For the purposes of this ASAE, terms have the same meaning as in ASAE 3000 and in addition, the following terms have the meanings attributed below:

Attestation engagement on controls―A reasonable or limited assurance engagement in which a party other than the assurance practitioner, being the responsible party or evaluator, evaluates the design against the control objectives, and, if included in the scope of the engagement, the description, implementation or operating effectiveness of controls, against the design. The outcome of that evaluation is provided in a Statement, which may either be available to the intended users or may be presented by the assurance practitioner in the assurance report. The assurance practitioner’s conclusion may be phrased in terms of: (Ref: Para. A6)

1. the design, and/or description, implementation or operating effectiveness of controls and the control objectives; or
2. the Statement of the responsible party or evaluator.

Anomaly―A deviation in a sample that is demonstrably not representative of deviations in a population.

Carve-out method―A method of dealing with controls operating at a third party, which are integral to the system or control component which is subject to the engagement, whereby that third party’s relevant control objectives and related controls are excluded from the scope of the assurance practitioner’s engagement. The scope of the assurance practitioner’s engagement includes controls at the entity to monitor the effectiveness of controls which form part of the entity’s system, operating at the third party.

Compensating control―A control which makes up for a deficiency in another control in mitigating the risks that threaten achievement of a control objective.

Complementary user entity controls―Controls that an entity, which is a service organisation, assumes, in the design of its service, will be implemented by user entities or clients, and which, if necessary to achieve control objectives stated in the entity’s description of its system, are identified in that description.

Components of control―The integrated components which comprise the system of control, as defined by the control framework applied. (Ref: Para. A9)

Control objective―The aim or purpose of a particular aspect of controls. Control objectives relate to risks that controls seek to mitigate and may be categorised by the framework applied, such as operational (economy, effectiveness and efficiency), reporting (statutory or management, financial or non-financial) or compliance (adherence to laws and regulations or contractual obligations).

Control or internal control―The process designed, implemented and maintained by those charged with governance, management and other personnel to mitigate the risks which may prevent achievement of control objectives relating to the entity’s system. Controls included in the scope of the assurance engagement may comprise any aspects of one or more components of control over an area(s) of activity within a defined boundary, such as the group, entity, facility or location.

Criteria―The benchmarks used to measure or evaluate the underlying subject matter. The “applicable criteria” are the criteria used for the particular engagement.

Description of the system―A document prepared by the responsible party and provided to users, if included in the scope of the engagement, describing the entity’s system, within which the controls to be concluded upon operate, including identification of: the functions or services covered; the period or date to which the description relates; control objectives and details of, or reference to documentation detailing, the controls designed to achieve those objectives. The entity’s functions or services may be identified by geographic, operational or functional boundaries. A description of the system is distinct from documentation prepared by the responsible party or assurance practitioner, as the description is part of the subject matter of the engagement, which, if included in the scope of the engagement, is made available to users and concluded upon by the assurance practitioner. A description may be included in the scope of an attestation or direct engagement, however in a direct engagement no attestation is provided by the responsible party or evaluator with respect to whether the description is fairly presented.

Deficiency in design of controls―An inadequacy or omission in the design of a control/s that, in the assurance practitioner’s professional judgement, means the control/s is not designed suitably to mitigate the risks that threaten achievement of the identified control objective/s.

Deficiency in implementation of controls―Instances where a control was not implemented as designed that, in the assurance practitioner’s professional judgement, mean the control/s, once in operation, may not operate effectively as designed to achieve the identified control objective/s.

Deviation in operating effectiveness of controls―Instances where a control was not operating as designed.

Direct controls―Controls which directly address the risks of a control objective not being achieved, by detecting, preventing or correcting a failure to achieve a control objective on a timely basis.

Direct engagement on controls―A reasonable or limited assurance engagement in which the assurance practitioner evaluates the design of the controls against the control objectives, and, if included in the scope of the engagement, the description, implementation and/or operating effectiveness of controls against the design. The outcome of the assurance practitioner’s evaluation (the subject matter information) is expressed in the assurance practitioner’s conclusion. (Ref: Para. A6)

Engaging party―The party(ies) that engages the assurance practitioner to perform the assurance engagement.

