SAE 3100 (Revised)

Assurance Engagements on Compliance


Statement of Authority

Issued 03/17 Compiled 05/22

STANDARD ON ASSURANCE ENGAGEMENTS 3100 (REVISED)

Compliance Engagements (SAE 3100 (Revised))

This Standard was issued on 9 March 2017 by the New Zealand Auditing and Assurance Standards Board of the External Reporting Board pursuant to section 12(b) of the Financial Reporting Act 2013.

This Standard is a disallowable instrument for the purposes of the Legislation Act 2012, and pursuant to section 27(1) of the Financial Reporting Act 2013 takes effect on 5 April 2017.

An assurance practitioner that is required to apply this Standard is required to apply it for assurance engagements beginning on or after 1 January 2018. However, early adoption is permitted.

In finalising this Standard, the New Zealand Auditing and Assurance Standards Board has carried out appropriate consultation in accordance with section 22(1) of the Financial Reporting Act 2013.

This Standard has been issued as a result of International Standard on Assurance Engagements (New Zealand) 3000 being revised.

This Standard, when applied, supersedes Standard on Assurance Engagements 3100 Compliance Engagements.

This compilation was prepared in May 2022 and incorporates amendments up to and including May 2022.

Copyright

© External Reporting Board (“XRB”) 2017

This XRB standard contains copyright material. Reproduction within New Zealand in unaltered form (retaining this notice) is permitted for personal and non-commercial use subject to the inclusion of an acknowledgment of the source.

Requests and enquiries concerning reproduction and rights for commercial purposes within New Zealand should be addressed to the Chief Executive, External Reporting Board at the following email address: enquiries@xrb.govt.nz

ISBN 978-0-947505-35-6

How to Read this Standard

Standard on Assurance Engagements (SAE) 3100 (Revised), Compliance Engagements should be read in conjunction with International Standard on Assurance Engagements (New Zealand) (ISAE (NZ)) 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information.

Table of pronouncements – SAE 3100 (Revised) Compliance Engagements

This table lists the pronouncements establishing and amending SAE 3100 (Revised).

| Pronouncements | Date approved | Effective date |
| --- | --- | --- |
| SAE 3100 (Revised) Compliance Engagements | February 2017 | This Standard on Assurance Engagements is effective for assurance engagements commencing on or after 1 January 2018. Early adoption is permitted. |
| Conforming Amendments to Auditing and Assurance Standards as a result of the revised Professional and Ethical Standard 1 | June 2020 | Effective on 15 July 2020 |
| Annual Improvements and Conforming and Consequential Amendments to Domestic Assurance Standards | May 2022 | Effective for assurance engagements for periods beginning on or after 15 December 2022 |

Table of Amended Paragraphs in SAE 3100 (Revised)

| Paragraph affected | How affected | By…[date] |
| --- | --- | --- |
| 9, 19, 46, A19, A65 | Amended | Conforming Amendments to Auditing and Assurance Standards as a result of the revised Professional and Ethical Standard 1 [June 2020] |
| 8, 9, 17, 28, 56, A7, A65, Appendix 4, Appendix 5, Appendix 6 | Amended | Annual Improvements and Conforming and Consequential Amendments to Domestic Assurance Standards [May 2022] |

1. This Standard on Assurance Engagements applies to limited and reasonable assurance engagements to provide an assurance report on an entity’s compliance with the compliance requirements as evaluated against the suitable criteria. (Ref: Para. A1)

Scope

2. This Standard on Assurance Engagements (SAE) deals with assurance engagements to provide an assurance report on whether the entity has complied in all material respects with the compliance requirements, throughout the specified period or as at a specified date, using the criteria.

3. This SAE addresses assurance engagements on compliance: (Ref: Para. A2-A5)

  1. With the compliance requirements;

  2. Providing a limited or reasonable assurance conclusion;

  3. For either restricted use, by those charged with governance of the entity or specified third parties, or to be publicly available; and

  4. Either based on an attestation engagement or a direct engagement. (Ref: Para. 17(a), 17(h), A4)

  5. Where this SAE makes reference to a requirement, that requirement applies to both attestation and direct engagements, unless specified otherwise.

4. Agreed-upon procedures engagements, where procedures are conducted and factual findings are reported but no conclusion is provided, and consulting engagements, for the purpose of providing advice, on compliance are not assurance engagements and are not dealt with in this SAE.

Nature of a Compliance Engagement

5. Compliance engagements are conducted in both the private and public sector; in either case the engaging party will usually be the entity responsible for meeting the compliance requirements which are subject to the compliance engagement. In these circumstances terms of engagement are agreed with the engaging party.

6. An entity may have an obligation to comply with externally and/or internally established compliance requirements. These compliance requirements may be established through law and regulation, contractual arrangements or internally established requirements, for example company policies. A table showing the nature of assurance engagements on compliance is contained in Appendix 3.

Relationship with ISAE (NZ) 3000 (Revised), Other Pronouncements and Other Requirements

7. The assurance practitioner is required to comply with ISAE (NZ) 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ISAE (NZ) 3000 (Revised)) and this SAE when performing compliance engagements. This SAE supplements, but does not replace, ISAE (NZ) 3000 (Revised), and expands on how ISAE (NZ) 3000 (Revised) is to be applied in a compliance engagement. This SAE applies the requirements in ISAE (NZ) 3000 (Revised) to attestation engagements and adapts those requirements, as necessary, to direct engagements on compliance. ISAE (NZ) 3000 (Revised) includes requirements in relation to such topics as engagement acceptance, planning, obtaining evidence and documentation that apply to all assurance engagements, including engagements conducted in accordance with this SAE. Framework for Assurance Engagements (EG Au1A), which defines and describes the elements and objectives of an assurance engagement, provides the context for understanding this SAE and ISAE (NZ) 3000 (Revised).

8. An assurance engagement performed in accordance with ISAE (NZ) 3000 (Revised) measures or evaluates the underlying subject matter against suitable criteria. In a compliance engagement the assurance practitioner determines whether compliance requirements have been met by evaluating the subject matter against the compliance requirements, using the criteria. The criteria may be the compliance requirements, or a subset thereof. A table explaining the terminology applied in this SAE is contained in Appendix 2.

9. Compliance with ISAE (NZ) 3000 (Revised) requires, among other things, compliance with the provisions of Professional and Ethical Standard 1 International Code of Ethics for Assurance Practitioners (including International Independence Standards) (New Zealand) or other professional requirements, or requirements in law or regulation, that are at least as demanding¹. It also requires the lead assurance practitioner² to be a member of a firm that applies Professional and Ethical Standard 3³ or requirements in law or regulation, that are at least as demanding related to assurance engagements.

10. An assurance engagement performed under this SAE may be part of a larger engagement. In such circumstances, this SAE is relevant only to the portion of the engagement relating to assurance on compliance.

11. If multiple standards are applicable to the assurance engagement, the assurance practitioner applies, in addition to ISAE (NZ) 3000 (Revised), either:

  1. If the engagement can be separated into parts, the standard relevant to each part of the engagement, including this SAE for the part on compliance; or

  2. If the engagement cannot be separated into parts, the standard which is most directly relevant to the subject matter.

12. Assurance conclusions on compliance may be required by Regulators, Government or other users in conjunction with assurance conclusions on financial reports, other historical financial information, and compliance with other requirements, controls and/or other subject matters. In these engagements the subject matter and criteria against which that subject matter is evaluated and the level of assurance sought may vary, in which case different standards will apply. Assurance reports can include separate sections for each subject matter, criteria or level of assurance in order that the different matters concluded upon are clearly differentiated.

13. A table showing the New Zealand Auditing and Assurance Standards Board’s (NZAuASB) Standards to apply to compliance engagements depending on the subject matter and engagement circumstances is contained in Appendix 4. (Ref: Para. A1)

Effective Date

14. This Standard on Assurance Engagements is effective for assurance engagements beginning on or after 1 January 2018. Early adoption of this SAE is permitted. This SAE supersedes Standard on Assurance Engagements 3100, Compliance Engagements.

1 See ISAE (NZ) 3000 (Revised), paragraphs 3(a) and 20.

2 The term “lead assurance practitioner” is referred to in Professional and Ethical Standard 1 and Professional and Ethical Standard 3 as the “engagement partner”.

3 See ISAE (NZ) 3000 (Revised), paragraphs 3(b) and 31(a). Professional and Ethical Standard 3, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements.

15. In conducting a compliance engagement, the objectives of the assurance practitioner are:

  1. To obtain reasonable or limited assurance, about whether the entity has complied in all material respects, with compliance requirements as evaluated against the suitable criteria;

  2. To express a conclusion⁴ through a written report on the matters in (a) above which expresses either a reasonable or limited assurance conclusion and describes the basis for the conclusion; and/or

  3. To communicate further as required by this SAE and any other relevant ISAEs (NZ) or SAEs.

16. In conducting the assurance engagement, the objectives of the assurance practitioner under ISAE (NZ) 3000 (Revised)⁵ include: “to obtain either reasonable or limited assurance, as appropriate, about whether the subject matter information is free from material misstatement”. The subject matter information in a compliance engagement is the outcome of the evaluation⁶ of compliance with the compliance requirements, as evaluated against the criteria. The evaluation is conducted:

  1. In an attestation engagement on compliance, by the responsible party or evaluator, and presented in a Statement⁷, which addresses whether the compliance requirements have been met. The objective of the assurance practitioner is to obtain reasonable or limited assurance about whether the Statement is free from material misstatement, although the assurance practitioner’s conclusion may be expressed in terms of whether the compliance requirements have been met; or

  2. In a direct engagement on compliance, by the assurance practitioner and presented in the assurance conclusion; therefore, no Statement is prepared by the responsible party. The objective of the assurance practitioner is to obtain reasonable or limited assurance about whether the compliance requirements have been met.

4 The term conclusion also extends to include an opinion expressed in a reasonable assurance engagement.

5 See ISAE (NZ) 3000 (Revised), paragraph 10.

6 The term evaluation includes the concept of measurement for quantification aspects of a compliance engagement.

7 See SAE 3100 (Revised), paragraph 17(z) for definition of the term Statement.

17. For the purposes of this SAE, the following terms have the meanings attributed below:

Attestation engagement on compliance

A reasonable or limited assurance engagement in which a party other than the assurance practitioner, being the responsible party or evaluator, evaluates compliance with the compliance requirements. The outcome of that evaluation is provided in a Statement, which may either be available to the intended users or may be presented by the assurance practitioner in the assurance report. In an attestation engagement on compliance, the assurance practitioner’s conclusion addresses whether the Statement is free from material misstatement. The assurance practitioner’s conclusion may be phrased in terms of: (Ref: Para. 3(d), A4)

  1. The compliance outcome and the criteria; or

  2. A Statement made by the appropriate party.

Compliance activity (subject matter or underlying subject matter)

The activity that is undertaken to meet the compliance requirement(s).

Compliance engagement

An assurance engagement in which an assurance practitioner expresses a conclusion after evaluating an entity’s compliance with the compliance requirements.

Compliance framework

A framework adopted by the entity, which is designed to ensure that the entity achieves compliance, and includes governance structures, programmes, processes, systems, controls and procedures.

Compliance outcome (subject matter information)

The outcome of the evaluation of the underlying subject matter (compliance activity) against the compliance requirements, using the criteria. The compliance outcome is the Statement of the responsible party or evaluator in an attestation engagement on compliance, or the assurance practitioner’s conclusion in a direct engagement on compliance, providing the outcome of their evaluation.

Compliance requirement(s)

The requirements established in law, regulations, other statutory requirements (e.g., Financial Markets Authority’s Standard Conditions for derivatives issuer licences), contractual arrangements, ministerial directives, industry or professional obligations or internally via entity policies, procedures and frameworks. (Ref: Appendix 1)

Criteria

The benchmark, framework or legislation used to evaluate whether the compliance requirements have been met. The “applicable criteria” are the criteria used for the particular engagement. (Ref: Para. 23, A13, Appendix 1)

Direct engagement on compliance

A reasonable or limited assurance engagement in which the assurance practitioner evaluates whether the compliance requirements have been met. The compliance outcome of the assurance practitioner’s evaluation (the subject matter information) is expressed in the assurance practitioner’s conclusion.

Engaging party

The party(ies) that engages the assurance practitioner to perform the assurance engagement.

Entity

The legal entity, economic entity, or the identifiable portion of a legal or economic entity, or combination of legal or other entities or portions of those entities (for example, a joint venture) to which the compliance requirements relate.

Evaluator

The party(ies) who evaluates the underlying subject matter (compliance activities) against the criteria. The evaluator possesses expertise in the underlying subject matter.

Firm

A sole assurance practitioner, partnership or corporation or other entity of assurance practitioners, or public sector equivalent.

Intended Users

The individual(s) or organisation(s), or group(s) thereof that the assurance practitioner expects will use the assurance report. In some cases, there may be intended users other than those to whom the assurance report is addressed.

Internal audit function

A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management and internal control processes.

Limited assurance engagement

An assurance engagement in which the assurance practitioner reduces engagement risk to a level that is acceptable in the circumstances of the engagement, but where that risk is greater than for a reasonable assurance engagement, as the basis for expressing a conclusion in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the assurance practitioner’s attention to cause the assurance practitioner to believe the compliance requirements have not been met, in all material respects. The nature, timing and extent of procedures performed in a limited assurance engagement is limited compared with that necessary in a reasonable assurance engagement but is planned to obtain a level of assurance that is, in the assurance practitioner’s professional judgement, meaningful. To be meaningful, the level of assurance obtained by the assurance practitioner is likely to enhance the intended users’ confidence about the compliance outcome to a degree that is clearly more than inconsequential.

Long-form report

Assurance report including other information and explanations that are intended to meet the information needs of users but not to affect the assurance practitioner’s conclusion. In addition to the matters required to be contained in the assurance practitioner’s report, as set out in paragraph 56, long-form reports may describe in detail matters such as:

  1. the terms of the engagement;

  2. the criteria being used and the specific compliance activities designed to meet each compliance requirement;

  3. descriptions of the procedures that were performed;

  4. findings relating to the procedures that were performed or particular aspects of the engagement;

  5. details of the qualifications and experience of the assurance practitioner and others involved with the engagement;

  6. disclosure of materiality levels; or

  7. recommendations.

