Application and Other Explanatory Material

Application

(Ref: Para. 1)

A1

Engagements which are covered by this ASAE and those that are covered by other subject matter specific ASAEs have been further illustrated at Appendix 4.

Introduction

(Ref: Para. 3-14)

A3

In a direct engagement, the assurance practitioner evaluates the compliance activity conducted by the responsible party to meet the compliance requirement.  In a attestation engagement, the responsible party evaluates the compliance activity against the compliance requirements and provides a statement on the compliance outcome.

A5

In a three party relationship, which is an element of an assurance engagement,[30] the responsible party may or may not be the engaging party, but is responsible for the compliance activities which are the underlying subject matter of the engagement and is a separate party from the intended users.  The responsible party and the intended users may both be internal to the entity, for example if the responsible party is at an operational level of management and the intended users are at the level of those charged with governance, such as the Board or Audit Committee.  See Appendix 1 for a discussion of how each of these roles relate to an assurance engagement on compliance.

Ethical Requirements

(Ref: Para. 19)

Acceptance and Continuance

Competence and Capabilities to Perform the Engagement

A7

Relevant competence and capabilities, including having sufficient time to perform the compliance engagement, as required by ASAE 3000[31] by persons who are to perform the engagement, include matters such as the following:

  • Knowledge of the relevant industry, compliance frameworks, the nature of the overall compliance requirements (for example: emissions quantification or regulatory compliance).
  • An understanding of controls, IT and systems.
  • Experience in evaluating risks as they relate to the compliance requirements.
  • Experience in the design and execution of tests of compliance and the evaluation of the results.

Rational Purpose

A8

When considering the acceptance of a limited assurance engagement on compliance, ASAE 3000 requires the assurance practitioner to determine whether a meaningful level of assurance is expected to be able to be obtained,[32] which may include whether a limited assurance engagement is likely to be meaningful to users.  In making this assessment, consideration is given to the intended users of the assurance report and whether they are likely to understand the limitations of a limited assurance engagement, including the need to read the assurance report in detail to understand the assurance procedures performed and the assurance obtained.

Assessing the Appropriateness of the Subject Matter (Ref: Para. 21)

A9

An appropriate subject matter is:

  1. Identifiable, and capable of consistent evaluation against the identified criteria; and
  2. Able to be subjected to procedures for gathering sufficient appropriate evidence to support a reasonable assurance or limited assurance conclusion, as appropriate.

A10

Examples of subject matters that may be appropriate for a compliance engagement include compliance with the following:

  • General Insurers and Insurance Groups - Risk Management Strategy & Reinsurance Management Strategy (RMS/REMS).
  • Treasurer’s Instructions.
  • Managed Investment Schemes – Compliance Plan.
  • Registered Superannuation Entity – SIS Act requirements (SPS 310).
  • Financial Services Licensee – Corporations Act 2001 requirements.

A11

For further guidance on assessing the appropriateness of the subject matter refer to Appendix 3 and ASAE 3000[11]

Assessing the Suitability of the Criteria (Ref: Para. 23)

A13

In the context of a compliance engagement, examples of criteria include:

  • Externally imposed criteria under law or directives, including:
    • Legislation.
    • Regulation.
    • Other statutory requirements (e.g. ASIC Regulatory Guides and Practice Notes or APRA Prudential Standards).
    • Ministerial directives.
    • Industry or professional obligations (professional standards or guidance, codes of practice or conduct).
    • Enforceable contractual obligations.
    • Enforceable undertakings.
  • Internally imposed criteria, as determined by management, including:
    • Organisational policies and procedures.
    • Frameworks, for example, compliance framework based on ISO 19600 – Compliance Management Systems.

A14

Criteria need to be identified by the parties to the engagement and agreed by the engaging party and the assurance practitioner.  The assurance practitioner may need to discuss the criteria to be used with those charged with governance, management and the intended users of the report.  Criteria can be either established or specifically developed.  The assurance practitioner normally concludes that established criteria embodied in laws or regulations or issued by professional bodies, associations or other recognised authorities that follow due process are suitable when the criteria are consistent with the objective.  Other criteria may be agreed to by the intended users of the assurance practitioner’s report, or a party entitled to act on their behalf, and may also be specifically developed for the engagement.

