The purpose of an assurance engagement is to collect enough evidence to reach a conclusion. This conclusion gives a level of assurance about whether an audited body has followed the relevant legislation.

The requirements for conducting an assurance engagement are set out in the National Greenhouse and Energy Reporting (Audit) Determination 2009.

Levels of assurance

The higher the level of assurance, the more confident someone can be in what was audited.

The 2 main levels of assurance are:

  • reasonable assurance
  • limited assurance.

Absolute assurance means there is no assurance engagement risk. Reducing the risk to zero is very rare.

To give a higher level of assurance, an auditor must do a more in-depth and rigorous assessment.

Reasonable assurance engagement

Reasonable assurance means reducing assurance engagement risk to an acceptably low level. This allows the auditor to make a positive statement in their conclusion.

Reasonable assurance means a high level of confidence but not absolute certainty.

To reach reasonable assurance, an auditor must gather sufficient evidence.

Auditors use reasonable assurance for most audits.

Limited assurance engagement

Limited assurance means reducing assurance engagement risk to a level that is acceptable in the circumstances of the assurance engagement. The risk is still greater than it is for a reasonable assurance engagement. This leads to a negative statement in the auditor's conclusion.

Evidence-gathering procedures are limited in comparison with a reasonable assurance engagement.

Phases of the assurance process

An assurance engagement's purpose is to get an independent conclusion on whether the audited body has complied with legislation.

The assurance process is made up of 4 key phases.

Preparing

During the preparing phase, the auditor must decide whether they can conduct the engagement.

As part of this phase, the auditor:

  1. assesses the risks of accepting the engagement
  2. checks whether they are independent of the audited body
  3. selects the audit team and has each member sign an independence and conduct declaration
  4. considers whether they need to include an external expert in the audit team
  5. accepts or rejects the engagement terms.

Subsection 3.3(2) of the Determination explains the minimum requirements for the engagement terms.

For the engagement to begin, the engagement terms must be agreed in writing by the audit team leader and the person appointing the audit team leader.

Planning

During the planning phases, the auditor assesses whether the assurance engagement is possible by evaluating:

  • what will be audited (the subject matter)
  • what it will be audited against (the criteria).

Thorough planning allows the auditor to develop audit procedures for the performing phase.

During this phase, the auditor:

  1. builds an understanding of the audited body and environment by:
    • performing risk assessment procedures
    • performing preliminary analytical procedures
    • assessing the audited body's systems, processes and controls
    • assessing the suitability of the criteria.
  2. sets materiality
  3. designs the assurance procedures according to the risks identified during the planning phase
  4. prepares an assurance engagement plan
  5. discusses information gaps and risks with us or the audited body and addresses gaps.

The audit team leader conducts a risk assessment to help them understand and evaluate the risks involved in the audit. Section 3.9 of the Determination lists the requirements for risk assessments.

Risks include:

  • Audit risk: the risk that the audit team leader will issue the wrong conclusion.
  • Inherent risk: the possibility of there being an error in what's being audited despite the audited body putting in controls. For example, the reliability of electricity meters.
  • Detection risk: the risk that the audit team leader will not detect an error or non-compliance that exists. For instance, an audit team leader checks if the emissions calculation is accurate but doesn't review the data that supports the calculation.
  • Control risk: the risk that an error could happen and not be detected, corrected or prevented by the audited body's internal control system.

Based on the risk assessment, it's likely the audit team leader will find significant risks.

Rather than try to address these risks, the audit team leader should plan how they will manage these risks using different assurance procedures during the performing phase.

The higher the level of risk, the more detailed the procedures need to be. The procedures should gather enough evidence to lower the risk to an acceptable level.

The audit team leader should document these assurance procedures in the assurance engagement plan.

The audit team leader must assess the audited body's systems and processes. As part of this, they should assess the controls the audited body has in place to manage the risk of errors or non-compliance.

By doing this assessment, the audit team leader knows which areas of the assurance engagement are likely to involve higher levels of risk. These risks may occur because of poor internal controls.

To assess the internal control system, the audit team leader needs to evaluate:

  • the overall control environment, for example, the attitude senior staff have towards risk management
  • the audited body's risk assessment process, for example, risk registers or risk management functions like internal audit
  • the information system, for example, how the audited body collects and reports information and monitors for inaccurate reporting
  • control activities, for example, signoffs performed over reported information at a facility
  • monitoring of controls, for example, how the audited body monitors the ongoing efficiency of controls.

Section 3.11 of the Determination lists the requirements for assessing systems and processes.

The audit team leader must confirm their initial assessment of the audited body's criteria and subject matter.

Criteria is the relevant legislation, particularly the Determination and the methods under the Australian Carbon Credit Unit Scheme.

The audited body should document its interpretation and application of the criteria. The audit team leader must assess whether the audited body's criteria is consistent with the requirements of the relevant legislation.

The audit team leader must document their assessment of the audited body's interpretation and application of the criteria during the risk assessment.

The subject matter is the matters to be audited. For example, the information prepared by the audited body under the appropriate legislation.