The assurance practitioner may find it helpful to consider the significance of providing such information to meet the needs of the intended users. As required by paragraph 57, additional information is clearly separated from the assurance practitioner’s conclusion and worded in such a manner as to make it clear that it is not intended to alter or detract from that conclusion.

Material

In the context of a compliance engagement:

  1. in relation to potential (for risk assessment purposes) or detected (for evaluation purposes) matter(s) of non-compliance – instance(s) of non-compliance that are significant, individually or collectively, in the context of the entity’s compliance with compliance requirements, and that might influence relevant decisions of intended users or affect the assurance practitioner’s conclusion; and/or

  2. in relation to the compliance framework and controls – instance(s) of deficiency that are significant in the context of the entity’s control environment and that may raise the compliance engagement risk sufficiently to affect the assurance practitioner’s conclusion.

Misstatement

For attestation engagements on compliance, a difference between the Statement and the assurance practitioner’s evaluation of compliance with the compliance requirements. Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions.

Non-compliance

For both attestation and direct engagements on compliance, a failure to meet a compliance requirement in whole or in part.

Professional judgement

The application of relevant training, knowledge and experience, within the context provided by assurance and ethical standards, in making informed decisions about the courses of action that are appropriate in the circumstances of the engagement.

Professional scepticism

An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement or non-compliance, and a critical assessment of evidence.

Reasonable assurance engagement

An assurance engagement in which the assurance practitioner reduces engagement risk to an acceptably low level in the circumstances of the engagement as the basis for the assurance practitioner’s conclusion. The assurance practitioner’s conclusion is expressed in a form that conveys the assurance practitioner’s opinion on the outcome of the evaluation of the compliance activities against compliance requirements.

Representation

Statement by the responsible party, either oral or written, provided to the assurance practitioner to confirm certain matters or to support other evidence. A representation is additional to but may be provided in combination with the responsible party’s or evaluator’s Statement provided in an attestation engagement, as set out in paragraph 16(a).

Responsible party

The party(ies) responsible for the underlying subject matter, being the compliance activity(ies) in a compliance engagement.

Short-form report

Assurance report including only the matters required under paragraph 56 of this SAE.

Statement

The outcome in writing of the responsible party or evaluator’s evaluation of compliance with the compliance requirements, provided to the assurance practitioner in an attestation engagement. A Statement is the subject matter information in an attestation engagement on compliance.

Applicability of ISAE (NZ) 3000 (Revised)

18. The assurance practitioner shall not represent compliance with this SAE unless the assurance practitioner has complied with the requirements of this SAE and ISAE (NZ) 3000 (Revised), adapted as necessary in the case of direct engagements. ISAE (NZ) 3000 (Revised) contains requirements and application and other explanatory material specific to attestation assurance engagements but it also applies to direct assurance engagements, adapted as necessary in the engagement circumstances.⁸ If this SAE makes reference to a requirement in ISAE (NZ) 3000 (Revised), that requirement shall be applied to both attestation and direct engagements, unless specified otherwise. (Ref: Para. A1, Appendix 4)

Ethical Requirements

19. As required by ISAE (NZ) 3000 (Revised), the assurance practitioner shall comply with Professional and Ethical Standard 1⁹, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding. (Ref: Para. A6)

Acceptance and Continuance

Preconditions for the Assurance Engagement

20. The assurance practitioner shall accept or continue a compliance engagement only in the circumstances required by ISAE (NZ) 3000 (Revised), including that the preconditions for an assurance engagement are present, unless required to accept the engagement by law or regulation.

Appropriateness of the Subject Matter

21. When establishing whether the preconditions for an assurance engagement as required by ISAE (NZ) 3000 (Revised) are present, the assurance practitioner is required to assess the appropriateness of the subject matter.¹⁰ In doing so, the assurance practitioner shall determine whether the compliance activities which are to be evaluated are appropriate in addressing the needs of users, that is whether the performance of those activities determines whether the compliance requirements have been met. (Ref: Para. A9-A11)

22. If the subject matter is not appropriate, the assurance practitioner shall not accept the engagement or, if this is determined after accepting the engagement, either withdraw from the engagement or issue a modified conclusion.

Assessing the Suitability of the Criteria

23. When establishing whether the preconditions for an assurance engagement as required by ISAE (NZ) 3000 (Revised) are present, the assurance practitioner shall determine the suitability of the criteria expected to be applied, whether the criteria are provided by the engaging party, as in an attestation engagement, or are to be identified by the assurance practitioner, as in a direct engagement, including that they exhibit the characteristics set out in ISAE (NZ) 3000 (Revised).¹¹ (Ref: Para. 17(g), A12).

Agreeing on the Terms of the Engagement

24. ISAE (NZ) 3000 (Revised)¹² requires the parties to the engagement to agree on the terms of the assurance engagement in writing. The assurance practitioner shall obtain the agreement of the responsible party, that it acknowledges and understands its responsibility:

  1. In an attestation engagement, for evaluating the compliance activity against the compliance requirements and providing a written Statement regarding the outcome of that evaluation and for having a reasonable basis for the written Statement;

  2. For identifying suitable compliance requirements and whether they were specified by law, regulation, contract, another party (for example, a user group or a professional body) or developed by the responsible party;

  3. For providing the assurance practitioner with:

    1. Access to all information, such as records, documentation and other matters of which the responsible party is aware are relevant to the compliance engagement;

    2. Additional information that the assurance practitioner may request from the responsible party for the purposes of the assurance engagement; and

    3. Unrestricted access to persons within the entity from whom the assurance practitioner determines it necessary to obtain evidence.

25. The terms of engagement shall identify:

  1. The scope of the engagement;

  2. Whether the engagement is a reasonable or limited assurance engagement;

  3. Whether the engagement is an attestation or direct engagement and, in the case of an attestation engagement, the form of the responsible party’s or evaluator’s evaluation of the compliance activity or Statement and whether that Statement will be available to intended users or only referenced in the assurance report; (Ref: Para. A16, A20)

  4. The specified period or specified date to be covered by the engagement; (Ref: Para. A17)

  5. The compliance requirements against which the compliance activity will be evaluated;

  6. The intended users of the assurance report;

  7. The content of the assurance report, including whether it will be a short-form or long-form report, including additional information such as the compliance requirements, procedures conducted, detailed findings and recommendations to meet the needs of the intended users; and (Ref: Para. A20)

  8. Any other matters required by law or regulation (e.g., reporting all matters of non-compliance identified to the regulator) to be included in the terms of engagement. (Ref: Para. 27)

Acceptance of a Change in the Terms of the Engagement

26. If the engaging party requests a change in the terms of the engagement before the completion of the engagement, the assurance practitioner shall be satisfied that there is a reasonable justification for the change as required by ISAE (NZ) 3000 (Revised).¹³

Assurance Report Prescribed by Law or Regulation

27. If law or regulation prescribes the compliance requirements for evaluation or the form and content of the assurance report, the assurance practitioner evaluates the compliance requirements and form and content of the assurance report. If the compliance requirements are unsuitable or if intended users might misunderstand the assurance report, the assurance practitioner shall (Ref: Para. A16, A52):

  1. Not accept the engagement unless additional explanation in the assurance report mitigates these circumstances; or

  2. Not include any reference within the assurance report to the engagement having been conducted in accordance with ISAE (NZ) 3000 (Revised) or this SAE, if required to accept the engagement by law or regulation.

Quality Management

28. The assurance practitioner shall implement quality management procedures as required by ISAE (NZ) 3000 (Revised).¹⁴

Professional Scepticism, Professional Judgement and Assurance Skills and Techniques

29. The assurance practitioner shall apply professional scepticism, exercise professional judgement and apply assurance skills and techniques in planning and performing an assurance engagement on compliance as required by ISAE (NZ) 3000 (Revised).¹⁵ In applying professional scepticism, the assurance practitioner shall recognise the possibility that matters of non-compliance due to fraud could exist, notwithstanding the assurance practitioner’s past experience of the honesty and integrity of the entity’s management and those charged with governance.

Planning and Performing the Engagement

Planning

30. The assurance practitioner shall plan the engagement so that it will be performed in an effective manner as required by ISAE (NZ) 3000 (Revised).¹⁶ (Ref: Para. A22)

Materiality

31. The assurance practitioner shall consider materiality, as required by ISAE (NZ) 3000 (Revised),¹⁷ when determining the nature, timing and extent of procedures. (Ref: Para. A24-A29)

Obtaining an Understanding of the Compliance Framework and Compliance Requirements

Limited Assurance

32L. The assurance practitioner shall obtain an understanding of the entity’s compliance framework and its key elements, the compliance requirements which are included in the scope of the engagement, and other engagement circumstances, and on the basis of that understanding, the assurance practitioner shall (Ref: Para. A30-A32):

  1. For a direct engagement, consider whether the identification of criteria is appropriate;

  2. For both attestation and direct engagements:

    1. Identify areas where the risks that may cause non-compliance with each of the compliance requirements to be concluded upon are likely to arise; and

    2. Respond to the risks identified in paragraph 32L(b)(i) and use as a basis for designing and performing assurance procedures.

Reasonable Assurance

32R. The assurance practitioner shall obtain an understanding of the entity’s compliance framework and its key elements, the compliance requirements which are included in the scope of the engagement, and other engagement circumstances, and on the basis of that understanding, the assurance practitioner shall (Ref: Para. A30-A32):

  1. For a direct engagement, consider whether the identification of criteria is appropriate;

  2. For both attestation and direct engagements:

    1. Identify and assess the risks that may cause non-compliance with each of the compliance requirements to be concluded upon; and

    2. Respond to the risks identified in paragraph 32R(b)(i) and use as a basis for designing and performing assurance procedures; and

  3. Obtain an understanding of the relevant internal controls over the compliance activity to meet the compliance requirements, evaluate the design of those controls and determine whether they have been implemented.

Identifying Risks of Fraud

33. When performing risk assessment procedures and related activities to obtain an understanding of the compliance framework and other engagement circumstances, the assurance practitioner shall obtain sufficient information for use in identifying the risks of the compliance requirements not being met due to fraud. (Ref: Para. A33-A34)

Obtaining an Understanding of the Internal Audit Function

34. The assurance practitioner shall determine whether the entity has an internal audit function and, if so, make further enquiries to obtain an understanding of the activities and main findings of the internal audit function with respect to the compliance engagement. (Ref: Para. A35)

35. The assurance practitioner shall consider, based on the compliance engagement circumstances, whether it is appropriate to use the work of the internal audit function.

36. If the assurance practitioner plans to use the work of the internal audit function in accordance with paragraph 37, the assurance practitioner shall evaluate it as required by ISAE (NZ) 3000 (Revised).¹⁸

Using the Work of the Internal Audit Function

37. If the assurance practitioner’s evaluation of the internal audit function confirms that the work of the internal audit function can be used for purposes of the compliance engagement, then the assurance practitioner shall determine the planned effect of the work of the internal audit function on the nature, timing or extent of the assurance practitioner’s procedures and in doing so, shall consider: (Ref: Para. A36, A43-A44)

  1. The nature and scope of work performed, or to be performed, on the compliance framework by the internal audit function;

  2. The significance of that work to the assurance practitioner’s conclusions;

  3. The degree of subjectivity involved in the evaluation of the evidence obtained in support of those conclusions; and

  4. Re-performing some of the work of the internal audit function that is planned to be used. 

Obtaining Evidence

38. Based on the assurance practitioner’s understanding obtained under paragraph 32L and 32R the assurance practitioner shall perform assurance procedures to respond to identified or assessed risks in paragraph 32L(b) to obtain limited or 32R(b) to obtain reasonable assurance to support the assurance practitioner’s conclusion. (Ref: Para. A37-A39)

39. The assurance practitioner shall design and perform additional procedures, the nature, timing and extent of which are responsive to the risks of material deficiency in the compliance framework or matters of non-compliance with compliance requirements, having regard to the level of assurance required, reasonable or limited, as appropriate. (Ref: Para. A40)

Responses to Assessed Risks of Fraud

40. The assurance practitioner shall treat those assessed risks of compliance requirements not being met due to fraud as significant risks. Accordingly, the assurance practitioner shall design and perform procedures, on controls designed to mitigate such risks, and whose nature, timing and extent are responsive to those assessed risks. In doing this the assurance practitioner shall have regard to the level of assurance required, reasonable or limited, as appropriate. (Ref: Para. A34)

Obtaining Evidence Regarding the Compliance Activity

41. When reporting on compliance throughout the specified period or as at a specified date, the assurance practitioner shall evaluate those compliance activities that the assurance practitioner has determined are necessary to meet the compliance requirements identified, and assess their compliance throughout the specified period or as at a specified date. (Ref: Para. A37)

 

Limited Assurance

Reasonable Assurance

42L. The nature, timing and extent of evaluation of compliance activities, shall be limited to:

  1. discussion and enquiries with entity personnel; and

  2. observation of the activity in operation for compliance; and

  3. walk-through for an appropriate number of material compliance activities to identify any instances of non-compliance.

The results of exception reporting, monitoring or other management controls may be examined to provide evidence about the operation of the compliance activity rather than directly testing it. (Ref: Para. A37)

42R. The nature, timing and extent of testing and evaluation of compliance activities, shall include:

  1. discussion and enquiries with entity personnel; and

  2. observation of the activity in operation for compliance; and

  3. re-performance on a test basis of compliance activities; or

  4. other examination and follow up of the application of compliance activities, on a test basis to provide sufficient appropriate evidence on which to base a conclusion.

