The International Framework for Assurance Engagements further differentiates assurance engagements inkhổng lồ two types. The differentiation is based on who initially measures or evaluates the subject of interest (subject matter) & provides information about it.
In an attestation (also known as assertion-based engagement), the responsible các buổi party carries out the measurement or evaluation of the subject matter & reports the information. This subject matter information contains the responsible party’s assertion (for example: "The subject matter information is fairly stated as of date/month/year"). The work the practitioner performs is lớn give sầu an assurance conclusion on this assertion.
Sometimes, management may engage another third party to carry out the measurement or evaluation of the subject matter. The assurance practitioner will need khổng lồ underst& the split of responsibilities between management và the third tiệc nhỏ preparer - for example, are management in any case, required khổng lồ take responsibility for the third party’s evaluation and assertion – to determine how best lớn structure and contract for the engagement.
Bạn đang xem: Subject matter là gì
Both the subject matter information including the responsible party’s assertion và the practitioner’s assurance report are made available together to lớn the intended users. Attestation engagements are a familiar khung of assurance engagement, as audits và đánh giá of financial statements have sầu been structured as attestation engagements: management reports the financial performance và position in the annual accounts, asserts the information as being true & fair, and the practitioner gives a conclusion on the assertion.
In a direct (direct reporting) engagement, the responsible buổi tiệc nhỏ does not present the subject matter information in a report in a direct engagement. Instead the practitioner reports directly on the subject matter & provides the intended users with an assurance report containing the subject matter information.
An example of a direct engagement would be a Sarbanes-Oxley engagement khổng lồ report on the effective control over the financial reporting process.
A direct assurance conclusion would be constructed as: "In our opinion the company maintained, in all material respects, effective sầu internal control over financial reporting as of date/month/year, based on the criteria established in Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)."
Attestation vs direct
Practitioners more commonly perform assertion-based engagements. This is because, ultimately, management (as the responsible party) are responsible for their business &, therefore, should be in a position to present relevant assertions in the subject matter information. They are also in a better position khổng lồ understand who would use the information, what users want lớn see, in what format, và for what purpose.
Service organisation assurance reports are a well-established example of attestation assurance engagements. Service organisation management is responsible for the preparation of the mô tả tìm kiếm of its system và of the accompanying service organisation’s statement, including the completeness, accuracy and method of presentation of that mô tả tìm kiếm và statement.
The service organisation"s written assertion as to the description’s fair presentation of the system, the suitability of kiến thiết & the controls và the operating effectiveness of the control may be attached to the description of the service organisation"s system or may be included in the mô tả tìm kiếm if clearly segregated from the description, for example, through the use of headings.
It would be difficult for an assurance provider khổng lồ accept an engagement khổng lồ provide assurance over controls without such an assertion and description, not only because the risk of providing assurance over controls over which management themselves had made no assertion would be very high but also because the user of the report would not know which controls were in the scope of the assurance – the subject matter would not be identifiable.
In contrast, an engagement to lớn provide assurance over client assets in accordance with the FRC’s CASS standard is a direct assurance engagement.
These engagements are acceptable lớn practitioners because the standard requires management lớn provide written representations lớn the assurance provider confirming, aước ao other matters, that:they acknowledge their responsibility for maintaining CASS records and systems of control in accordance with the rules of the FCA; và that the regulated entity has complied, as far as management are aware, with all relevant CASS Rules throughout the period and at the period end, other than in respect of those breaches which they have sầu notified lớn the CASS auditor.
It could be argued that, absent a description of the systems and controls relevant lớn compliance with the client asset rules, the subject matter of a CASS assurance engagement is not identifiable. However, the CASS regime, & related assurance requirement, is well-established và the degree of prescription in the assurance standard pre-supposes a common core of controls in operation at all regulated entities.
It is perhaps easiest khổng lồ underst& the concept of direct reporting engagements in the context of regulatory compliance assurance where, whether or not a compliance statement is required ot be made and/or published by management, the responsibility both for compliance and for regular monitoring of compliance clearly rests with management as a matter of regulation.
However, ISAE 3000 (Revised)and the ISAAB"s Amended International Framework for Assurance Engagementsseem lớn envisage direct reporting scenarquả táo where the assurance practitioner measures quantitative information and presents this in the assurance report alongside an assurance conclusion.
It is less easy lớn understand how the structure of such direct engagements can be compatible with the relevant independence requirements, & many practitioners are cautious about accepting such engagements except where a direct report is required by law or regulation.