The assurance practitioner shall not represent compliance with this ASAE unless the assurance practitioner has complied with the requirements of this ASAE and the requirements of ASAE 3000 identified in this ASAE as relevant to performance engagements, adapted as necessary for direct engagements.

Inability to Comply with Relevant Requirements

Where in rare and exceptional circumstances, factors outside the assurance practitioner’s control prevent the assurance practitioner from complying with a relevant requirement in this ASAE, the assurance practitioner shall:

1. if possible, undertake appropriate alternative evidence‑gathering procedures; and

2. document in the working papers:

   1. the circumstances surrounding the inability to comply;

   2. the reasons for the inability to comply; and

   3. justification of how alternative evidence‑gathering procedures achieve the objectives of the relevant requirement.

When the assurance practitioner is unable to undertake appropriate alternative evidencegathering procedures, the assurance practitioner shall assess the implications for the assurance report.

As required by ASAE 3000, the assurance practitioner shall comply with relevant ethical requirements related to assurance engagements, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding.^[16] (Ref: Para A6)

(Ref: Para A7-A22)

The assurance practitioner shall initiate, where the assurance practitioner has the legislative mandate to do so, or accept a performance engagement only when:

1. the assurance practitioner has no reason to believe that relevant ethical requirements, including independence, will not be satisfied;

2. the assurance practitioner is satisfied that those persons who are to perform the engagement collectively have the appropriate competence and capabilities, including having sufficient time to perform the engagement;

3. the preconditions for an assurance engagement are present, as required by ASAE 3000;^[17] and

4. the basis on which the engagement is to be performed has been communicated and, where relevant, agreed by the assurance practitioner:

Agreeing on or Communicating the Terms of the Performance Engagement (Ref: Para A7-A9)

If the performance engagement is initiated by an engaging party, the assurance practitioner shall agree the terms of engagement, including the assurance practitioner’s reporting responsibilities, with the engaging party in writing.

If the performance engagement is initiated by a State, Territory or the Commonwealth AuditorGeneral and does not involve an engaging party, then the assurance practitioner shall communicate the terms of engagement with the responsible party, by issuing a written communication advising the responsible party of the planned engagement.

Preconditions for the Assurance Engagement (Ref: Para A10-A22)

When establishing whether the preconditions for an assurance engagement are present, the assurance practitioner shall determine, based on their preliminary knowledge of the performance engagement circumstances, whether the:

1. activity’s performance outcomes/results to be evaluated, are appropriate;

2. criteria identified, selected or developed by the assurance practitioner or agreed with the engaging party are suitable in evaluating the activity’s performance, including that they exhibit the characteristics of suitable criteria,^[18] and will be available to users;

3. assurance practitioner expects to be able to obtain the evidence needed to support the assurance practitioner’s conclusion, which will be contained in a written report; and

4. engagement’s objective is rational^[19], in that the assurance practitioner expects to be able to conclude against it at a meaningful level of assurance after the engagement has been finalised.

When identifying, selecting or developing suitable criteria, or determining whether the identified criteria selected by the engaging party are suitable, the assurance practitioner shall consider whether the identified criteria are reasonable quantitative or qualitative measures of performance and clearly state the performance expectations against which the activity’s performance may be assessed. Suitable criteria for a performance engagement shall reflect the overall engagement objective(s), the performance principle(s) to be addressed and have the following characteristics: (Ref: Para A17-A22)

1. Relevance—relevant criteria contribute to conclusions that assist decision‑making by the intended users.

2. Completeness—criteria are sufficiently complete when relevant factors that could affect the conclusions in the context of the performance engagement circumstances are not omitted.

3. Reliability—reliable criteria allow reasonably consistent evaluation of the activity’s performance, including when used in similar circumstances by similarly qualified assurance practitioners.

4. Neutrality—neutral criteria contribute to conclusions that are free from bias.

5. Understandability—understandable criteria contribute to conclusions that are clear, comprehensive, and not subject to significantly different interpretations. 

The assurance practitioner shall implement the firm’s policies or procedures as required by ASAE 3000.^[20]

The assurance practitioner shall apply professional scepticism, exercise professional judgement and apply assurance skills and techniques in planning and performing a performance engagement.^[21] 

 (Ref: Para A23-A82)

Planning (Ref: Para A23-A30)

The assurance practitioner shall plan the performance engagement so that it will be performed in an effective manner as required by ASAE 3000^[22] to achieve the objectives of this ASAE.