A15

In situations where the criteria have been specifically developed for the engagement, the assurance practitioner may obtain from the intended users or a party entitled to act on their behalf, acknowledgment that the specifically developed criteria are sufficient for the user’s purposes. (Ref: Para. 23)

Agreeing on the Terms of the Engagement (Ref: Para. 24-25)

A16

When agreeing whether the engagement is to be conducted as an attestation or direct engagement, the assurance practitioner considers factors such as whether:

  1. there is a regulatory requirement or users need an evaluation of the compliance activity by the responsible party or evaluator (Ref: Para. 27); or
  2. the entity has the resources and expertise to prepare a suitable description or documentation of the compliance activity, compliance requirements and related controls and conduct a meaningful evaluation of the compliance outcome.

A19

Where relevant, the terms of the engagement could also include a reference to, and description of, the auditor’s responsibility in accordance with:

  • applicable law;
  • regulation or relevant ethical requirements, and
  • obligations to report identified or suspected non-compliance with laws and regulations to an appropriate authority outside the entity is required or appropriate in the circumstances.

A21

An example engagement letter(s) is contained in Appendix 5.

Planning and Performing the Engagement

Planning (Ref: Para. 30)

A22

The nature and extent of planning activities will vary with the compliance engagement circumstances, for example the size and complexity of the compliance activity and requirements, the assurance practitioner’s previous experience with this area and the entity as a whole. Examples of the main matters to be considered when developing the engagement plan include:

  1. Matters affecting the industry in which the entity operates, for example economic conditions, laws and regulations, and technology;
  2. Risks to which the entity is exposed that are relevant to the compliance activity being examined;
  3. The quality of the control environment within the entity and the role of the governing body, audit committee and internal audit function;
  4. Knowledge of the entity’s internal control structure obtained during other engagements;
  5. The extent of recent changes if any, in the entity, its operations or its compliance framework;
  6. Methods adopted by management to evaluate the effectiveness of the compliance framework;
  7. Preliminary judgements about significant risk;
  8. The nature and extent of evidence likely to be available;
  9. The nature of control procedures relevant to the compliance activity and their relationship to the compliance framework taken as a whole;
  10. The assurance practitioner’s preliminary judgement about the effectiveness of the compliance framework taken as a whole and of the control procedures within the framework;
  11. The terms of the compliance engagement;
  12. The characteristics of the compliance activity and the identified criteria;
  13. Identification of intended users and their needs, and consideration of materiality and the components of compliance engagement risk; and
  14. Personnel and expertise requirements, including the nature and extent of involvement by experts.

Materiality (Ref: Para.31)

A26

Materiality is considered when determining the nature, timing and extent of evidence gathering procedures, and when evaluating whether a matter of non‑compliance is material.  In considering materiality, the assurance practitioner understands and assesses what factors might influence the decisions of the intended users.

A27

Materiality is considered when evaluating the effect of accumulated deficiencies in the compliance framework or matters of non‑compliance with the compliance requirements.  Material deficiencies or matters of non‑compliance are those which could significantly impact the compliance requirements being met and reasonably be expected to influence relevant decisions of the intended users.

A28

Materiality is considered in the context of quantitative and qualitative factors, such as relative magnitude of instances of detected or suspected matter(s) of non‑compliance, the nature and extent of the effect of these factors on the evaluation of compliance with the compliance requirements and the interests of the intended users.  The assessment of materiality and the relative importance of quantitative and qualitative factors in a particular engagement are matters for the assurance practitioner’s professional judgement, taking into account specific regulatory reporting requirements.

A29

Quantitative and qualitative factors which the assurance practitioner may consider when assessing materiality include:

  • The magnitude of the instances of detected or suspected matter(s) of non-compliance with the compliance requirements.
  • The financial impact of the matter(s) of non-compliance on the entity as a whole.
  • The nature of the matter(s) of non-compliance – one off or systemic.
  • Evidence of a robust compliance framework in place to detect, rectify and report matter(s) of non-compliance.
  • Commonly accepted practices within the relevant industry.
  • The nature of relevant transactions, whether they involve high volumes, large dollar values and complex transactions relative to the compliance activity as a whole.
  • The extent of interest shown in particular aspects of the compliance activity by, for example, governing body, regulatory authorities and agencies or the public.