Entity’s system (or the system)―The policies and procedures designed and implemented by the entity to provide the functions or services covered by the assurance practitioner’s report, including the control objectives which address the overall objectives relevant to those functions or services and the controls designed to mitigate the risks that threaten achievement of those objectives.

Evaluator―The party(ies) who evaluates the underlying subject matter against the criteria. The evaluator possesses expertise in the underlying subject matter.

Firm―A sole assurance practitioner, partnership or corporation or other entity of individual assurance practitioners. “Firm” should be read as referring to its public sector equivalents where relevant.

Fraud―An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.

Fraud risk factors―Events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.

Implementation―The process of putting controls into effect by deployment or roll-out of controls to enable their operation as designed.

Inclusive method―A method of dealing with the controls operating at a third party, which are integral to the system or control component which is subject to the assurance engagement, whereby the third party’s relevant control objectives and related controls are included in the scope of the assurance practitioner’s engagement.

Indirect controls―Controls which do not directly address the risks of a control objective not being achieved, but have an impact on the effectiveness of direct controls in detecting, preventing or correcting a failure to achieve a control objective on a timely basis.

Intended users―The individual(s) or organisation(s), or group(s) thereof that the assurance practitioner expects will use the assurance report. In some cases, there may be intended users other than those to whom the assurance report is addressed.

Internal audit function―A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management and internal control processes.

Internal auditors―Those individuals who perform the activities of the internal audit function. Internal auditors may belong to an internal audit department or equivalent function, out-sourcing entity or co-sourced from both internal and out-sourced resources.

Limited assurance engagement―An assurance engagement in which the assurance practitioner reduces engagement risk to a level that is acceptable in the circumstances of the engagement, but where that risk is greater than for a reasonable assurance engagement, as the basis for expressing a conclusion in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the assurance practitioner’s attention to cause the assurance practitioner to believe the subject matter information or subject matter is materially misstated. The nature, timing and extent of procedures performed in a limited assurance engagement is limited compared with that necessary in a reasonable assurance engagement but is planned to obtain a level of assurance that is, in the assurance practitioner’s professional judgement, meaningful. To be meaningful, the level of assurance obtained by the assurance practitioner is likely to enhance the intended users’ confidence about the subject matter information or subject matter to a degree that is clearly more than inconsequential.

Long-form report―Assurance report including other information and explanations that are intended to meet the information needs of users but not to affect the assurance practitioner’s conclusion. In addition to the matters required to be contained in the assurance practitioner’s report, as set out in paragraph 89, long-form reports may describe in detail matters such as:

1. the terms of the engagement;
2. the criteria being used, such as the specific control objectives and controls as designed to achieve each objective;
3. descriptions of the tests of controls that were performed;
4. findings relating to the the tests of controls that were performed or particular aspects of the engagement;
5. details of the qualifications and experience of the assurance practitioner and others involved with the engagement;
6. disclosure of materiality levels; or
7. recommendations.

The assurance practitioner may find it helpful to consider the significance of providing such information to meet the needs of the intended users. As required by paragraph 90, additional information is clearly separated from the assurance practitioner’s conclusion and worded in such a manner as make it clear that it is not intended to alter or detract from that conclusion.

Material control―A control which is necessary to mitigate the risk of a control objective not being achieved and for which there are no or insufficient compensating controls. The relevant control objectives are those at the level to be concluded on in the assurance report, whether overall or specific control objectives.

Misstatement―

1. In an attestation engagement, a difference between the responsible party or evaluator’s Statement^[16] and the appropriate evaluation of the design of controls against the control objectives^[17], and/or the description, implementation or operating effectiveness of controls against the design^[17], which is expressed either as a misstatement in the responsible party or evaluator’s Statement, or as a deficiency in the suitability of the design, misstatement in the description, deficiency in implementation or deviation in operating effectiveness of controls.
2. In a direct engagement, a difference between the design and a design suitable to achieve the control objectives^[17] and/or a difference between the description, implementation or operating effectiveness of controls and the design,^[17] in so far as it is suitable, which is expressed as a deficiency in the suitability of the design of controls to achieve the control objectives, misstatement in the description, deficiency in the implementation or deviation in the operating effectiveness of controls as designed.

Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions.