Significance (Ref: Para 18(t), A31-A55)

The assurance practitioner shall consider significance when planning and performing the engagement. The assurance practitioner’s consideration of significance is matter of professional judgement that is integrated into all aspects of the performance engagement, including when:

1. Selecting performance engagement topics and activities to examine;
2. Defining the objective(s) and evaluation criteria for the engagement;
3. Determining the nature, timing and extent of procedures;
4. Evaluating the sufficiency and appropriateness of evidence obtained to confirm if a performance variation exists;
5. Evaluating the significance of any identified variations in the activity’s performance, taken individually and in combination;
6. Reporting findings;
7. Formulating the assurance conclusion(s); and
8. Developing recommendations (if appropriate).

During the performance engagement, the assurance practitioner shall reassess the significance of any matter if there is any indication that the basis on which the significance of the matter was determined has changed.

The assurance practitioner shall document factors relevant to the practitioner’s consideration of significance, including the basis for professional judgements made when deciding if a matter is significant.

Risk Procedures and Related Activities (Ref: 18(s), Para A56-A82)

Understanding the Activity and Other Performance Engagement Circumstances (Ref: Para A56-A57)

The assurance practitioner shall obtain an understanding of the activity included in the scope of the performance engagement, and other engagement circumstances, including events or conditions that may cause significant variations in the activity’s performance.

Enquiries and Discussion with Appropriate Parties

The assurance practitioner shall make enquiries of parties as appropriate to the scope of the performance engagement and other engagement circumstances, regarding whether:

1. They have knowledge of any intentional variations in the activity’s performance or non-compliance with laws and regulations relevant to the engagement objective(s). In the absence of identified or suspected non-compliance with laws and regulations, the assurance practitioner is not required to perform any further procedures regarding an entity’s compliance with laws and regulations. (Ref: Para A58)
2. The responsible party has an internal audit function and, if so, make further enquiries to obtain an understanding of any reviews of the activity’s performance by the internal audit function and the main findings; and
3. The responsible party has used any internal or external experts in dealing with the activity.

Designing and Performing Risk Procedures (Ref: 18(s), Para A59-A82)

Understanding Internal Controls Relevant to the Performance Engagement (Ref: Para A67-A82)

The assurance practitioner shall perform risk procedures sufficient to determine whether internal controls are relevant to the engagement objective(s). The extent to which internal controls are relevant depends on the engagement circumstances and the level of assurance required, and is a matter of professional judgement.

The assurance practitioner shall obtain an understanding of internal controls the practitioner considers are relevant to the evaluation of the activity’s performance against the identified criteria. This understanding shall include identifying controls designed to address (mitigate) the risk of significant variation from the identified criteria.

For controls over which the assurance practitioner plans to obtain evidence by testing their operating effectiveness, the practitioner’s understanding shall include:

1. Evaluating whether the control is designed effectively to address the risk of significant variation or designed effectively to support the operation of other relevant controls; and

2. If designed effectively, determining whether the control has been implemented by performing procedures in addition to enquiry of the responsible party.

Identifying areas where Significant Variations are likely to arise (Limited Assurance) or Identifying and Assessing the Risks of Significant Variation (Reasonable Assurance)

(Ref: Para 18(j), A83-A94) 

Revision of Risk Assessment in a Reasonable Assurance Engagement

R. The assurance practitioner’s assessment of the risks of significant variation in the activity’s performance may change during the course of the engagement as additional evidence is obtained. In circumstances where the practitioner obtains evidence which is inconsistent with the evidence on which the practitioner originally based the assessment of the risks of significant variation, the practitioner shall revise the assessment, and design and perform modified and/or additional procedures.

Performing Modified and/or Additional Procedures in a Limited Assurance Engagement (Ref: Para A89L-A91L)

L. If the assurance practitioner becomes aware of a matter that causes the practitioner to believe that a significant variation in the activity’s performance may exist, the practitioner shall design and perform modified and/or additional procedures to obtain further evidence until the practitioner is able to form a conclusion that either:

1. the matter is not likely to result in a significant variation in the activity’s performance; or

2. a significant variation in the activity’s performance exists.

