Trust is paramount in any industry. However, sometimes changes occur or questions arise that prompt managers, owners and other company stakeholders to confirm the validity of an organization's business processes and adherence to governance standards. To get that information, they may request a review from a firm that offers assurance services. Assurance reporting summarizes the results of that evaluation, which determines whether the organization succeeded at meeting the assurance objective.
How Independent Assurance Reporting Works
When a requesting party hires a firm to provide assurance services, they must define the subject matter at the heart of the request. The assurance reviewer must understand the reasoning behind requesting the assurance report and the requestor's relationship with the entity under investigation. That helps them understand the criteria upon which they should base their assurance report conclusions.
After establishing the scope of the investigation, the requestor must outline the terms under which the assurance reviewer should produce their report in an engagement letter. Both the requestor and reviewer must agree to the terms of the letter. These terms will form the basis of the investigation. Therefore, the language of the engagement letter must:
- Be unambiguous and easily understood
- Contain specifics about the client under review and the subject matter
- Offer explicit details about what is and isn't in scope, including any limitations around the investigation
After reviewing all essential information, the reviewing assurance services firm provides a report that includes the criteria used to evaluate the claims of the requestor and descriptions of any limitations encountered during the review.
Considerations for Assurance Reporting
To produce an accurate report, the assurance reviewer must first consider whether statements or assertions made by the requestor are appropriate. In addition, the assurer must question the requestor about any errors, misstatements, or other issues that might skew the results.
If there is a problem, then the requestor may take the opportunity to change their statements or update supporting documentation. However, if the requestor refuses to make the necessary changes, the reviewer must account for that in their assurance report.
When an assurance reviewer accepts the assignment, they must take steps to make sure they abide by their industry's ethical and professional standards. In addition, the evaluator must make every effort to carry out their legal, contractual, professional, or regulatory responsibilities.
In the end, the final report produced by the assurance reviewer must conform to the standards outlined in the engagement letter. In addition, the reviewer should provide supporting documentation on how they arrived at their assurance conclusion. The assurance report should make clear:
- Who requested the report
- Who's allowed to access the report
- Who can rely on the report for specific purposes per the terms of the engagement letter
Additional information that the assurance report must contain includes restrictions on replicating some or all of the report and supporting documents. Assurance reviewers can use guidelines outlined in AAF 04/06 (risk and liability) when determining restrictions to place around distributing, using and relying on the report. Industry regulations and contractual terms may impact the decisions of the assurance reviewer on the availability of the report and its distribution.
Importance of Consistent Wording in Assurance Reporting
When drafting the assurance report, the assurance reviewer must maintain awareness of how they use and apply specific language throughout the document. For example, language that implies assurance, including words like opinion or conclusion, should only appear concerning the subject matter outlined in the engagement letter.
In addition, the wording an assurance reviewer uses to discuss issues related to the subject matter, like processes and controls around information flows, should be distinct from the language used to write the assurance conclusion. A better practice might be to create a separate, private report to outline those conclusions and provide it to management as a separate highlights memo. You can also turn the observations into a separate appendix to the assurance report that clarifies that the information did not affect the reviewer's final assurance conclusion.
Standard requirements around the language a reviewer should use in an assurance report include:
- Staying consistent with the scope of the work outlined in the engagement letter
- Using the same terminology throughout
- Sticking with language consistent with assurance, so the reader understands the basis of the conclusion, whether it's selected data, process and controls, or the entire report
To maintain a proper level of consistency around language, the assurance reviewer should initiate discussions with clients around the wording to use within the report and the assertions that form the basis of the assurance review.
Assurance Reporting Qualifications
Sometimes the evidence uncovered during the assurance review does not meet the levels required to issue a specific conclusion. That can be due to:
- The destruction of documents
- The nature of the work performed
- Limitations imposed by the client
If there's not enough evidence present, that shouldn't be a reason for the reviewer to make changes to the scope of the engagement. Instead, they must decide whether they will:
- Issue a qualified or adverse conclusion
- Add a disclaimer to the conclusion
- Withdraw from the engagement
Another responsibility the assurance reviewer must consider is whether information related to governance should be elevated to the attention of those charged with governance oversight. In addition, the reviewer should consider the information given to them by the client or other users and possibly highlight information that conflicts with the assurance report's conclusion. The reviewer should only sign off on an assurance report if they have sufficient evidence to support the assurance conclusion.
Covering Errors, Fraud or Illegal Acts in Assurance Reporting
As part of the assurance investigation, the reviewer might come across evidence of fraud, illegal acts, or other errors tied to an organization's systems, employees, or managers that affect areas responsible for interacting with users.
It's the requestor's responsibility to figure out whether those issues were properly disclosed to affected users. If that doesn't happen, then the assurance reviewer must decide whether to take the conclusions to someone of equal or higher authority to the requestor, resign from the engagement or pursue another action.
Support Thorough Assurance Reporting
Diligent's solutions help organizations meet the compliance and regulatory standards for their specific industry. Companies use the software to help ensure they obtain positive results from assurance reporting requests. Contact us if you'd like a personal demonstration of the benefits of incorporating Diligent technology into your organization.