Obtaining an Understanding of the Compliance Framework and Compliance Requirements (Ref: Para. 32)

A30

The assurance practitioner’s understanding of the compliance framework and compliance requirements, ordinarily, has a lesser depth for a limited assurance engagement than for a reasonable assurance engagement. The assurance practitioner’s procedures to obtain this understanding may include:

  • Review and understand the relevant compliance requirements.
  • Enquiring of those within the entity who, in the assurance practitioner’s judgement, may have relevant information.
  • Observing operations.
  • Inspecting documents, reports, printed and electronic records.
  • Re-performing compliance procedures.

A31

The nature and extent of procedures to gain this understanding are a matter for the assurance practitioner’s professional judgement and will depend on factors such as:

  1. The entity’s size and complexity;
  2. The nature of the activity to be examined, including the compliance requirement(s) to which the compliance procedures are directed and the risk that those compliance requirements will not be met;
  3. The extent to which IT is used; and
  4. The documentation available.

A32

The nature and extent of planning and subsequent evidence-gathering procedures will vary with the engagement circumstances, and the maturity of the entity’s compliance framework.

 

Elements of an entity’s compliance framework ordinarily include the following:

  • Procedures for identifying and updating compliance requirements.
  • Staff training and awareness programs.
  • Procedures for assessing the impact of compliance requirements on the entity’s key business activities.
  • Controls embedded within key business processes designed to ensure compliance with requirements.
  • Processes to identify and monitor the implementation of further mitigating actions required to ensure that compliance requirements are met.
  • A monitoring plan to test key compliance controls on a periodic basis and report exceptions.
  • Procedures for identifying, assessing, rectifying and reporting matters of non-compliance.
  • Periodic sign off by management and/or external third party outsourced service providers[34] as to compliance with requirements.
  • A compliance governance structure that establishes responsibility for the oversight of compliance control activities with those charged with governance, typically a Board Audit, Risk Management or Compliance Committee.

Identifying Risks of Fraud (Ref: Para. 33,41)

A34

The assurance practitioner may consider undertaking the following procedures to obtain sufficient appropriate evidence of the risk of fraud in relation to the compliance requirements:

  1. Make enquiries of management with respect to compliance regarding:
    1. Management’s assessment of the risk that controls may be circumvented due to fraud, including the nature, extent and frequency of such assessment;
    2. Management’s process for identifying and responding to the risks of fraud;
    3. Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud; and
    4. Management’s communication, if any, to employees regarding its views on corrupt or fraudulent business practices and unethical behaviour;
  2. Make enquiries of those charged with governance, management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected or alleged fraud with respect to compliance affecting the entity;
  3. Make enquiries of the internal audit function, where it exists, to determine whether it has knowledge of any actual, suspected or alleged fraud affecting the entity, and to obtain its views about the risks of fraud;
  4. Obtain an understanding of how those charged with governance exercise oversight of processes for identifying and responding to the risks of fraud in the entity and the internal controls that have been established to mitigate these risks as far as they relate to the compliance requirements;
  5. Consider whether other information obtained by the assurance practitioner indicates risks of compliance requirements not being met due to fraud, for which mitigating controls are necessary;
  6. Evaluate whether the information obtained from the other risk assessment procedures and related activities performed indicates that one or more fraud risk factors are present; and
  7. Identify controls over matters for which decisions or actions are not routine, such as adjustments to records, development of estimates and activities outside the normal course of business.

Obtaining an Understanding of the Internal Audit Function (Ref: Para. 34-38)

A35

In obtaining an understanding of the compliance framework, including controls, the assurance practitioner determines whether the entity has an internal audit function and its effect on the controls within the compliance framework.  The internal audit function ordinarily forms part of the entity’s internal control and governance structures.  The responsibilities of the internal audit function may include, for example, monitoring of internal control, risk management, and review of compliance with laws and regulations, and is considered as part of the assurance practitioner’s assessment of risk.

Obtaining Evidence

(Ref: Para. 42-46)

A37

Compliance engagements require the application of assurance skills and techniques to gather sufficient appropriate evidence as part of an iterative, systematic assurance engagement  process.  As the assurance practitioner performs planned procedures, the evidence obtained may differ significantly from that on which the planned procedures were based and cause the assurance practitioner to perform additional procedures.