The results of exception reporting, monitoring or other management controls may be examined to reduce the extent of direct testing and evaluation of the operation of the compliance activity but shall not eliminate it entirely. (Ref: Para. A37)

43L. The assurance practitioner shall apply professional judgement in determining the specific nature, timing and extent of procedures to be conducted, which will depend on the assessed risks of material non-compliance with the compliance requirements. If the assurance practitioner determines that additional assurance procedures are required to dispel or confirm a suspicion that a material matter of non-compliance exists, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement as they relate to the reduction of risk to an acceptable level with respect to that matter alone. (Ref: Para. A39-A40, A46)

43R. The assurance practitioner shall apply professional judgement in determining the specific nature, timing and extent of procedures to be conducted, which will depend on the assessed risks of material non-compliance with the compliance requirements. (Ref: Para. A39, A46)

 

44R. When determining the extent of testing and evaluation of compliance activities, the assurance practitioner shall consider matters including the characteristics of the population to be tested and evaluated, which includes the nature of the compliance activity, the frequency of their occurrence (for example, monthly, daily, a number of times per day), and the expected rate of matter(s) of non-compliance. Some compliance activities operate continuously, while others operate only at particular times, so the testing and evaluation of compliance shall be performed throughout the specified period of time that is sufficient to allow the practitioner to conclude. (Ref: Para. A40)

Sampling

45. When the assurance practitioner uses sampling to test compliance, the assurance practitioner shall: (Ref: Para. 44R)

  1. Consider the purpose of the procedure and the characteristics of the compliance activity from which the sample will be drawn when designing the sample;

  2. Determine a sample size sufficient to reduce sampling risk to an acceptably low level;

  3. Select items for the sample in such a way that each sampling unit in the population has a chance of selection and the sample is representative of the population; and

  4. If unable to apply the designed procedures, or suitable alternative procedures, to a selected item, treat that item as a deviation.

Non-compliance with Laws or Regulations

46. If the assurance practitioner becomes aware of information concerning an instance of non-compliance or suspected non-compliance with respect to laws and regulations, the assurance practitioner shall comply with Professional and Ethical Standard 1, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding. (Ref: Para. A65)

Work Performed by an Assurance Practitioner’s Expert

47. When the assurance practitioner plans to use the work of an assurance practitioner’s expert, the assurance practitioner shall comply with the requirements in ISAE (NZ) 3000 (Revised).19 (Ref: Para. A41)

Work Performed by Another Assurance Practitioner or a Responsible Party’s or Evaluator’s Expert

48. If the assurance practitioner plans to use information prepared using the work of another assurance practitioner or a responsible party’s or evaluator’s expert, as evidence, the assurance practitioner shall comply with the requirements of ISAE (NZ) 3000 (Revised).20 (Ref: Para. A42-A43)

Evaluation of Evidence

49. In an attestation engagement on compliance the assurance practitioner shall accumulate instances of non-compliance identified by the entity and the assurance practitioner, other than those that are clearly trivial, in order to form a conclusion on the Statement. In a direct engagement on compliance the assurance practitioner shall accumulate identified matters of non-compliance other than those that are clearly trivial in order to provide a conclusion.

50. The assurance practitioner shall evaluate individually and in aggregate, whether the matter of non-compliance with the compliance requirements is material. (Ref: Para. A45)

Written Representations

51. The assurance practitioner shall request the responsible party, or other relevant person(s) within the entity to provide written representations, in addition to those required by ISAE (NZ) 3000 (Revised),21 that the responsible party (Ref: Para. A46):

  1. In the case of an attestation engagement, reaffirms their Statement regarding the outcome of the responsible party’s evaluation of the compliance activity against the compliance requirements throughout the specified period or as at a specified date;

  2. Acknowledges its responsibility for the compliance activity, including identifying the risks that threaten the compliance requirements being met, and designing, implementing and maintaining internal controls to mitigate those risks, including the risk of fraud, so that those risks will not prevent achievement of the compliance requirements;

  3. Has provided the assurance practitioner with all relevant information and access agreed to, as set out in paragraph 24(c)(i);

  4. Has disclosed to the assurance practitioner any of the following of which it is aware may be relevant to the engagement:

    1. Instances of non-compliance with the compliance requirements; or

    2. Any events subsequent to the specified period or as at the specified date covered by the assurance practitioner’s conclusion up to the date of the assurance report that could have a significant effect on the assurance practitioner’s conclusion.

The assurance practitioner shall evaluate written representations in accordance with ISAE (NZ) 3000 (Revised). (Ref: Para. A47)

Subsequent Events

52. When relevant to the compliance engagement, the assurance practitioner shall consider the effect on the compliance outcome of events up to the date of the assurance report, and shall respond appropriately to facts that become known to the assurance practitioner after the date of the assurance conclusion, that had they been known to the assurance practitioner at that date, may have caused the assurance practitioner to amend the assurance conclusion. The extent of consideration of subsequent events depends on the potential for such events to impact the assurance practitioner’s conclusion. The assurance practitioner has no responsibility to perform any procedures regarding the compliance outcome after the date of the assurance report. (Ref: Para. A49-A50)

Forming the Assurance Conclusion

53. The assurance practitioner shall evaluate the sufficiency and appropriateness of the evidence obtained in the context of the engagement and, if necessary, attempt to obtain further evidence. If the assurance practitioner is unable to obtain necessary further evidence, the assurance practitioner shall consider the implications for the assurance practitioner’s conclusion in accordance with ISAE (NZ) 3000 (Revised).22 The assurance practitioner shall qualify their conclusion if the possible effects of undetected matters of non-compliance with the compliance requirements due to an inability to obtain sufficient appropriate evidence could be material, and shall disclaim their conclusion if the possible effects could be both material and pervasive. 

54. When the assurance practitioner forms a conclusion in accordance with ISAE (NZ) 3000 (Revised),23 the assurance practitioner shall evaluate the materiality, individually and in aggregate whether due to fraud or error, of any matter(s) of non-compliance with the compliance requirements. If the matters of non-compliance identified are: (Ref: Para. A45-A46)

  1. Material but not pervasive, the assurance practitioner shall qualify their assurance conclusion with respect to the relevant matter; or

  2. Material and pervasive, the assurance practitioner shall issue an adverse conclusion.

Preparing the Assurance Report

55. The assurance practitioner shall prepare the assurance report in accordance with ISAE (NZ) 3000 (Revised)24 for attestation engagements and shall also apply those requirements for direct engagements.

Assurance Report Content

56. For both attestation and direct engagements, the assurance practitioner shall include in the assurance report the basic elements required by ISAE (NZ) 3000 (Revised),25 which are at a minimum:

  • A title, indicating that it is an independent assurance report;

  • An addressee;

  • An identification of whether reasonable or limited assurance has been obtained by the assurance practitioner;

  • Identification of the compliance requirements;

  • Whether the assurance practitioner is reporting on compliance throughout the specified period or as at a specified date;

  • In the case of an attestation engagement, reference to the responsible party’s Statement as required by paragraph 24(a) and whether that Statement is available to intended users by accompanying the assurance report, reproduction in the assurance report or another identified source;

  • Identification of the overall and/or specific criteria used for evaluating the compliance activity;

  • If appropriate, a description of any significant inherent limitations associated with the evaluation of the compliance activity against the compliance requirements;

  • A statement that the responsible party or evaluator is responsible for:

  1. In an attestation engagement:

    1. Providing a Statement with respect to the outcome of the evaluation of the compliance activity against the compliance requirements;

    2. Identifying the compliance requirements (where not identified by Parliament, the Government, law or regulation, or another party, for example, a user group or a professional body); and

  2. In both an attestation and a direct engagement:

    1. The compliance activity covered by the assurance practitioner’s report;

    2. Identifying, designing and implementing controls to enable the compliance requirements to be met and to monitor ongoing compliance;

  • A statement that the assurance practitioner’s responsibility is to express a conclusion on whether the compliance requirements have, in all material respects, been met;

  • A statement that the engagement was performed in accordance with Standard on Assurance Engagements 3100 (Revised) Compliance Engagements;

  • A statement that the firm of which the assurance practitioner is a member applies Professional and Ethical Standard 3, or other professional requirements, or requirements in law and regulation, that are at least as demanding as Professional and Ethical Standard 3;

  • If the assurance practitioner is not a professional accountant, the statement shall identify the professional requirements, or requirements in law and regulation, applied that are at least as demanding as Professional and Ethical Standard 3;

  • A statement that the assurance practitioner complies with the independence and other relevant ethical requirements related to assurance engagements.

  • An informative summary of the work performed as a basis for the assurance practitioner’s conclusion. In the case of a limited assurance engagement, an appreciation of the nature, timing, and extent of procedures performed is essential to understanding the assurance practitioner’s conclusion. In a limited assurance engagement, the summary of the work performed shall state that (Ref: Para. A53-A57):

  1. The procedures performed in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement; and

  2. Consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed;

  • When the criteria used to evaluate the compliance requirements are available only to specific intended users, or are relevant only for a specific purpose, a statement restricting the use of the assurance report to those intended users or that purpose; (Ref: Para. A58)

  • Either, the assurance practitioner’s opinion for a reasonable assurance engagement or the assurance practitioner’s conclusion for a limited assurance engagement about whether, in all material respects the entity complied with the compliance requirements throughout the specified period or as at a specified date;

  • When the assurance practitioner expresses a modified conclusion, the assurance report shall contain:

    • A section (entitled: Basis for Qualified/Adverse/Disclaimer of Conclusion/Opinion) that provides a description of the matter(s) giving rise to the modification; and

    • A section that contains the assurance practitioner’s modified conclusion;

  • The assurance practitioner’s signature, the date of the assurance report and the location in the jurisdiction where the assurance practitioner practices.

  • A statement as to the existence of any relationship (other than that of assurance practitioner) which the assurance practitioner has with, or any interests which the assurance practitioner has in, the entity or any of its subsidiaries. Appendix 8 provides an example of wording that may be used in the assurance practitioner’s report to identify any relationships with, or interests in, the entity.

57. If the assurance practitioner provides a long-form assurance report to meet the information needs of users, as agreed in the terms of engagement, or as required by law or regulation, the assurance practitioner’s report shall include a separate section, or an attachment, containing any other information and explanations that are not intended to affect the assurance practitioner’s conclusion and are clearly identified as such. (Ref: Para. A51)

58. If the assurance practitioner is required to conclude on other subject matters under different NZAuASB standards in conjunction with an engagement to report under this SAE, the assurance report shall include a separate section for each subject matter in the assurance report, clearly differentiated by appropriate section headings.

Emphasis of Matter and Other Matter Paragraphs

59. The assurance practitioner shall include an Emphasis of Matter or Other Matter paragraph in the circumstances provided for in ISAE (NZ) 3000 (Revised)26 for an attestation engagement. In a direct engagement, if the assurance practitioner considers it necessary to communicate a matter that, in the assurance practitioner’s judgement, is relevant to intended users’ understanding of the engagement, the assurance practitioner’s responsibilities or the assurance report, the assurance practitioner shall include in the assurance report an Other Matter paragraph, with an appropriate heading, that clearly indicates the assurance practitioner’s conclusion is not modified in respect of the matter.

Modified Conclusions

60. If the assurance practitioner concludes that the compliance activity has not met the compliance requirements throughout the specified period or as at a specified date; or the assurance practitioner is unable to obtain sufficient appropriate evidence, the assurance practitioner’s conclusion shall be modified, and the assurance practitioner’s report shall include a section with a clear description of all the reasons for the modification. (Ref: Para. A59-A61)

Scope Limitation

61. When a scope limitation is imposed by the circumstances of the particular engagement, the assurance practitioner shall attempt to perform alternative procedures to overcome the limitation. When a scope limitation exists and remains unresolved, the wording of the assurance practitioner’s conclusion shall indicate that it is qualified as to the effects of any instances of non-compliance with the compliance requirements, which might have been identified had the limitation not existed. If the effect of the unresolved scope limitation is both material and pervasive, the assurance practitioner shall express a disclaimer of conclusion. (Ref: Para. A62)

Other Communication Responsibilities

62. The assurance practitioner shall consider whether, pursuant to the terms of the engagement, if applicable, and other engagement circumstances, any matter has come to the attention of the assurance practitioner that is to be communicated with the responsible party, the evaluator, the engaging party, those charged with governance or others, as required by ISAE (NZ) 3000 (Revised).27 If during the course of the engagement the assurance practitioner identifies any matters of non-compliance with the entity’s compliance requirements other than those which are clearly trivial, the assurance practitioner shall communicate on a timely basis to an appropriate level of management or those charged with governance those matters of non-compliance. (Ref: Para. A64)

63. In limited circumstances the assurance practitioner may be required by law or regulation and the terms of the engagement to report all instances of non-compliance with the compliance requirements to the regulator.

64. If the assurance practitioner has identified a fraud or has obtained information that indicates that a fraud may exist, the assurance practitioner shall communicate these matters on a timely basis to the appropriate level of management or those charged with governance in order to inform those with primary responsibility for the prevention and detection of fraud of matters relevant to their responsibilities. The assurance practitioner shall determine whether there is a responsibility to report the occurrence or suspicion to a party outside the entity. (Ref: Para. A63)

65. The assurance practitioner shall design engagement procedures to gather sufficient appropriate evidence to form a conclusion in accordance with the terms of the engagement. In the absence of a specific requirement in the terms of engagement the assurance practitioner does not have a responsibility to design procedures to identify matters outside the scope of the engagement that may be appropriate to report to management or those charged with governance.

Documentation

66. The assurance practitioner shall prepare documentation in accordance with ISAE (NZ) 3000 (Revised).28 In documenting the nature, timing and extent of procedures performed as required by ISAE (NZ) 3000 (Revised), the assurance practitioner shall record (Ref: Para. A65):

  1. The identifying characteristics of the compliance activity being tested;

  2. Who performed the work and the date such work was completed; and

  3. Who reviewed the work performed and the date and extent of such review.

67. If the assurance practitioner uses specific work of the internal audit function, the assurance practitioner shall document the conclusions reached regarding the evaluation of the adequacy of the work of the internal audit function, and the procedures performed by the assurance practitioner on that work.

