The content on this page has been converted from PDF to HTML format using an artificial intelligence (AI) tool as part of our ongoing efforts to improve accessibility and usability of our publications. Note:
- No human verification has been conducted of the converted content.
- While we strive for accuracy errors or omissions may exist.
- This content is provided for informational purposes only and should not be relied upon as a definitive or authoritative source.
- For the official and verified version of the publication, refer to the original PDF document.
If you identify any inaccuracies or have concerns about the content, please contact us at [email protected].
IASE (UK) 3000 Jul 2020 - Feedback Statement & Impact Assessment
Financial Reporting Council The Financial Reporting Council (FRC) is the UK's independent regulator responsible for promoting high quality corporate governance and reporting to foster investment. The FRC sets the UK Corporate Governance and Stewardship Codes and UK standards for accounting and actuarial work; monitors and takes action to promote the quality of corporate reporting; and operates independent enforcement arrangements for accountants and actuaries. As the Competent Authority for audit in the UK the FRC sets auditing and ethical standards and monitors and enforces audit quality.
The FRC does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.
The Financial Reporting Council Limited 2020 The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered Office: 8th Floor, 125 London Wall, London EC2Y 5AS
Introduction
1The Financial Reporting Council (FRC) is committed to acting as a proportionate and principles-based regulator, and balances the need to minimise the impact of regulatory requirements on business, while working to support the delivery of high-quality audit and assurance work to maintain investor and wider stakeholder confidence.
2In March 2020, the FRC consulted on the adoption of International Standard on Assurance Engagements (ISAE) 3000 in the UK. ISAE 3000 was developed by the International Auditing and Assurance Standard Board (IAASB) and contains requirements and application and other explanatory material specific to reasonable and limited assurance attestation engagements, other than audits or reviews of historical financial information1.
3ISAE 3000 was first issued in 2003 and revised in 2013. We believe it is now in the public interest for this standard to be adopted by the FRC. It will provide a standard for the conduct of public interest assurance engagements that the FRC may be requested to regulate in response to the outcome of recent and future reviews of the scope of auditors' responsibilities. Although the FRC has not previously adopted ISAE 3000, we have used it as the basis for the development of other specific assurance standards, including the Client Asset Assurance Standard. Based on that experience we are satisfied that ISAE 3000 provides an appropriate standard for the conduct of other assurance engagements.
4A small number of edits were proposed in the exposure draft to reflect that in the UK assurance practitioners would be subject to the FRC's Ethical Standard and the ethical pronouncements of their professional body, and that the FRC is not adopting the other, subject matter specific, ISAEs issued by the IAASB. No edits were proposed that would result in non-compliance with the IAASB's requirements in ISAE 3000 when applying that standard alone. As explained below, in response to comments received to the consultation, we have clarified in the final standard that compliance with the FRC's Ethical Standard will be required when applying ISAE (UK) 3000 for any assurance engagements that the FRC specifies to be "public interest assurance engagements" (for which an audit level of independence is appropriate) - the FRC does not intended to mandate application of the standard to assurance engagements that are not specified as public interest assurance engagements. It may, however, be applied voluntarily to other assurance engagements that meet the conditions set out in the standard. We have also reintroduced references to other subject matter specific ISAEs so that practitioners who wish to voluntarily apply those other ISAEs in the UK can do and also assert compliance with ISAE (UK) 30002 should they wish to do so rather than asserting compliance with the international version of ISAE 3000.
5ISAE (UK) 3000 is a principles based standard that is designed to be capable of being applied effectively to a broad range of subject matters. Requirements and guidance are included to cover both reasonable assurance and limited assurance attestation engagements. Attestation engagements are those in which a party other than the practitioner measures or evaluates the underlying subject matter against criteria. The practitioner's conclusion addresses whether the subject matter information is free from material misstatement. ISAE (UK) 3000 could, with adaptation and supplementation as necessary in the circumstances, be applied also to reasonable and limited assurance direct engagements, in which the practitioner measures or evaluates the underlying subject matter against the criteria.
Reasonable and limited assurance engagements
6A reasonable assurance engagement is one in which the practitioner reduces engagement risk to an acceptably low level in the circumstances of the engagement as the basis for the practitioner's conclusion. The practitioner's conclusion is expressed in a form that conveys the practitioner's opinion on the outcome of the measurement or evaluation of the underlying subject matter against criteria.
