Letter

KPMG IFRG Limited
International Federation of Accountants 545 Fifth Avenue, 14th Floor IAASB Exposure Draft, Proposed ISAE 3000 (Revised), Assurance Engagements Other
Than Audits or Reviews of Historical Financial Information
We are pleased to have the opportunity to comment on the above Exposure Draft issued by the International Auditing and Assurance Standards Board (IAASB). We have consulted with, and this letter represents the views of, the KPMG network. Overall, we consider that the proposed revised standard includes significant improvements to terminology and concepts in a number of areas, and as a result will be of greater benefit to practitioners than the extant standard. Our overarching comments are included below. Appendix 1 to this letter provides further information regarding these overarching comments and also our responses to the specific questions posed in the Exposure Draft. Appendix 2 includes additional comments on specific paragraphs in the proposed standard. Overarching comments
Relationship between ISAE 3000 and the International Framework for Assurance
Engagements
We support the IAASB’s aims in drafting proposed ISAE 3000 on a stand-alone basis, and agree that this is of particular importance given the IAASB’s intention to extend the use of ISAE 3000 to other “competent practitioners” rather than being restricted to professional accountants in public practice. However, a stand-alone ISAE 3000 does raise a question regarding the purpose of the Framework in relation to ISAE 3000. Accordingly, as described in Appendix 1, we recommend that the IAASB include a statement within the proposed standard that refers to the Framework and clarifies the purpose of the Framework in relation to ISAE 3000. KPMG IFRG Limited, a UK company limited by guarantee, is a member of Registered office: Tricor Suite, 7th Floor, 52-54 Gracechurch Street, KPMG International Cooperative, a Swiss entity. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 We also recommend that the IAASB explore expanding the scope of the Framework so that it encompasses all standards issued by the IAASB (i.e., assurance and related services, including compilation engagements and agreed-upon procedures engagements). Expanding the Framework in this way can help practitioners and other relevant parties better understand the concepts underlying the standards by comparing and contrasting different engagement types, for example, direct versus attestation engagements, or direct versus compilation engagements. This may help provide a greater degree of clarity as to the value of each engagement type. It also may assist practitioners in determining which engagement type would be the most appropriate to perform in a particular set of circumstances. Separating the requirements and guidance for attestation and direct engagements
The proposed standard appears to be drafted primarily in contemplation of attestation engagements, and includes limited content to reflect applicability to direct engagements. Also, as detailed in our response in Appendix 1, a number of the concepts included in the proposed standard are not tailored appropriately for direct engagements. Furthermore, we believe that there are many individual practitioners whose practices focus on either attestation or direct engagements and, therefore, are likely to derive greater value from the proposed standard if the requirements for each type of engagement are separated. Accordingly, we recommend that the IAASB separate material included in the proposed standard that is specific either to attestation or to direct engagements. This may be achieved by, for example, addressing each engagement type within its own section of the standard itself, or by issuing separate standards for each engagement type. We consider that this approach would provide better support to practitioners in performing high quality assurance engagements of both types, and also would align with the IAASB’s stated intention for the standard to avoid being unwieldy. Limited assurance
We welcome the enhancements made by the IAASB to the proposed standard to improve understanding of, and support consistent application of the concept of limited assurance. In particular, we support: • The removal of the terminology of “positive” and “negative” to describe reasonable and limited assurance conclusions respectively; • The establishment of a threshold level of assurance based on the meaningfulness, in the practitioner’s judgment, of limited assurance to intended users, as well as the alignment of the principle of meaningfulness to the requirement for an engagement to have a rational purpose; • Additional clarifications relating to the principle of stating that a conclusion is “based on the • The introduction of enhanced material in the standard regarding the importance of including a summary of procedures performed in an assurance report, in order to provide context for the conclusion to an intended user. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 We also acknowledge the considerations that the IAASB has given to alternative forms of expression of the assurance conclusion, including exploration of more positive statements such as “plausible”, or “appears credible” and concur with the IAASB’s conclusion not to pursue such amended wording. However, although we believe the enhancements will be helpful in understanding the concepts underpinning limited assurance, we recognize the potential ongoing challenges in practical application of the following concepts: • Defining limited assurance by reference to its relationship with reasonable assurance, i.e. the proposed standard explains that engagement risk for a limited assurance engagement is reduced to a level that is acceptable in the circumstances of the engagement but that the risk remains greater than for a reasonable assurance engagement; • Reflecting limited assurance as a range, rather than a specific level of assurance, which ordinarily is not subject to quantification; and • The apparent disconnect between limited assurance engagements following a risk-based approach (which includes requirements to consider areas where material misstatements are likely to arise; to consider whether sufficient appropriate evidence has been obtained, and to consider performing further evidence-gathering procedures, if not) and the limited assurance conclusion expressed in the form of “nothing came to our attention”. Given the above challenges, we consider it critical that further guidance is provided to practitioners to help them better understand how the procedures performed for a limited assurance engagement, as compared to a reasonable assurance engagement, may differ. In particular, it would be helpful if the standard more clearly explained that there may be differences with respect to: • The types of procedures