AFM 208: Introduction to Assurance

Sources and References

Primary textbook — Arens, Alvin A., Randal J. Elder, Mark S. Beasley, and Chris E. Hogan. Auditing and Assurance Services: An Integrated Approach, 17th ed. Pearson, 2020.

Supplementary — CPA Canada Handbook — Assurance (CAS standards, CSAE 3000, CSQC 1); Louwers, Timothy J., et al. Auditing and Assurance Services, 7th ed. McGraw-Hill, 2018.

Standards and guidance — Canadian Auditing Standards (CAS), based on International Standards on Auditing (ISA), issued by the International Auditing and Assurance Standards Board (IAASB); CPA Code of Professional Conduct (CPA Ontario); PCAOB Auditing Standards (for US-listed entities).


Chapter 1: The Concept of Assurance

What is Assurance?

In everyday language, assurance means confidence or certainty. In the professional context, an assurance engagement is a structured process in which a practitioner evaluates a subject matter against a stated criterion and communicates the resulting conclusion to an intended user, thereby increasing the user’s confidence in the reliability of that subject matter.

Assurance engagement: An engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users, other than the responsible party, about the outcome of the evaluation or measurement of a subject matter against criteria (CSAE 3000.12).

The key elements of any assurance engagement are:

  1. A three-party relationship: The responsible party (who prepares the subject matter), the practitioner (who evaluates it), and the intended users (who rely on the conclusion)
  2. A subject matter: What is being evaluated — financial statements, internal controls, sustainability disclosures, compliance with regulations, etc.
  3. Suitable criteria: The benchmark against which the subject matter is measured — accounting standards (IFRS, ASPE), regulatory requirements, or agreed-upon criteria
  4. Evidence: The information gathered by the practitioner to support the conclusion
  5. A written report: The formal communication of the practitioner’s conclusion

Why Demand for Assurance Exists

Assurance arises from a fundamental conflict of interest: those who prepare information (management) are not the same as those who rely on it (shareholders, lenders, regulators). This is the classic principal-agent problem, first articulated by Jensen and Meckling (1976). When principals (owners) delegate authority to agents (managers), they cannot perfectly observe agent behavior, creating the potential for:

  • Moral hazard: The agent taking actions not in the principal’s interest
  • Information asymmetry: The agent knowing more about the business than the principal
  • Adverse selection: The inability of the principal to distinguish truthful from misleading reports without independent verification

Assurance services reduce these problems by providing an independent check on management’s representations. They are demanded because they increase the credibility of reported information, which in turn reduces the cost of capital for the reporting entity and the risk of loss for external users.

Example: A bank considering a $10 million loan to a corporation will be much more willing to lend — and at a lower interest rate — if the corporation's financial statements have been independently audited by a credible CPA firm. The audit reduces the bank's uncertainty about the accuracy of the financial data and the risk of default.

Supply of Assurance Services

In Canada, the supply of statutory audit and most high-value assurance engagements is restricted to Chartered Professional Accountants (CPAs) licensed under provincial legislation. CPA firms provide assurance services through a network of audit partners and staff, supported by quality control frameworks mandated by Canadian Standard on Quality Control 1 (CSQC 1).

The market for assurance includes:

  • The Big Four firms (Deloitte, PwC, EY, KPMG) serving large public companies and financial institutions
  • Mid-size national and regional firms serving private companies and not-for-profit entities
  • Small local practices serving owner-managed businesses and smaller organizations

Chapter 2: Classification of Assurance Engagements

Audit vs. Review vs. Other Assurance

The level of assurance a practitioner provides — and the procedures required to support it — depends on the nature of the engagement. Three fundamental levels exist:

| Engagement Type | Level of Assurance | Expression |
| --- | --- | --- |
| Audit | Reasonable (high) assurance | Positive opinion (“In our opinion, the financial statements present fairly…”) |
| Review | Limited assurance | Negative assurance (“Nothing has come to our attention to indicate that the statements are not prepared in accordance with…”) |
| Compilation | No assurance | Factual report only |

Reasonable Assurance Engagements — The Financial Statement Audit

An audit of financial statements is the most common and most rigorous assurance engagement. The auditor obtains sufficient appropriate evidence to reduce audit risk to an acceptably low level and then expresses an opinion on whether the financial statements as a whole are free from material misstatement, whether due to fraud or error.

Reasonable assurance: A high (but not absolute) level of assurance. Absolute assurance is not attainable because of inherent limitations of an audit, including sampling, the use of judgment, and the fact that much of the evidence is persuasive rather than conclusive.

Limited Assurance Engagements — The Review

In a review engagement, the practitioner applies analytical procedures and makes inquiries of management, but does not perform the detailed testing (inspections, confirmations, recalculations) that characterize an audit. The resulting “limited assurance” is lower than audit-level assurance but still provides meaningful value to users who do not require a full audit.

Other Assurance Engagements

CAS and CSAE 3000 also govern assurance on subject matters other than historical financial statements, including:

  • Internal control reports (e.g., SOX 404 opinions in the US context; similar internal control assurance in Canada)
  • Sustainability and ESG reporting (assurance on greenhouse gas emissions inventories, social impact disclosures)
  • Compliance engagements (assurance that an entity has complied with specified laws or contract terms)
  • Prospective financial information (comfort letters, examination of forecasts)

Forms of Audit Reports and Their Implications

The standard unmodified (clean) audit opinion states that financial statements present fairly, in all material respects, in accordance with the applicable financial reporting framework. When the auditor cannot issue a clean opinion, they issue a modified report:

| Modification | Cause | Effect on Opinion |
| --- | --- | --- |
| Qualified | Material misstatement or scope limitation — but not pervasive | “Except for” the matter described… |
| Adverse | Material and pervasive misstatement | Statements do not present fairly |
| Disclaimer | Scope limitation so significant that no opinion can be formed | Auditor does not express an opinion |

Chapter 3: Responsibilities of the Assurance Practitioner

Professional Skepticism and Judgment

The auditor’s most important attribute is professional skepticism: a critical mindset that neither assumes management’s representations are truthful nor presumes them false, but demands corroborating evidence before accepting any significant assertion.

Professional skepticism: An attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence (CAS 200.13(l)).

Professional skepticism is not cynicism. The auditor approaches management with good faith while maintaining vigilance for red flags such as:

  • Unusual transactions near period-end
  • Aggressive revenue recognition
  • Management override of controls
  • Significant estimates with wide uncertainty ranges

Auditor Independence

Independence is the cornerstone of the audit’s value. An auditor who is financially or otherwise dependent on the client cannot credibly challenge management’s representations. Independence has two components:

  1. Independence of mind: The actual mental state — freedom from pressures that compromise judgment
  2. Independence in appearance: The reasonable observer’s perception — avoiding situations that would cause an informed third party to conclude independence is compromised

The CPA Code of Professional Conduct identifies a range of threats to independence (self-interest, self-review, advocacy, familiarity, and intimidation) and requires practitioners to apply safeguards to reduce them to an acceptable level.

Ethical Principles for Assurance Practitioners

The International Ethics Standards Board for Accountants (IESBA) Code, adopted by CPA Canada, establishes five fundamental principles:

  1. Integrity: Honest and straightforward dealing in all professional and business relationships
  2. Objectivity: Freedom from bias, conflict of interest, or undue influence of others
  3. Professional competence and due care: Maintaining knowledge and skill at the level required to ensure competent professional service
  4. Confidentiality: Not disclosing information acquired through professional relationships without proper authority, except where there is a legal or professional duty to do so
  5. Professional behavior: Compliance with relevant laws and regulations; avoiding any action that discredits the profession

Auditor Responsibilities Regarding Fraud

CAS 240 (The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements) makes clear that management bears primary responsibility for preventing and detecting fraud, but the auditor bears responsibility for obtaining reasonable assurance that the financial statements are free from material misstatement due to fraud.

The fraud triangle (Cressey, 1953) identifies three conditions that commonly coexist when fraud occurs:

  1. Incentive/Pressure: Financial targets, debt covenants, bonus schemes
  2. Opportunity: Weak internal controls, override by management, lack of segregation of duties
  3. Rationalization: The perpetrator’s ability to justify the behavior (“I was just borrowing it,” “They deserved it”)

Auditors use knowledge of these conditions to assess fraud risk and design appropriate procedures.


Chapter 4: Conducting a Financial Statement Audit

Audit Risk and Materiality

Audit risk is the risk that the auditor expresses an inappropriate opinion — specifically, that a material misstatement exists and the auditor fails to detect it. The audit risk model is:

\[ AR = IR \times CR \times DR \]

Where:

  • \( AR \) = Audit risk (the target level the auditor sets, typically very low, e.g., 5%)
  • \( IR \) = Inherent risk (the risk of a material misstatement, assuming no controls)
  • \( CR \) = Control risk (the risk that internal controls fail to prevent or detect a misstatement)
  • \( DR \) = Detection risk (the risk that the auditor’s procedures fail to detect a misstatement)

The auditor cannot change inherent risk (it is a property of the client’s environment and transactions). The auditor can assess control risk by testing internal controls, and then set detection risk accordingly, designing procedures that will bring overall audit risk to an acceptable level.
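
Rearranging the model gives the detection risk the auditor has to plan for. This is an added worked example: the \( IR \) and \( CR \) values are assumed for illustration, and \( AR \) is the 5% target mentioned above.

\[ DR = \frac{AR}{IR \times CR} \]

With \( AR = 0.05 \) and \( IR = 0.80 \):

  • Controls not relied upon (\( CR = 1.00 \)): \( DR = 0.05 / (0.80 \times 1.00) = 0.0625 \)
  • Controls tested and found effective (\( CR = 0.50 \)): \( DR = 0.05 / (0.80 \times 0.50) = 0.125 \)

The lower the assessed control risk, the higher the detection risk the auditor can accept, and the less substantive evidence is needed to hold \( AR \) at its target.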

Materiality: Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements. Materiality thresholds are commonly set as a percentage of a base (e.g., 5% of pre-tax income, 0.5% of total assets, or 1% of revenue), with the base chosen to reflect what users care most about.

Performance Materiality

Auditors set performance materiality below the overall materiality threshold. This provides a buffer: if individual misstatements are each below performance materiality, their aggregate is unlikely to exceed overall materiality.

Phases of the Audit

Phase 1: Client Acceptance and Engagement Planning

Before accepting a new client, the audit firm performs:

  • Client background investigation: understanding the entity’s industry, ownership, and reputation
  • Independence check: confirming no prohibited relationships exist
  • Risk assessment at the firm level: whether the audit is within the firm’s competence

Once accepted, the engagement partner and team prepare an audit plan that identifies:

  • The audit scope and objectives
  • Key areas of risk (accounts or assertions where material misstatement is most likely)
  • The nature, timing, and extent of planned audit procedures
  • Staffing and timing

Phase 2: Understanding the Entity and Assessing Risks

CAS 315 requires the auditor to understand the entity and its environment — the industry, regulatory context, business model, related parties, and internal control system — sufficiently to identify and assess the risks of material misstatement (RMM) at both the financial statement level and the assertion level.

Financial statement assertions are management’s implicit claims embedded in the financial statements:

| Assertion | Meaning |
| --- | --- |
| Existence/Occurrence | Assets and liabilities exist; transactions actually occurred |
| Completeness | All transactions that should be recorded are recorded |
| Accuracy/Valuation | Amounts are mathematically correct and properly valued |
| Classification | Items are recorded in the appropriate accounts |
| Cut-off | Transactions are recorded in the correct period |
| Rights and Obligations | The entity has rights to assets and obligations for liabilities |
| Presentation and Disclosure | Items are properly disclosed in the notes |

Phase 3: Tests of Controls and Substantive Procedures

Once risks are identified, the auditor designs procedures to address them. There are two broad categories:

Tests of Controls evaluate whether internal controls are designed appropriately and operating effectively throughout the period. When controls are effective, the auditor can reduce substantive testing.

Substantive procedures gather evidence directly about the amounts and disclosures in the financial statements. They include:

  • Analytical procedures: Comparing current-year balances to prior years, industry norms, or internally consistent expectations (e.g., if gross margin historically is 40% but is now 55%, why?)
  • Tests of details: Direct examination of transactions and balances, including:
    • Inspection of documents (contracts, invoices, shipping records)
    • Observation of physical assets or processes (e.g., inventory count)
    • Confirmation (sending requests to third parties — banks, customers — to confirm balances)
    • Recalculation (recomputing mathematical accuracy)
    • Reperformance (re-executing a process to verify it was performed correctly)
    • Inquiry of management and other personnel

Example — Accounts Receivable Audit: The primary assertions for accounts receivable are existence (the customers owe the amounts shown), valuation (the amounts are collectible), and cut-off (sales are recorded in the correct period). The auditor might: (1) confirm a sample of balances directly with customers; (2) examine subsequent cash receipts to verify collection; (3) review the aging schedule and evaluate the adequacy of the allowance for doubtful accounts; and (4) inspect a sample of sales invoices around the year-end date to verify proper cut-off.

Phase 4: Completing the Audit and Forming a Conclusion

Near completion, the auditor:

  • Evaluates the aggregate of uncorrected misstatements identified during the audit
  • Reviews going concern indicators (CAS 570)
  • Reviews subsequent events for any facts requiring disclosure or adjustment (CAS 560)
  • Obtains management representations (a formal letter in which management confirms its responsibilities and any matters the auditor has discussed with them)
  • Reviews engagement documentation for completeness

The engagement partner then forms a conclusion on the overall fairness of the financial statements and drafts the auditor’s report.


Chapter 5: Internal Controls and the Auditor

What are Internal Controls?

Internal controls are the policies, procedures, and processes an organization uses to safeguard assets, ensure the reliability of financial reporting, promote operational efficiency, and encourage compliance with laws and regulations. The COSO Internal Control — Integrated Framework (2013) is the dominant model. It organizes internal controls into five components:

  1. Control Environment: The tone at the top — management’s philosophy, ethical values, governance structure, and commitment to competence
  2. Risk Assessment: The entity’s process for identifying and analyzing risks to achieving its objectives
  3. Control Activities: The specific policies and procedures (authorizations, reconciliations, segregation of duties, physical safeguards, IT controls) that reduce risk
  4. Information and Communication: Systems that capture and communicate relevant information to support financial reporting
  5. Monitoring: Ongoing and separate evaluations of the control system’s effectiveness

Segregation of Duties

A fundamental principle of internal control is that no single individual should have the ability to commit an error or fraud and conceal it. The key functions that should be separated are:

  • Authorization: Approving transactions
  • Recording: Entering transactions into the accounting records
  • Custody: Having physical access to assets

When segregation of duties is not possible (common in small organizations), management must compensate with other controls such as supervisory review and detailed reconciliations.
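
The separation of authorization, recording, and custody can be tested directly against a system's access listing. The following is an added example, not part of the course material: the permission names, the permission-to-duty mapping, and the access listing are all constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Assumed mapping from system permissions to the three duties named above.
# Permission names are hypothetical; map a real system's roles the same way.
DUTY_OF = {
    "po.approve": "authorization",
    "payment.approve": "authorization",
    "gl.post_journal": "recording",
    "ap.enter_invoice": "recording",
    "bank.release_payment": "custody",
    "warehouse.issue_stock": "custody",
}

# Constructed sample access listing: (user, permission) pairs.
ACCESS_LISTING = [
    ("alice", "po.approve"),
    ("alice", "payment.approve"),      # two permissions, one duty: no conflict
    ("bob", "ap.enter_invoice"),
    ("bob", "bank.release_payment"),   # recording + custody
    ("carol", "gl.post_journal"),
    ("dave", "po.approve"),
    ("dave", "gl.post_journal"),
    ("dave", "warehouse.issue_stock"), # all three duties
    ("erin", "report.view"),           # not in the mapping
]


def sod_conflicts(listing, duty_of=DUTY_OF):
    """Return (conflicts, unmapped).

    conflicts: {user: {(duty_a, duty_b): (perms_a, perms_b)}} for every pair
               of distinct duties a user holds, with the permissions that
               evidence each duty.
    unmapped:  permissions missing from duty_of, which need manual
               classification before the test can be called complete.
    """
    held = defaultdict(lambda: defaultdict(set))
    unmapped = set()
    for user, perm in listing:
        duty = duty_of.get(perm)
        if duty is None:
            unmapped.add(perm)
            continue
        held[user][duty].add(perm)

    conflicts = {}
    for user, duties in held.items():
        pairs = list(combinations(sorted(duties), 2))
        if pairs:
            conflicts[user] = {
                (a, b): (sorted(duties[a]), sorted(duties[b])) for a, b in pairs
            }
    return conflicts, unmapped


if __name__ == "__main__":
    found, unknown = sod_conflicts(ACCESS_LISTING)
    for user, pairs in sorted(found.items()):
        for (a, b), (pa, pb) in pairs.items():
            print(f"{user}: {a} {pa} conflicts with {b} {pb}")
    print("Unclassified permissions:", sorted(unknown))
```

Each flagged user is either an access right to remove or a case where the compensating controls described above (supervisory review, detailed reconciliations) need to be evidenced.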

Information Technology Controls

Most modern financial systems rely heavily on IT. The auditor must understand and test IT general controls (ITGCs) — controls over the IT environment itself — including:

  • Access controls (who can access which systems and data)
  • Change management (how software and configurations are modified)
  • Operations controls (backup and recovery procedures)

Weaknesses in ITGCs can undermine the reliability of all automated application controls and reports.


Chapter 6: Audit Tasks for the Novice Auditor

The Audit Junior’s Role

Entry-level auditors are assigned specific procedural tasks within a larger audit program designed by senior staff and managers. These tasks typically include:

  • Footing and cross-footing: Verifying arithmetic totals on schedules and financial statements
  • Vouching: Tracing recorded amounts back to supporting documents (e.g., from the general ledger entry to the original invoice)
  • Tracing: Moving forward from a source document to the recorded entry (tests completeness)
  • Confirmation procedures: Drafting and sending confirmation requests to third parties; following up on exceptions
  • Inventory observation: Attending and counting a sample of inventory items at year-end, comparing counts to client records
  • Bank reconciliation review: Verifying that the reconciliation between the bank statement and book balance is complete and correct
  • Analytical procedures: Computing ratios and comparing them to prior-year figures, budget, or industry data; investigating significant unexplained differences

Working Paper Documentation

All audit procedures must be documented in the audit file (workpapers). Well-prepared workpapers:

  • Identify the procedure performed and the evidence examined
  • State the objective the procedure addresses (which assertion for which account)
  • Record the conclusion reached (“Balance appears fairly stated” or “Exception noted: see cross-reference”)
  • Include a sign-off by the preparer and reviewer

The requirement to document arises from both quality control standards (CSQC 1) and the regulatory environment: regulators such as the Canadian Public Accountability Board (CPAB) conduct inspections of audit files, and legally challenged engagements often turn on the adequacy of documentation.
