Introduction
Scope of this Auditing Standard
3. This Standard on Assurance Engagements (ASAE) deals with assurance engagements undertaken by an assurance practitioner to provide an assurance report on the suitability of the design of controls to achieve identified control objectives, and, if applicable, fair presentation of the description of the system, implementation of the controls as designed and/or operating effectiveness of controls as designed.
4. This ASAE addresses engagements on controls, except those engagements to which ASAE 3402 applies: (Ref: Para. A2-A7)
- over any subject matter, whether directed at operations, external reporting, contractual compliance or regulatory compliance; (Ref: Para. A3)
- evaluated against the achievement of either overall or specific control objectives;
- covering one or more component/s of control;[3]
- providing a limited or reasonable assurance conclusion;
- for either restricted use, by those charged with governance of the entity or specified third parties, or to be publicly available; (Ref: Para. A5)
- either based on an attestation engagement or a direct engagement; (Ref: Para. 17(a), 17(o), A6)
- to conclude either:
  - as at a specified date, on the suitability of the design of controls to achieve the identified control objectives, and, if included in the scope of the engagement:
    - fair presentation of the description of the system; and/or
    - implementation of the controls as designed; or
  - throughout the period, on the suitability of the design of controls to achieve identified control objectives and operating effectiveness of controls as designed, and, if included in the scope of the engagement, fair presentation of the description of the system.
[3] Control components will depend on the controls framework applied. For example, the control components in the Treadway Commission’s Internal Control Integrated Framework 2013 (COSO Framework) are: the control environment, risk assessment, control activities, information and communication or monitoring activities, and in the COBIT 5 Framework the equivalent are the following enablers: principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information; services, infrastructure and applications; and people, skills and competencies.
5. The scope of an engagement on controls includes either implementation at a specified date or operating effectiveness over the period but not usually both, because implementation is inherent in testing operating effectiveness.
6. Agreed-upon procedures engagements, where procedures are conducted and factual findings are reported but no conclusion is provided, and consulting engagements, for the purpose of providing advice, on controls are not assurance engagements and are not dealt with in this ASAE. Agreed-upon procedures engagements are addressed under Standard on Related Services, ASRS 4400.[4]
[4] See ASRS 4400 Agreed-upon Procedures Engagements to Report Factual Findings.
Nature of Engagements
7. Assurance engagements on controls may include, but are not limited to:
- compliance with contractual requirements agreed with customers, investors, financiers, purchasers or government for controls to achieve identified control objectives at an entity, such as controls over health and safety, ethics, privacy and security of data and information technology (IT) accessibility;
- compliance with regulatory requirements, such as:
  - Australian Prudential Regulation Authority (APRA) reporting requirements for limited assurance on controls over compliance, data reliability and other specified matters for general insurers,[5] authorised deposit-taking institutions,[6] life companies,[7] superannuation entities[8] and APRA-regulated group level 3 heads;[9] or
  - legislative requirements for assurance reports on controls at certain government entities;
- concluding on operational or compliance controls at a service organisation to meet the needs of user auditors, except for financial reporting controls (Ref: Para. 1, A1);[10] or
- voluntary engagements initiated by the entity on its own controls over services, activities undertaken or functions which it provides.
[5] See Guidance Statement GS 004 Audit Implications of Prudential Reporting Requirements for General Insurers and Insurance Groups and Prudential Standard GPS 310 Audit and Related Matters.
[6] See Guidance Statement GS 012 Prudential Reporting Requirements for Auditors of Authorised Deposit-taking Institutions and Prudential Standard APS 310 Audit and Related Matters.
[7] See Guidance Statement GS 017 Prudential Reporting Requirements for Auditors of a Life Company and Prudential Standard LPS 310 Audit and Related Matters.
[8] See Guidance Statement GS 002 Audit Implications of Prudential Reporting Requirements for Registrable Superannuation Entities and Prudential Standard SPS 310 Audit and Related Matters.
[9] See Prudential Standard 3PS 310 Audit and Related Matters.
[10] Financial reporting controls at a service organisation are addressed in ASAE 3402 and so are excluded from this ASAE.
8. The control framework applied in designing the controls is relevant when identifying the components of control and overall control objectives to be addressed in the scope of the engagement and as a basis for the development of specific control objectives. The control framework may be derived from:
- legislation or regulation;
- a publicly available framework, such as the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control Integrated Framework 2013 (COSO Framework) or COBIT 5;
- an industry standard, developed specifically to meet the needs of the relevant industry; or
- in-house development to meet the entity’s needs.
Relationship with ASAE 3000, Other Pronouncements and Other Requirements
9. The assurance practitioner is required to comply with ASAE 3000 and this ASAE when performing assurance engagements on controls, other than engagements required to be conducted under ASAE 3402. This ASAE supplements, but does not replace, ASAE 3000, and expands on how ASAE 3000 is to be applied to limited and reasonable assurance engagements on controls. This ASAE applies the requirements in ASAE 3000 to attestation engagements and adapts those requirements, as necessary, to direct engagements on controls. ASAE 3000 includes requirements in relation to such topics as engagement acceptance, planning, obtaining evidence and documentation that apply to all assurance engagements, including engagements conducted in accordance with this ASAE. The Assurance Framework, which defines and describes the elements and objectives of an assurance engagement, provides the context for understanding this ASAE and ASAE 3000.
10. Compliance with ASAE 3000 requires, among other things, that the assurance practitioner complies with relevant ethical requirements related to assurance engagements.[11] (Ref: Para. 19) It also requires the lead assurance practitioner[12] to be a member of a firm that applies ASQC 1.[13]
[12] The term “lead assurance practitioner” is referred to in ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, and Other Assurance Engagements as the “engagement partner”.
11. An assurance engagement performed under this ASAE may be part of a larger engagement. In such circumstances, this ASAE is relevant only to the portion of the engagement relating to assurance on controls.
12. If multiple standards are applicable to an assurance engagement on controls, the assurance practitioner applies, in addition to ASAE 3000, either:
- if the engagement can be separated into parts, the standard relevant to each part of the engagement; or
- if the engagement cannot be separated into parts, the standard which is most directly relevant to the subject matter.
13. Assurance conclusions on controls are often required by regulators or users in conjunction with assurance conclusions on financial reports, other historical financial information, compliance and/or other subject matters. In addition, service auditors may be engaged to report under ASAE 3402, on controls at a service organisation that are likely to be relevant to user entities’ internal control as it relates to financial reporting, as well as to report under this ASAE, on controls over operational or compliance requirements, as agreed in a service level agreement. In these engagements the subject matter, the criteria against which that subject matter is evaluated and the level of assurance sought may vary, in which case different standards will apply. Assurance reports can include separate sections for each subject matter, criteria or level of assurance so that the different matters concluded upon are clearly differentiated. (Ref: Para. A8)
14. A table showing the AUASB Standards to apply to assurance engagements on controls, depending on the subject matter and engagement circumstances, is contained in Appendix 3.