriate, the assurance practitioner shall not accept the engagement or, if this is determined after accepting the engagement, either withdraw from the engagement or issue a modified conclusion.
Assessing the Suitability of the Criteria
23
When establishing whether the preconditions for an assurance engagement as required by ASAE 3000 are present, the assurance practitioner shall determine the suitability of the criteria expected to be applied, whether the criteria are provided by the engaging party, as in an attestation engagement, or are to be identified by the assurance practitioner, as in a direct engagement, including that they exhibit the characteristics set out in ASAE 3000.[9] (Ref: Para. 17(g), A12)
Agreeing on the Terms of the Engagement
24
ASAE 3000[10] requires the parties to the engagement to agree on the terms of the assurance engagement in writing. The assurance practitioner shall obtain the agreement of the responsible party, that it acknowledges and understands its responsibility:
- In an attestation engagement, for evaluating the compliance activity against the compliance requirements and providing a written Statement regarding the outcome of that evaluation and for having a reasonable basis for the written Statement;
- For identifying suitable compliance requirements and whether they were specified by law, regulation, contract, another party (for example, a user group or a professional body) or developed by the responsible party;
- For providing the assurance practitioner with:
  - Access to all information, such as records, documentation and other matters of which the responsible party is aware are relevant to the compliance engagement;
  - Additional information that the assurance practitioner may request from the responsible party for the purposes of the assurance engagement; and
  - Unrestricted access to persons within the entity from whom the assurance practitioner determines it necessary to obtain evidence.
25
The terms of engagement shall identify:
- The scope of the engagement;
- Whether the engagement is a reasonable or limited assurance engagement;
- Whether the engagement is an attestation or direct engagement and, in the case of an attestation engagement, the form of the responsible party’s or evaluator’s evaluation of the compliance activity or Statement and whether that Statement will be available to intended users or only referenced in the assurance report; (Ref: Para. A16, A20)
- The specified period or specified date to be covered by the engagement; (Ref: Para. A17)
- The compliance requirements against which the compliance activity will be evaluated;
- The intended users of the assurance report;
- The content of the assurance report, including whether it will be a short-form or long-form report, including additional information such as the compliance requirements, procedures conducted, detailed findings and recommendations to meet the needs of the intended users; and (Ref: Para. A20)
- Any other matters required by law or regulation (e.g. reporting all matters of non-compliance identified to the regulator[11]) to be included in the terms of engagement. (Ref: Para. 27)
Acceptance of a Change in the Terms of the Engagement
Assurance Report Prescribed by Law or Regulation
27
If law or regulation prescribe the compliance requirements for evaluation or the form and content of the assurance report, the assurance practitioner evaluates the compliance requirements and form and content of the assurance report. If the compliance requirements are unsuitable or if intended users might misunderstand the assurance report, the assurance practitioner shall: (Ref: Para. A16, A52)
- Not accept the engagement unless additional explanation in the assurance report mitigates these circumstances; or
- Not include any reference within the assurance report to the engagement having been conducted in accordance with ASAE 3000 or this ASAE, if required to accept the engagement by law or regulation.
Quality Management
28
The assurance practitioner shall implement quality management procedures as required by ASAE 3000.[13]
Professional Scepticism, Professional Judgement and Assurance Skills and Techniques
29
The assurance practitioner shall apply professional scepticism, exercise professional judgement and apply assurance skills and techniques in planning and performing an assurance engagement on compliance as required by ASAE 3000.[14] In applying professional scepticism, the assurance practitioner shall recognise the possibility that matters of non‑compliance due to fraud could exist, notwithstanding the assurance practitioner’s past experience of the honesty and integrity of the entity’s management and those charged with governance.