that may be performed, in terms of: • Nature, for example, for a particular subject matter, a practitioner may decide that for a limited assurance engagement, procedures may be limited primarily to inquiry and analytical review; • Extent, for example, for a specific subject matter, a practitioner may consider it necessary to carry out inspection procedures at operational sites, however, the practitioner may determine that these same procedures may be carried out at a restricted number of sites for a limited assurance engagement than for a reasonable assurance engagement. • The persuasiveness of evidence that would be obtained from each of the different types of procedures set out in the proposed standard, i.e. the quality and quantity of evidence that would be expected to be obtained; and • The interaction of the different elements of the engagement circumstances (for example, the nature of the underlying subject matter; the particular criteria applied; the needs of the intended users, as well as whether a reasonable or limited assurance conclusion is to be KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 provided) and the effects of these elements on the nature and extent of procedures that a practitioner determines it necessary to perform. For example, it may be helpful to explain that for limited assurance engagements involving certain subject matters, such as information derived from historical financial information subject to the rigor and related controls of double-entry bookkeeping, it may be appropriate to limit the nature of the primary procedures performed to those that provide less persuasive evidence e.g., analytical procedures and inquiry, which is the approach taken by the exposure draft of proposed ISRE 2400, Engagements to Review Financial Statements. However, for other subject matters, limiting the nature of procedures in this way may not be appropriate, and it may be necessary to perform particular procedures that provide more persuasive evidence to respond effectively to assessed risks, for example, observation, or re-calculation. It would be helpful if the proposed standard (or an expanded Framework since these concepts apply to engagements performed in accordance with IAASB standards more generally) addressed and expanded on the above principles. This would pave the way for more specific guidance in standards that address specific subject matters. It also would help explain why the procedures may differ in one set of standards that address specific subject matters versus another. Applicability of the standard to other competent practitioners
We consider the IAASB’s intention to broaden the use of the standard to other competent practitioners in addition to professional accountants in public practice to be appropriate. In this regard, we support the introduction of requirements for this wider group of practitioners to comply with either quality and ethical standards issued by the IESBA and the IAASB or that are as least as demanding as these standards, as we consider this to be critical to the achievement of consistent and high quality assurance engagements. However, we are concerned with the practical application of this requirement since ethical standards can vary quite significantly; the determination of what is equivalent is difficult, and other practitioners may not be subject to the same external monitoring as professional accountants. We recognize that such considerations are beyond the remit of the IAASB, however, we believe that the IAASB may take the following actions to help with implementation of the requirement and also make the issue more transparent: • Require the practitioner to make an explicit statement in the assurance report that the ethical standards applied (when these standards are not the IESBA Code) are at least as demanding as the IESBA Code; • Encourage IFAC to sponsor the development of a publication that summarizes the key features of the IESBA Code and ISQC 1 and why they are critical to the quality of assurance engagements. This type of publication may be helpful for users of assurance services in assessing practitioners providing assurance services and the quality of their work. It also may be useful to practitioners when assessing and comparing other professional standards or applicable legal or regulatory requirements to those of the IESBA and the IAASB. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 We also suggest that the IAASB give consideration to broadening the use of International Standard on Related Services (ISRS) 4400, Engagements to Perform Agreed-Upon Procedures Regarding Financial Information to other competent practitioners on a consistent basis. Considerations regarding the value of auditor reporting and implications for engagements
performed in accordance with ISAE 3000
Various debates are currently taking place, involving multiple parties, about audit quality, which address matters including proposed changes to the scope and extent of auditor communications, in particular, the auditor’s report. For example, the IAASB recently issued a consultation paper entitled Enhancing the Value of Auditor Reporting: Exploring Options for Change, which considers various proposals for enhancements to the form and content of the auditor’s report to respond to stakeholder calls for change in order to address both the “expectation gap”, and the “information gap” (as defined in the consultation paper). We note that concepts such as the expectation gap and the information gap may be of particular relevance to practitioner communications in the context of ISAE 3000 reporting since stakeholders in such engagements may be less familiar with assurance concepts in general than stakeholders in audit engagements. We recommend that the IAASB consider whether comments received in response to the consultation paper in respect of the auditor’s report also are of wider relevance to other assurance reports since the structure and content of the reports in ISAE 3000 engagements are based on the principles underlying the auditor’s report. Matters to consider may include, for example, the communication of findings and recommendations resulting from the assurance engagement – please refer to Appendix 2 for further information. Please contact Sylvia Smith at +44 (0)20 7694 8871 if you wish to discuss any of the issues raised in this letter. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 Appendix 1 – Responses to specific questions included in the proposed Standard
Our responses to the questions in the proposed Standard are set out below. 1. Do respondents believe that the nature and extent of requirements in proposed ISAE
3000 would enable consistent high quality assurance engagements while being
sufficiently flexible given the broad range of engagements to which proposed ISAE
3000 will apply.