8 See ISAE (NZ) 3000 (Revised), paragraph 2.

9 See ISAE (NZ) 3000 (Revised), paragraph 20.

10 See ISAE (NZ) 3000 (Revised), paragraph 24(b)(i).

11 See ISAE (NZ) 3000 (Revised), paragraph 24(b).

12 See ISAE (NZ) 3000 (Revised), paragraph 27.

13 See ISAE (NZ) 3000 (Revised), paragraph 29.

14 See ISAE (NZ) 3000 (Revised), paragraphs 31-36.

15 See ISAE (NZ) 3000 (Revised), paragraphs 37-39.

16 See ISAE (NZ) 3000 (Revised), paragraph 40.

17 See ISAE (NZ) 3000 (Revised), paragraph 44.

18 See ISAE (NZ) 3000 (Revised), paragraph 55.

19 See ISAE (NZ) 3000 (Revised), paragraph 52.

20 See ISAE (NZ) 3000 (Revised), paragraphs 53-54.

21 See ISAE (NZ) 3000 (Revised), paragraph 56.

22 See ISAE (NZ) 3000 (Revised), paragraph 66.

23 See ISAE (NZ) 3000 (Revised), paragraphs 64-65.

24 See ISAE (NZ) 3000 (Revised), paragraphs 67-69.

25 See ISAE (NZ) 3000 (Revised), paragraph 69 - NZ69.1.

26 See ISAE (NZ) 3000 (Revised), paragraph 73.

27 See ISAE (NZ) 3000 (Revised), paragraph 78.

28 See ISAE (NZ) 3000 (Revised), paragraphs 79-83.

Introduction (Ref: Para. 1-13)

A1. Engagements which are covered by this SAE and those that are covered by other subject matter specific ISAEs (NZ) have been further illustrated at Appendix 4.

A2. The primary purpose of an assurance engagement is the conduct of assurance procedures to provide an assurance conclusion. However, the assurance practitioner is not precluded from providing recommendations for improvements to the compliance framework or compliance activities in conjunction with or as a result of conducting an assurance engagement to report on compliance.

A3. In a direct engagement, the assurance practitioner evaluates the compliance activity conducted by the responsible party to meet the compliance requirement. In an attestation engagement, the responsible party evaluates the compliance activity against the compliance requirements and provides a statement on the compliance outcome.

A4. The primary practical difference for the assurance practitioner between an attestation and a direct engagement is the additional work effort for a direct engagement when planning the engagement and understanding the compliance framework and other engagement circumstances (e.g., criteria to be applied). In a direct engagement the assurance practitioner selects, or is required to use, the criteria which address the purpose or overall objective of the compliance engagement. This difference affects the assurance practitioner’s work effort in planning a direct engagement if the compliance requirements have not been identified or documented and in understanding the entity’s compliance framework where a description is not available.

A5. In a three party relationship, which is an element of an assurance engagement,29 the responsible party may or may not be the engaging party, but is responsible for the compliance activities which are the underlying subject matter of the engagement and is a separate party from the intended users. The responsible party and the intended users may both be internal to the entity, for example if the responsible party is at an operational level of management and the intended users are at the level of those charged with governance, such as the Board or Audit Committee. See Appendix 1 for a discussion of how each of these roles relate to an assurance engagement on compliance.

Ethical Requirements (Ref: Para. 19)

A6. The assurance practitioner, in order to comply with relevant ethical requirements gives consideration to whether the assurance practitioner has provided internal audit or consulting services with respect to the compliance framework or implementation of controls at the entity, as any such past or current engagements may impact on the assurance practitioner’s independence and are likely to preclude acceptance of the engagement.

Acceptance and Continuance

Competence and Capabilities to Perform the Engagement

A7. Relevant competence and capabilities, including having sufficient time to perform the compliance engagement, as required by ISAE (NZ) 3000 (Revised)30 by persons who are to perform the engagement, include matters such as the following:

  • Knowledge of the relevant industry, compliance frameworks, the nature of the overall compliance requirements (for example: emissions quantification or regulatory compliance).

  • An understanding of controls, IT and systems.

  • Experience in evaluating risks as they relate to the compliance requirements.

  • Experience in the design and execution of tests of compliance and the evaluation of the results.

Rational Purpose

A8. When considering the acceptance of a limited assurance engagement on compliance, ISAE (NZ) 3000 (Revised)31 requires the assurance practitioner to determine whether a meaningful level of assurance is expected to be able to be obtained, which may include whether a limited assurance engagement is likely to be meaningful to users. In making this assessment, consideration is given to the intended users of the assurance report and whether they are likely to understand the limitations of a limited assurance engagement, including the need to read the assurance report in detail to understand the assurance procedures performed and the assurance obtained.

Assessing the Appropriateness of the Subject Matter (Ref: Para. 21)

A9. An appropriate subject matter is:

  1. Identifiable, and capable of consistent evaluation against the identified criteria; and

  2. Able to be subjected to procedures for gathering sufficient appropriate evidence to support a reasonable assurance or limited assurance conclusion, as appropriate.

A10. Examples of subject matters that may be appropriate for a compliance engagement include compliance with the following:

  • Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the AML/CFT Act).

  • Student Fee Protection Rules 2013

A11. For further guidance on assessing the appropriateness of the subject matter refer to Appendix 3 and ISAE (NZ) 3000 (Revised)32.

Assessing the Suitability of the Criteria (Ref: Para. 23)

A12. Where the criteria are prescribed by legislation or regulation the criteria will ordinarily be deemed to be suitable for the purposes of the compliance engagement. In limited circumstances where this is not the case, the assurance practitioner needs to assess the suitability of the criteria.

A13. In the context of a compliance engagement, examples of criteria include:

  • Externally imposed criteria under law or directives, including:

    • Legislation.

    • Regulation.

    • Other statutory requirements.

    • Ministerial directives.

    • Industry or professional obligations (professional standards or guidance, codes of practice or conduct).

    • Enforceable contractual obligations.

    • Enforceable undertakings.

  • Internally imposed criteria, as determined by management, including:

    • Organisational policies and procedures.

    • Frameworks, for example, compliance framework based on ISO 19600 – Compliance Management Systems

A14. Criteria need to be identified by the parties to the engagement and agreed by the engaging party and the assurance practitioner. The assurance practitioner may need to discuss the criteria to be used with those charged with governance, management and the intended users of the report. Criteria can be either established or specifically developed. The assurance practitioner normally concludes that established criteria embodied in laws or regulations or issued by professional bodies, associations or other recognised authorities that follow due process are suitable when the criteria are consistent with the objective. Other criteria may be agreed to by the intended users of the assurance practitioner’s report, or a party entitled to act on their behalf, and may also be specifically developed for the engagement.

A15. In situations where the criteria have been specifically developed for the engagement, the assurance practitioner may obtain from the intended users or a party entitled to act on their behalf, acknowledgment that the specifically developed criteria are sufficient for the user’s purposes. (Ref: Para. 23)

Agreeing on the Terms of the Engagement (Ref: Para. 24-25)

A16. When agreeing whether the engagement is to be conducted as an attestation or direct engagement, the assurance practitioner considers factors such as whether:

  1. there is a regulatory requirement or users need an evaluation of the compliance activity by the responsible party or evaluator (Ref: Para. 27); or

  2. the entity has the resources and expertise to prepare a suitable description or documentation of the compliance activity, compliance requirements and related controls and conduct a meaningful evaluation of the compliance outcome.

A17. The needs of users and the period in which the compliance activity has been in place are considered in agreeing the specified date or the specified period to be covered by the assurance engagement, so that the report is not likely to be misleading.

A18. If the criteria are available when agreeing the terms of engagement, they may be listed or attached to the engagement letter or other written terms.

A19. Where relevant, the terms of the engagement could also include a reference to, and description of, the auditor’s responsibility in accordance with:

  • Professional and Ethical Standard 1; and/or

  • applicable law or regulation, and

  • obligations to report identified or suspected matters of non-compliance with laws and regulations to an appropriate authority outside the entity is required or appropriate in the circumstances.

A20. When agreeing whether the report will be in long-form, including matters such as evaluation of compliance procedures and detailed findings, the assurance practitioner considers both the needs of users and the risks of users misunderstanding the context of the procedures conducted or the findings reported. Reporting evaluation of compliance procedures and findings may be appropriate where the users are knowledgeable with respect to assurance and the compliance requirements and, therefore, not likely to misinterpret those findings.

A21. Illustrative examples of engagement letters are contained in Appendix 5.

Planning and Performing the Engagement

Planning (Ref: Para. 30)

A22. The nature and extent of planning activities will vary with the compliance engagement circumstances, for example the size and complexity of the compliance activity and requirements, the assurance practitioner’s previous experience with this area and the entity as a whole. Examples of the main matters to be considered when developing the engagement plan include:

  1. Matters affecting the industry in which the entity operates, for example economic conditions, laws and regulations, and technology;

  2. Risks to which the entity is exposed that are relevant to the compliance activity being examined;

  3. The quality of the control environment within the entity and the role of the governing body, audit committee and internal audit function;

  4. Knowledge of the entity’s internal control structure obtained during other engagements;

  5. The extent of recent changes if any, in the entity, its operations or its compliance framework;

  6. Methods adopted by management to evaluate the effectiveness of the compliance framework;

  7. Preliminary judgements about significant risk;

  8. The nature and extent of evidence likely to be available;

  9. The nature of control procedures relevant to the compliance activity and their relationship to the compliance framework taken as a whole;

  10. The assurance practitioner’s preliminary judgement about the effectiveness of the compliance framework taken as a whole and of the control procedures within the framework;

  11. The terms of the compliance engagement;

  12. The characteristics of the compliance activity and the identified criteria;

  13. Identification of intended users and their needs, and consideration of materiality and the components of compliance engagement risk; and

  14. Personnel and expertise requirements, including the nature and extent of involvement by experts.

A23. The assurance practitioner may decide to discuss elements of planning with management or other appropriate party when determining the scope of the engagement or to facilitate the conduct and management of the engagement (for example, to co-ordinate some of the planned procedures with the work of the entity’s personnel). Although these discussions often occur, the overall engagement strategy and the engagement plan remain the assurance practitioner’s responsibility. When discussing matters included in the overall engagement strategy or engagement plan, care is required in order not to compromise the effectiveness of the engagement. For example, discussing the nature and timing of detailed procedures with the entity may compromise the effectiveness of the engagement by making the procedures too predictable.

Materiality (Ref: Para. 31)

A24. The same considerations in both limited and reasonable assurance engagements are applied regarding what represents a material compliance requirement, since such judgements are not affected by the level of assurance being obtained.

A25. Materiality of the compliance requirements is considered at the planning stage, and is reassessed during the engagement based on the findings. The materiality of any identified deficiencies in the compliance framework and/or non-compliance with compliance requirements is considered when evaluating the findings of the compliance engagement.

A26. Materiality is considered when determining the nature, timing and extent of evidence gathering procedures, and when evaluating whether a matter of non-compliance is material. In considering materiality, the assurance practitioner understands and assesses what factors might influence the decisions of the intended users.

A27. Materiality is considered when evaluating the effect of accumulated deficiencies in the compliance framework or matters of non-compliance with the compliance requirements. Material deficiencies or matters of non-compliance are those which could significantly impact the compliance requirements being met and reasonably be expected to influence relevant decisions of the intended users.

A28. Materiality is considered in the context of quantitative and qualitative factors, such as relative magnitude of instances of detected or suspected matter(s) of non-compliance, the nature and extent of the effect of these factors on the evaluation of compliance with the compliance requirements, and the interests of the intended users. The assessment of materiality and the relative importance of quantitative and qualitative factors in a particular engagement are matters for the assurance practitioner’s professional judgement, taking into account specific regulatory reporting requirements.

A29. Quantitative and qualitative factors which the assurance practitioner may consider when assessing materiality include:

  • The magnitude of the instances of detected or suspected matter(s) of non-compliance with the compliance requirements.

  • The financial impact of the matter(s) of non-compliance on the entity as a whole.

  • The nature of the matter(s) of non-compliance – one off or systemic.

  • Evidence of a robust compliance framework in place to detect, rectify and report matter(s) of non-compliance.

  • Commonly accepted practices within the relevant industry.

  • The nature of relevant transactions, whether they involve high volumes, large dollar values and complex transactions relative to the compliance activity as a whole.

  • The extent of interest shown in particular aspects of the compliance activity by, for example, governing body, regulatory authorities and agencies or the public.

Obtaining an Understanding of the Compliance Framework and Compliance Requirements (Ref: Para. 32)

A30. The assurance practitioner’s understanding of the compliance framework and compliance requirements, ordinarily, has a lesser depth for a limited assurance engagement than for a reasonable assurance engagement. The assurance practitioner’s procedures to obtain this understanding may include:

  • Review and understand the relevant compliance requirements.

  • Enquiring of those within the entity who, in the assurance practitioner’s judgement, may have relevant information.

  • Observing operations.

  • Inspecting documents, reports, printed and electronic records.

  • Re-performing compliance procedures.

A31. The nature and extent of procedures to gain this understanding are a matter for the assurance practitioner’s professional judgement and will depend on factors such as:

  1. The entity’s size and complexity;

  2. The nature of the activity to be examined, including the compliance requirement(s) to which the compliance procedures are directed and the risk that those compliance requirements will not be met;

  3. The extent to which IT is used; and

  4. The documentation available.

A32. The nature and extent of planning and subsequent evidence-gathering procedures will vary with the engagement circumstances, and the maturity of the entity’s compliance framework.

Elements of an entity’s compliance framework ordinarily include the following:

  • Procedures for identifying and updating compliance requirements.

  • Staff training and awareness programmes.

  • Procedures for assessing the impact of compliance requirements on the entity’s key business activities.

  • Controls embedded within key business processes designed to ensure compliance with requirements.

  • Processes to identify and monitor the implementation of further mitigating actions required to ensure that compliance requirements are met.

  • A monitoring plan to test key compliance controls on a periodic basis and report exceptions.

  • Procedures for identifying, assessing, rectifying and reporting matters of non-compliance.

  • Periodic sign off by management and/or external third party outsourced service providers[33] as to compliance with requirements.

  • A compliance governance structure that establishes responsibility for the oversight of compliance control activities with those charged with governance, typically a Board Audit, Risk Management or Compliance Committee.

Identifying Risks of Fraud (Ref: Para. 33, 40)

A33. Management is in a unique position to perpetrate fraud because of their ability to manipulate the entity’s records or prepare fraudulent reports by overriding controls that otherwise appear to be operating effectively. Although the level of risk of management override of controls will vary from entity to entity, the risk is nevertheless present in all entities. Due to the unpredictable way in which such override could occur, it is a risk that compliance requirements will not be met due to fraud and thus is a significant risk.