Planning and Performing the Engagement
Planning
Materiality
31
The assurance practitioner shall consider materiality, as required by ASAE 3000,[16] when determining the nature, timing and extent of procedures. (Ref: Para. A24-A29)
Obtaining an Understanding of the Compliance Framework and Compliance Requirements
32
Limited Assurance
L. The assurance practitioner shall obtain an understanding of the entity’s compliance framework and its key elements, the compliance requirements which are included in the scope of the engagement, and other engagement circumstances, and on the basis of that understanding, the assurance practitioner shall: (Ref: Para. A30-A32)
Reasonable Assurance
R. The assurance practitioner shall obtain an understanding of the entity’s compliance framework and its key elements, the compliance requirements which are included in the scope of the engagement, and other engagement circumstances, and on the basis of that understanding, the assurance practitioner shall: (Ref: Para. A30-A32)
Identifying Risks of Fraud
33
When performing risk assessment procedures and related activities to obtain an understanding of the compliance framework and other engagement circumstances, the assurance practitioner shall obtain sufficient information for use in identifying the risks of the compliance requirements not being met due to fraud. (Ref: Para. A33-A34)
Obtaining an Understanding of the Internal Audit Function
35
The assurance practitioner shall consider based on the compliance engagement circumstances whether it is appropriate to use the work of the internal audit function.
Using the Work of the Internal Audit Function
37
If the assurance practitioner’s evaluation of the internal audit function confirms that the work of the internal audit function can be used for purposes of the compliance engagement, then the assurance practitioner shall determine the planned effect of the work of the internal audit function on the nature, timing or extent of the assurance practitioner’s procedures and in doing so, shall consider: (Ref: Para. A36, A43-A44)
- The nature and scope of work performed, or to be performed, on the compliance framework by the internal audit function;
- The significance of that work to the assurance practitioner’s conclusions;
- The degree of subjectivity involved in the evaluation of the evidence obtained in support of those conclusions; and
- Re-performing some of the work of the internal audit function that is planned to be used.
38
The use of internal auditors to provide direct assistance is prohibited in an assurance engagement conducted in accordance with this ASAE. Direct assistance is the performance of assurance procedures under the direction, supervision and review of the assurance practitioner.[18] This prohibition does not preclude reliance on the work of the internal audit function to modify the nature or timing, or reduce the extent, of assurance procedures to be performed directly by the assurance practitioner. (Ref: Para. A36)
Obtaining Evidence
39
Based on the assurance practitioner’s understanding obtained under paragraph 32L and 32R, the assurance practitioner shall perform assurance procedures to respond to identified or assessed risks in paragraph 32L(b) to obtain limited or 32R(b) to obtain reasonable assurance to support the assurance practitioner’s conclusion. (Ref: Para. A37-A39)
40
The assurance practitioner shall design and perform additional procedures, the nature, timing and extent of which are responsive to the risks of material deficiency in the compliance framework or matters of non‑compliance with compliance requirements, having regard to the level of assurance required, reasonable or limited, as appropriate. (Ref: Para. A40)
Responses to Assessed Risks of Fraud
41
The assurance practitioner shall treat those assessed risks of compliance requirements not being met due to fraud as significant risks. Accordingly, the assurance practitioner shall design and perform procedures, on controls designed to mitigate such risks, and whose nature, timing and extent are responsive to those assessed risks. In doing this the assurance practitioner shall have regard to the level of assurance required, reasonable or limited, as appropriate. (Ref: Para. A34)
Obtaining Evidence Regarding the Compliance Activity
42
When reporting on compliance throughout the specified period or as at a specified date, the assurance practitioner shall evaluate those compliance activities that the assurance practitioner has determined are necessary to meet the compliance requirements identified, and assess their compliance throughout the specified period or as at a specified date. (Ref: Para. A37)
43
Limited Assurance
L. The nature, timing and extent of evaluation of compliance activities, shall be limited to:
The results of exception reporting, monitoring or other management controls may be examined to provide evidence about the operation of the compliance activity rather than directly testing it. (Ref: Para. A37)
Reasonable Assurance
R. The nature, timing and extent of testing and evaluation of compliance activities, shall include:
The results of exception reporting, monitoring or other management controls may be examined to reduce the extent of direct testing and evaluation of the operation of the compliance activity but shall not eliminate it entirely. (Ref: Para. A37)
44
Limited Assurance
L. The assurance practitioner shall apply professional judgement in determining the specific nature, timing and extent of procedures to be conducted, which will depend on the assessed risks of material non-compliance with the compliance requirements. If the assurance practitioner determines that additional assurance procedures are required to dispel or confirm a suspicion that a material matter of non-compliance exists, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement as they relate to the reduction of risk to an acceptable level with respect to that matter alone. (Ref: Para. A39-A40)