In general, we agree with the approach taken in the proposed standard in that it identifies itself as an “umbrella” standard for assurance engagements other than audits or reviews of historical financial information and it requires compliance with the requirements set out therein, as well as with requirements established by other subject matter-specific ISAEs. We consider that this approach enables consistent high quality assurance engagements to be performed. We also consider that the proposed standard generally achieves an appropriate balance between providing clear information and establishing appropriate requirements regarding key concepts, whilst remaining sufficiently flexible to address the broad range of engagements contemplated by the standard. However, we believe it would be helpful if the relationship between ISAE 3000 and the Framework were clarified. We therefore recommend that the IAASB include a statement within proposed ISAE 3000 that refers to the Framework and its purpose in relation to ISAE 3000. 2. With respect to the levels of assurance:
(a) Does proposed ISAE 3000 properly define, and explain the difference between,
reasonable assurance engagements and limited assurance engagements?
We consider that the proposed revisions to the definitions of reasonable assurance and limited assurance are appropriate, and we support the removal of terminology describing a “positive form” and “negative form” of conclusion for each, respectively. We support the description of a threshold level of limited assurance based on the meaningfulness, in the practitioner’s professional judgment, of such assurance to intended users, and the alignment of this concept with the requirement for an assurance engagement to have a rational purpose. We consider this to be a conceptual improvement to the threshold set out in the extant standard of “likely to enhance the intended users’ confidence about the subject matter information to a degree that is clearly more than inconsequential”. “Meaningfulness” remains a difficult principle for all the parties involved in an assurance engagement to fully understand, however, we consider the material set out in paragraph A2 of the proposed standard, regarding factors to consider when determining whether the level of assurance contemplated would be meaningful to intended users, and also A53, regarding considerations as to whether the engagement has a rational purpose, to be helpful. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 (b) Are the requirements and other material in proposed ISAE 3000 appropriate to
both reasonable assurance engagements and limited assurance engagements?
We recognize the IAASB’s intention that a risk-based approach is taken for both reasonable and limited assurance engagements, which includes consideration of areas where material misstatements are likely to arise, and follows the principles of obtaining sufficient appropriate evidence on which to base the assurance conclusion. However, we are unclear as to how certain of the elements of a risk-based approach are to be applied to a limited assurance engagement, for example, the requirement, in paragraph 44, to evaluate the sufficiency and appropriateness of evidence (see question 5). In addition to these conceptual difficulties regarding the application of a risk-based approach to a limited assurance engagement, we also consider that the proposed standard does not adequately explore similarities and differences in procedures performed for a limited assurance engagement when compared to a reasonable assurance engagement. The application material states that the practitioner selects a combination of procedures, which include inspection; observation; confirmation; re-calculation; re-performance; analytical procedures, and inquiry, to obtain reasonable or limited assurance, as appropriate, however, it further states only that the practitioner is required to apply professional judgment to determine the nature, timing and extent of procedures in accordance with the circumstances of the engagement. We recognize the IAASB’s intention for the standard to be flexible, and furthermore we acknowledge that, since the standard has such broad applicability to a wide range of subject matters, and several factors are relevant when determining the procedures to perform, including the risk of material misstatement of the subject matter information, and the persuasiveness of evidence to be obtained from a particular procedure, it would not be appropriate to prescribe or limit the evidence-gathering to specific types of procedures, for a limited assurance engagement, since this may fail to take into account the underlying nature of the way the subject matter information is captured, measured and reported. However, as set out in our overarching comments, given the ongoing potential challenges with the practical application of the concepts underpinning limited assurance, we consider it very important that the IAASB provide further conceptual guidance as to whether procedures may be more limited in nature or in extent for a limited assurance engagement than for a reasonable assurance engagement. In addition to the above, we consider that the proposed standard should reinforce the risk-based approach for both reasonable and limited assurance engagements and provide guidance to help practitioners understand and reconcile the different intended approaches in connection with the identification of and response to risks for each engagement type. In connection with this, we believe it would be helpful if the proposed standard provide guidance regarding addressing the risk of material misstatement including consideration KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 of the risk of material misstatement at both the overall subject matter information level and also at the assertion level. Furthermore, paragraph 42(c) of the proposed standard introduces the principle of a “trigger point” for a limited assurance engagement, i.e. the point at which the practitioner is required to perform additional procedures to confirm or dispel a concern, when they become aware of a matter that causes them to believe that the subject matter information may be materially misstated. We consider that this concept is likely to cause confusion in practice, and accordingly, we suggest that the IAASB provide further explanation and clarification of the concept, in particular regarding the meaning of “may” when stating “may be materially misstated” in relation to a limited assurance engagement, and the intended extent of additional procedures that a practitioner should perform. (c) Should proposed ISAE 3000 require, for limited assurance, the practitioner to
obtain an understanding of internal control over the preparation of the subject
matter information?