The subject matter differs between assurance engagements. It will be one of the following:

  • the subject matter is specified by us in a notice to the audited body for audits carried out under:
    • sections 73, 73A, 74, 74A, 74B or 74C of the National Greenhouse and Energy Reporting Act 2007 (NGER Act)
    • sections 214 or 215 of the Carbon Credits (Carbon Farming Initiative) Act 2011
    • Part 6, Division 3 of the Carbon Credits (Carbon Farming Initiative) Rule 2015
    • sections 28, 36, 42 or 49 of the National Greenhouse and Energy Reporting (Safeguard Mechanism) Rule 2015.
  • the subject matter is agreed between the audit team leader and us in an audit carried out under section 74 of the NGER Act
  • the subject matter for exemption certificate audits contained in relevant legislation
  • the subject matter is agreed between the audited body and the audit team leader voluntarily.

The conclusion is the audit team leader's independent assessment of the subject matter against the criteria.

Materiality refers to the significance of misstatements in information. Misstatements are errors, omissions or misrepresentations.

Not all misstatements are material. It depends on the size, nature and impact of the misstatement. A misstatement is considered material if it could influence the decisions of people using greenhouse and energy information.

There are 2 types of materiality:

  • Quantitative materiality: the specific threshold or level of misstatements that could impact how people using the information make decisions.
  • Qualitative materiality: looks at the broader context and impact of misstatements and how they affect people's understanding of the information.

Auditors focus on material misstatements during their audits.

Section 3.6 of the Determination lists the requirements of the assurance engagement plan. Requirements include:

  • the assurance engagement terms
  • items that need particular attention during the audit
  • timeframes
  • role of each member of the audit team
  • a summary of audit procedures that will be completed during the performing phase.

The auditor must consider the nature, timing and extent of evidence-gathering procedures in developing the assurance engagement plan.

The plan should include any actions the audit team leader thinks the audited body should take before the performing phase of the engagement.

The contents of the assurance engagement plan are not fixed. The assurance procedures are expected to change throughout the engagement depending on the results of the procedures.

Section 3.8 of the Determination requires the audit team leader to review the assurance engagement plan and amend it if the assurance procedures change.

Performing

During the performing phase, the audit team completes the procedures developed during the planning phase. These procedures should help the auditor:

  • reduce the assurance risk to an acceptable level
  • gather enough evidence to give a conclusion about whether the audited body has complied with all relevant legislation.

There are 5 steps to performing analytical procedures:

  1. assess the reliability of data
  2. develop an independent expectation
  3. define a significant difference in threshold
  4. compute the differences
  5. investigate differences and conclude.

Evidence-gathering techniques include:

  • External confirmation: getting confirmation from a third party. For example, checking reported information with a third party.
  • Inspection: examining records and documents. For example, reviewing internal metering systems to check they exist and are functioning properly.
  • Observation: looking at a process or procedure being performed by the audited body. Generally, this is conducted when the process doesn't leave an audit trail of documents. For example, touring facilities or observing the collection and reporting of data.
  • Enquiry: asking personnel of the audited body to explain how they make decisions. For example, discussing how they made decisions while doing calculations.
  • Re-calculation: conducting independent calculations to confirm the audited body's calculations to check accuracy. It also involves checking the completeness of source documents and records. For example, re-computing the audited body's greenhouse gas emissions calculations.

Section 3.9 onwards of the Determination outlines how to perform an assurance engagement.

For more information, watch our webinar on audit evidence.

Importance of documentation

Assurance documentation is a key part of an assurance engagement.

Documentation helps auditors review and evaluate the evidence and proposed conclusion before the assurance engagement report is finalised.

The documentation must provide:

  • a sufficient appropriate record of the basis for the audit team leader's report
  • evidence the assurance engagement was performed in accordance with the Determination.

Documentation should also show how the audit team followed other guidance like ASAE 3000.

An experienced auditor with no previous connection to the engagement should be able to use the documentation to understand:

  • the nature, timing, and extent of the procedures performed, including details of who performed and reviewed the assurance work and when
  • the results of the procedures and evidence obtained
  • significant matters arising during the engagement and the conclusions reached.

Documentation must be kept for 5 years after the date the assurance engagement report is signed.

Reporting

During the reporting phase, the audit team leader prepares a final report.

The auditor uses the evidence gained during the performing phase to evaluate the final reported greenhouse and energy information (subject matter) against the legislation and methodology (the criteria).

During this phase, the auditor:

  1. reassesses materiality and engagement risks
  2. assesses subsequent events
  3. prepares a summary of uncorrected errors
  4. gets management representation
  5. issues an assurance engagement report.

An assurance engagement report must include:

  • a cover sheet
  • Part A (audit opinion)
  • Part B (detailed findings).

For guidance, you can watch our webinar on Part B of assurance engagement audit reports.

Sections 3.17 to 3.23 of the Determination sets out the requirements for reporting on an assurance engagement.

The three-party relationship

For an audit to be independent, a third-party relationship must exist between us, the audited body and the audit team leader.

This relationship must exist where:

  • we are the intended users of the audit report
  • the audited body must comply with legislation related to schemes administered by us
  • the audit team leader is responsible for either:
    • independently assessing information and providing an assurance conclusion
    • performing verification engagement procedures in line with engagement terms.

The circumstances surrounding the relationship may be different from where the engagement started because either:

  • we required the audited body to seek an audit for compliance purposes
  • we appointed the audit team leader on the basis of a risk management approach
  • the audited body sought the audit voluntarily.

If we need the audited body to obtain an audit as part of a compliance audit, the three-party relationship remains the same. It also remains the same if we appoint the audit team leader for audits under our audit program.

If the audited body sought the audit voluntarily, the directors of that body are the intended users of the audit report.

Templates and guides