Reasonable Assurance
R. The assurance practitioner shall apply professional judgement in determining the specific nature, timing and extent of procedures to be conducted, which will depend on the assessed risks of material non-compliance with the compliance requirements. (Ref: Para. A39)
45
Limited Assurance
Reasonable Assurance
R. When determining the extent of testing and evaluation of compliance activities, the assurance practitioner shall consider matters including the characteristics of the population to be tested and evaluated, which includes the nature of the compliance activity, the frequency of their occurrence (for example, monthly, daily, a number of times per day), and the expected rate of matter(s) of non-compliance. Some compliance activities operate continuously, while others operate only at particular times, so the testing and evaluation of compliance shall be performed throughout the specified period of time that is sufficient to allow the practitioner to conclude. (Ref: Para. A40)
46
When the assurance practitioner uses sampling to test compliance, the assurance practitioner shall: (Ref: Para. 45R)
- Consider the purpose of the procedure and the characteristics of the compliance activity from which the sample will be drawn when designing the sample;
- Determine a sample size sufficient to reduce sampling risk to an acceptably low level;
- Select items for the sample in such a way that each sampling unit in the population has a chance of selection and the sample is representative of the population; and
- If unable to apply the designed procedures, or suitable alternative procedures, to a selected item, treat that item as a deviation.
Work Performed by an Assurance Practitioner’s Expert
Work Performed by Another Assurance Practitioner or a Responsible Party’s or Evaluator’s Expert
Written Representations
51
The assurance practitioner shall request the responsible party, or other relevant person(s) within the entity to provide written representations, in addition to those required by ASAE 3000,[21] that the responsible party: (Ref: Para. A46)
- In the case of an attestation engagement, reaffirms their Statement regarding the outcome of the responsible party’s evaluation of the compliance activity against the compliance requirements throughout the specified period or as at a specified date;
- Acknowledges its responsibility for the compliance activity, including identifying the risks that threaten the compliance requirements being met, and designing, implementing and maintaining internal controls to mitigate those risks, including the risk of fraud, so that those risks will not prevent achievement of the compliance requirements;
- Has provided the assurance practitioner with all relevant information and access agreed to, as set out in paragraph 24(c)(i);
- Has disclosed to the assurance practitioner any of the following of which it is aware may be relevant to the engagement:
  - Instances of non-compliance with the compliance requirements; or
  - Any events subsequent to the specified period or as at the specified date covered by the assurance practitioner’s conclusion up to the date of the assurance report that could have a significant effect on the assurance practitioner’s conclusion.
The assurance practitioner shall evaluate written representations in accordance with ASAE 3000. (Ref: Para. A47)
Subsequent Events
52
When relevant to the compliance engagement, the assurance practitioner shall consider the effect on the compliance outcome of events up to the date of the assurance report, and shall respond appropriately to facts that become known to the assurance practitioner after the date of the assurance conclusion, that had they been known to the assurance practitioner at that date, may have caused the assurance practitioner to amend the assurance conclusion. The extent of consideration of subsequent events depends on the potential for such events to impact the assurance practitioner’s conclusion. The assurance practitioner has no responsibility to perform any procedures regarding the compliance outcome after the date of the assurance report. (Ref: Para. A49-A50)
Forming the Assurance Conclusion
53
The assurance practitioner shall evaluate the sufficiency and appropriateness of the evidence obtained in the context of the engagement and, if necessary, attempt to obtain further evidence. If the assurance practitioner is unable to obtain necessary further evidence, the assurance practitioner shall consider the implications for the assurance practitioner’s conclusion in accordance with ASAE 3000.[22] The assurance practitioner shall qualify their conclusion if the possible effects of undetected matters of non‑compliance with the compliance requirements due to an inability to obtain sufficient appropriate evidence could be material, and shall disclaim their conclusion if the possible effects could be both material and pervasive.
54
When the assurance practitioner forms a conclusion in accordance with ASAE 3000,[23] the assurance practitioner shall evaluate the materiality, individually and in aggregate whether due to fraud or error, of any matter(s) of non-compliance with the compliance requirements. If the matters of non-compliance identified are: (Ref: Para. A45-A46)
- Material but not pervasive, the assurance practitioner shall qualify their assurance conclusion with respect to the relevant matter; or
- Material and pervasive, the assurance practitioner shall issue an adverse conclusion.
