Requirements
Applicability of ASAE 3000
18
The assurance practitioner shall not represent compliance with this ASAE unless the assurance practitioner has complied with the requirements of this ASAE and ASAE 3000, adapted as necessary in the case of direct engagements. ASAE 3000 contains requirements and application and other explanatory material specific to attestation assurance engagements but it also applies to direct assurance engagements, adapted as necessary in the engagement circumstances.[18] If this ASAE makes reference to a requirement in ASAE 3000, that requirement shall be applied to both attestation and direct engagements, unless specified otherwise. (Ref: Para. A6)
[18] See ASAE 3000, paragraph 2.
Acceptance and Continuance
Preconditions for the Assurance Engagement
20
See ASAE 3000, paragraphs 21-30.
Assessing the Appropriateness of the Subject Matter
21
When establishing whether the preconditions for an assurance engagement as required by ASAE 3000 are present, the assurance practitioner is required to assess the appropriateness of the subject matter.[21] In doing so, the assurance practitioner shall determine whether the control components and specific controls are identifiable, whether the controls are capable of consistent evaluation against the control objectives, and whether the scope of the controls within the assurance engagement provides an appropriate basis for that engagement. If the subject matter is not appropriate, the assurance practitioner shall not accept the engagement or, if this is determined after accepting the engagement, either withdraw from the engagement or issue a modified conclusion. (Ref: Para. A15)
[21] See ASAE 3000, paragraph 24(b)(i).
Assessing the Suitability of the Criteria
22
When establishing whether the preconditions for an assurance engagement as required by ASAE 3000 are present, the assurance practitioner shall determine the suitability of the criteria expected to be applied, whether the criteria are provided by the engaging party, as in an attestation engagement, or are to be identified, selected or developed by the assurance practitioner, as in a direct engagement, including that they exhibit the characteristics set out in ASAE 3000.[22] The main criteria are: (Ref: Para. A16-A26)
- control objectives, for evaluating the design of the controls; and
- controls, necessary to achieve the control objectives, as designed, for evaluating the description of the system, implementation of controls or operating effectiveness.
[22] See ASAE 3000, paragraph 24(b).
23
If the assurance practitioner considers that the identified criteria are unsuitable, the assurance practitioner shall either:
- agree on suitable criteria with the engaging party prior to accepting or continuing with the engagement. If unable to agree on suitable criteria, the assurance practitioner shall withdraw from the engagement; or
- issue a modified conclusion, either qualified or a disclaimer depending on the extent of the unsuitable criteria, if the assurance practitioner is required to perform the engagement using the unsuitable criteria, such as under a legislative mandate.
Agreeing on the Terms of the Engagement
24
The parties to the engagement shall agree on the terms of the assurance engagement in writing, as required by ASAE 3000,[23] and the assurance practitioner shall obtain the agreement of the responsible party, if it is a party to the engagement, that it acknowledges and understands its responsibility: (Ref: Para. A27)
- in an attestation engagement:
  - for evaluating the suitability of the design of controls to achieve the identified control objectives, and if applicable, the presentation of the description, implementation and/or operating effectiveness of controls, as designed, which are the subject matter of the assurance engagement, and providing a written Statement regarding the outcome of that evaluation;
  - for having a reasonable basis for the written Statement; (Ref: Para. A37-A39)
- in both an attestation and a direct engagement:
  - for identifying suitable control objectives and whether they were specified by law, regulation, contract, another party (for example, a user group or a professional body) or developed by the responsible party or assurance practitioner;
  - for identifying the risks that threaten achievement of those control objectives;
  - for designing controls to mitigate those risks so they will not prevent achievement of the identified control objectives, and therefore the control objectives will be achieved;
  - if included in the scope of the engagement:
    - for preparing a description of the system, including identification of any controls operated by a third party, service or sub-service organisation, which may be material to the engagement, and whether the inclusive or carve-out method has been used in relation to those third party controls;
    - for implementing the controls as designed; or
    - for the operation of the controls as designed throughout the period;
  - to provide the assurance practitioner with:
    - access to all information, such as records, documentation and other matters of which the responsible party is aware are relevant to the system and the controls within that system;
    - additional information that the assurance practitioner may request from the responsible party for the purposes of the assurance engagement; and
    - unrestricted access to persons within the entity from whom the assurance practitioner determines it necessary to obtain evidence;
  - if controls are designed to be operated by a third party, service or sub-service organisation, which may be material to the engagement, to obtain either:
    - a reasonable or limited assurance report, as appropriate, on the design and, if included in the scope of the engagement, the description of controls and/or implementation or operating effectiveness of controls, which covers the relevant controls at the third party; or
    - access to all information relevant to the design, description, implementation and/or operation of those controls, any additional information requested and access to persons from whom to obtain evidence at the third party.
[23] See ASAE 3000, paragraph 27.
25
The terms of engagement shall identify: (Ref: Para. A28-A36)
- the purpose of the engagement;
- whether the engagement is a reasonable or limited assurance engagement;
- whether the engagement is an attestation or direct engagement and, in the case of an attestation engagement, the form of the responsible party’s or evaluator’s evaluation of the controls or Statement and whether that Statement will be available to intended users or only referenced in the assurance report; (Ref: Para. A28)
- the subject matter of the engagement, including identification of the system and the component/s of control to be addressed and the functional and physical boundaries of that system and whether the subject matter includes description, implementation or operating effectiveness of controls, in addition to design; (Ref: Para. A29-A31, A34)
- the date or time period to be covered by the engagement; (Ref: Para. A32)
- if a third party operates controls on behalf of the entity which are integral to the system included in the scope of the assurance engagement, whether the inclusive or carve-out method has been used in relation to those third party controls;
- the criteria against which the design of controls will be assessed, expressed either as control objectives or as the overall objectives which those control objectives seek to address, including the source of those objectives or the party who is to provide or develop those objectives; (Ref: Para. A33-A34)
- the intended users of the assurance report;
- the content of the assurance report, including whether it will be a short-form or long-form report, including additional information such as the specific control objectives, the related controls, tests of controls conducted or detailed findings; and (Ref: Para. A35-A36)
- any other matters required by law or regulation to be included in the terms of engagement.
Acceptance of a Change in the Terms of the Engagement
See ASAE 3000, paragraph 29.
Assurance Report Prescribed by Law or Regulation
27
If law or regulation prescribes the criteria for evaluation of the relevant controls or the form and content of the assurance report, the assurance practitioner evaluates the criteria and form and content of the assurance report. If the criteria are unsuitable or if intended users might misunderstand the assurance report, the assurance practitioner shall:
- not accept the engagement unless additional explanation in the report mitigates these circumstances; or
- not include any reference within the assurance report to the engagement having been conducted in accordance with ASAE 3000 or this ASAE, if required to accept the engagement by law or regulation.
Quality Control
28
The assurance practitioner shall implement quality control procedures as required by ASAE 3000.[25]
[25] See ASAE 3000, paragraphs 31-36.
Professional Scepticism, Professional Judgement and Assurance Skills and Techniques
29
The assurance practitioner shall apply professional scepticism, exercise professional judgement and apply assurance skills and techniques in planning and performing an assurance engagement on controls as required by ASAE 3000.[26] In applying professional scepticism, the assurance practitioner shall recognise the possibility that a deficiency in design, misstatement in the description of the system, deficiency in implementation or deviation in the operating effectiveness of controls due to fraud could exist, notwithstanding the assurance practitioner’s past experience of the honesty and integrity of the entity’s management and those charged with governance.
[26] See ASAE 3000, paragraphs 37-39.
30
The assurance practitioner shall discuss with the engagement team how and where the entity’s controls may be susceptible to circumvention due to fraud, including how fraud might occur. The discussion shall occur setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity.
Planning and Performing the Engagement
Planning
See ASAE 3000, paragraph 40.
32
In planning the engagement, if the scope of the engagement is based on overall control objectives, then the assurance practitioner shall identify, select or develop specific control objectives, to achieve the agreed overall control objectives against which the design of controls can be tested. If a description of the system is included in the scope of the engagement the specific control objectives are ordinarily included in that description. In an attestation engagement, if there is no description, the specific control objectives ordinarily are identified in documentation on which the responsible party’s Statement is based. However, in a direct engagement, where the responsible party does not explicitly evaluate the controls for the purposes of the engagement or provide a Statement on the outcome of that evaluation, if there is no description, the assurance practitioner shall take a more active role in identifying, selecting or developing specific control objectives against which to evaluate the design of controls. (Ref: Para. A44-A45)
33
The assurance practitioner shall identify the controls relevant to the achievement of each specific control objective, which are either identified in the terms of the engagement or identified, selected or developed in planning the engagement under paragraph 32.
Materiality
34
The assurance practitioner shall consider materiality, as required by ASAE 3000,[28] when determining the nature, timing and extent of procedures.
[28] See ASAE 3000, paragraph 44.
35
The assurance practitioner shall identify a control or combination of controls as material if it is fundamental to the achievement of a control objective, included in the scope of the engagement, by mitigating the risks that threaten achievement of that objective. During the engagement the assurance practitioner shall reassess the materiality of the controls if matters come to their attention which indicate that the basis on which the materiality of those controls was determined has changed. (Ref: Para. A47-A52)
36
The assurance practitioner shall also consider materiality when evaluating the effect of accumulated deficiencies in the design, and if applicable, misstatements in the description of the system, deficiencies in implementation or deviations in operating effectiveness of controls as designed. Material deficiencies, misstatements and deviations are those which could reasonably be expected to influence relevant decisions of the intended users. (Ref: Para. A49-A50)
Obtaining an Understanding of the Entity’s System and Other Engagement Circumstances and Identifying and Assessing Risks of Material Misstatement
37
The assurance practitioner shall obtain an understanding of the system, including controls, or the control components within the system that are included in the scope of the engagement, and other engagement circumstances, and on the basis of that understanding, the assurance practitioner shall: (Ref: Para. A53-A55)
- for a direct engagement, consider whether the identification, selection or development of control objectives is appropriate, and/or select or develop further suitable control objectives; and
- for both attestation and direct engagements:
  - identify the risks that threaten achievement of the control objectives;
  - identify the controls designed to mitigate those risks;
  - identify and assess the risk that: (Ref: Para. A56-A66)
    - the controls are not suitably designed to achieve the control objectives identified;
    - the description (if included in the scope of the engagement) does not fairly present the system as designed;
    - the controls were not implemented (if included in the scope of the engagement) as designed; and
    - the controls were not operating effectively (if included in the scope of the engagement) throughout the period; and
  - identify the characteristics of the controls identified as a basis for designing assurance procedures to respond to the risks identified in paragraph 37(b)(iii).
38
When understanding the system within which the controls operate, the assurance practitioner shall consider other components of control beyond the components being reported upon, which may impact on the design, implementation or operating effectiveness of those controls. (Ref: Para. A67-A69)
Identifying Risks of Fraud
39
When performing risk assessment procedures and related activities to obtain an understanding of the system and other engagement circumstances, the assurance practitioner shall perform the following procedures, to obtain information for use in identifying the risks of the control objectives not being achieved due to fraud: (Ref: Para. A70)
- make enquiries of management regarding:
  - management’s assessment of the risk that controls may be circumvented due to fraud, including the nature, extent and frequency of such assessment;
  - management’s process for identifying and responding to the risks of fraud;
  - management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud; and
  - management’s communication, if any, to employees regarding its views on corrupt or fraudulent business practices and unethical behaviour;
- make enquiries of those charged with governance, management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity;
- make enquiries of the internal audit function, where it exists, to determine whether it has knowledge of any actual, suspected or alleged fraud affecting the entity, and to obtain its views about the risks of fraud;
- obtain an understanding of how those charged with governance exercise oversight of management’s processes for identifying and responding to the risks of fraud in the entity and the internal control that management has established to mitigate these risks;
- consider whether other information obtained by the assurance practitioner indicates risks of control objectives not being achieved due to fraud, for which mitigating controls are necessary;
- evaluate whether the information obtained from the other risk assessment procedures and related activities performed indicates that one or more fraud risk factors are present; and
- identify controls over matters for which decisions or actions are not routine, such as adjustments to records, development of estimates and activities outside the normal course of business.
Obtaining an Understanding of the Internal Audit Function
40
In planning the engagement, the assurance practitioner shall determine whether the entity has an internal audit function. If so, the assurance practitioner shall obtain an understanding of the internal audit function and perform a preliminary assessment regarding: (Ref: Para. A71)
- its impact on the system and the components of control within that system, including the control environment, risk assessment, information and communication, monitoring activities and control activities in relation to the system; and
- its effect on procedures to be performed by the assurance practitioner.
See ASAE 3000, paragraph 55.
42
The use of internal auditors to provide direct assistance is prohibited in an assurance engagement conducted in accordance with this ASAE. Direct assistance is the performance of assurance procedures under the direction, supervision and review of the assurance practitioner.[30] This prohibition does not preclude reliance on the work of the internal audit function to modify the nature or timing, or reduce the extent, of assurance procedures to be performed directly by the assurance practitioner. (Ref: Para. A71)
Determining Whether and to What Extent to Use the Work of the Internal Audit Function
43
If the assurance practitioner’s evaluation of the internal audit function confirms that the work of the internal audit function can be used for purposes of the engagement, then the assurance practitioner shall determine the planned effect of the work of the internal audit function on the nature, timing or extent of the assurance practitioner’s procedures and in doing so, shall consider: (Ref: Para. A72)
- the nature and scope of work performed, or to be performed, on controls within the system by the internal audit function;
- the significance of that work to the assurance practitioner’s conclusions; and
- the degree of subjectivity involved in the evaluation of the evidence obtained in support of those conclusions.
Documentation of the System
44
When obtaining an understanding of the system, if a description of the system is not prepared by the responsible party, the assurance practitioner shall document the system, to the extent considered appropriate as a basis for planning the engagement, which ordinarily includes identification of:
- the control objectives; and
- the controls designed to achieve those objectives.
Obtaining Evidence
45
Based on the assurance practitioner’s understanding obtained under paragraph 37 the assurance practitioner shall perform assurance procedures to respond to assessed risks identified in paragraph 37(b)(iii) to obtain limited or reasonable assurance to support the assurance practitioner’s conclusion. (Ref: Para. A73-A77)
46
The assurance practitioner shall design and perform additional procedures, the nature, timing and extent of which are responsive to the risks of material deficiency in the design, misstatement in the description, deficiency in the implementation or deviation in operating effectiveness of controls, having regard to the level of assurance required, reasonable or limited, as appropriate. (Ref: Para. A77)
Responses to Assessed Risks of Fraud
47
The assurance practitioner shall treat those assessed risks of control objectives not being achieved due to fraud as significant risks and accordingly, the assurance practitioner shall design and perform further assurance procedures, on controls designed to mitigate such risks, whose nature, timing and extent are responsive to those assessed risks, having regard to the level of assurance required, reasonable or limited, as appropriate.
Obtaining Evidence Regarding the Design of Controls
48
The assurance practitioner shall determine which of the controls at the entity are necessary to achieve the control objectives, whether those controls are presented in the entity’s description of its system or identified by the assurance practitioner, and shall assess whether those controls were suitably designed. This determination shall include: (Ref: Para. A78-A84)
- identifying the risks that threaten achievement of the control objectives;
- evaluating whether the controls as designed would be sufficient to mitigate those risks when operating effectively, in all material respects; and
- for engagements over a period, evaluating whether any changes in controls as designed during the period would be sufficient to mitigate those risks, in all material respects.
49
Limited Assurance | Reasonable Assurance |
L. In assessing the suitability of the design of controls, the assurance practitioner shall, at a minimum: | R. In assessing the suitability of the design of controls, the assurance practitioner shall: |
50
Limited Assurance | Reasonable Assurance |
L. If the assurance practitioner becomes aware of a matter(s) that causes the assurance practitioner to believe that a material deficiency in the design of controls may exist, the assurance practitioner shall design and perform additional assurance procedures until the assurance practitioner has obtained sufficient appropriate evidence to conclude on whether the design is suitable. The performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement as they relate to the reduction of risk to an acceptable level with respect to that matter alone. | R. In circumstances where the assurance practitioner obtains evidence which is inconsistent with the evidence on which the assurance practitioner originally based the assessment of the risk that the design of controls may be unsuitable, the assurance practitioner shall revise the assessment and modify the planned procedures accordingly. |
Obtaining Evidence Regarding the Description
51
If the scope of the engagement includes assurance on the entity’s description of the system, the assurance practitioner shall obtain and read that description, and shall evaluate whether those aspects of the description included in the scope of the engagement are fairly presented, including whether: (Ref: Para. A86)
- the functions and services of the system are adequately identified;
- the geographic, operational or functional boundaries of the system are appropriate in the circumstances of the engagement;
- the date or time period covered by the description is appropriate;
- the components of control covered by the description are appropriate for the scope of the engagement;
- controls are described in sufficient detail to enable them to be identified for testing;
- in the case of a report covering operating effectiveness of controls, changes to the system or to controls during the period covered by the description are described adequately;
- the description does not omit or distort information relevant to the scope of the system or the controls being described;
- in the case of a service organisation, complementary user entity or client controls necessary to achieve the control objectives are adequately described, including their importance in achieving the relevant objectives; (Ref: Para. A87)
- controls are described as designed and, if included in the scope of the engagement, as implemented; and
- functions outsourced to a third party or service organisation, if any, are adequately described, including whether the inclusive method or the carve-out method has been used in relation to them.
52
Limited Assurance | Reasonable Assurance |
L. The assurance practitioner shall determine whether the system has been described as designed and, if included in the scope of the engagement, as implemented, at a minimum through making enquiries. If the assurance practitioner determines that additional assurance procedures, such as inspection of records and documentation or observation of controls, are required to dispel or confirm a suspicion that a material misstatement in the description of the system exists, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement as they relate to the reduction of risk to an acceptable level with respect to that matter alone. (Ref: Para. A87-A88) | R. The assurance practitioner shall determine whether the system has been described as designed and, if included in the scope of the engagement, as implemented through other procedures in combination with enquiries. Those other procedures shall include inspection of records and other documentation evidencing the manner in which the system was designed, and if included in the scope of the engagement, observation of the controls which have been implemented. (Ref: Para. A87-A88) |
Obtaining Evidence Regarding Implementation of Controls
53
If implementation is included in the scope of the engagement, the assurance practitioner shall obtain sufficient appropriate evidence that the controls identified as necessary to achieve the identified control objectives were implemented as designed as at the specified date. Consequently, the assurance practitioner’s evaluation of the design of controls often influences the nature, timing and extent of tests of implementation. (Ref: Para. A89-A90)
54
Limited Assurance | Reasonable Assurance |
L - The assurance procedures to test implementation of controls shall include, at a minimum, making enquiries and observation. If the assurance practitioner determines that additional assurance procedures, such as the inspection of records and documentation, are required to dispel or confirm a suspicion that a material deficiency in the implementation of controls exists, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement as they relate to the reduction of risk to an acceptable level with respect to that matter alone. | R - The assurance procedures to test implementation of controls shall include enquiry of management or others within the entity and observation and/or inspection of records and other documentation, regarding the manner in which the controls were implemented. Procedures may include determining: (Ref: Para. A90) |
55
When designing and performing tests of implementation, the assurance practitioner shall determine whether controls implemented depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain evidence supporting the implementation of those indirect controls.
Obtaining Evidence Regarding Operating Effectiveness of Controls
56
When reporting on operating effectiveness over the period, the assurance practitioner shall test those controls that the assurance practitioner has determined are necessary to achieve the control objectives identified, and assess their operating effectiveness throughout the period. Consequently, the assurance practitioner’s evaluation of the design of controls often influences the nature, timing and extent of tests of operating effectiveness. Evidence obtained in prior engagements about the satisfactory operation of material controls in prior periods does not provide a basis for a reduction in testing of those controls, even if it is supplemented with evidence obtained during the current period. (Ref: Para. A91-A95, A104)
57
Limited Assurance | Reasonable Assurance |
L - The nature, timing and extent of tests of operating effectiveness shall ordinarily be limited to discussion with entity personnel, observation of the system in operation and walk-through for an appropriate number of instances of material controls in operation to identify any deviations from the specified design. Alternatively, the results of exception reporting, monitoring or other management controls may be examined to provide evidence about the operation of the control rather than directly testing it. (Ref: Para. A94) | R - The nature, timing and extent of tests of operating effectiveness shall ordinarily include, in addition to discussion with entity personnel and observation of the system in operation for deviations from the specified design, re-performance of control procedures, or other examination and follow-up of the application of controls, on a test basis to provide sufficient appropriate evidence on which to base an opinion. The results of exception reporting, monitoring or other management controls may be examined to reduce the extent of direct testing of the operation of the control but shall not eliminate it entirely. (Ref: Para. A94) |
58
Limited Assurance | Reasonable Assurance |
L - The assurance practitioner shall apply professional judgement in determining the specific nature, timing and extent of procedures to be conducted, which will depend on the assessed risks of material deviations in the operating effectiveness of controls. If the assurance practitioner determines that additional assurance procedures are required to dispel or confirm a suspicion that a material deviation in the operating effectiveness of controls exists, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement as they relate to the reduction of risk to an acceptable level with respect to that matter alone. (Ref: Para. A93, A101) | R - The assurance practitioner shall apply professional judgement in determining the specific nature, timing and extent of procedures to be conducted, which will depend on the assessed risks of material deviations in the operating effectiveness of controls. (Ref: Para. A94-A95, A101) |
59
Limited Assurance | Reasonable Assurance |
| R - When determining the extent of tests of controls, the assurance practitioner shall consider matters including the characteristics of the population to be tested, which includes the nature of controls, the frequency of their application (for example, monthly, daily, a number of times per day), and the expected rate of deviation. Some controls operate continuously, while others operate only at particular times, so the tests of operating effectiveness shall be performed over a period of time that is adequate to determine that the control procedures are operating effectively. (Ref: Para. A95-A100, A102) |
60
If a material control did not operate during the period, because the circumstances necessary to trigger that control did not arise, the assurance practitioner shall conclude that the controls, necessary to achieve the control objectives, operated effectively as designed if the assurance practitioner obtained sufficient appropriate evidence that the circumstances necessary to trigger the control were adequately monitored by the entity and those circumstances did not arise during the period. (Ref: Para. A100)
61
Where control procedures have changed during the period subject to examination, the assurance practitioner shall test the operating effectiveness of both the superseded control(s) and the new control(s) and consider whether the new controls have been in place for a sufficient period to assess their effectiveness.
Sampling
62
When the assurance practitioner uses sampling to select controls for testing operating effectiveness over a period, the assurance practitioner shall: (Ref: Para. A102-A107)
- consider the purpose of the procedure and the characteristics of the controls from which the sample will be drawn when designing the sample;
- determine a sample size sufficient to reduce sampling risk to an acceptably low level;
- select items for the sample in such a way that each sampling unit in the population has a chance of selection and the sample is representative of the population; and
- if unable to apply the designed procedures, or suitable alternative procedures, to a selected item, treat that item as a deviation.
Evaluating the Evidence Obtained
63
ASAE 3000[31] requires the assurance practitioner to accumulate uncorrected misstatements identified during the engagement other than those that are clearly trivial. Misstatements in an engagement on controls include:
- deficiencies in the suitability of the design of controls to achieve the control objectives;
- misstatements in the description of the system;
- deficiencies in the implementation of controls as designed; and
- deviations in the operating effectiveness of controls as designed.
See ASAE 3000, paragraph 51.
Deficiencies in Design of Controls
64
Where the assurance practitioner is unable to identify controls which are suitable or controls as designed are not suitable to achieve the identified control objective/s, this shall constitute a deficiency in the design of controls. The assurance practitioner shall accumulate deficiencies in the design of controls, other than those which are clearly trivial, and identify any compensating controls in the design which may mitigate those deficiencies in achieving the identified control objectives. The existence of compensating controls may be identified during the course of the engagement even if they were not identified in the design at the outset. The assurance practitioner shall assess the design deficiencies and determine whether they have a material impact on achieving the control objectives on which the assurance practitioner is required to conclude.
Misstatements in the Description of the System
65
If the assurance practitioner identifies misstatements in the description of the system, such as insufficient detail to meet the needs of users, or controls described differently from the controls as designed, the assurance practitioner shall advise the responsible party of those inaccuracies, inadequacies or omissions, other than those which are clearly trivial. The assurance practitioner shall provide the responsible party with the opportunity to amend the description, unless prohibited by legislation or the terms of the engagement, so that it reflects the system as designed at a point in time and/or during the period.
66
If the responsible party declines to amend the description when misstatements are identified, the assurance practitioner shall consider the materiality of the misstatements and their impact on the assurance conclusion. If the assurance conclusion is to be modified with respect to the fair presentation of the description of the system, the assurance practitioner shall consider whether the description can provide a basis for testing the design, implementation or operating effectiveness of the system.
Deficiencies in Implementation of Controls
67
The assurance practitioner shall accumulate any deficiencies in implementation of controls as designed, identified during the engagement, other than those which are clearly trivial, and assess whether the combined deficiencies will have a material impact on the implementation of controls as designed.
Deviations in Operating Effectiveness of Controls
68
The assurance practitioner shall investigate the nature and cause of any deviations from the design identified in the operation of the controls, other than those which are clearly trivial, and shall determine whether: (Ref: Para. A108-A109)
- identified deviations are within the expected rate of deviation and are acceptable; therefore, the testing that has been performed provides an appropriate basis for a reasonable or limited assurance conclusion, as applicable, that the control operated effectively throughout the period;
- additional testing of the control or of other compensating or indirect controls is necessary to reach a reasonable or limited assurance conclusion, as applicable, on whether the controls relative to a particular control objective operated effectively throughout the period; or
- the testing that has been performed provides an appropriate basis for a reasonable or limited assurance conclusion, as applicable, that the control/s did not operate effectively throughout the period.
69
In the extremely rare circumstances when the assurance practitioner considers a deviation discovered in a sample to be an anomaly and no other deviations have been identified that lead the assurance practitioner to conclude that the relevant control is not operating effectively throughout the period, the assurance practitioner shall obtain a high degree of certainty that such deviation is not representative of the population. The assurance practitioner shall obtain this degree of certainty by performing additional procedures to obtain sufficient appropriate evidence that the deviation is anomalous.
70
The assurance practitioner shall accumulate deviations in the operating effectiveness of controls identified during the engagement, other than those which are clearly trivial, and identify any compensating controls which may mitigate those deviations.
71
The assurance practitioner shall assess the impact of the combined control deviations and determine whether they will have a material impact on the operation of the system as designed in achieving the identified control objectives. (Ref: Para. A108-A109)
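The sampling requirements in paragraph 62 and the evaluation of deviations in paragraphs 68 to 71 do not prescribe a statistical method. The following Python attribute-sampling routine is an added illustration, not part of this standard: it assumes a binomial model for the number of deviations, a 95% confidence level and a tolerable deviation rate chosen by the practitioner; the population (a daily control operating on every day of 2023), the seed, the status names and the sample results are all constructed for the example. It determines a sample size, selects items so that every occurrence has a chance of selection, treats a selected item for which neither the planned nor an alternative procedure could be applied as a deviation (paragraph 62), and computes the upper deviation limit the sample supports so that the practitioner can see whether the observed deviations are within the rate the test was designed to tolerate (paragraph 68). The arithmetic cannot establish that a deviation is anomalous; paragraph 69 requires additional procedures for that.

```python
"""Attribute sampling for a test of operating effectiveness over a period.

Added illustration, not part of ASAE 3150. Assumed (not from the standard):
a binomial model for the number of deviations in the sample, a confidence
level of 95% (a 5% risk of concluding the control operated effectively when
the true deviation rate exceeds the tolerable rate), a tolerable deviation
rate chosen by the practitioner, and a seeded PRNG whose seed is recorded so
that the selection can be re-performed by a reviewer.
"""
import math
import random
from datetime import date, timedelta

# Item outcomes (constructed names). An item to which neither the designed
# nor an alternative procedure could be applied counts as a deviation.
STATUSES = ("effective", "deviation", "no_evidence")


def binom_cdf(n, k, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k + 1))


def sample_size(tolerable, expected, confidence=0.95):
    """Smallest n such that, were the true deviation rate equal to the
    tolerable rate, observing no more than the expected number of deviations
    would have probability <= 1 - confidence."""
    if not 0.0 <= expected < tolerable < 1.0:
        raise ValueError("need 0 <= expected < tolerable < 1")
    alpha = 1.0 - confidence
    n = 1
    while True:
        allowed = math.ceil(expected * n)  # deviations the plan will accept
        if binom_cdf(n, allowed, tolerable) <= alpha:
            return n
        n += 1


def upper_deviation_limit(n, k, confidence=0.95):
    """One-sided upper bound on the population deviation rate supported by
    k deviations in n items (bisection; the CDF falls as p rises)."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if binom_cdf(n, k, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def select_sample(population, n, seed):
    """Random selection without replacement, so every sampling unit has a
    chance of selection. The seed belongs in the working papers."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(population), n))


def evaluate(results, tolerable, confidence=0.95):
    """results maps each selected item to a status from STATUSES."""
    if any(s not in STATUSES for s in results.values()):
        raise ValueError("unknown status")
    n = len(results)
    deviations = sum(1 for s in results.values() if s != "effective")
    upper = upper_deviation_limit(n, deviations, confidence)
    return {"n": n, "deviations": deviations, "upper_limit": upper,
            "within_tolerable": upper <= tolerable}


def run_example():
    """Constructed data: a daily control (review of the privileged-access
    log) operating on every day of 2023, tested at 5% tolerable, 0% expected."""
    start = date(2023, 1, 1)
    population = [start + timedelta(days=d) for d in range(365)]
    n = sample_size(tolerable=0.05, expected=0.0)  # 59 items
    selected = select_sample(population, n, seed=20231231)
    results = {d: "effective" for d in selected}
    # Constructed finding: the review record for one selected day could not be
    # located and no alternative procedure was possible, so the item is kept
    # in the sample and counted as a deviation rather than replaced.
    results[selected[0]] = "no_evidence"
    return evaluate(results, tolerable=0.05)
```

With no deviations, the 59-item sample supports an upper deviation limit just under 5%; the single unevidenced item raises it to roughly 8%, so the sample no longer supports the first outcome in paragraph 68, and the practitioner must either extend testing (including of compensating or indirect controls) or conclude that the control did not operate effectively throughout the period. The sizes of 59 (0% expected) and 93 (1% expected) at 5% tolerable and 95% confidence agree with commonly published attribute-sampling tables, which is a useful check on any implementation.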
Indication of Fraud
72
If the assurance practitioner identifies a misstatement in the description, deficiency in the design or implementation of a control or a deviation in the operating effectiveness of that control, the assurance practitioner shall evaluate whether such a misstatement, deficiency or deviation is indicative of fraud. If there is such an indication, the assurance practitioner shall respond appropriately. (Ref: Para. A110)
73
If, as a result of fraud, the assurance practitioner confirms that the controls are not suitably designed, the description is materially misstated, the controls were not implemented as designed or did not operate effectively throughout the period, or is unable to reach a conclusion, the assurance practitioner shall modify the assurance conclusion accordingly.
Non-compliance with Laws or Regulations
74
If the assurance practitioner becomes aware of information concerning an instance of non‑compliance or suspected non-compliance with respect to laws and regulations, whether due to the controls themselves not meeting compliance requirements or a failure of controls to prevent or detect non-compliance by the entity, the assurance practitioner shall:
- discuss the matter with management and, if those matters are intentional or material, with those charged with governance, unless management or those charged with governance are suspected of involvement in the non‑compliance, in which case discuss the matter with a level of authority above those suspected of involvement;
- determine whether the assurance practitioner has a responsibility to report the identified or suspected non-compliance to parties outside of the entity and, if necessary, seek legal advice;
- if sufficient information regarding suspected non-compliance cannot be obtained, evaluate the effect of insufficient evidence on the assurance report;
- evaluate the implications of non-compliance in relation to other aspects of the engagement, including the risk assessment and the reliability of written representations; and
- consider the impact on the assurance practitioner’s conclusion of identified non‑compliance.
Work Performed by an Assurance Practitioner’s Expert
75
When the assurance practitioner plans to use the work of an assurance practitioner’s expert, the assurance practitioner shall comply with the requirements in ASAE 3000.[32] (Ref: Para. A111)
See ASAE 3000, paragraph 52.
Work Performed by Another Assurance Practitioner or a Responsible Party’s or Evaluator’s Expert
See ASAE 3000, paragraphs 53-54.
Work Performed by the Internal Audit Function
Using the Work of the Internal Audit Function
77
In order for the assurance practitioner to use specific work of the internal audit function, the assurance practitioner shall determine its adequacy for the assurance practitioner’s purposes in accordance with ASAE 3000.[34] In doing so, the assurance practitioner shall evaluate whether: (Ref: Para. A114)
- the work was performed by internal auditors having adequate technical training and proficiency;
- the work was properly supervised, reviewed and documented;
- adequate evidence has been obtained to enable the internal auditors to draw reasonable conclusions;
- conclusions reached are appropriate in the circumstances and any reports prepared by the internal auditors are consistent with the results of the work performed; and
- exceptions relevant to the engagement or unusual matters disclosed by the internal auditors are properly resolved.
See ASAE 3000, paragraph 55.
78
Although the assurance practitioner may consider the results of any tests of the operating effectiveness of controls conducted by the internal audit function when evaluating operating effectiveness, the assurance practitioner shall remain responsible for obtaining sufficient appropriate evidence to support the assurance practitioner’s conclusion and, if appropriate, corroborate the results of such tests. When evaluating whether sufficient appropriate evidence has been obtained, the assurance practitioner shall consider that evidence obtained through direct personal knowledge, observation, re-performance and inspection is more persuasive than information obtained indirectly, from internal audit or from management or other entity personnel. Further, judgements about the sufficiency and appropriateness of evidence obtained and other factors affecting the assurance practitioner’s conclusion, such as the materiality of identified control deficiencies or deviations, shall be those of the assurance practitioner. (Ref: Para. A114)
Effect on the Assurance Report
79
If the work of the internal audit function has been used, the assurance practitioner shall make no reference to that work in the section of the assurance report that contains the assurance practitioner’s conclusion. (Ref: Para. A115)
Written Representations
80
The assurance practitioner shall request the responsible party, or other relevant person(s) within the entity, and any third party or service organisation(s), who are responsible for material controls for which the inclusive method has been used, to provide written representations, in addition to those required by ASAE 3000,[35] that the responsible party (or third party or service organisation, as applicable):
- in the case of an attestation engagement, reaffirms their Statement regarding the outcome of the responsible party’s evaluation of the controls against the control objectives with respect to the suitability of the design, and if included in the scope of the engagement, fair presentation of the description, implementation as designed and/or operating effectiveness, at a point in time or throughout the period as appropriate;
- acknowledges its responsibility for establishing and maintaining the entity’s system, including identifying the risks that threaten achievement of the identified control objectives, and designing, implementing and maintaining controls to mitigate those risks, including the risk of fraud, so that those risks will not prevent achievement of the control objectives and therefore that the identified control objectives will be achieved;
- has provided the assurance practitioner with all relevant information and access agreed to, as set out in paragraph 24(b)(v);
- has disclosed to the assurance practitioner any of the following of which it is aware may be relevant to the engagement:
- deficiencies in the design of controls to achieve the identified control objectives;
- uncorrected misstatements, including omissions, in the description of the system;
- deficiencies in the implementation of controls as designed;
- instances where controls have not operated effectively as designed, including instances of non-compliance or suspected non-compliance with laws and regulations, fraud or suspected fraud;
- any events subsequent to the period covered by the assurance practitioner’s report up to the date of the assurance report that could have a significant effect on the assurance practitioner’s report; and
- the identity of any third parties who operate controls on behalf of the entity, which form part of the system, and whether the carve-out method or inclusive method has been used in the description in relation to those controls and related control objectives.
See ASAE 3000, paragraph 56.
See ASAE 3000, paragraphs 58-60.
Subsequent Events
82
Assurance procedures required to be conducted under ASAE 3000,[37] to identify all matters up to the date of the assurance report that may have caused the assurance practitioner to amend the assurance report on the design and/or description, implementation or operating effectiveness of controls, shall include enquiry as to whether the responsible party is aware of any events subsequent to the period covered by the assurance engagement up to the date of the assurance practitioner’s report that may have caused the assurance practitioner to amend the assurance report. If the assurance practitioner is aware of such an event, remedial action has either not been taken or is not effective in mitigating the impact on the assurance conclusion, and information about that event is not disclosed by the responsible party, the assurance practitioner shall disclose the subsequent event in the assurance practitioner’s report. If the event may impact the assurance conclusion, the assurance practitioner shall gather further evidence sufficient to determine whether the assurance conclusion remains appropriate or a modified assurance conclusion is required. (Ref: Para. A119-A123)
See ASAE 3000, paragraph 61.
Other Information
83
When any document that, to the assurance practitioner’s knowledge, will contain the assurance practitioner’s report on controls also includes other information, the assurance practitioner shall read that other information and respond to any material inconsistencies identified with the entity’s system or an apparent misstatement of fact, in accordance with ASAE 3000.[38] (Ref: Para. A124-A126)
See ASAE 3000, paragraph 62.
Forming the Assurance Conclusion
84
The assurance practitioner shall evaluate the sufficiency and appropriateness of the evidence obtained in the context of the engagement and, if necessary, attempt to obtain further evidence. If the assurance practitioner is unable to obtain necessary further evidence, the assurance practitioner shall consider the implications for the assurance practitioner’s conclusion in accordance with ASAE 3000.[39] The assurance practitioner shall qualify their conclusion if the possible effects of undetected misstatements, deficiencies or deviations due to an inability to obtain sufficient appropriate evidence could be material, and shall disclaim their conclusion if the possible effects could be both material and pervasive.
See ASAE 3000, paragraph 66.
85
When the assurance practitioner forms a conclusion in accordance with ASAE 3000,[40] the assurance practitioner shall evaluate the materiality, individually and in aggregate whether due to fraud or error, of any: (Ref: Para. A127)
- deficiencies in the design of controls to achieve the identified control objectives;
- uncorrected misstatements in the description of the system;
- deficiencies in the implementation of controls as designed; and
- deviations in the operating effectiveness of controls.
See ASAE 3000, paragraphs 64-65.
86
The assurance practitioner shall identify any compensating or indirect controls which may mitigate the deficiencies or deviations identified and impact on the evaluation of material deficiencies or deviations.
87
The assurance practitioner shall assess the impact of uncorrected deficiencies in the design, misstatements in the description, deficiencies in the implementation or deviations in operating effectiveness of controls, which are material individually or in combination, on the assurance practitioner’s conclusion on the suitability of the design of the controls, and/or fair presentation of the description, implementation as designed or operating effectiveness of controls. If the deficiencies or deviations identified are: (Ref: Para. A127-A128)
- material but not pervasive, the assurance practitioner shall qualify their assurance conclusion with respect to the relevant matter; or
- material and pervasive, the assurance practitioner shall issue an adverse conclusion. If those material and pervasive deficiencies relate to the design, the assurance practitioner shall issue a modified report without performing any tests of operating effectiveness, as any conclusion on the operating effectiveness of controls based on an unsuitable design may be misleading.
Preparing the Assurance Report
88
The assurance practitioner shall prepare the assurance report in accordance with ASAE 3000[41] for attestation engagements and shall also apply those requirements for direct engagements.
See ASAE 3000, paragraphs 67-69.
Assurance Report Content
89
For both attestation and direct engagements, the assurance practitioner shall include in the assurance report the basic elements required by ASAE 3000,[42] which are at a minimum: (Ref: Para. A139)
- a title, indicating that it is an independent assurance report;
- an addressee;
- an identification of whether reasonable or limited assurance has been obtained by the assurance practitioner;
- identification of the controls which comprise the underlying subject matter of the engagement including:
- the distinguishing features of the system, boundaries of the system and the control components within that system which was subject to the assurance engagement;
- the date/s or period covered by the assurance engagement;
- the description of the system, if included in the scope of the engagement, and any parts of the description that are not covered by the assurance practitioner’s conclusion;
- in the case of an attestation engagement, reference to the responsible party’s Statement as required by paragraph 24(a)(i) and whether that Statement is available to intended users by accompanying the assurance report, reproduction in the assurance report or another identified source;
- if functions relevant to the system of controls are performed by a third party:
- the nature of activities performed by the third party and whether the inclusive method or the carve‑out method has been used in relation to the relevant controls operating at the third party;
- where the carve‑out method has been used, a statement that the assurance engagement excludes the control objectives and related controls at relevant third parties, and that the assurance practitioner’s procedures did not extend to controls at the third party; and
- where the inclusive method has been used, a statement that the assurance engagement includes control objectives and related controls at the third party, and that the assurance practitioner’s procedures extended to controls at the third party;
- identification of the overall and/or specific control objectives used as criteria for evaluating the design of controls and the party specifying those control objectives; (Ref: Para. A132)
- if appropriate, a description of any significant inherent limitations associated with the evaluation of the design of the controls against the control objectives;
- when the control objectives are designed for a specific purpose, a statement alerting users to this fact and that, as a result, the description and/or responsible party’s or evaluator’s Statement may not be suitable for another purpose; (Ref: Para. A133-A134, A140)
- a statement that the responsible party or evaluator is responsible for:
- in an attestation engagement:
- providing a Statement with respect to the outcome of the evaluation of the design against the identified control objectives, and, as applicable, the description, implementation and/or operating effectiveness of controls against the design;
- identifying the control objectives (where not identified by law or regulation, or another party, for example, a user group or a professional body); and
- in both an attestation and a direct engagement:
- the functions or services within the entity’s system covered by the assurance practitioner’s report;
- preparing the description of the entity’s system, if included in the scope of the engagement, including the completeness, accuracy and method of presentation of that description; and
- designing and, if included in the scope of the engagement, implementing or operating effectively controls to achieve the control objectives relevant to the entity’s system;
- in an attestation engagement:
- a statement that the assurance practitioner’s responsibility is to express a conclusion on the design of controls related to the overall and/or specific control objectives relevant to the entity’s system, and, if included in the scope of the engagement:
- the entity’s description of the system;
- the implementation of the controls as designed; and/or
- the operating effectiveness of those controls;
- a statement that the engagement was performed in accordance with ASAE 3150 Assurance Engagements on Controls;
- a statement that the firm of which the assurance practitioner is a member applies ASQC 1;
- a statement that the assurance practitioner complies with the independence and other relevant ethical requirements related to assurance engagements;
- a summary of the work performed by the assurance practitioner to obtain reasonable or limited assurance and a statement of the assurance practitioner’s belief that the evidence obtained is sufficient and appropriate to provide a basis for the assurance practitioner’s conclusion, and, if applicable, a statement that the assurance practitioner has not performed any procedures regarding the implementation or operating effectiveness of controls and therefore no conclusion is expressed thereon. In the case of a limited assurance engagement, in which an appreciation of the nature, timing, and extent of procedures performed is essential to understanding the assurance practitioner’s conclusion, the summary of the work performed shall state that: (Ref: Para. A135-A138)
- the procedures performed in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement; and
- consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed;
- a statement of the limitations of controls and, if applicable, of the risk of projecting to other periods the outcome of any evaluation of the operating effectiveness of controls; (Ref: Para. A129)
- either, the assurance practitioner’s opinion for a reasonable assurance engagement or the assurance practitioner’s conclusion for a limited assurance engagement about whether, in all material respects:
- for a report on design of controls:
- the controls were suitably designed to achieve the identified control objectives; and
- if included in the scope of the engagement, the description fairly presents the system as designed;
- as at a specified date;
- for a report on design and implementation of controls:
- the controls were suitably designed to achieve the identified control objectives;
- if included in the scope of the engagement, the description fairly presents the system as designed; and
- the controls, necessary to achieve the control objectives, were implemented as designed;
- as at a specified date;
- for a report on design and operating effectiveness of controls:
- the controls were suitably designed to achieve the identified control objectives;
- if included in the scope of the engagement, the description fairly presents the system as designed; and
- the controls, necessary to achieve the control objectives, operated effectively as designed;
- throughout the period;
- when the assurance practitioner expresses a modified conclusion, the assurance report shall contain:
- a section (entitled: Basis for Qualified/Adverse/Disclaimer of Conclusion/Opinion) that provides a description of the matter(s) giving rise to the modification; and
- a section that contains the assurance practitioner’s modified conclusion;
- the assurance practitioner’s signature, the date of the assurance report and the location in the jurisdiction where the assurance practitioner practises.
See ASAE 3000, paragraph 69.
90
If the assurance practitioner is required to provide a long-form assurance report to meet the information needs of users, as agreed in the terms of engagement, or as required by law or regulation, the assurance practitioner’s report shall include a separate section, or an attachment, containing any other information and explanations that are not intended to affect the assurance practitioner’s conclusion and are clearly identified as such. (Ref: Para. A130-A131)
91
If the assurance practitioner is required to conclude on other subject matters under different AUASB standards in conjunction with an engagement to report under this ASAE, the assurance report shall include a separate section for each subject matter in the assurance report, clearly differentiated by appropriate section headings.
Emphasis of Matter and Other Matter Paragraphs
92
The assurance practitioner shall include an Emphasis of Matter or Other Matter paragraph in the circumstances provided for in ASAE 3000[43] for an attestation engagement. In a direct engagement, if the assurance practitioner considers it necessary to communicate a matter that, in the assurance practitioner’s judgement, is relevant to intended users’ understanding of the engagement, the assurance practitioner’s responsibilities or the assurance report, the assurance practitioner shall include in the assurance report an Other Matter paragraph, with an appropriate heading, that clearly indicates the assurance practitioner’s conclusion is not modified in respect of the matter. (Ref: Para. A122-A123, A149)
See ASAE 3000, paragraph 73.
Modified Conclusions
93
If the assurance practitioner concludes that:
- the controls were not suitably designed to achieve the control objectives, in all material respects;
- the entity’s description does not fairly present, in all material respects, the system as designed;
- the controls were not implemented as designed, in all material respects;
- the controls tested, which were those necessary to achieve the control objectives, did not operate effectively, in all material respects, throughout the period; or
- the assurance practitioner is unable to obtain sufficient appropriate evidence;
the assurance practitioner’s conclusion shall be modified, and the assurance practitioner’s report shall include a section with a clear description of all the reasons for the modification. (Ref: Para. A141-A148)
Scope Limitation
94
A limitation on the scope of the assurance practitioner’s work may be imposed by the terms of the engagement or by the circumstances of the particular engagement. When the limitation is imposed by the terms of the engagement, and the assurance practitioner believes that an inability to form an opinion or reach a conclusion would need to be expressed, the engagement shall not be accepted or continued past the current period, unless required to do so by law or regulation.
95
When a scope limitation is imposed by the circumstances of the particular engagement, the assurance practitioner shall attempt to perform alternative procedures to overcome the limitation. When a scope limitation exists and remains unresolved, the wording of the assurance practitioner’s conclusion shall indicate that it is qualified as to the effects of any evidence that the controls are not suitably designed, the description is not fairly presented, the controls are not implemented as designed or not operating effectively, which might have been identified had the limitation not existed. If the effect of the unresolved scope limitation is both material and pervasive, the assurance practitioner shall express a disclaimer of conclusion. (Ref: Para. A148)
Other Communication Responsibilities
96
The assurance practitioner shall consider whether, pursuant to the terms of the engagement and other engagement circumstances, any matter has come to the attention of the assurance practitioner that is to be communicated with the responsible party, the evaluator, the engaging party, those charged with governance or others, as required by ASAE 3000.[44] If during the course of the engagement the assurance practitioner identifies any control design deficiencies, deficiencies in implementation or deviations in operating effectiveness, other than those which are clearly trivial, the assurance practitioner shall report to an appropriate level of management or those charged with governance on a timely basis those control deficiencies or deviations. (Ref: Para. A149-A150)
See ASAE 3000, paragraph 78.
97
If the assurance practitioner has identified a fraud or has obtained information that indicates that a fraud may exist, the assurance practitioner shall communicate these matters on a timely basis to the appropriate level of management or those charged with governance in order to inform those with primary responsibility for the prevention and detection of fraud of matters relevant to their responsibilities. The assurance practitioner shall determine whether there is a responsibility to report the occurrence or suspicion to a party outside the entity. (Ref: Para. A150)
98
The assurance practitioner shall design engagement procedures to gather sufficient appropriate evidence to form a conclusion in accordance with the terms of the engagement. In the absence of a specific requirement in the terms of engagement the assurance practitioner does not have a responsibility to design procedures to identify matters outside the scope of the engagement that may be appropriate to report to management or those charged with governance.
Documentation
99
The assurance practitioner shall prepare documentation in accordance with ASAE 3000.[45] In documenting the nature, timing and extent of procedures performed as required by ASAE 3000, the assurance practitioner shall record: (Ref: Para. A151)
- the identifying characteristics of the controls being tested;
- who performed the work and the date such work was completed; and
- who reviewed the work performed and the date and extent of such review.
See ASAE 3000, paragraphs 79-83.
100
If the assurance practitioner uses specific work of the internal audit function, the assurance practitioner shall document the conclusions reached regarding the evaluation of the adequacy of the work of the internal audit function, and the procedures performed by the assurance practitioner on that work.