Obtaining an understanding of internal control over the preparation of the subject matter information is described in paragraph 37 of the proposed standard as forming part of the wider understanding of the underlying subject matter and other engagement circumstances that the practitioner is required to obtain in order to design and perform procedures to achieve the objectives of the engagement. The related application material, paragraph A92, explains that such understanding provides the practitioner with a frame of reference for exercising professional judgment throughout the engagement. Firstly, we note that we consider that the concept of understanding of internal control over the preparation of the subject matter information is applicable only to attestation engagements, and appears counter-intuitive when performing a direct engagement in which the practitioner prepares the subject matter information. We consider the terminology used in the proposed standard in relation to this requirement to be very similar to that used by ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment. ISA 315 discusses the required understanding of the entity and its environment, including the entity’s internal control, and requires the auditor to obtain an understanding of internal control relevant to the audit. This includes evaluation of the design of those controls and determination as to whether they have been implemented. In performing such an evaluation and determination, the ISA explicitly states that the auditor is required to perform procedures in addition to inquiry of the entity’s personnel (ISA 315, paragraphs 12 and 13). We are unclear whether, in using similar terminology, it is the intention of the IAASB that the concepts contemplated in respect of an engagement performed in accordance with proposed ISAE 3000 are intended to be analogous to those set out in ISA 315. Accordingly, it is difficult for us to form a view at this time as to whether an understanding of internal control should be required for a limited assurance engagement, KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 without further clarification from the IAASB as to the intended meaning of the terminology of “understanding of internal control” used in this context. Further to the above, we highlight certain differences in terminology used in proposed ISAE 3000 to terminology used in proposed ISRE 2400, Engagements to Review Financial Statements, with regard to the practitioner’s understanding. Proposed ISRE 2400, paragraph 43(a) states that the practitioner is required to obtain an understanding of the entity and its environment, including the entity’s accounting system and accounting records relevant to the review. The related application material (paragraph A78) explains that this understanding is to be sufficient to perform the review engagement and to meet the practitioner’s objectives, and clarifies that the breadth and depth of this overall understanding is less than that possessed by management. Paragraph A79 provides examples of factors the practitioner may consider when obtaining this understanding, but does not cite internal control as such a factor. Rather, it describes the “tone at the top” and the entity’s control environment more generally as being a factor. We are unclear whether these differences in terminology are intentional. Accordingly, we recommend that proposed ISAE 3000 adopts a consistent approach, when applicable, and subject to any subsequent amendments made to proposed ISRE 2400 further to exposure, in respect of the requirements and guidance set out above since the underlying principles apply equally to engagements contemplated by both standards. We suggest, therefore, that the following actions are taken in respect of proposed ISAE 3000: • The terminology of “entity and its environment” is reconciled to “subject matter and • Proposed ISAE 3000 clarify, in paragraph A92, that the understanding of the underlying subject matter and other engagement circumstances would include developing an understanding of the “system, process or methodology and related underlying records” (which we consider analogous to “accounting system and accounting records” used in ISRE 2400) applied by management in the preparation of the subject matter information, for an attestation engagement; • Similar to the approach taken by proposed ISRE 2400, the application material also identify matters about which the practitioner develops an understanding, as well as provide guidance as to factors that may affect the depth of understanding obtained; • The IAASB explore the inclusion of “tone at the top” and the entity’s control environment as an appropriate factor to include when developing an understanding of the system, process or methodology. Such consideration should include determining whether this is considered to have a more overarching or general meaning than “internal control” as described above; and • A92 be amended to explain that determining the appropriate depth of understanding of the underlying subject matter and other engagement circumstances is a matter of professional judgment for the practitioner, and is expected to vary according to the nature of the underlying subject matter, the criteria used, the needs of the intended users, and other engagement circumstances, as well as based on the level of KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 assurance to be provided. We consider that inclusion of such material to support the requirement is important to afford practitioners sufficient flexibility in applying the standard. 3. With respect to attestation and direct engagements:
(a) Do respondents agree with the proposed change in terminology from “assertion-
based engagements” to “attestation engagements” as well as those from “direct-
reporting engagements” to “direct engagements”?
(b) Does proposed ISAE 3000 properly define, and explain the difference between,
direct engagements and attestation engagements?