7A limited assurance engagement is one in which the practitioner reduces engagement risk to a level that is acceptable in the circumstances of the engagement but where that risk is greater than for a reasonable assurance engagement as the basis for expressing a conclusion in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the practitioner's attention to cause the practitioner to believe the subject matter information is materially misstated. The nature, timing and extent of procedures performed in a limited assurance engagement is limited compared with that necessary in a reasonable assurance engagement but is planned to obtain a level of assurance that is, in the practitioner's professional judgment, meaningful. To be meaningful, the level of assurance obtained by the practitioner is likely to enhance the intended users' confidence about the subject matter information to a degree that is clearly more than inconsequential.
Scope of application
8As explained in paragraph 4, we propose to mandate compliance with ISAE (UK) 3000 only for specified public interest assurance engagements. We are not mandating compliance with the standard for all engagements for which there is a requirement in UK law or regulation for an assurance report to be provided by an auditor or other assurance practitioner. Currently we have not specified any such engagements, but it is anticipated that this may change in the future in light of recent reviews and recommendations for the scope of auditors' responsibilities and other developments. Adopting ISAE 3000 now will help provide for any such specification, where necessary, in a timely manner. When determining whether a particular type of assurance engagement should be specified as a "public interest assurance engagement", for which mandatory application of ISAE (UK) 3000 would be required, the FRC will consider whether it is necessary to consult on the appropriateness of that specification and how the standard should be applied.
9As the standard is designed to be capable of general application to a range of types of assurance engagement, the FRC will review the need for further subject matter specific guidance to assist with the application of the standard to any specific types of engagement for which ISAE (UK) 3000 is mandated to be applied.
Effective date
10It was proposed in the consultation that the effective date should be for assurance reports dated on or after 15 September 2020. While we recognised this would be a relatively short time after the standard is finalised, we explained that application of the standard will be mandatory only if specific mandatory assurance reporting requirements are established by that date. Currently there are no such assurance reporting requirements. However, having the standard ready and 'effective' will help provide for any such specification (which may be later than 15 September 2020), where necessary, in a timely manner.
Conforming amendments to other FRC standards
11Conforming amendments are being made to the scope of ISQC (UK) 1 to identify that it applies for public interest assurance engagements specified to be undertaken in compliance with ISAE (UK) 3000. ISQC (UK) 1 will also apply for firms that voluntarily apply ISAE (UK) 3000, unless those firms apply other professional requirements, or requirements in law or regulation, regarding the firm's responsibility for its system of quality control, that are at least as demanding as ISQC (UK) 1. The FRC's Ethical Standard will apply for engagements that have been specified as "public interest assurance engagements" where an audit level of independence is appropriate.
Responses to the Consultation
12The FRC's consultation closed on 22 May 2020. We received six responses – two from professional bodies and four from audit firms, which are listed in the Appendix to this Statement3. Our expectation was that comments would be limited given that the international standard is already applied voluntarily in the UK for some assurance engagements, and the FRC was not proposing substantive modifications to the requirements and application material in the international standard nor proposing further substantive FRC supplementary material.
13A summary of the responses received to the specific questions asked in the consultation, and the FRC's response to those, are set out below.
Q1. Do you agree with the proposed adoption of ISAE 3000? If not, please explain why.
Summary of Responses
All respondents were generally supportive of the adoption of ISAE 3000 by the FRC. However, there was a general concern that it was not sufficiently clear as to which particular types of assurance engagement would be mandated to be within scope and, therefore, difficult to comment on whether the proposed scope was appropriate. Concerns were also raised about the proposed changes to the standard to require compliance with the FRC Ethical Standard (rather than the IESBA Code) for all assurance engagements to which ISAE (UK) 3000 would apply, and the removal of references to the subject matter specific ISAEs that the FRC is not adopting. These concerns and other matters raised in responses are covered below.
FRC Response
As described below, in finalising standard, the FRC has clarified and further edited the FRC's changes to the text to address concerns raised the consultation responses. These do not make substantive changes to the procedures to be undertaken by practitioners, which remain consistent with the underlying international standard, and accordingly we have determined that re-exposure of the standard is not necessary. When determining whether a particular type of assurance engagement should be specified as a "public interest assurance engagement", for which mandatory application of ISAE (UK) 3000 would be required, the FRC will consider whether it is necessary to consult on the appropriateness of that specification and how the standard should be applied.
