Introduction
Scope of this Standard on Assurance Engagements
1
This Standard on Assurance Engagements (ASAE) deals with assurance engagements undertaken by an assurance practitioner[1], # to provide a report for use by user entities and their auditors, on the controls at a service organisation that provides a service to user entities that is likely to be relevant to user entities’ internal control as it relates to financial reporting. It complements ASA 402,[2] in that reports prepared in accordance with this ASAE are capable of providing appropriate evidence under ASA 402. (Ref: Para. A1)
See ASAE 3000 Assurance Engagements Other Than Audits or Reviews of Historical Financial Information, paragraph 12(r).
See ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Assurance Engagements and Related Services Engagements, Para. Aus 12.2 and ASA 220 Quality Control for an Audit of a Financial Report and Other Historical Financial Information, paragraph Aus 7.1.
See ASA 402 Audit Considerations Relating to an Entity Using a Service Organisation.
2
The Framework for Assurance Engagements (the Assurance Framework) states that an assurance engagement may be a “reasonable assurance” engagement or a “limited assurance” engagement and that an assurance engagement may be either an attestation engagement or a direct engagement.[3] This ASAE only deals with reasonable assurance attestation engagements.[4]
ASAE 3000, paragraph 12.
3
This ASAE applies only when the service organisation is responsible for, or otherwise able to make a statement about, the suitable design of controls. This ASAE does not deal with assurance engagements:
- To report only on whether controls at a service organisation operated as described; or
- To report on controls at a service organisation other than those related to a service that is likely to be relevant to user entities’ internal control as it relates to financial reporting (for example, reports only on controls that affect user entities’ production or quality control).
This ASAE, however, provides some guidance for such engagements carried out under ASAE 3000. (Ref: Para.A2)
4
In addition to issuing an assurance report on controls, a service auditor may also be engaged to provide reports such as the following, which are not dealt with in this ASAE:
- A report on a user entity’s transactions or balances maintained by a service organisation; or
- An agreed‑upon procedures report on controls at a service organisation.
Relationship with ASAE 3000, Other Pronouncements and Other Requirements
5
The service auditor is required to comply with ASAE 3000 and this ASAE when performing assurance engagements on controls at a service organisation. This ASAE supplements, but does not replace, ASAE 3000, and expands on how ASAE 3000 is to be applied in a reasonable assurance engagement to report on controls at a service organisation.
[Footnote deleted by the AUASB.]
[Footnote deleted by the AUASB.]
Aus 6.1
Compliance with ASAE 3000 requires, among other things, compliance with the relevant ethical requirements* related to assurance engagements, or other professional requirements, or requirements imposed by law and regulation, that are at least as demanding. It also requires the lead assurance practitioner# to be a member of a firm that applies ASQM 1,† or other professional requirements, or requirements in law or regulation, that are at least as demanding as ASQM 1.
See ASAE 3000, paragraph 3(a), Aus 20.1 and 34. ASA 102 Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assurance Engagements.
The term “lead assurance practitioner” is referred to in ASQC 1 as the “engagement partner”.
Effective Date
7
[Deleted by the AUASB. Refer Aus 0.2.]