We support the proposed changes in terminology and consider that the proposed revised definitions provide greater clarity regarding each of these two forms of engagement and will help practitioners to distinguish between them. We consider that the equivalent definitions in the extant standard, and accompanying Framework, combine the principles regarding which party performs the measurement or evaluation role; whether an explicit assertion from the responsible party is required, as well as the appropriate form of wording used to convey the assurance conclusion. Accordingly, it is currently difficult to classify certain engagement types that appear to contain elements of both assertion-based and direct reporting engagements (as defined by the extant standard), for example, engagements performed in accordance with ISAE 3402, Assurance Reports on Controls at a Service Organization in which a practitioner provides assurance over subject matter information that is accompanied by a management assertion, but for which the assurance conclusion is worded in the direct reporting form. Furthermore, the terminology of “responsible party”, which, in the extant standard, may refer both to the responsible party for the subject matter, as well as for the subject matter information, causes confusion in application. We consider that the proposed revised definitions are significantly enhanced as a result of the introduction of a defined role of “measurer or evaluator” (and consequent restriction in application of the term “responsible party” to the underlying subject matter) and basing the classification of the engagement type on whether the measurer or evaluator role is performed by the practitioner or by another party. We also consider the inclusion of the material at paragraph A68, which sets out that engagement quality control policies and procedures are particularly important for a direct engagement because of the threats to objectivity that the multiple roles performed by the practitioner (of measurer/ evaluator, obtaining sufficient appropriate evidence regarding the measurement or evaluation and also, in certain direct engagements, the selection of criteria) can pose, as well as potential safeguards to reduce or eliminate such risks, to be helpful in distinguishing between the two forms of engagement. However we suggest that the IAASB explore providing further guidance in respect of the following: KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 • In addition to contrasting between direct and attestation engagements, it would also be helpful for the practitioner to have access to information that compares and contrasts a direct engagement in accordance with the proposed standard with a compilation engagement, for example, to explain that the value of a direct engagement lies both in the independence of the practitioner from the underlying subject matter, the engaging party, intended users and the responsible party, as well as in the application of assurance skills and techniques. As noted in our overarching comments, such conceptual issues may be more appropriately expounded in the Framework; • The proposed standard highlights that, for a direct engagement, the practitioner is independent of the underlying subject matter, and therein lies a portion of the value, but is not independent of the subject matter information. However, the standard does not provide further guidance as to how this lack of independence in respect of the subject matter information is communicated to users of the assurance report. Furthermore, although we acknowledge the inclusion of additional material to help practitioners understand the difference between the engagement types, for example, the proposed standard contains, at various points, requirements and guidance specific to each type of engagement, which also compare and contrast between each engagement type, we consider that there are certain fundamental differences in concepts between the two types of assurance engagements. The proposed standard currently combines these, and we are concerned that this may lead to confusion and inconsistency in practice. These matters are outlined in our response to the next question. (c) Are the objectives, requirements and other material in the proposed ISAE 3000
appropriate to both direct and attestation engagements? In particular:
In a direct engagement when the practitioner’s conclusion is the subject
matter information, do respondents believe that the practitioner’s objective
in paragraph 6(a) (that is, to obtain either reasonable assurance or limited
assurance about whether the subject matter information is free of material
misstatement) is appropriate in light of the definition of a misstatement (see
paragraph 8(n))?
The proposed standard appears to be drafted primarily in contemplation of attestation engagements, although certain distinctions between the approach required for an attestation engagement and a direct engagement are explained, for example, we consider that sufficient guidance is provided such that the practitioner’s objective in paragraph 6a is clearly appropriate and applicable, in light of the definition of a misstatement, to both an attestation and a direct engagement. However, we believe that there are many individual practitioners whose practices focus on either attestation or direct engagements, and, therefore, are likely to derive greater value from the proposed standard if they are able to access more easily the material relevant to each type of engagement. Accordingly, we recommend that the IAASB separate material included in the proposed standard that is specific to either attestation or to direct engagements, for example, by KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 separating the material addressing each engagement type within the standard itself, or by issuing separate standards addressing each engagement type. Furthermore, although we believe that many of the key concepts underpinning the objectives, requirements and other material set out in the proposed standard are applicable to both direct and attestation engagements, we highlight that there are certain fundamental differences in concepts between the two types of assurance engagements, which the proposed standard currently combines. We are concerned that this may lead to confusion and inconsistency in practice. For example: • As described earlier, the requirement for the practitioner to obtain, in a reasonable assurance engagement, an understanding of internal control over the preparation of the subject matter information appears counter-intuitive in the context of a direct engagement; • We agree that the IAASB’s definition of misstatement is appropriate for both attestation and direct engagements, since a user would not distinguish, for a direct engagement, between a misstatement that arises from a practitioner’s measurement or evaluation of a subject matter and the failure of the practitioner to detect such a misstatement. However, certain requirements in respect of misstatements appear to relate only to attestation engagements and it is difficult to understand how these requirements would transpose to direct engagements, for example, the requirement set out in paragraph 43 for the practitioner to accumulate uncorrected misstatements identified during the engagement as well as the requirement in paragraph 56b, for the practitioner to evaluate whether these are material overall, when forming the assurance conclusion; • The standard does not explore the interaction of a direct engagement process with a limited assurance engagement. Providing a conclusion in the form of “nothing came to our attention” may be more difficult for a user to interpret when the practitioner has performed the role of measurer or evaluator. Furthermore, for a direct engagement, the subject matter information itself may be the practitioner’s conclusion, which appears to create a logical disconnect in attempting to form a conclusion using the required form of wording; • The standard does not provide sufficient guidance regarding modification of the assurance report when performing a direct engagement, for example, qualifying or disclaiming the assurance conclusion, which again appears to be counter-intuitive in many engagement circumstances when the practitioner has performed the role of measurer or evaluator, or when the practitioner’s conclusion is the subject matter information; • The written representation requirements are not sufficiently distinguished between the two forms of engagement, to reflect the different nature of written representations practitioners may require for each type of engagement. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 We suggest that the IAASB give further consideration to the above matters, and explore inclusion of further guidance within the proposed standard. Conversely, the standard appears to contemplate certain differences in the approach to obtaining evidence to support the assurance conclusion for an attestation engagement as opposed to a direct engagement, for example, paragraph A94 notes that factors affecting the combination of procedures chosen by the practitioner to obtain assurance include whether the engagement is a direct or an attestation engagement. We are concerned that as currently drafted, paragraph A94 may be misleading, for example, it may be taken to mean that when the practitioner performs the role of measurer or evaluator the practitioner does not need to obtain the same level of assurance over the subject matter information as in an engagement where another party performs the measurer or evaluator role. We consider that this would be an incorrect interpretation of the standard. Accordingly, we suggest that the proposed standard clarify that the requirement to obtain sufficient appropriate evidence would apply equally for each type of engagement, and that the difference is rather that the nature, timing and extent of procedures to obtain that evidence may vary according to the type of engagement. In some direct engagements the practitioner may select or develop the
applicable criteria. Do respondents believe the requirements and
guidance in proposed ISAE 3000 appropriately address such
circumstances?