Work Performed by an Assurance Practitioner’s Expert

When the assurance practitioner plans to use the work of an assurance practitioner’s expert, the assurance practitioner shall comply with the requirements in ASAE 3000.^[23]

Work Performed by Another Assurance Practitioner, a Responsible Party’s Expert, or an Internal Auditor

If the assurance practitioner plans to use information prepared by another party as evidence, the assurance practitioner shall comply with the requirements of ASAE 3000.^[24]

Written Representations (Ref: Para A92-A94)

The assurance practitioner shall request and endeavour to obtain written representations from the responsible party, as appropriate for the performance engagement.

(Ref: Para A95)

The assurance practitioner shall evaluate whether the identified variations in the activity’s performance are significant, individually or in combination. The assurance practitioner shall consider the size and severity of the impact or potential impact of those variations and conclude whether the activity was partially performed or not performed as evaluated against the identified criteria.^[25]

In making this evaluation, the assurance practitioner shall consider whether individual variations in performance identified during the engagement (other than those that are clearly trivial) have characteristics, for example, a root cause or a systemic issue, that indicate the combined effect of individual variations is likely to be significant.

(Ref: Para A96-A97)

When relevant to the performance engagement, the assurance practitioner shall consider the effect on the activity’s performance of events that become known to the assurance practitioner up to the date of the assurance report. The practitioner shall respond appropriately to facts that become known to the assurance practitioner after the date of the assurance report that, had they been known to the assurance practitioner at that date, may have caused the assurance practitioner to amend the assurance report. The extent of consideration of subsequent events depends on the assurance practitioners’ judgement of the potential for such events to affect the activity’s performance and to affect the appropriateness of the assurance practitioner’s conclusion. However, the assurance practitioner has no responsibility to perform any procedures regarding the activity’s performance after the date of the assurance report.

(Ref: Para A98-A100)

The assurance practitioner shall evaluate whether sufficient and appropriate evidence has been obtained from the procedures performed. If there is not sufficient or appropriate evidence, the assurance practitioner shall perform procedures to obtain further evidence to be able to form a conclusion on the activity’s performance. If the assurance practitioner is unable to obtain the necessary further evidence, the assurance practitioner shall consider the implications for the assurance practitioner’s conclusion.^[26] The assurance practitioner shall state in their conclusion that there was not sufficient or appropriate evidence to conclude against aspects of the engagement objective(s) or engagement objective(s) as a whole.

The assurance practitioner shall form a conclusion(s) about the activity’s performance against the engagement objective(s). In forming that conclusion, the assurance practitioner shall consider the outcomes of procedures performed in paragraphs 47-50.

(Ref: Para A101-A121)

The assurance report shall be in writing and shall contain a clear expression of the assurance practitioner’s reasonable or limited assurance conclusion about the activity’s performance against the engagement objective(s), or explain why this was not possible.

The assurance practitioner’s conclusion shall be clearly identified in the assurance report, separate from findings, recommendations and other information or explanations included in the report.

The assurance report shall include information necessary to address the engagement objective(s), and be sufficiently detailed to allow report users to understand the activity’s performance and the assurance practitioner’s conclusion(s), findings and recommendations (if appropriate).

Assurance Report Content (Ref: Para A104-A121)

The assurance report shall include at a minimum the following elements, to the extent that it is not inconsistent with relevant legislation or regulation:

1. A title or title page, indicating that it is an independent assurance report.

2. An addressee.

3. Identification of the scope of the performance engagement including:

   1. the activity’s performance which was the subject matter of the performance engagement; (Ref: Para 18(b))

   2. the engagement objective(s); (Ref: Para 18(g))

   3. the criteria for evaluating the activity’s performance, and their sources; (Ref: Para 18(e), 27, A111)

   4. if relevant, the date of, or period(s) covered by, the report;

   5. any activities the assurance practitioner has specifically excluded from the scope; and

   6. if appropriate, a description of any significant inherent limitations associated with the evaluation of the activity’s performance against the identified criteria; 

4. Identification or description of the level of assurance obtained/provided by the assurance practitioner. (Ref: Para A115)

5. Identification of the responsible party(ies) and a description of their responsibilities. (Ref: Para 18(r))

6. The assurance practitioner’s conclusion(s) against the engagement objective(s) which: (Ref: Para A98, A114-A118)

   1. in a reasonable assurance engagement, shall be expressed in a positive form.

   2. in a limited assurance engagement, shall be expressed in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the assurance practitioner’s attention to cause the practitioner to believe that the responsible party did not perform the activity in accordance with the identified criteria.