A38

When compliance requirements apply throughout the specified period, the assurance practitioner may consider the nature and frequency of the compliance activities undertaken, and modify the nature, timing and extent of evaluation and/or testing to be undertaken on compliance activities.  Knowledge of non‑compliance observed in prior periods is likely to lead the assurance practitioner to increase the extent of evaluation and/or testing throughout the specified period.

Limited and Reasonable Assurance Engagements (Ref: Para. 43)

A40

The level of assurance obtained in a limited assurance engagement is lower than in a reasonable assurance engagement, therefore the procedures the assurance practitioner performs in a limited assurance engagement are different in nature and timing from, and are less in extent than for, a reasonable assurance engagement. The primary differences between the assurance practitioner’s overall responses to assessed risks and further procedures conducted in a reasonable assurance engagement and a limited assurance engagement on compliance include:

  1. The emphasis placed on the nature of various procedures as a source of evidence will likely differ, depending on the engagement circumstances. For example, the assurance practitioner may judge it to be appropriate in the circumstances of a particular limited assurance engagement to place relatively greater emphasis on indirect evaluation of compliance activities, such as enquiries of the entity’s personnel, and relatively less emphasis, on evaluation of compliance activities, such as observation, re-performance or inspection, than may be the case for a reasonable assurance engagement.
  2. In a limited assurance engagement, the further procedures performed are less in extent than in a reasonable assurance engagement in that those procedures may involve:
    1. Selecting fewer items for examination;
    2. Performing fewer types of procedures; or
    3. Performing procedures at fewer locations.

Work Performed by an Assurance Practitioner’s Expert

(Ref: Para. 47)

A41

ASAE 3000[35] provides application material for the circumstances where an assurance practitioner’s expert is involved in the engagement.  This material may also be used as  guidance when using the work of another assurance practitioner or a responsible party’s or evaluator’s expert.

Work Performed by Another Assurance Practitioner or a Responsible Party’s or Evaluator’s Expert

(Ref: Para. 48)

A42

When information on compliance activities to be used as evidence has been prepared using the work of a responsible party’s or evaluator’s expert, the nature, timing and extent of procedures with respect to the work of the responsible party’s or evaluator’s expert may be affected by such matters as:

  1. The nature and complexity of the compliance activity to which the expert’s work relates;
  2. The risks of a material deficiency in the compliance framework or non-compliance with the compliance requirements throughout the specified period or as at a specified date;
  3. The availability of alternative sources of evidence or mitigating controls;
  4. The nature, scope and objectives of the expert’s work;
  5. Whether the expert is employed by the entity, or is a party engaged by it to provide relevant services;
  6. The extent to which the responsible party or evaluator can exercise control or influence over the work of the expert;
  7. Whether the expert is subject to technical performance standards or other professional or industry requirements;
  8. The nature and extent of any controls within the entity over the expert’s work;
  9. The assurance practitioner’s knowledge and experience of the expert’s field of expertise; and
  10. The assurance practitioner’s previous experience of the work of that expert.

Work Performed by the Internal Audit Function (Ref: Para.  34-38)

A43

The nature, timing and extent of the assurance practitioner’s procedures on specific work of the internal auditors will depend on the assurance practitioner’s assessment of the significance of that work to the assurance practitioner’s conclusions, the evaluation of the internal audit function and the evaluation of the specific work of the internal auditors. Such procedures may include:

  1. Examination of evidence of the operation of the compliance activity already examined by the internal auditors;
  2. Examination of evidence of the operation of other instances of the same compliance activity;
  3. Examination of the outcomes of monitoring of controls by internal auditors; and
  4. Observation of procedures performed by the internal auditors.

Written Representations

(Ref: Para. 51)

A48

The person(s) from whom the assurance practitioner requests written representations will ordinarily be a member of senior management or those charged with governance.  However, because management and governance structures vary by entity, reflecting influences such as different cultural and legal backgrounds, and size and ownership characteristics, it is not possible for this ASAE to specify for all engagements the appropriate person(s) from whom to request written representations.  The process to identify the appropriate person(s) from whom to request written representations requires the exercise of professional judgement.