A34. The assurance practitioner may consider undertaking the following procedures to obtain sufficient appropriate evidence of the risk of fraud in relation to the compliance requirements:

  1. Make enquiries of management with respect to compliance regarding:

    1. Management’s assessment of the risk that controls may be circumvented due to fraud, including the nature, extent and frequency of such assessment;

    2. Management’s process for identifying and responding to the risks of fraud;

    3. Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud; and

    4. Management’s communication, if any, to employees regarding its views on corrupt or fraudulent business practices and unethical behaviour;

  2. Make enquiries of those charged with governance, management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected or alleged fraud with respect to compliance affecting the entity;

  3. Make enquiries of the internal audit function, where it exists, to determine whether it has knowledge of any actual, suspected or alleged fraud affecting the entity, and to obtain its views about the risks of fraud;

  4. Obtain an understanding of how those charged with governance exercise oversight of processes for identifying and responding to the risks of fraud in the entity and the internal controls that have been established to mitigate these risks as far as they relate to the compliance requirements;

  5. Consider whether other information obtained by the assurance practitioner indicates risks of compliance requirements not being met due to fraud, for which mitigating controls are necessary;

  6. Evaluate whether the information obtained from the other risk assessment procedures and related activities performed indicates that one or more fraud risk factors are present; and

  7. Identify controls over matters for which decisions or actions are not routine, such as adjustments to records, development of estimates and activities outside the normal course of business.

Obtaining an Understanding of the Internal Audit Function (Ref: Para. 34-37)

A35. In obtaining an understanding of the compliance framework, including controls, the assurance practitioner determines whether the entity has an internal audit function and its effect on the controls within the compliance framework. The internal audit function ordinarily forms part of the entity’s internal control and governance structures. The responsibilities of the internal audit function may include, for example, monitoring of internal control, risk management, and review of compliance with laws and regulations, and is considered as part of the assurance practitioner’s assessment of risk.

A36. An effective internal audit function may enable the assurance practitioner to modify the nature and/or timing, and/or reduce the extent of assurance procedures performed, but cannot eliminate them entirely.

Obtaining Evidence (Ref: Para. 41-45)

A37. Compliance engagements require the application of assurance skills and techniques to gather sufficient appropriate evidence as part of an iterative, systematic assurance engagement process. As the assurance practitioner performs planned procedures, the evidence obtained may differ significantly from that on which the planned procedures were based and cause the assurance practitioner to perform additional procedures.

A38. When compliance requirements apply throughout a specified period, the assurance practitioner may consider the nature and frequency of the compliance activities undertaken, and modify the nature, timing and extent of evaluation and/or testing to be undertaken on compliance activities. Knowledge of non-compliance observed in prior periods is likely to lead the assurance practitioner to increase the extent of evaluation and/or testing throughout the specified period.

A39. The assurance practitioner may become aware of a matter(s) that causes the assurance practitioner to believe that there are deficiencies in the compliance framework or the compliance activity is not compliant with the compliance requirements. In such cases, the assurance practitioner may investigate such differences by, for example, enquiring of the appropriate party(ies) or performing other procedures as appropriate in the circumstances.

Limited and Reasonable Assurance Engagements (Ref: Para. 42)

A40. The level of assurance obtained in a limited assurance engagement is lower than in a reasonable assurance engagement, therefore the procedures the assurance practitioner performs in a limited assurance engagement are different in nature and timing from, and are less in extent than for, a reasonable assurance engagement. The primary differences between the assurance practitioner’s overall responses to assessed risks and further procedures conducted in a reasonable assurance engagement and a limited assurance engagement on compliance include:

  1. The emphasis placed on the nature of various procedures as a source of evidence will likely differ, depending on the engagement circumstances. For example, the assurance practitioner may judge it to be appropriate in the circumstances of a particular limited assurance engagement to place relatively greater emphasis on indirect evaluation of compliance activities, such as enquiries of the entity’s personnel, and relatively less emphasis on evaluation of compliance activities, such as observation, re-performance or inspection, than may be the case for a reasonable assurance engagement.

  2. In a limited assurance engagement, the further procedures performed are less in extent than in a reasonable assurance engagement in that those procedures may involve:

    1. Selecting fewer items for examination;

    2. Performing fewer types of procedures; or

    3. Performing procedures at fewer locations.

Work Performed by an Assurance Practitioner’s Expert (Ref: Para. 47)

A41. ISAE (NZ) 3000 (Revised)[34] provides application material for the circumstances where an assurance practitioner’s expert is involved in the engagement. This material may also be used as guidance when using the work of another assurance practitioner or a responsible party’s or evaluator’s expert.

Work Performed by Another Assurance Practitioner or a Responsible Party’s or Evaluator’s Expert (Ref: Para. 48)

A42. When information on compliance activities to be used as evidence has been prepared using the work of a responsible party’s or evaluator’s expert, the nature, timing and extent of procedures with respect to the work of the responsible party’s or evaluator’s expert may be affected by such matters as:

  1. The nature and complexity of the compliance activity to which the expert’s work relates;

  2. The risks of a material deficiency in the compliance framework or non-compliance with the compliance requirements throughout the specified period or as at a specified date;

  3. The availability of alternative sources of evidence or mitigating controls;

  4. The nature, scope and objectives of the expert’s work;

  5. Whether the expert is employed by the entity, or is a party engaged by it to provide relevant services;

  6. The extent to which the responsible party or evaluator can exercise control or influence over the work of the expert;

  7. Whether the expert is subject to technical performance standards or other professional or industry requirements;

  8. The nature and extent of any controls within the entity over the expert’s work;

  9. The assurance practitioner’s knowledge and experience of the expert’s field of expertise; and

  10. The assurance practitioner’s previous experience of the work of that expert.

Work Performed by the Internal Audit Function (Ref: Para. 34-37)

A43. The nature, timing and extent of the assurance practitioner’s procedures on specific work of the internal auditors will depend on the assurance practitioner’s assessment of the significance of that work to the assurance practitioner’s conclusions, the evaluation of the internal audit function and the evaluation of the specific work of the internal auditors. Such procedures may include:

  1. Examination of evidence of the operation of the compliance activity already examined by the internal auditors;

  2. Examination of evidence of the operation of other instances of the same compliance activity;

  3. Examination of the outcomes of monitoring of controls by internal auditors; and

  4. Observation of procedures performed by the internal auditors.

A44. Irrespective of the degree of autonomy and objectivity of the internal audit function, such a function is not independent of the entity as is required of the assurance practitioner when performing the compliance engagement. The assurance practitioner has sole responsibility for the conclusion expressed in the assurance report, and that responsibility is not reduced by the assurance practitioner’s use of the work of the internal auditors.

Evaluation of Evidence

A45. In evaluating any matter(s) of non-compliance (corrected or un-corrected) with the compliance requirements, materiality is considered as specified in the terms of the engagement where relevant, any relevant legislative, regulatory or other (e.g., contractual) requirements which may apply and the effect on the decisions of the intended users of the assurance report and the assurance practitioner’s conclusion. (Ref: Para. 49-50)

A46. For both reasonable and limited assurance engagements, if the assurance practitioner becomes aware of a matter that leads the assurance practitioner to question whether a material matter of non-compliance exists, the assurance practitioner would ordinarily pursue the matter by performing other evidence gathering procedures sufficient to enable the assurance practitioner to form a conclusion. (Ref: Para. 43)

Written Representations (Ref: Para. 51)

A47. For application material on using written representations refer to ISAE (NZ) 3000 (Revised).[35]

A48. The person(s) from whom the assurance practitioner requests written representations will ordinarily be a member of senior management or those charged with governance. However, because management and governance structures vary by entity, reflecting influences such as different cultural and legal backgrounds, and size and ownership characteristics, it is not possible for this SAE to specify for all engagements the appropriate person(s) from whom to request written representations. The process to identify the appropriate person(s) from whom to request written representations requires the exercise of professional judgement.

Subsequent Events (Ref: Para. 52)

A49. Assurance procedures with respect to the identification of subsequent events after period end are limited to examination of relevant reports, for example reports on compliance procedures, minutes of relevant committees and enquiry of management or other personnel as to significant matter(s) of non-compliance with compliance requirements.

A50. The assurance practitioner does not have any responsibility to perform procedures or make any enquiry after the date of the report. If, however, after the date of the report, the assurance practitioner becomes aware of a matter identified, the assurance practitioner may consider re-issuing the report. In an attestation engagement where the report has already been issued, the new report includes an Emphasis of Matter discussing the reason for the new report. In a direct engagement, the new report discusses the reason for the new report under a heading “Subsequent Events”.

Preparing the Assurance Report (Ref: Para. 55-58)

Assurance Report Content

A51. The assurance practitioner may expand the report to include other information not intended as a qualification of the assurance practitioner’s conclusion. If the report includes other information it is a long-form report as the information is additional to the basic elements required in paragraph 56 for a short-form report. This additional information may be required by regulation or agreed in the terms of the engagement to meet the needs of users. When considering whether to include any such information the assurance practitioner assesses the materiality of that information in the context of the objectives of the engagement. Other information is not to be worded in such a manner that it may be regarded as a qualification of the assurance practitioner’s conclusion and may include for example:

  • Relevant background information and historical context.

  • The assurance approach.

  • Underlying facts and criteria applied.

  • Disclosure of materiality levels.

  • Findings relating to particular aspects of the compliance engagement.

  • Analysis of the causes of non-compliance with the compliance requirements.

  • Recommendations for improvements to address identified compliance framework deficiencies.

A52. In some circumstances, the form and/or content of the assurance report is prescribed by law or regulation. In such cases, the assurance practitioner compares the prescribed report with the reporting requirements under this SAE to ensure the minimum basic elements have been met. (Ref: Para. 27)

Summary of the Work Performed (Ref: Para. 56(n))

A53. The summary of the work performed helps the intended users understand the nature of the assurance conveyed by the assurance report. For many assurance engagements, infinite variations in procedures are possible in theory. It may be appropriate to include in the summary a statement that the work performed included evaluating the suitability of the criteria and the compliance requirements and the risks that threaten those compliance requirements not being met. ISAE (NZ) 3000 (Revised) provides application material on reporting on the applicable criteria.

A54. In a limited assurance engagement an appreciation of the nature, timing, and extent of procedures performed is essential to understanding the assurance conveyed by the conclusion, therefore the summary of the work performed is ordinarily more detailed than for a reasonable assurance engagement and identifies the limitations on the nature, timing, and extent of procedures. It also may be appropriate to indicate certain procedures that were not performed that would ordinarily be performed in a reasonable assurance engagement. However, a complete identification of all such procedures may not be possible because the assurance practitioner’s required understanding and consideration of engagement risk is less than in a reasonable assurance engagement.

A55. Factors to consider in determining the level of detail to be provided in the summary of the work performed include:

  1. Circumstances specific to the entity (e.g., the maturity of the entity’s compliance framework compared to those typical in the industry sector);

  2. Specific engagement circumstances affecting the nature and extent of the procedures performed; and

  3. The intended users’ expectations of the level of detail to be provided in the report, based on market practice, or applicable law or regulation.

A56. It is important that the summary be written in an objective way that allows intended users to understand the work done as the basis for the assurance practitioner’s conclusion. In most cases this will not involve detailing the entire work plan, but on the other hand it is important for it not to be so summarised as to be ambiguous, nor written in a way that is overstated or embellished.

A57. Illustrative examples of assurance practitioner’s reports are contained in Appendix 6.

Intended Users and Specific Purpose of the Assurance Report (Ref: Para. 56(o))

A58. If the assurance practitioner’s report on compliance has been prepared for a specific purpose and is only relevant to the intended users, this is stated in the assurance practitioner’s report. In addition, the assurance practitioner may consider it appropriate to include wording that specifically restricts distribution of the assurance report other than to intended users, its use by others, or its use for other purposes.

Modified Conclusions (Ref: Para. 60-61)

A59. Modifications to the assurance report may be made in the following circumstances:

  1. a qualified conclusion may be issued if the following matters are material but not pervasive:

    1. Unsuitable criteria mandated by legislation or regulation where the assurance practitioner is unable to resign from the engagement;

    2. Scope limitation;

    3. Non-compliance with the compliance requirements; 

    4. Misstatement in the Statement;

  2. an adverse conclusion may be issued if the following matters are both material and pervasive:

    1. Unsuitable criteria mandated by legislation or regulation where the assurance practitioner is unable to resign from the engagement;

    2. Non-compliance with the compliance requirements; 

    3. Misstatement in the Statement;

  3. a disclaimer may be issued if there is a limitation of scope which is both material and pervasive.

A60. Illustrative examples of elements of modified assurance practitioner’s reports are contained in Appendix 7.

A61. Even if the assurance practitioner has expressed an adverse conclusion or a disclaimer of conclusion, it may be appropriate to describe in the basis for modification paragraph the reasons for any other matters of which the assurance practitioner is aware that would have required a modification to the conclusion, and the effects thereof.

A62. When expressing a disclaimer of conclusion, because of a scope limitation, it is not ordinarily appropriate to identify the procedures that were performed nor include statements describing the characteristics of the assurance practitioner’s engagement; to do so might overshadow the disclaimer of conclusion.

Other Communication Responsibilities (Ref: Para. 62-65)

A63. Appropriate actions to respond to the circumstances identified in paragraph 65 may include:

  • Obtaining legal advice about the consequences of different courses of action.

  • Communicating with those charged with governance of the entity.

  • Communicating with third parties (e.g., a regulator) when required to do so.

  • Modifying the assurance practitioner’s conclusion, or adding an Other Matter paragraph.

  • Withdrawing from the engagement.

A64. Certain matters identified during the course of the engagement may be of such importance that they would be communicated to those charged with governance. Unless stated otherwise in the terms of engagement, less important matters would be reported to a level of management that has the authority to take appropriate action.

A65. Professional and Ethical Standard 1[36] sets out the approach to be taken by an assurance practitioner who encounters or is made aware of matter(s) of non-compliance or suspected matter(s) of non-compliance with laws or regulations. In these circumstances, the assurance practitioner shall consider the appropriate response to the identified matter(s) of non-compliance with laws and regulations in accordance with Professional and Ethical Standard 1.

Documentation (Ref: Para. 66-67)

A66. For application material on preparing and maintaining documentation refer to ISAE (NZ) 3000 (Revised).[37]

[29] See EG Au1A Framework for Assurance Engagements.

[30] See ISAE (NZ) 3000 (Revised), paragraph 32.

[31] See ISAE (NZ) 3000 (Revised), paragraph 24(b)(vi).