Q2. Do you agree that ISAE (UK) 3000 should be mandated only for certain specific types of assurance engagement as described above, with voluntary application permitted for other assurance engagements; or should it be mandated for all assurance engagements for which the FRC has not issued specific performance standards? If the latter, please explain why.
Summary of Responses
No respondents suggested that the standard should be mandated for all assurance engagements for which the FRC has not issued specific performance standards. It was also identified that there could be a lack of clarity as to whether some types of engagement that might be considered "assurance" engagements would meet the pre-conditions set out in ISAE 3000 for application of that standard.
As identified above re Q1, there was a general concern that it was not sufficiently clear as to which particular types of assurance engagement would be mandated to be within scope and, therefore, it was difficult for respondents to comment on whether the proposed scope was appropriate. In the consultation, the FRC said that mandated assurance engagements "will ordinarily be particular engagements for which there is a requirement in law or regulation for an assurance report to be provided by an auditor or other assurance practitioner, or where a clear need has been identified to serve the public interest." This raised concern that the FRC might mandate application of the standard for all reporting engagements required by law or regulation where the FRC had not already issued a performance standard, which was not the FRC's intention.
One respondent (audit firm) commented that If the standard is used voluntarily, and/or the scope and type of assurance services to which it applies are unlimited, it may cause confusion amongst company stakeholders who might be uncertain as to which information is and is not assured, and whether that information is assured from one year to the next.
Five respondents (the two professional bodies and three of the audit firms) also linked concern with the scope of the application of the assurance standard with the scope of application of the FRC Ethical Standard (this is considered in the responses to Q3 below).
FRC Response
In the final standard we have clarified that it is required to be applied to "public interest assurance engagements" specified by the FRC. Currently we have not specified any such public interest assurance engagements but adopting ISAE 3000 now will help provide for any such specification, where necessary in the future in a timely manner. One of the criteria for making such a specification would be that an audit level of independence of the practitioner is appropriate and would be expected by users of the practitioner's report (see also Q3 below).
ISAE 3000 is already applied voluntarily in the UK and the standard includes conditions that are required to be satisfied for it to be applied. The assurance report is required to include an identification or description of the subject matter information and, where appropriate, the underlying subject matter. We do not believe that application of the standard on a voluntary basis would result in confusion as to which information is and is not assured. Accordingly, we are not introducing a prohibition on its voluntary application. However, the changes we have made in the finalising ISAE (UK) 3000 means that it could be applied in all circumstances in the UK where the international version is currently used and we encourage firms to use, and therefore refer in their reports to, the UK version of the standard.
Q3. Do you agree with the proposed adaptations to the text highlighted in the exposure draft? If not, please explain why and describe the changes you would wish to see.
Summary of Responses
Five respondents (the two professional bodies and three of the audit firms) expressed concern with the proposed standard requiring compliance also with the FRC Ethical Standard, particularly as they were not clear which specific assurance engagements ISAE (UK) 3000 would be mandated for. The FRC Ethical Standard sets a high level of independence requirements that are appropriate for audits and for other public interest assurance engagements where users of the practitioner's report would expect an audit level of independence. The international version of ISAE 3000 requires compliance with applicable sections, for assurance engagements other than audits, of the International Ethical Standards Board for Accountants' Code of Ethics (the IESBA Code) – these are in some respects less stringent than the FRC Ethical Standard, although designed to provide an appropriate level of independence for assurance engagements other than audits.
The concerns of respondents to the FRC's consultation included that requiring compliance with the FRC's Ethical Standard would disproportionately hinder their ability to provide assurance engagements to entities, including those that they do not audit and for which an audit level of independence was not necessary (e.g. by restricting the nature of certain other services that could be provided to those entities). It was suggested that this could result in an unreasonable restriction in choice for entities needing other assurance services, and that some firms could decide to only undertake other assurance engagements for entities that they audit (and therefore would already be complying with FRC Ethical Standard) further restricting choice. One audit firm expressed the view that compliance with the ethical code of the ICAEW, or an equivalent ethics code, would be sufficient and appropriate.
Another concern with the proposed adaptations in the exposure draft was the removal of the references to subject matter specific ISAEs issued by the IAASB, but which the FRC was not proposing to adopt. The IAASB's subject matter specific ISAEs are required to be applied in conjunction with ISAE 3000. One of the audit firms identified that excluding the references to them would prevent ISAE (UK) 3000 being used voluntarily in conjunction with those subject matter specific ISAEs.