Subsequent Events

(Ref: Para 52)

Preparing the Assurance Report

(Ref: Para. 55-58)

Assurance Report Content

A51

The assurance practitioner may expand the report to include other information not intended as a qualification of the assurance practitioner’s conclusion. If the report includes other information it is a long-form report as the information is additional to the basic elements required in paragraph 56 for a short-form report. This additional information may be required by regulation or agreed in the terms of the engagement to meet the needs of users. When considering whether to include any such information the assurance practitioner assesses the materiality of that information in the context of the objectives of the engagement. Other information is not to be worded in such a manner that it may be regarded as a qualification of the assurance practitioner’s conclusion and may include for example:

  • Relevant background information and historical context.
  • The assurance approach.
  • Underlying facts and criteria applied.
  • Disclosure of materiality levels.
  • Findings relating to particular aspects of the compliance engagement.
  • Analysis of the causes of non-compliance with the compliance requirements.
  • Recommendations for improvements to address identified compliance framework deficiencies.

Summary of the Work Performed (Ref: Para 56(n))

A54

In a limited assurance engagement an appreciation of the nature, timing, and extent of procedures performed is essential to understanding the assurance conveyed by the conclusion, therefore the summary of the work performed is ordinarily more detailed than for a reasonable assurance engagement and identifies the limitations on the nature, timing, and extent of procedures.  It also may be appropriate to indicate certain procedures that were not performed that would ordinarily be performed in a reasonable assurance engagement.  However, a complete identification of all such procedures may not be possible because the assurance practitioner’s required understanding and consideration of engagement risk is less than in a reasonable assurance engagement.

A55

Factors to consider in determining the level of detail to be provided in the summary of the work performed include:

  1. Circumstances specific to the entity (e.g. the maturity of the entity’s compliance framework compared to those typical in the industry sector);
  2. Specific engagement circumstances affecting the nature and extent of the procedures performed; and
  3. The intended users’ expectations of the level of detail to be provided in the report, based on market practice, or applicable law or regulation.

A57

Illustrative examples of assurance practitioner’s reports are contained in Appendix 6.

Intended Users and Specific Purpose of the Assurance Report (Ref: Para.  56(o))

Modified Conclusions (Ref: Para. 6061)

A59

Modifications to the assurance report may be made in the following circumstances:

  1. A qualified conclusion may be issued if the following matters are material but not pervasive:
    1. Unsuitable criteria mandated by legislation or regulation where the assurance practitioner is unable to resign from the engagement;
    2. Scope limitation;
    3. Non-compliance with the compliance requirements;
    4. Misstatement in the Statement;
  2. An adverse conclusion may be issued if the following matters are both material and pervasive:
    1. Unsuitable criteria mandated by legislation or regulation where the assurance practitioner is unable to resign from the engagement;
    2. Non-compliance with the compliance requirements;
    3. Misstatement in the Statement;
  3. A disclaimer may be issued if there is a limitation of scope which is both material and pervasive.

A60

Illustrative examples of elements of modified assurance practitioner’s reports are contained in Appendix 7.

Other Communication Responsibilities

(Ref: Para. 62-65)

A63

Appropriate actions to respond to the circumstances identified in paragraph 65 may include:

  • Obtaining legal advice about the consequences of different courses of action.
  • Communicating with those charged with governance of the entity.
  • Communicating with third parties (for example, a regulator) when required to do so.
  • Modifying the assurance practitioner’s conclusion, or adding an Other Matter paragraph.
  • Withdrawing from the engagement.

Documentation

(Ref: Para. 66-67)

31

See ASAE 3000, paragraph 32.

32

See ASAE 3000, paragraph 24(b)(vi).

33

See ASAE 3000, paragraph 24(b)(i). 

34

Refer to ASA 402 Audit Considerations Relating to an Entity Using a Service Organisation and GS013 Special Considerations in the Audit of Compliance Plans of Managed Investment Schemes paragraphs 36 and 37 for further guidance.

35

See ASAE 3000, paragraphs A120-A134.

36

See ASAE 3000, paragraphs A136-A139.

37

See ASAE 3000, paragraphs A193-A200.