Preparing the Assurance Report
55
The assurance practitioner shall prepare the assurance report in accordance with ASAE 3000[24] for attestation engagements and shall also apply those requirements for direct engagements.
Assurance Report Content
56
For both attestation and direct engagements, the assurance practitioner shall include in the assurance report the basic elements required by ASAE 3000,[25] which are at a minimum:
- A title, indicating that it is an independent assurance report;
- An addressee;
- An identification of whether reasonable or limited assurance has been obtained by the assurance practitioner;
- Identification of the compliance requirements;
- Whether the assurance practitioner is reporting on compliance throughout the specified period or as at a specified date;
- In the case of an attestation engagement, reference to the responsible party’s Statement as required by paragraph 24(a) and whether that Statement is available to intended users by accompanying the assurance report, reproduction in the assurance report or another identified source;
- Identification of the overall and/or specific criteria used for evaluating the compliance activity;
- If appropriate, a description of any significant inherent limitations associated with the evaluation of the compliance activity against the compliance requirements;
- A statement that the responsible party or evaluator is responsible for:
  - In an attestation engagement:
    - Providing a Statement with respect to the outcome of the evaluation of the compliance activity against the compliance requirements;
    - Identifying the compliance requirements (where not identified by Parliament, the Government, law or regulation, or another party, for example, a user group or a professional body); and
  - In both an attestation and a direct engagement:
    - The compliance activity covered by the assurance practitioner’s report;
    - Identifying, designing and implementing controls to enable the compliance requirements to be met and to monitor ongoing compliance;
- A statement that the assurance practitioner’s responsibility is to express a conclusion on whether the compliance requirements have, in all material respects, been met;
- A statement that the engagement was performed in accordance with ASAE 3100 Compliance Engagements;
- A statement that the firm of which the assurance practitioner is a member applies ASQM 1, or other professional requirements, or requirements in law and regulation, that are at least as demanding as ASQM 1. If the assurance practitioner is not a professional accountant, the statement shall identify the professional requirements, or requirements in law and regulation, applied that are at least as demanding as ASQM 1;
- A statement that the assurance practitioner complies with the independence and other relevant ethical requirements related to assurance engagements, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding;
- An informative summary of the work performed as a basis for the assurance practitioner’s conclusion. In the case of a limited assurance engagement, an appreciation of the nature, timing, and extent of procedures performed is essential to understanding the assurance practitioner’s conclusion. In a limited assurance engagement, the summary of the work performed shall state that: (Ref: Para. A53-A57)
  - The procedures performed in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement; and
  - Consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed;
- When the criteria used to evaluate the compliance requirements are available only to specific intended users, or are relevant only for a specific purpose, a statement restricting the use of the assurance report to those intended users or that purpose; (Ref: Para. A58)
- Either, the assurance practitioner’s opinion for a reasonable assurance engagement or the assurance practitioner’s conclusion for a limited assurance engagement about whether, in all material respects the entity complied with the compliance requirements throughout the specified period or as at a specified date;
- When the assurance practitioner expresses a modified conclusion, the assurance report shall contain:
  - A section (entitled: Basis for Qualified/Adverse/Disclaimer of Conclusion/Opinion) that provides a description of the matter(s) giving rise to the modification; and
  - A section that contains the assurance practitioner’s modified conclusion;
- The assurance practitioner’s signature, the date of the assurance report and the location in the jurisdiction where the assurance practitioner practices.
57
If the assurance practitioner provides a long‑form assurance report to meet the information needs of users, as agreed in the terms of engagement, or as required by law or regulation, the assurance practitioner’s report shall include a separate section, or an attachment, containing any other information and explanations that are not intended to affect the assurance practitioner’s conclusion and are clearly identified as such. (Ref: Para. A51)
Emphasis of Matter and Other Matter Paragraphs
59
The assurance practitioner shall include an Emphasis of Matter or Other Matter paragraph in the circumstances provided for in ASAE 3000[26] for an attestation engagement. In a direct engagement, if the assurance practitioner considers it necessary to communicate a matter that, in the assurance practitioner’s judgement, is relevant to intended users’ understanding of the engagement, the assurance practitioner’s responsibilities or the assurance report, the assurance practitioner shall include in the assurance report an Other Matter paragraph, with an appropriate heading, that clearly indicates the assurance practitioner’s conclusion is not modified in respect of the matter.
