This Standard on Assurance Engagements (ASAE) deals with assurance engagements to provide an assurance report on whether the entity has complied in all material respects with the compliance requirements, throughout the specified period or as at a specified date, using the criteria.

This ASAE addresses assurance engagements on compliance: (Ref: Para. A2-A5)

1. With the compliance requirements;
2. Providing a limited or reasonable assurance conclusion;
3. For either restricted use, by those charged with governance of the entity or specified third parties, or to be publicly available; and
4. Either based on an attestation engagement or a direct engagement. (Ref: Para. 17(a), 17(h), A4).

Where this ASAE makes reference to a requirement, that requirement applies to both attestation and direct engagements, unless specified otherwise.

Agreed‑upon procedures engagements, where procedures are conducted and factual findings are reported but no conclusion is provided, and consulting engagements, for the purpose of providing advice, on compliance are not assurance engagements and are not dealt with in this ASAE.  Agreed‑upon procedures engagements are addressed under Standard on Related Services, ASRS 4400.^[1]

Nature of a Compliance Engagement

Compliance engagements are conducted in both the private and public sector, in either case the engaging party will usually be the entity responsible for meeting the compliance requirements which are subject to the compliance engagement.  In these circumstances terms of engagement are agreed with the engaging party.

An entity may have an obligation to comply with externally and/or internally established compliance requirements.  These compliance requirements may be established through law and regulation, contractual arrangements or internally established requirements, for example company policies.  A table showing the nature of assurance engagements on compliance is contained in Appendix 3.

Relationship with ASAE 3000, Other Pronouncements and Other Requirements

The assurance practitioner is required to comply with ASAE 3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ASAE 3000) and this ASAE when performing compliance engagements.  This ASAE supplements, but does not replace ASAE 3000, and expands on how ASAE 3000 is to be applied in a compliance engagement.  This ASAE applies the requirements in ASAE 3000 to attestation engagements and adapts those requirements, as necessary, to direct engagements on compliance.  ASAE 3000 includes requirements in relation to such topics as engagement acceptance, planning, obtaining evidence and documentation that apply to all assurance engagements, including engagements conducted in accordance with this ASAE.  Framework for Assurance Engagements, which defines and describes the elements and objectives of an assurance engagement, provides the context for understanding this ASAE and ASAE 3000.

An assurance engagement performed in accordance with ASAE 3000 measures or evaluates the underlying subject matter against suitable criteria. In a compliance engagement the assurance practitioner determines whether compliance requirements have been met by evaluating the subject matter against the compliance requirements, using the criteria.  The criteria may be the compliance requirements, or a subset thereof. A table explaining the terminology applied in this ASAE is contained in Appendix 2.

This ASAE requires the assurance practitioner to apply the ASAE 3000 requirement to comply with relevant ethical requirements related to assurance engagements.  It also requires the lead assurance practitioner to be a member of a firm that applies ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Financial Information, Other Assurance Engagements and Related Services Engagements.

An assurance engagement performed under this ASAE may be part of a larger engagement. In such circumstances, this ASAE is relevant only to the portion of the engagement relating to assurance on compliance.

If multiple standards are applicable to the assurance engagement, the assurance practitioner applies, in addition to ASAE 3000, either:

1. If the engagement can be separated into parts, the standard relevant to each part of the engagement, including this ASAE for the part on compliance; or
2. If the engagement cannot be separated into parts, the standard which is most directly relevant to the subject matter.

Assurance conclusions on compliance may be required by Regulators, Government or other users in conjunction with assurance conclusions on financial reports, other historical financial information, and compliance with other requirements, controls and/or other subject matters.  In these engagements the subject matter and criteria against which that subject matter is evaluated and the level of assurance sought may vary, in which case different standards will apply.  Assurance reports can include separate sections for each subject matter, criteria or level of assurance in order that the different matters concluded upon are clearly differentiated.

A table showing the AUASB Standards to apply to compliance engagements depending on the subject matter and engagement circumstances is contained in Appendix 4. (Ref: Para. A1)