[32] See ISAE (NZ) 3000 (Revised), paragraph 24(b)(i).

[33] Refer to ISA (NZ) 402, Audit Considerations Relating to an Entity Using a Service Organisation, for further guidance.

[34] See ISAE (NZ) 3000 (Revised), paragraphs A120-A134.

[35] See ISAE (NZ) 3000 (Revised), paragraphs A136-A139.

[36] See Professional and Ethical Standard 1, Section 260, Responding to Non-Compliance with Laws and Regulations.

[37] See ISAE (NZ) 3000 (Revised), paragraphs A193-A200.

(Ref: Para. A5)

ROLES AND RESPONSIBILITIES – DIRECT AND ATTESTATION COMPLIANCE ENGAGEMENTS

The diagram below illustrates the relationships in a direct and attestation compliance engagement conducted by an Assurance Practitioner.

[Diagram: relationships in a direct and attestation compliance engagement]

Under a direct engagement, the Assurance Practitioner evaluates the compliance activity, conducted by the responsible party to meet the compliance requirement.

Under an attestation engagement, the Responsible Party evaluates the compliance activity against the compliance requirements and provides a statement on the compliance outcome.

In both attestation and direct engagements the Assurance Practitioner evaluates the compliance activity against the compliance requirement(s) using the criteria, and obtains assurance on which to base their assurance conclusion. The compliance assurance report is provided to the intended users.

TERMINOLOGY TABLE - ISAE (NZ) 3000 (REVISED) AND SAE 3100 (REVISED)

(Ref: Para. 8)

| Terminology as applied in ISAEs (NZ) | ISAE (NZ) 3000 (Revised) | SAE 3100 (Revised) |
| --- | --- | --- |
| Objective | To obtain either reasonable assurance or limited assurance, as appropriate, about whether the subject matter information is free from material misstatement…..; | To obtain reasonable or limited assurance, about whether the entity has complied in all material respects, with compliance requirements as evaluated against the suitable criteria. |
| Criteria | The benchmarks used to measure or evaluate the underlying subject matter. The “applicable criteria” are the criteria used for the particular engagement. | The benchmark, framework or legislation used to evaluate whether the compliance requirements have been met. The “applicable criteria” are the criteria used for the particular engagement. |
| Compliance Requirement(s) | No equivalent term. | The specific requirements established in law, regulations, other statutory requirements (e.g., sections 27-29 of the Non-bank Deposit Takers Act 2013 requirements for establishing and maintaining a risk management framework) contractual arrangements, ministerial directives, industry or professional obligations or internally via company policies, procedures and frameworks. |
| Subject Matter Information | The outcome of the measurement or evaluation of the underlying subject matter against the criteria, i.e., the information that results from applying the criteria to the underlying subject matter. | Compliance Outcome: The outcome of the evaluation of the compliance activity (underlying subject matter) against the compliance requirements, using the criteria. The compliance outcome is the Statement of the responsible party or evaluator in an attestation compliance engagement, or the assurance practitioner’s conclusion in a direct compliance engagement, providing the outcome of their evaluation. |
| Underlying Subject Matter | The phenomenon that is measured or evaluated by applying criteria. | Compliance Activity: The activity that is undertaken to meet the compliance requirement(s). |

EXAMPLES: NATURE OF ASSURANCE ENGAGEMENTS ON COMPLIANCE

Examples of assurance engagements which may be conducted with respect to compliance are set out in the following table:

(Ref: Para. 6, A11)

| Scope of Engagement | Compliance Requirement | Subject Matter / Compliance Activity | Criteria for Evaluating Compliance Activity | Compliance Outcome of the Evaluation (Subject Matter Information) | Assurance Conclusion |
| --- | --- | --- | --- | --- | --- |
| Compliance of a Real Estate Agent with the requirements of the Real Estate Agents Act 2008 (the Act) and Real Estate Agents (Audit) Regulations 2009 in respect of identified Trust accounts | Applicable compliance requirements as specified under section 22 of the Act and the Regulations in respect of identified Trust accounts | Trustee Account procedures; Trustee Bank Account and cash book procedures | Section 22 of the Act and the Regulations in respect of identified Trust accounts | Evaluator’s Statement or assurance practitioner’s conclusion whether the Real Estate Agent has complied in all material respects with the Act in respect of identified Trust accounts. | Reasonable Assurance – complied in all material respects with the compliance requirements. |
| Compliance of an Electricity Distribution Business with Part 4 of the Commerce Act 1986 in respect of the default price-quality path determination return | Set by the Commerce Commission. Requirements are set in Subpart 9 of Part 4 of the Commerce Act 1986 | As an example: Components of the default price-quality path determination return procedures by the supplier of electricity covering: price setting; price increases; reliability of service; information disclosure. | Set in Subpart 9 of Part 4 of the Commerce Act 1986 | Evaluator’s Statement or assurance practitioner’s conclusion whether the EDB has complied in all material respects with the requirements of the default/customised price-quality regulation and information disclosure | Reasonable Assurance – complied in all material respects with requirements of Part 4 of the Commerce Act 1986 |
| Compliance of a non-bank deposit taker (NBDT) with the risk management framework as set out in sections 27-29 of the Non-bank Deposit Takers Act (2013) | Applicable compliance requirements as specified in sections 27-29 of the Non-bank Deposit Takers Act (2013) | Licensed NBDTs maintenance of a risk management programme that complies with the Non-bank Deposit Takers Act 2013, and the NBDT’s compliance with that risk management programme. | Sections 27-29 of the Non-bank Deposit Takers Act (2013) | Evaluator’s Statement or assurance practitioner’s conclusion whether the NBDT has a risk management programme that complies with the Act in all material respects, and that the NBDT has complied in all material respects with its risk management programme | Limited Assurance – nothing has come to our attention that causes us to believe that for [the period] the NBDT’s risk management programme did not comply, in all material respects, with the requirements set out in sections 27-29 of the Non-bank Deposit Takers Act 2013, and that the NBDT did not comply in all material respects with its risk management programme |

STANDARDS APPLICABLE TO EXAMPLE ENGAGEMENTS ON COMPLIANCE

(Ref: Para. 13)

 

APPLICABLE NZAuASB STANDARDS FOR ASSURANCE ENGAGEMENTS OR RELATED SERVICES

ISAE (NZ) 3000 (Revised)

Assurance Engagements (not Historical Financial Info)

SAE 3100

Compliance Engagements (This SAE)

ISAE (NZ) 3402

Controls at a Service Organisation

SAE 3150

Controls Engagements

ISRS (NZ) 4400

Agreed-upon Procedures Engagements

Subject Matter of Compliance Assurance Engagement

1. Entity’s compliance with:

         

- Laws and regulation

     X

     X

     

- Contractual obligations

     X

     X

     

- Policies and procedures

     X

     X

     

2. Entity’s controls³⁸ over compliance with requirements³⁹

     X

   

     X

 

3. Entity’s compliance with requirements specifying controls

     X

     X

     

4. Procedures restricted to those specified by engaging party

       

     X

38 The subject matter of the assurance engagement determines which ISAE (NZ) or SAE to apply.

39 Where controls not specified in law, regulation or quasi-regulation.

EXAMPLE ENGAGEMENT LETTERS

(Ref: Para. A21)

The following examples of assurance practitioner’s engagement letters are for guidance only and are not intended to be exhaustive or applicable to all situations.

Example 1: Engagement Letter for an Attestation Engagement for Limited Assurance on ABC’s Statement of compliance with the [compliance requirements] as evaluated against the [suitable criteria]

To [the appropriate representative of management or those charged with governance of ABC or the engaging party]:

[Objective and scope of the engagement]

You have requested that we undertake a limited assurance engagement on ABC’s Statement [which will accompany our report] of compliance with the [compliance requirements], in all material respects, as evaluated against the [suitable criteria], which you will provide and which will accompany our report, [throughout the specified period or as at a specified date] for the purpose of reporting to [identify intended users: the Board of Directors/Regulator/Customers of ABC].

We are pleased to confirm our acceptance and our understanding of this limited assurance engagement by means of this letter. Our assurance engagement will be conducted with the objective of reaching a conclusion on whether [ABC’s Statement⁴⁰] of compliance with the [compliance requirements] is, in all material respects, fairly presented as evaluated against the [suitable criteria] [throughout the specified period or as at a specified date].

[Our Independence and Quality Management]

We will comply with the independence and other relevant ethical requirements relating to assurance engagements, and apply Professional and Ethical Standard 3, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements in undertaking this assurance engagement.

[Responsibilities of the assurance practitioner]

We will conduct our assurance engagement in accordance with Standard on Assurance Engagements (SAE) 3100 (Revised) Compliance Engagements. That standard requires that we comply with ethical requirements applicable to assurance engagements and plan and perform procedures to obtain limited assurance about whether anything has come to our attention that causes us to believe that [ABC’s Statement] is not fairly presented in that compliance with the [compliance requirements] as evaluated against the [suitable criteria] have not been met, in all material respects.

An assurance engagement on compliance involves performing procedures to obtain evidence about the compliance with the [compliance requirements] as evaluated against the [suitable criteria]. The procedures selected depend on the assurance practitioner’s professional judgement, including identifying areas where the risk of material deficiencies in the compliance framework or misstatements in ABC’s Statement are likely to arise. We will perform procedures primarily consisting of discussion and enquiries of management and others within the entity, as appropriate, observation and walkthroughs of compliance activities and evaluation of the evidence obtained about compliance with the [compliance requirements] as evaluated against the [suitable criteria] as provided in ABC’s Statement. We will also perform additional procedures if we become aware of matters that cause us to believe there are deficiencies in the compliance framework or misstatements in ABC’s Statement. The procedures selected depend on what we consider necessary applying our professional judgement, including the assessment of risks of material deficiencies in the compliance framework or misstatements in ABC’s Statement.

Because of the inherent limitations of an assurance engagement, together with the inherent limitations of any system of internal control there is an unavoidable risk that some deficiencies in the compliance framework or misstatements in ABC’s Statement may not be detected, even though the engagement is properly planned and performed in accordance with Standards on Assurance Engagements.

The procedures performed in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement and consequently the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed. Therefore there is a higher risk than there would be in a reasonable assurance engagement, that any material deficiencies in the compliance framework and relevant controls that exist may not be revealed by the engagement, even though the engagement is properly performed in accordance with SAE 3100 (Revised). In expressing our conclusion, our report on ABC’s Statement of compliance with the [compliance requirements] as evaluated against the suitable criteria will expressly disclaim any reasonable assurance conclusion on the compliance framework and relevant controls.

[Responsibilities of the responsible party/ management/ those charged with governance]

Our assurance engagement will be conducted on the basis that [the responsible party/ management/ those charged with governance] acknowledge and understand that they have responsibility:

  1. for the preparation of a written Statement [which will be attached to our report] that ABC has complied [throughout the specified period or at a specified date], in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria];

  2. for identification of the [compliance requirements] if not identified by law or regulation;

  3. for the identification of risks that threaten the [compliance requirements] identified above not being met and for controls which will mitigate those risks and monitor ongoing compliance; and

  4. to provide us with:

    1. access to all information of which those charged with governance and management are aware that is relevant to ABC’s Statement of compliance with the [compliance requirements] as evaluated against the [suitable criteria];

    2. additional information that we may request from those charged with governance and management for the purposes of this assurance engagement; and

    3. unrestricted access to persons within the entity from whom we determine it necessary to obtain evidence.

As part of our engagement, we will request from [the responsible party/ management/ those charged with governance] written confirmation concerning representations made to us in connection with the engagement.

[Assurance Report]

The format of the report will be in accordance with SAE 3100 (Revised) with respect to limited assurance engagements [and will be in long form, including assurance procedures, findings and recommendations]. An example of the proposed report is contained in the appendix to this letter.

[Our report will be issued [frequency] and will cover [the specified period or will be at a specified date].]⁴¹

[ABC’s Statement] will be attached to the limited assurance report and our conclusion will be phrased in terms of whether anything has come to our attention that causes us to believe that [ABC’s Statement] is not fairly presented and compliance with the [compliance requirements] as evaluated against the [suitable criteria] have not been met, in all material respects [throughout the specified period or as at a specified date].

[Use of the Assurance Report]⁴²

[Our report will be prepared for the use of ABC and [intended users] for [purpose] and may not be suitable for any other purpose.

The assurance report will be prepared for this purpose only and we disclaim any assumption of responsibility for any reliance on our report to any person other than ABC and [intended users], or for any purpose other than that for which it was prepared.]

We look forward to full cooperation from your staff during our assurance engagement.

[Other relevant information]

[Insert other information, such as fee arrangements, billings and other specific terms, as appropriate.]

Please sign and return the attached copy of this letter to indicate your acknowledgement of, and agreement with, the arrangements for our assurance engagement to report on ABC’s Statement of compliance with the [compliance requirements] as evaluated against the [suitable criteria], including our respective responsibilities.

Yours faithfully, (signed)

Name and Title

Date

Acknowledged on behalf of [engaging party] (signed)

Name and Title

Date

 

Example 2: Engagement Letter for an Attestation Engagement for Reasonable Assurance on ABC’s Statement of compliance with the [compliance requirements] as evaluated against the [suitable criteria]

To [the appropriate representative of management or those charged with governance of ABC or the engaging party]:

[Objective and scope of the engagement]

You have requested that we undertake a reasonable assurance engagement on ABC’s Statement [which will accompany our report] of compliance with the [compliance requirements] as evaluated against the [suitable criteria], in all material respects, which you will provide and which will accompany our report, [throughout the specified period or as at a specified date] for the purpose of reporting to [identify intended users: the Board of Directors/Regulator/Customers of ABC].

We are pleased to confirm our acceptance and our understanding of this reasonable assurance engagement by means of this letter. Our assurance engagement will be conducted with the objective of expressing an opinion on whether [ABC’s Statement]⁴³ that the entity has complied with the [compliance requirements] is, in all material respects, fairly presented as evaluated against the [suitable criteria] [throughout the specified period or as at a specified date].

[Our Independence and Quality Management]

We will comply with the independence and other relevant ethical requirements relating to assurance engagements, and apply Professional and Ethical Standard 3, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements in undertaking this assurance engagement.