Misstatement in the description of the system―An inaccuracy, inadequacy or omission in the description, including in the identification of the boundaries and other identifying characteristics of the system, the control components described, the areas of activity encompassed and the controls as designed and/or implemented.

Overall control objectives―Explicit or implicit assertions by the responsible party with respect to the subject matter, that in an assurance engagement on controls, represent the broad objectives or purpose of the controls, in the context of the control component and system included in the scope of the engagement.

Population―The entire set of instances of a particular control from which a sample is selected and about which the assurance practitioner wishes to draw conclusions.

Pervasive―The effect or possible effect on the system of controls of, identified or undetected, deficiencies in the design of controls, misstatements in the description, deficiencies in implementation as designed or deviations in operating effectiveness as designed. Pervasive effects on the controls system are those that, in the assurance practitioner’s judgement:

1. Are not confined to certain overall or specific control objectives, areas of activity, components of controls or controls; or
2. If so confined, represent or could represent a substantial proportion of the system of controls included in the scope of the engagement.

Reasonable assurance engagement―An assurance engagement in which the assurance practitioner reduces engagement risk to an acceptably low level in the circumstances of the engagement as the basis for the assurance practitioner’s conclusion. The assurance practitioner’s conclusion is expressed in a form that conveys the assurance practitioner’s opinion on the outcome of the measurement or evaluation of the underlying subject matter against criteria.

Representation―Statement by the responsible party, either oral or written, provided to the assurance practitioner to confirm certain matters or to support other evidence. A representation is additional to but may be provided in combination with the responsible party’s or evaluator’s Statement provided in an attestation engagement, as set out in paragraph 17(rr).

Responsible party―The party responsible for the underlying subject matter, being the design, description, implementation or operating effectiveness of controls in an assurance engagement on controls.

Sampling―The application of assurance procedures to less than 100% of items within a population of relevance to the engagement such that all sampling units have a chance of selection in order to provide the assurance practitioner with a reasonable basis on which to draw conclusions about the entire population.

Sampling risk―The risk that the assurance practitioner’s conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same assurance procedure. Sampling risk can lead to two types of erroneous conclusions:

1. That the controls are designed more suitably, the description is presented more fairly or the controls are operating more effectively than they actually are. The assurance practitioner is primarily concerned with this type of erroneous conclusion because it affects the engagement’s effectiveness and is more likely to lead to an inappropriate assurance conclusion.
2. That controls are less effective than they actually are. This type of erroneous conclusion affects the engagement’s efficiency as it would usually lead to additional work to draw a conclusion.

Service organisation―A third party organisation (or segment of a third party organisation) that provides services to user entities that are likely to be relevant to user entities’ internal control as it relates to relevant external reporting, whether financial, emissions and energy, carbon offsets, compliance or other reporting.

Short-form report―Assurance report including only the matters required under paragraph 89 of this ASAE.

Specific control objective―Control objective expressed in sufficient detail such that controls can be designed to achieve that objective directly without further breakdown.

Statement―The outcome in writing of the responsible party or evaluator’s evaluation of the suitability of the design of controls to achieve the control objectives, and, if included in the scope of the engagement, the fair presentation of the description of the system, implementation of controls as designed or operating effectiveness of controls as designed, provided to the assurance practitioner in an attestation engagement. A Statement is the subject matter information in an attestation engagement on controls.

Subject matter information―The outcome of the measurement or evaluation of the underlying subject matter against the criteria. In an assurance engagement on controls the subject matter information is the Statement of the responsible party or evaluator in an attestation engagement or the assurance practitioner’s conclusion in a direct engagement, providing the outcome of their evaluation.

Subject matter or underlying subject matter―The controls within the system designed to achieve the control objectives, and, if included in the scope of the engagement, the description of the system, the controls implemented or the controls in operation.

System―The function or service at the entity, location or operational facility for which the controls are being reported upon by the assurance practitioner.

Test of controls―A procedure designed to evaluate the design, description, implementation or operating effectiveness of controls in achieving the identified control objectives.

Tolerable rate of deviation―A rate of deviation in the operation of control procedures as designed in respect of which the assurance practitioner seeks to obtain an appropriate level of assurance that the rate of deviation set by the assurance practitioner is not exceeded by the actual rate of deviation in the population.

User entity―An entity that uses a service organisation.