7. When the assurance practitioner was unable to obtain sufficient appropriate evidence (a scope limitation exists), the assurance report shall contain: (Ref: Para 58-59)

   1. A description of the causes and consequences of those findings; and (Ref: Para A112-A113)

   2. The assurance practitioner’s conclusion that there was not sufficient or appropriate evidence to conclude on the responsible party’s performance of: 

      1. certain aspects of the activity; or (Ref: Para A116(a))

      2. the activity as a whole. (Ref: Para A116(b))

8. When the assurance practitioner has identified significant variations in the activity’s performance, the assurance report shall contain:

   1. A description of the causes and consequences of those findings; and (Ref: Para A112-A113)

   2. The assurance practitioner’s conclusion that either the responsible party: 

      1. did not perform the activity in accordance with the identified criteria in certain significant respects; or(Ref: Para A117(a))

      2. did not perform the activity in accordance with the identified criteria in all significant respects. (Ref: Para A117(b))

9. The basis for the assurance practitioner’s conclusion, including: (Ref: Para A119-A120)

   1. A statement that the engagement was conducted in accordance with ASAE 3500 Performance Engagements; (Ref: Para A119)

   2. An informative summary of the work performed by the practitioner as the basis for the practitioner’s conclusion. In the case of a limited assurance engagement, an appreciation of the nature, timing and extent of procedures performed is essential to understanding the practitioner’s conclusion.  For a limited assurance engagement, the summary of the work performed shall state that: (Ref: Para A100, A120)

      1. The procedures performed in a limited assurance engagement vary in nature and timing from, and are lesser in extent than for, a reasonable assurance engagement; and

      2. Consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed; 

   3. A statement that identifies the assurance practitioner’s responsibilities or refers to a section in the assurance report that describes the practitioner’s responsibilities.*

   4. A statement that the assurance practitioner complies with the independence and other relevant ethical requirements related to assurance engagements, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding.*

   * Alternatively, where the information in (iii) and (iv) above is not included within the assurance report but provided within a separate report, or on a website controlled and managed by an Audit Office of an Auditor-General, the assurance report shall include a summary statement with a specific reference to the location of such information.

10. Signature of the assurance practitioner, the Audit Office or location in the jurisdiction where the assurance practitioner practices, and the date of the assurance report.

If appropriate, the assurance practitioner shall provide recommendations intended to address, or are related to, the assurance practitioner’s findings from the engagement. (Ref: Para A121)

If the assurance practitioner is required to conclude on other subject matters under different AUASB Standards in conjunction with an engagement to report under this ASAE, the assurance report shall include a separate section for each subject matter in the assurance report, clearly differentiated by appropriate section headings. (Ref: Appendix 4)

Scope Limitation (Ref: Para 55(g))

A limitation on the scope of the assurance practitioner’s work may be imposed by the terms of the engagement, if the engagement was initiated by an engaging party, or by the circumstances of the particular engagement. When the limitation is imposed by the terms of the engagement, and it is likely to prevent the assurance practitioner from reaching a conclusion, the engagement shall not be accepted, unless required to do so by law or regulation.

When a scope limitation is imposed by the circumstances of the particular engagement, the assurance practitioner shall attempt to perform alternative procedures to overcome the limitation. When a scope limitation exists and remains unresolved, the wording of the assurance practitioner’s report shall comply with paragraph 55(g).

If, during the course of the performance engagement, the assurance practitioner identifies any significant variations in the activity’s performance, the assurance practitioner shall report those variations to the responsible party on a timely basis in order to allow the responsible party sufficient time to investigate and respond to the identified variations.

The assurance practitioner shall consider whether, pursuant to the terms of the performance engagement, if applicable, and other engagement circumstances or legislative requirements, any matter has come to the attention of the assurance practitioner that is to be communicated with Parliament, the responsible party, the engaging party (if applicable) or others, as required by ASAE 3000.^[27]

The assurance practitioner shall determine whether there is a responsibility or legislative requirement for the assurance practitioner to report the occurrence or suspicion of fraud or other misconduct to a party outside the entity, including Parliament, a regulator or government agency. Any such reporting shall be in accordance with the relevant legislation.

(Ref: Para A122-A123)

The assurance practitioner shall prepare documentation in accordance with ASAE 3000.^[28] In documenting the nature, timing and extent of procedures performed as required by ASAE 3000, the assurance practitioner shall record:

1. the identifying characteristics of the activity’s performance being tested;

2. who performed the work and the date such work was completed; and

3. who reviewed the work performed and the date such review was performed.