[Responsibilities of the assurance practitioner]

We will conduct our assurance engagement in accordance with Standard on Assurance Engagements (SAE) 3100 (Revised) Compliance Engagements. That standard requires that we comply with ethical requirements applicable to assurance engagements and plan and perform procedures to obtain reasonable assurance about whether [ABC’s Statement] is fairly stated, in all material respects.

An assurance engagement on compliance involves performing procedures to obtain evidence about ABC’s Statement of compliance with the [compliance requirements] as evaluated against the [suitable criteria]. We will perform procedures to obtain evidence about compliance activities and controls implemented to meet the [compliance requirements]. The procedures selected depend on the assurance practitioner’s professional judgement, including the identification and assessment of risks of material deficiencies in the compliance framework or misstatements in ABC’s Statement.

Because of the inherent limitations of an assurance engagement, together with the inherent limitations of any system of internal control there is an unavoidable risk that some deficiencies in the compliance framework or misstatements in ABC’s Statement may not be detected, even though the engagement is properly planned and performed in accordance with Standards on Assurance Engagements.

[Responsibilities of the responsible party/ management/ those charged with governance]

Our assurance engagement will be conducted on the basis that [the responsible party/management/those charged with governance] acknowledge and understand that they have responsibility:

  1. for the preparation of a written Statement [which will be attached to our report] that ABC has complied [throughout the specified period or as at a specified date], in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria];

  2. identification of the [compliance requirements] if not identified by law or regulation;

  3. for the identification of risks that threaten the [compliance requirements] identified above being met and controls which will mitigate those risks and monitor ongoing compliance; and

  4. to provide us with:

    1. access to all information of which those charged with governance and management are aware that is relevant to ABC’s Statement of compliance with the [compliance requirements] as evaluated against the suitable criteria;

    2. additional information that we may request from those charged with governance and management for the purposes of this assurance engagement; and

    3. unrestricted access to persons within the entity from whom we determine it necessary to obtain evidence.

As part of our engagement, we will request from [the responsible party/ management/ those charged with governance] written confirmation concerning representations made to us in connection with the engagement.

[Assurance Report]

The format of the report will be in accordance with SAE 3100 (Revised) with respect to reasonable assurance engagements [and will be in long form, including assurance procedures, findings and recommendations]. An example of the proposed report is contained in the appendix to this letter.

[Our report will be issued [frequency] and will cover [the specified period or will be at a specified date].]⁴⁴

[ABC’s Statement] will be attached to the reasonable assurance report and our opinion will be phrased in terms of whether [ABC’s Statement] that the entity has complied with the [compliance requirements] is, in all material respects, fairly presented as evaluated against the [suitable criteria], [throughout the specified period or as at a specified date].

[Use of the Assurance Report]⁴⁵

[Our report will be prepared for the use of ABC and [intended users] for [purpose] and may not be suitable for any other purpose.

The assurance report will be prepared for this purpose only and we disclaim any assumption of responsibility for any reliance on our report to any person other than ABC and [intended users], or for any purpose other than that for which it was prepared.]

We look forward to full cooperation from your staff during our assurance engagement.

[Other relevant information]

[Insert other information, such as fee arrangements, billings and other specific terms, as appropriate.]

Please sign and return the attached copy of this letter to indicate your acknowledgement of, and agreement with, the arrangements for our assurance engagement to report on ABC’s Statement of compliance with the [compliance requirements] as evaluated against the [suitable criteria], including our respective responsibilities.

Yours faithfully, (signed)

Name and Title

Date

Acknowledged on behalf of [ABC/engaging party] (signed)

Name and Title

Date

 

Example 3: Engagement Letter for a Direct Engagement for Reasonable Assurance on ABC’s compliance with the [compliance requirements] as evaluated against the [suitable criteria]

To [the appropriate representative of management or those charged with governance of ABC or the engaging party]:

[Objective and scope of the engagement]

You have requested that we undertake a reasonable assurance engagement to report on ABC’s compliance with the [compliance requirements] as evaluated against the [suitable criteria], in all material respects, [throughout the specified period or as at a specified date] for the purpose of reporting to [identify intended users: the Board of Directors/Regulator/Customers of ABC].

We are pleased to confirm our acceptance and our understanding of this reasonable assurance engagement by means of this letter. Our assurance engagement will be conducted with the objective of expressing an opinion on ABC’s compliance with the [compliance requirements], in all material respects, as evaluated against the [suitable criteria] [throughout the specified period or as at a specified date].

[Our Independence and Quality Management]

We will comply with the independence and other relevant ethical requirements relating to assurance engagements, and apply Professional and Ethical Standard 3, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements in undertaking this assurance engagement.

[Responsibilities of the assurance practitioner]

We will conduct our assurance engagement in accordance with Standard on Assurance Engagements SAE 3100 (Revised) Compliance Engagements. That standard requires that we comply with ethical requirements applicable to assurance engagements and plan and perform procedures to obtain reasonable assurance about whether ABC has complied with the [compliance requirements], in all material respects, as evaluated against the [suitable criteria].

An assurance engagement on compliance involves performing procedures to obtain evidence about ABC’s compliance with the [compliance requirements] as evaluated against the [suitable criteria]. We will perform procedures to obtain evidence about compliance activities and controls implemented to meet the [compliance requirements]. The procedures selected depend on the assurance practitioner’s professional judgement, including the identification and assessment of risks of material deficiencies in the compliance framework or material non-compliance with the [compliance requirements] as evaluated against the [suitable criteria]. Because of the inherent limitations of an assurance engagement, together with the inherent limitations of any system of internal control there is an unavoidable risk that some deficiencies in the compliance framework or non-compliance by ABC with the [compliance requirements] may not be detected, even though the engagement is properly planned and performed in accordance with Standards on Assurance Engagements.

[Responsibilities of the responsible party/ management/ those charged with governance]

Our assurance engagement will be conducted on the basis that [the responsible party/management/those charged with governance] acknowledge and understand that they have responsibility:

  1. for compliance with the [compliance requirements] as evaluated against the [suitable criteria] [throughout the specified period or as at a specified date];

  2. for the identification of risks that threaten the [compliance requirements] identified above being met and for controls which will mitigate those risks and monitor ongoing compliance; and

  3. to provide us with:

    1. access to all information of which those charged with governance and management are aware that is relevant to ABC’s compliance with the [compliance requirements] as evaluated against the [suitable criteria];

    2. additional information that we may request from those charged with governance and management for the purposes of this assurance engagement; and

    3. unrestricted access to persons within the entity from whom we determine it necessary to obtain evidence.

As part of our engagement, we will request from [the responsible party/ management/ those charged with governance] written confirmation concerning representations made to us in connection with the engagement.

[Assurance Report]

The format of the report will be in accordance with SAE 3100 (Revised) with respect to reasonable assurance engagements [and will be in long form, including assurance procedures, findings and recommendations]. An example of the proposed report is contained in the appendix to this letter.

[Use of the Assurance Report]⁴⁶

[Our report will be prepared for the use of ABC and [intended users] for [purpose], and may not be suitable for any other purpose.

The assurance report will be prepared for this purpose only and we disclaim any assumption of responsibility for any reliance on our report to any person other than ABC and [intended users], or for any purpose other than that for which it was prepared.]

We look forward to full cooperation from your staff during our assurance engagement.

[Other relevant information]

[Insert other information, such as fee arrangements, billings and other specific terms, as appropriate.]

Please sign and return the attached copy of this letter to indicate your acknowledgement of, and agreement with, the arrangements for our assurance engagement to report on ABC’s compliance with the [compliance requirements] as evaluated against the [suitable criteria], including our respective responsibilities.

Yours faithfully, (signed)

Name and Title

Date

Acknowledged on behalf of [engaging party] (signed)

Name and Title

Date

40 This attestation example engagement letter is expressed in terms of the responsible party’s or evaluator’s Statement of compliance. If a Statement is not provided the assurance practitioner’s conclusion would be expressed in terms of whether the compliance requirements have been met.

41 Insert this sentence for recurring engagements.

42 Insert this section if the report is to be for restricted use only.

43 This attestation example engagement letter is expressed in terms of the responsible party’s or evaluator’s Statement of compliance. If a Statement is not provided the assurance practitioner’s conclusion would be expressed in terms of whether the compliance requirements have been met.

44 Insert this sentence for recurring engagements.

45 Insert this section if the report is to be for restricted use only.

46 Insert this section if the report is to be for restricted use only.

EXAMPLE ASSURANCE REPORTS ON COMPLIANCE

(Ref: Para. A57)

The following examples of reports are for guidance only and are not intended to be exhaustive or applicable to all situations. They can be applied to both attestation and direct engagements. These examples are short-form reports but may be converted to long-form reports by inclusion of additional information as indicated.

Example 1: Limited Assurance Report on ABC’s compliance with the [compliance requirements] as evaluated against the [suitable criteria] (Direct engagement)

Independent Assurance Report [Appropriate Addressee]

Conclusion

We have undertaken a limited assurance engagement on ABC’s compliance, in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria], [throughout the specified period or as at a specified date]. Based on the procedures we have performed and the evidence we have obtained, nothing has come to our attention that causes us to believe that ABC has not complied, in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria] [throughout the specified period or as at a specified date].

[For a long-form report include a separate section, under an appropriate heading, or reference to an attachment for any additional information agreed in the terms of engagement to be provided to users, for example:

  • Terms of the engagement.

  • Criteria and compliance requirements being used.

  • Descriptions of the tests of compliance that were performed.

  • Findings relating to the tests of compliance that were performed or particular aspects of the engagement.

  • Details of the qualifications and experience of the assurance practitioner and others involved with the engagement.

  • Disclosure of materiality levels.

  • Recommendations for improvements to the compliance framework or processes around particular compliance activities.]

Basis for Conclusion

We conducted our engagement in accordance with Standard on Assurance Engagements (SAE) 3100 (Revised) Compliance Engagements issued by the New Zealand Auditing and Assurance Standards Board.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our conclusion.

ABC’s Responsibilities

ABC is responsible for:

  1. The compliance activity undertaken to meet the [compliance requirements].

  2. Identification of risks that threaten the [compliance requirements] identified above being met and controls which will mitigate those risks and monitor ongoing compliance.

Our Independence and Quality Management

We have complied with the independence and other ethical requirements of Professional and Ethical Standard 1 International Code of Ethics for Assurance Practitioners (including International Independence Standards) (New Zealand) issued by the New Zealand Auditing and Assurance Standards Board, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour.

The firm applies Professional and Ethical Standard 3⁴⁷, which requires the firm to design, implement and operate a system of quality management including policies or procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

Assurance Practitioner’s Responsibilities

Our responsibility is to express a limited assurance conclusion on ABC’s compliance, in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria], [throughout the specified period or as at a specified date]. SAE 3100 (Revised) requires that we plan and perform our procedures to obtain limited assurance about whether anything has come to our attention that ABC has not complied, in all material respects, with the [compliance requirements], as evaluated against the [suitable criteria], [throughout the specified period or as at a specified date].

In a limited assurance engagement, the assurance practitioner performs procedures, primarily consisting of discussion and enquiries of management and others within the entity, as appropriate, and observation and walk-throughs, and evaluates the evidence obtained. The procedures selected depend on our judgement, including identifying areas where the risk of material non-compliance with the [compliance requirements] is likely to arise.

[Insert an informative summary of the nature, timing and extent of procedures performed that, in the assurance practitioner’s judgement, provides additional information that may be relevant to the users’ understanding of the basis for the assurance practitioner’s conclusion. The following section has been provided as guidance, and the example procedures are not an exhaustive list of either the type, or extent, of the procedures which may be important for the users’ understanding of the work performed.⁴⁸

Given the circumstances of the engagement, in performing the procedures listed above we:

  • Through discussion, enquiries and observation, obtained an understanding of ABC’s compliance framework and internal control environment to meet the [compliance requirements] as evaluated against the [suitable criteria].

  • Through discussion, enquiries, observation and walk throughs, obtained an understanding of relevant [compliance activities] that are undertaken to meet the [compliance requirements], as evaluated against the [suitable criteria].

The procedures performed in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement and consequently the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed. Accordingly, we do not express a reasonable assurance opinion on compliance with the compliance requirements.

Other than in our capacity as the independent assurance practitioners we have no relationship with, or interests in, ABC.

Inherent Limitations

Because of the inherent limitations of an assurance engagement, together with the internal control structure, it is possible that fraud, error, or non-compliance with compliance requirements may occur and not be detected.

A limited assurance engagement [throughout the specified period or as at a specified date] does not provide assurance on whether compliance with the [compliance requirements] will continue in the future.

[Restricted Use]49

[This report has been prepared for use by [intended users] for the purpose of [explain purpose]. We disclaim any assumption of responsibility for any reliance on this report to any person other than [intended users], or for any other purpose other than that for which it was prepared.]

[Assurance practitioner’s signature]50

[Date of the assurance practitioner’s assurance report]

[Assurance practitioner’s location]51

 

Example 2: Reasonable Assurance Report on ABC’s compliance with the [compliance requirements] as evaluated against the [suitable criteria] (Direct engagement)

Independent Assurance Report

[Appropriate Addressee]

Opinion

We have undertaken a reasonable assurance engagement on ABC’s compliance, in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria], [throughout the specified period or as at a specified date].

In our opinion, ABC has complied, in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria] [throughout the specified period or as at a specified date].

[For a long-form report, include a separate section, under an appropriate heading, or reference to an attachment for any additional information agreed in the terms of engagement to be provided to users, for example:

  • Terms of the engagement.

  • Criteria and compliance requirements being used.

  • Descriptions of the tests of compliance that were performed.

  • Findings relating to the tests of compliance that were performed or particular aspects of the engagement.

  • Details of the qualifications and experience of the assurance practitioner and others involved with the engagement.

  • Disclosure of materiality levels.

  • Recommendations for improvements to the compliance framework or processes around particular compliance activities.]

Basis for Opinion

We conducted our engagement in accordance with Standard on Assurance Engagements (SAE) 3100 (Revised) Compliance Engagements issued by the New Zealand Auditing and Assurance Standards Board.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

ABC’s Responsibilities

ABC is responsible for:

  • The compliance activity undertaken to meet the [compliance requirements].

  • Identification of risks that threaten the [compliance requirements] identified above being met and controls which will mitigate those risks and monitor ongoing compliance.