We consider that it would be helpful for the proposed standard to further emphasize and explore professional services risk, i.e. independence and objectivity, and related safeguards in respect of direct engagements in which the practitioner selects or develops the criteria, as this is a key area of professional services risk. For example, it may be helpful to establish a requirement, based on the guidance material included in paragraph A10 regarding discussing the choice of criteria with the appropriate party(ies), and/or for the appropriate party(ies) formally to sign up to the criteria selected or developed, at the start of the engagement. 4. With respect to describing the practitioner’s procedures in the assurance report:
(a) Is the requirement to include a summary of the work performed as the basis for
the practitioner’s conclusion appropriate”?
We consider the requirement to include a summary of the work performed as the basis for the practitioner’s conclusion to be appropriate, in particular, for a limited assurance engagement, as well as for a reasonable assurance engagement. The standard describes the level of assurance for a limited assurance engagement as not ordinarily being susceptible to quantification, and accordingly, we consider that the concept of limited assurance refers to a range rather than a specific level of assurance. Since the practitioner’s conclusion is expressed in a form that begins with the phrase “based on the procedures performed”, we consider it of particular importance to include KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 a sufficiently detailed summary of those procedures, in order to provide context to enable intended users to understand the level of assurance conveyed by the conclusion and to avoid misinterpretation thereof. (b) Is the requirement, in the case of limited assurance engagements, to state that the
practitioner’s procedures are more limited than for a reasonable assurance
engagement and consequently they do not enable the practitioner to obtain the
assurance necessary to become aware of all significant matters that might be
identified in a reasonable assurance engagement, appropriate?
Yes. In connection with the difficulties in conceptual understanding that intended users may have regarding the level of assurance conveyed by a limited assurance conclusion, we consider it very important that the assurance report includes an explicit statement that highlights that these procedures are more limited than for a reasonable assurance engagement and that consequently, they do not enable the practitioner to obtain the assurance necessary to become aware of all significant matters that might be identified in a reasonable assurance engagement. (c) Should further requirements or guidance be included regarding the level of detail
needed for the summary of the practitioner’s procedures in a limited assurance
engagement?
We agree with the approach taken by the proposed standard that this is a matter for the professional judgment of the practitioner. The application material set out at paragraph A150 acknowledges that infinite variations in procedures are possible, and that in practice, these are difficult to communicate clearly and unambiguously. The guidance refers practitioners to ISA 700, Forming an Opinion and Reporting on Financial Statements and ISREs for further guidance and examples. However, this approach does not appear to be consistent with the IAASB’s stated principle that, insofar as is possible, proposed ISAE 3000 should stand alone. In particular, we are concerned that practitioners are referred to other standards that they may not be familiar with. Accordingly, we suggest that the appropriate material set out in those standards is included in the application material to proposed ISAE 3000. 5. Do respondents believe that the form of the practitioner’s conclusion in a limited
assurance engagement (that is, “based on the procedures performed, nothing has come
to the practitioner’s attention to cause the practitioner to believe that the subject
matter information is materially misstated”) communicates adequately the assurance
obtained by the practitioner?
We consider that there is a general inconsistency between the form of expression of the conclusion of “nothing came to my attention” and the risk-based approach that is envisaged by the IAASB, in particular, requirements to consider areas where material misstatements are likely to arise, to consider whether sufficient appropriate evidence has been obtained, and to consider performing further evidence-gathering procedures, if not. This form of expression appears counter-intuitive, in particular, in the context of a direct engagement. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 However, we acknowledge the considerations that the IAASB has given to alternative forms of expression of the conclusion, including exploration of more positive statements such as “plausible”, or “appears credible”. We concur with the IAASB’s conclusion not to pursue such amended wording and instead consider the enhancements the IAASB has made to the proposed standard, as described in our overarching comments, to be appropriate at this time. We therefore agree with the form of the practitioner’s conclusion in the proposed standard on the basis that this form of wording differentiates a limited assurance conclusion from a reasonable assurance conclusion and helps to convey to intended users that a lower level of assurance is provided by a limited assurance conclusion than by a reasonable assurance conclusion. Furthermore, the form is consistent with that used in other extant assurance standards that also contemplate limited assurance, such as ISRE 2400, Engagements to Review Financial Statements and ISRE 2410, Review of Interim Financial Information Performed by the Independent Auditor of the Entity. 6. With respect to those applying the standard:
(a) Do respondents agree with the approach taken in proposed ISAE 3000 regarding
application of the standard by competent practitioners other than professional
accountants in public practice?