Modified Conclusions
60
If the assurance practitioner concludes that the compliance activity has not met the compliance requirements throughout the specified period or as at a specified date; or the assurance practitioner is unable to obtain sufficient appropriate evidence, the assurance practitioner’s conclusion shall be modified, and the assurance practitioner’s report shall include a section with a clear description of all the reasons for the modification. (Ref: Para. A59-A61)
Scope Limitation
61
When a scope limitation is imposed by the circumstances of the particular engagement, the assurance practitioner shall attempt to perform alternative procedures to overcome the limitation. When a scope limitation exists and remains unresolved, the wording of the assurance practitioner’s conclusion shall indicate that it is qualified as to the effects of any instances of non‑compliance with the compliance requirements, which might have been identified had the limitation not existed. If the effect of the unresolved scope limitation is both material and pervasive, the assurance practitioner shall express a disclaimer of conclusion. (Ref: Para. A62)
Other Communication Responsibilities
62
The assurance practitioner shall consider whether, pursuant to the terms of the engagement, if applicable, and other engagement circumstances, any matter has come to the attention of the assurance practitioner that is to be communicated with the responsible party, the evaluator, the engaging party, those charged with governance or others, as required by ASAE 3000.[27] If during the course of the engagement the assurance practitioner identifies any matters of non‑compliance with the entity’s compliance requirements other than those which are clearly trivial, the assurance practitioner shall communicate on a timely basis to an appropriate level of management those matters of non‑compliance or to those charged with governance on a timely basis those matters of material non‑compliance. (Ref: Para. A64)
63
In limited circumstances the assurance practitioner may be required by law or regulation and the terms of the engagement to report all instances of non‑compliance with the compliance requirements to the regulator[28].
64
If the assurance practitioner has identified a fraud or has obtained information that indicates that a fraud may exist, the assurance practitioner shall communicate these matters on a timely basis to the appropriate level of management or those charged with governance in order to inform those with primary responsibility for the prevention and detection of fraud of matters relevant to their responsibilities. The assurance practitioner shall determine whether there is a responsibility to report the occurrence or suspicion to a party outside the entity. (Ref: Para. A63)
Documentation
66
The assurance practitioner shall prepare documentation in accordance with ASAE 3000.[29] In documenting the nature, timing and extent of procedures performed as required by ASAE 3000, the assurance practitioner shall record (Ref: Para. A65):
- The identifying characteristics of the compliance activity being tested;
- Who performed the work and the date such work was completed; and
- Who reviewed the work performed and the date and extent of such review.
See ASAE 3000, paragraph 2.
See ASAE 3000, paragraphs Aus 20.1 and ASA 102 Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assurance Engagements.
See ASAE 3000, paragraph 24(b)(i).
See ASAE 3000, paragraph 24(b).
See ASAE 3000, paragraph 27.
An example of where this would apply is the compliance component of an AFSL Licensee FS 71 engagement where the Australian Securities and Investments Commission (ASIC) require reporting of all breaches.
See ASAE 3000, paragraph 29.
See ASAE 3000, paragraphs 31-36.
See ASAE 3000, paragraphs 37-39.
See ASAE 3000, paragraph 40.
See ASAE 3000, paragraph 44.
See ASAE 3000, paragraph 55.
See ASAE 3000, paragraph 52.
See ASAE 3000, paragraphs 53-54.
See ASAE 3000, paragraph 56.
See ASAE 3000, paragraph 66.
See ASAE 3000, paragraphs 64-65.
See ASAE 3000, paragraphs 67-69.
See ASAE 3000, paragraph 69.
See ASAE 3000, paragraph 73.
See ASAE 3000, paragraph 78.
An example of where this would apply is the compliance component of an AFSL Licensee FS 71 engagement where ASIC require reporting of all breaches.
See ASAE 3000, paragraphs 79-83.