Our Independence and Quality Management

We have complied with the independence and other ethical requirements of Professional and Ethical Standard 1 International Code of Ethics for Assurance Practitioners (including International Independence Standards) (New Zealand) issued by the New Zealand Auditing and Assurance Standards Board, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour.

The firm applies Professional and Ethical Standard 3 which requires the firm to design, implement and operate a system of quality management including policies or procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

Assurance Practitioner’s Responsibilities

Our responsibility is to express an opinion on ABC’s compliance, in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria], [throughout the specified period or as at a specified date]. SAE 3100 (Revised) requires that we plan and perform our procedures to obtain reasonable assurance about whether ABC has complied, in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria], [throughout the specified period or as at a specified date].

An assurance engagement to report on ABC’s compliance with the [compliance requirements] involves performing procedures to obtain evidence about the compliance activity and controls implemented to meet the [compliance requirements]. The procedures selected depend on our judgement, including the identification and assessment of risks of material non-compliance with the [compliance requirements] as evaluated against the [suitable criteria].

Other than in our capacity as the independent assurance practitioners we have no relationship with, or interests in, ABC.

Inherent Limitations

Because of the inherent limitations of an assurance engagement, together with the internal control structure, it is possible that fraud, error, or non-compliance with compliance requirements may occur and not be detected.

A reasonable assurance engagement [throughout the specified period or as at a specified date] does not provide assurance on whether compliance with the [compliance requirements] will continue in the future.

[Restricted Use]52

[This report has been prepared for use by [intended users] for the purpose of [explain purpose]. We disclaim any assumption of responsibility for any reliance on this report to any person other than [intended users], or for any other purpose other than that for which it was prepared.]

[Assurance practitioner’s signature]53

[Date of the assurance practitioner’s assurance report]

[Assurance practitioner’s location]54

 

Example 3: Reasonable Assurance Report on ABC’s Statement of Compliance with the [compliance requirements] as evaluated against the [suitable criteria] (Attestation engagement)

Independent Assurance Report

[Appropriate Addressee]

Opinion

We have undertaken a reasonable assurance engagement on ABC’s Statement of compliance, in all material respects, with the [compliance requirements], as evaluated against the [suitable criteria], [throughout the specified period or as at a specified date]. This Statement will accompany our report, for the purpose of reporting to [identify intended users].

In our opinion, ABC’s Statement55 that the entity has complied with the [compliance requirements] is, in all material respects, fairly presented as evaluated against the [suitable criteria] [throughout the specified period or as at a specified date].

[For a long-form report, include a separate section, under an appropriate heading, or reference to an attachment for any additional information agreed in the terms of engagement to be provided to users, for example:

  • Terms of the engagement.

  • Criteria and compliance requirements being used.

  • Descriptions of the tests of compliance that were performed.

  • Findings relating to the tests of compliance that were performed or particular aspects of the engagement.

  • Details of the qualifications and experience of the assurance practitioner and others involved with the engagement.

  • Disclosure of materiality levels.

  • Recommendations for improvements to the compliance framework or processes around particular compliance activities.]

Basis for Opinion

We conducted our engagement in accordance with Standard on Assurance Engagements (SAE) 3100 (Revised) Compliance Engagements issued by the New Zealand Auditing and Assurance Standards Board.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

ABC’s Responsibilities

ABC is responsible for:

  • Providing a Statement with respect to the outcome of the evaluation of the compliance activity against the compliance requirements which accompanies this independent assurance report.

  • Identification of the compliance requirements if not identified by law and regulation.

  • The compliance activity undertaken to meet the [compliance requirements].

  • Identification of risks that threaten the [compliance requirements] identified above not being met, and controls which will mitigate those risks and monitor ongoing compliance.

Our Independence and Quality Management

We have complied with the independence and other ethical requirements of Professional and Ethical Standard 1 International Code of Ethics for Assurance Practitioners (including International Independence Standards) (New Zealand) issued by the New Zealand Auditing and Assurance Standards Board, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour.

The firm applies Professional and Ethical Standard 3, which requires the firm to design, implement and operate a system of quality management including policies or procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

Assurance Practitioner’s Responsibilities

Our responsibility is to express an opinion on ABC’s Statement of the entity’s compliance with the [compliance requirements], in all material respects, as evaluated against the [suitable criteria] [throughout the specified period or as at a specified date]. SAE 3100 (Revised) requires that we plan and perform our procedures to obtain reasonable assurance about whether ABC’s Statement that the entity has complied with the [compliance requirements] is, in all material respects, fairly presented, as evaluated against the [suitable criteria] [throughout the specified period or as at a specified date].

An assurance engagement to report on ABC’s Statement of the entity’s compliance with the [compliance requirements] involves performing procedures to obtain evidence about the compliance activity and controls implemented to meet the [compliance requirements]. The procedures selected depend on our judgement, including the identification and assessment of risks of material misstatements in ABC’s Statement.

Other than in our capacity as the independent assurance practitioners we have no relationship with, or interests in, ABC.

Inherent Limitations

Because of the inherent limitations of an assurance engagement, together with the internal control structure, it is possible that fraud, error, or non-compliance with compliance requirements may occur and not be detected.

A reasonable assurance engagement [throughout the specified period or as at a specified date] does not provide assurance on whether compliance with the [compliance requirements] will continue in the future.

[Restricted Use]56

[This report has been prepared for use by [intended users] for the purpose of [explain purpose]. We disclaim any assumption of responsibility for any reliance on this report to any person other than [intended users], or for any other purpose other than that for which it was prepared.]

[Assurance practitioner’s signature]57

[Date of the assurance practitioner’s assurance report]

[Assurance practitioner’s location]58

 

47 Professional and Ethical Standard 3 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements

48 The procedures are to be summarised but not to the extent that they are ambiguous, nor described in a way that is overstated or embellished or that implies that reasonable assurance has been obtained. It is important that the description of the procedures does not give the impression that an agreed-upon procedures engagement has been undertaken, and in most cases will not detail the entire work plan.

49 Insert section if the report is restricted use.

50 The assurance practitioner’s report needs to be signed in one or more of the following ways: name of the assurance practitioner’s firm, name of the assurance practitioner’s company or the personal name of the assurance practitioner as appropriate.

51 The assurance practitioner’s address includes the location in the jurisdiction where the assurance practitioner practices.

52 Insert section if the report is restricted use.

53 The assurance practitioner’s report needs to be signed in one or more of the following ways: name of the assurance practitioner’s firm, name of the assurance practitioner’s company or the personal name of the assurance practitioner as appropriate.

54 The assurance practitioner’s address includes the location in the jurisdiction where the assurance practitioner practices.

55 This attestation example report assumes the responsible party provides a Statement of Compliance. If this is not provided, the assurance practitioner’s conclusion would be expressed in terms of whether the compliance requirements have been met.

56 Insert section if the report is restricted use.

57 The assurance practitioner’s report needs to be signed in one or more of the following ways: name of the assurance practitioner’s firm, name of the assurance practitioner’s company or the personal name of the assurance practitioner as appropriate.

58 The assurance practitioner’s address includes the location in the jurisdiction where the assurance practitioner practices.

(Ref: Para. A60)

EXAMPLE MODIFIED ASSURANCE REPORTS ON COMPLIANCE

The following examples of modified reasonable and limited assurance reports are for guidance only and are not intended to be exhaustive or applicable to all situations.

Example 1: Qualified reasonable assurance opinion – a material (but not pervasive) misstatement in ABC’s Statement on the entity’s compliance with the [compliance requirements] (Attestation engagement)

Qualified Opinion

In our opinion, except for the effects of the matter(s) described in the Basis for Qualified Opinion paragraph, the Statement by ABC that the entity has complied with the [compliance requirements] is, in all material respects, fairly presented as evaluated against the [suitable criteria] [as at [date]/ throughout the specified period from [date] to [date]].

Basis for Qualified Opinion

We identified a material matter in ABC’s Statement in relation to [non-compliance with section XX of Act/Regulation XX]. This has the effect of the [Trustee bank account and cash book procedures not being completed throughout the specified period] as required. We were unable to satisfy ourselves as to ABC’s compliance with this requirement, and therefore qualify our opinion in this regard.

Assurance Practitioner’s Responsibilities

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our qualified opinion.

Example 2: Adverse reasonable assurance opinion – ABC non-compliant with the compliance requirements throughout the specified period (Direct engagement)

Adverse Opinion

In our opinion, ABC has not complied, in all material respects, with the [compliance requirements], as evaluated against the [suitable criteria], throughout the specified period from [date] to [date].

Basis for Adverse Opinion

We have identified a material matter in relation to [section XX of Act/Regulation XX]: the procedures and controls regarding ABC’s bank accounts and other assets were not completed and effective throughout the specified period [date] to [date]. This has the effect of ABC not meeting the [conditions imposed under section XX of Act/Regulation XX] and being non-compliant in this regard.

Assurance Practitioner’s Responsibilities

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our adverse opinion.

Example 3: Disclaimer of reasonable assurance opinion – the assurance practitioner is unable to obtain sufficient appropriate evidence of compliance with the [compliance requirements] (Direct engagement)

Disclaimer of Opinion

Because of the significance of the matter described in the Basis for Disclaimer of Opinion section of our report, we do not express an opinion on ABC’s compliance with [compliance requirements] as evaluated against the [suitable criteria] throughout the period from [date] to [date].

Basis for Disclaimer of Opinion

ABC’s computer systems were subject to a cyber-attack on [date] in which a substantial amount of ABC’s data was destroyed, and no backup data was retrievable, throughout the period from [date] to [date]. Due to this event we were unable to conduct testing of compliance activities or walk-throughs relevant to [compliance requirements] throughout the specified period, which would be necessary to form an opinion on whether ABC was compliant with [compliance requirements] throughout the period.

Assurance Practitioner’s Responsibilities

Because of the matter described in the Basis for Disclaimer of Opinion paragraph, we are not able to obtain sufficient appropriate evidence to provide a basis for a reasonable assurance opinion on ABC’s compliance with the [compliance requirements] as evaluated against the [suitable criteria].

Example 4: Qualified limited assurance conclusion – the assurance practitioner is unable to obtain sufficient appropriate evidence of compliance with the [compliance requirements] (Direct engagement)

Qualified Conclusion

Based on the procedures we have performed and the evidence we have obtained, except for the effects of the matter described in the Basis for Qualified Conclusion paragraph, nothing has come to our attention that causes us to believe that ABC has not complied, in all material respects, with the [compliance requirements] as evaluated against the [suitable criteria] throughout the specified period from [date] to [date].

Basis for Qualified Conclusion

We were unable to obtain sufficient appropriate evidence about ABC’s compliance with [section XX of Act/Regulation XX]. This has the effect of [the Trustee bank account and cash book procedures not being completed in relation to section XX of Act/Regulation XX] throughout the specified period as required. We were unable to satisfy ourselves by alternate procedures, and therefore qualify our conclusion in this regard.

Assurance Practitioner’s Responsibilities

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our qualified conclusion.

(Ref: Para. 56(s))

Existence of any Other Relationship of the Assurance Practitioner with the Entity

Paragraph 56(s) of this SAE requires the assurance practitioner to state in the assurance practitioner’s report for the assurance engagement the existence of any relationships (other than that of assurance practitioner) which the assurance practitioner has with, or any interests the assurance practitioner has in, the entity or any of its subsidiaries.

The material below sets out an example of wording which can be used in the assurance practitioner’s report where the assurance practitioner has a relationship with (other than that of assurance practitioner), or interests in, an entity or any of its subsidiaries.

“Our firm carried out other assignments for the (entity) in the area of advice and special consultancy projects. In addition to this, principals and employees of our firm deal with the (entity) on normal terms within the ordinary course of the activities of the (entity). The firm has no other relationship with, or interests in, the (entity).”

This conformity statement accompanies but is not part of SAE 3100 (Revised).

Conformity with International Standards on Assurance Engagements

There is no equivalent International Standard on Assurance Engagements (ISAE), issued by the International Auditing and Assurance Standards Board (IAASB), an independent standard-setting board of the International Federation of Accountants (IFAC).

Comparison with Australian Standards on Assurance Engagements

In Australia, the Australian Auditing and Assurance Standards Board (AUASB) has issued Auditing Standard on Assurance Engagements 3100 Compliance Engagements.

Equivalent paragraphs 46 and 56(s) have not been added to ASAE 3100.

Non-compliance with Laws or Regulations

  • Paragraph 46 If the assurance practitioner becomes aware of information concerning an instance of non-compliance or suspected non-compliance with respect to laws and regulations, the assurance practitioner shall comply with PES 1 (Revised), or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding. (Ref. Para. A65)

Existence of any Relationship with the Entity

  • Paragraph 56(s) A statement as to the existence of any relationship (other than that of assurance practitioner) which the assurance practitioner has with, or any interests which the assurance practitioner has in, the entity or any of its subsidiaries. Appendix 8 provides an example of wording that may be used in the assurance practitioner’s report to identify any relationships with, or interests in, the entity.

Paragraph 38 of ASAE 3100 is deleted in SAE 3100 (Revised)

Prohibition of use of internal auditors to provide direct assistance in a compliance engagement

  • Paragraph 38. The use of internal auditors to provide direct assistance is prohibited in an assurance engagement conducted in accordance with this ASAE. Direct assistance is the performance of assurance procedures under the direction, supervision and review of the assurance practitioner. This prohibition does not preclude reliance on the work of the internal audit function to modify the nature or timing, or reduce the extent, of assurance procedures to be performed directly by the assurance practitioner. (Ref: Para. A36)

Difference in ethical requirements

Paragraphs 9 and 19 of ASAE 3100 and SAE 3100 (Revised) differ in their acceptable ethical requirements.

While ASAE 3100 requires the assurance practitioner to comply with ASA 102 and for the lead assurance practitioner to be a member of a firm that applies ASQC1, SAE 3100 (Revised) requires the assurance practitioner to comply with Professional and Ethical Standard 1 (Revised) and the lead assurance practitioner to be a member of a firm that applies Professional and Ethical Standard 3 (Amended) or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding. SAE 3100 (Revised) requirements are consistent with requirements included in the ISAE 3000 (Revised) issued by the IAASB.