We consider the approach taken by the IAASB to broaden the applicability of the standard to other competent practitioners, in addition to professional accountants in public practice, i.e. members of an IFAC member body, to be appropriate. We acknowledge the IAASB’s intention to extend applicability of the standard since the expertise in a number of the subject matters contemplated by the standard may not be confined to the “traditional” users of the standard. Furthermore we recognize the IAASB’s intention to enable all competent practitioners to apply ISAE 3000 to benchmark their work effort on assurance engagements, and to better reflect the work performed, particularly where other component practitioners already perform assurance engagements of the types addressed by ISAE 3000. We support the inclusion of the following specific requirements in the proposed standard, which the IAASB describes as measures that are in the public interest and are an integral part of high quality assurance engagements. The IAASB acknowledges that these requirements are intended to equate to those already in place for professional accountants in public practice. We consider these aspects very important since compliance with assurance standards alone may not be sufficient to result in high quality assurance engagements: • The practitioner is required to comply with Parts A and B of the IESBA Code related to assurance engagements, or other professional requirements, or requirements imposed by laws or regulations, that are at least as demanding; • The engagement partner is required to be a member of a firm that applies ISQC 1, or other professional requirements, or requirements in laws and regulations, that are at least as demanding as ISQC1; and KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 • The engagement partner is required to have specialist knowledge and competence in assurance skills and techniques (which the standard clearly distinguishes from expertise in the underlying subject matter and its evaluation or measurement) developed through extensive training and practical application. However, as set out in our overarching comments, we are concerned with the practical application of the above requirements. Although we recognize that such considerations are beyond the remit of the IAASB, we suggest that the IAASB could take certain actions to help with the implementation of the above requirements. These relate to requiring the practitioner to make an explicit statement in the assurance report that the ethical standards applied (when these standards are not the IESBA Code) are at least as demanding as the IESBA Code, and encouraging IFAC to sponsor the development of a publication that summarises the key features of the IESBA Code. Furthermore, we suggest that the IAASB give consideration to broadening the use of International Standard on Related Services (ISRS) 4400, Engagements to Perform Agreed-Upon Procedures Regarding Financial Information to other competent practitioners on a consistent basis. Please refer also to our overarching comments in respect of the applicability of the Framework. (b) Do respondents agree with the proposed definition of “practitioner”?
We consider the proposed definition to be appropriate, in particular, as a result of the approach taken by the IAASB to broaden the applicability of the standard to other competent practitioners in addition to professional accountants in public practice. As described above, we support the inclusion, within the definition itself, of commentary to explain that the practitioner applies assurance skills and techniques, which also are defined and clearly distinguished from expertise in the underlying subject matter, or expertise in the measurement or evaluation of the subject matter, as we consider this aspect to be fundamental to the role and responsibilities of an assurance practitioner. In connection with the above, we highlight that the proposed standard makes reference to “competent” practitioners. The concept of “professional competence and due care” is described in Section 130 of the IESBA Code and accordingly we suggest including a definition of “competent” within proposed ISAE 3000 based on the requirements and principles set out in the IESBA Code. This may be of particular relevance to practitioners other than professional accountants in public practice who are not applying the IESBA Code, but are applying a set of requirements and guidance that they have determined to be at least as demanding as those of the IESBA Code. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 Other Matters
Materiality
The proposed standard introduces the concept of qualitative factors in considering materiality, and also discusses, in relation to quantitative materiality factors, the application of a quantity less than materiality when planning and performing the engagement, in order to address aggregation risk. However, the concept of such a lower materiality level in relation to quantitative materiality factors also may be helpful when considering materiality in relation to qualitative factors. We therefore suggest that it would be beneficial for the IAASB to further explore the concept in this context. Assurance Conclusion
We recommend that the IAASB provide clarification and guidance regarding the expression of the assurance conclusion, and alternative forms of wording that may be used, for example “in compliance with”, when the criteria relate to compliance with certain terms or conditions; “properly prepared”, when the criteria describe a process or methodology for the preparation and/or presentation of the subject matter information, and “fairly stated”, when the principles of fair presentation are embodied in the criteria. Application of Principles from the Clarified ISAs
In considering the nature and extent of requirements to include in the proposed standard, we understand that all requirements in the clarified ISAs were reviewed to determine whether an equivalent requirement, adapted as appropriate, should be reflected in the proposed revised standard, although in a manner such that ISAE 3000 is not unwieldy. In general we consider that the balance achieved is appropriate, however we highlight the following matters for further consideration by the IAASB Consideration of Fraud
Although there is material in the proposed standard addressing communication of fraud, suspected fraud and bias, the proposed standard may benefit from enhanced requirements and guidance regarding considerations in respect of fraud throughout the assurance engagement, as contemplated by ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements. This is critical as a result of the broader applicability of the standard to practitioners who may not be familiar with fraud concepts. We suggest the IAASB consider inclusion of, in particular, material relating to the following: • Definitions of fraud and guidance regarding the characteristics of fraud and types of fraud, i.e. fraudulent preparation of subject matter information as well as misappropriation of assets; • Examples of fraud risk factors, in the form of incentives or pressures, opportunities and attitudes or rationalizations, for each of the above types of fraud; KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 • Guidance regarding procedures to address the assessed risks of material misstatement due to • Examples of circumstances that indicate the possibility of fraud; • Roles and responsibilities of the practitioner in respect of: • Performing risk assessment procedures and related activities; • Identification of the risks of material misstatement due to fraud; • Evaluation of evidence obtained; and • Linking requirements and guidance regarding professional skepticism and professional judgment to the above matters in respect of fraud. We suggest the IAASB consider, in the context of fraud considerations, inclusion of explicit requirements regarding the roles and responsibilities of the practitioner, as well as related application material. Furthermore, the proposed standard establishes requirements and guidance regarding communication of fraud to management and those charged with governance as well as “other parties”. It would also be helpful to include clearer material regarding communication to appropriate parties outside the entity e.g. regulatory and enforcement authorities, when relevant. Consideration of Laws and Regulations and Litigation and Claims
Similarly, guidance regarding consideration of laws and regulations and litigation and claims, as contemplated by ISA 250, Consideration of Laws and Regulations in an Audit of Financial Statements may also be helpful for many engagement types. We suggest the IAASB consider material addressing laws and regulations that have a direct effect on the subject matter information, and those that do not have a direct effect, but compliance with which may be fundamental to the subject matter information and the underlying subject matter. Additionally, the standard would benefit from a definition of non-compliance, as well as material regarding the roles and responsibilities of the practitioner in this regard. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000
Appendix 2 – Additional Comments
Professional Skepticism and Professional Judgment
We consider the placement of paragraphs 33 and 34 (which address the application of professional scepticism and professional judgment during an assurance engagement) immediately prior to the planning and performing the engagement section, but after the sections addressing ethical requirements and acceptance and continuance, may not be the most appropriate, since this may be interpreted to mean that practitioners do not need to exercise professional skepticism or professional judgment in respect of these aspects of the engagement. Accordingly, we suggest to move these requirements to the beginning of the standard, as such placement would make clear that these are overarching requirements and are applicable throughout an engagement. Measurer or Evaluator Role
The standard is unclear as to the skills required and professional services risks involved in performing the measurer/evaluator role. Certain requirements and guidance suggest that the standard considers this role to consist of a specific skill set, with discrete professional services risks, however, other requirements and guidance appear to be contradictory and either appear to assign no incremental value or risk to this role, or suggest that only assurance skills and techniques are applied by the practitioner in performing this role, and that this role can be performed at the same time as accumulating sufficient appropriate evidence. Accordingly, we recommend that the IAASB provide clarification regarding this role, and the specific skills and techniques that would be applied in performing the role. Findings and Recommendations
Paragraph 59 and related application material at A140 discuss “long form” reports and information that may be included in such reports, for example, the terms of the engagement; the applicable criteria; findings; details of qualifications and experience of the practitioner and others involved with the engagement; disclosure of materiality levels, and, in some cases, recommendations. Paragraph 59 requires that such information be clearly separated from the assurance conclusion and that the wording is to make clear that such information is not intended to detract from the practitioner’s conclusion. The application material states that the consideration as to whether to include such information depends on its significance to the information needs of the intended users. We agree with this principle, however, we consider it to be of fundamental importance and accordingly, we suggest to give this more prominence, by making this a requirement. Furthermore, we suggest the IAASB explore whether provision of information in relation to matters such as findings in respect of shortcomings in a process and related recommendations are indeed of relevance to intended users, or whether they would be more likely to cause confusion and detract from the assurance conclusion or cause concerns over its validity, even when clearly separated. KPMG IFRG Limited
KPMG submission on Exposure Draft ISAE 3000 We highlight that the matters identified for communication in a “long form” style of report are similar to those suggested during the various discussions regarding audit quality and potential changes to the scope and content of the auditor’s report, to address the “expectation gap” and the “information gap”, as described in our overarching comments. We note that concepts such as the expectation gap and the information gap may be of particular relevance to practitioner communications in the context of ISAE 3000 reporting since stakeholders in such engagements may be less familiar with assurance concepts in general than stakeholders in audit engagements. We recommend that the IAASB consider whether comments received in response to the consultation paper in respect of the auditor’s report also are of wider relevance to other assurance reports since the structure and content of the reports in ISAE 3000 engagements are based on the principles underlying the auditor’s report. Conforming Amendments
In addition to the conforming amendments to the Framework, to ISAE 3402, Assurance Reports on Controls at a Service Organization and to the Exposure Draft of Proposed ISAE 3410, Assurance Engagements on Greenhouse Gas Statements, we highlight that conforming amendments will also be necessary in respect of the IESBA Code, since certain concepts and terminology conventions are in accordance with the extant standard, for example, in respect of “assertion-based” and “direct reporting” engagements.

Source: http://www.ifac.org/sites/default/files/publications/exposure-drafts/comments/05483-45-KPMG%20Comment%20Letter%20-%20ED%20ISAE%203000.pdf