One of the audit firms also identified that any standard must be consistent with proposed recommendations, principles and reforms in relation to operational separation of audit firms.
FRC Response
As explained in the response to Q2 above, in the final standard we have clarified that it is required to be applied to "public interest assurance engagements" specified by the FRC (noting that none have yet been specified). We have further amended the standard so that compliance with the FRC Ethical Standard is only mandated for any such specified public interest assurance engagements. We consider this to be appropriate and proportionate as one of the criteria for specification as a "public interest assurance engagement" will be that an audit level of independence is appropriate and would be expected by users of the practitioner's report. Practitioners are also required to comply with the ethical pronouncements established by their relevant professional body.
For all other assurance engagements performed in accordance with ISAE (UK) 3000, the practitioner is required to comply with the provisions of the ethical pronouncements established by the assurance practitioner's relevant professional body for assurance engagements and, if more demanding, the provisions of the of the IESBA Code related to assurance engagements, or with other professional requirements, or requirements imposed by law or regulation, that are at least as demanding. In essence this should reflect the position of practitioners who are currently applying the international standard voluntarily in the UK. The professional accountancy bodies in the UK generally undertake to base their ethical codes on the IESBA Code. However, we believe the specific reference to the IESBA Code is appropriate as a condition for asserting compliance with ISAE 3000 (or a standard based on it) is that practitioners comply with the relevant sections of the IESBA Code or other requirements that are at least as demanding.
To facilitate voluntarily using ISAE (UK) 3000 in conjunction with subject matter specific ISAEs issued by the IAASB we have reinstated the references to those other ISAEs. However, we have added a paragraph and footnotes to clarify that the FRC has not adopted or promulgated those ISAEs, but they may be complied with voluntarily in the UK unless the FRC has issued a subject matter specific standard for the same subject matter as the ISAE, in which circumstances the FRC standard is required to be complied with.
We do not believe the final standard will be inconsistent with proposed recommendations, principles and reforms in relation to operational separation of audit firms.
Q4. Do you believe any further adaptations should be made? If yes, please explain them.
Summary of Responses
Five respondents (the two professional bodies and three of the audit firms) stated that further adaptions were not needed. The other audit firm did not suggest that further adaptations were necessarily needed but recommended delaying finalisation of the standard until the various reviews of auditor responsibilities are completed and the outcomes known, which would enable a better assessment of the likely implications to be made.
One respondent (an audit firm) suggested that separate guidance on applying the standard to specific subject matters would be helpful to ensure consistency, quality and comprehensibility of reporting. It was suggested that such guidance could leverage off and upon the IAASB's Extended External Reporting (EER) guidance as well as IAASB's other ISAEs.
FRC Response
We have not made any further adaptations beyond those described in the responses to Q1-Q3 above.
As the standard is designed to be capable of general application to a range of types of assurance engagement, the FRC will review the need for further subject matter specific guidance to assist with the application of the standard to any specific types of engagement for which ISAE (UK) 3000 is mandated to be applied.
Q5. Do you agree with the proposed effective date for assurance reports dated on or after 15 September 2020? If not, please explain what date would be appropriate.
Summary of Responses
Two respondents (one professional body and one audit firm) stated that the proposed effective date was not appropriate. The other respondents all expressed concerns. Generally, all respondents were unable to consider the appropriateness of the proposed date without a clearer understanding of the scope of the standard and which assurance engagements it would be mandated for.
FRC Response
In the consultation we recognised the proposed effective date would be a relatively short time after the standard is finalised, but we explained that application of the standard will be mandatory only if specific mandatory assurance reporting requirements are established by that date. Currently there are no such assurance reporting requirements. However, having the standard ready and 'effective' helps provide for any such specification (which may be later than 15 September 2020), where necessary, in a timely manner.
Impact Assessment
The FRC does not believe that the adoption of ISAE 3000 will result in significant additional costs for business beyond those necessary to fulfil legal or regulatory reporting requirements and the expectations of stakeholders. This is because the FRC is proposing to mandate compliance with the standard only for the conduct of specified "public interest assurance engagements" that the FRC may be requested to regulate in response to the outcome of recent and future reviews of the scope of auditors' responsibilities. Such requirements for an assurance report will normally indicate the level of assurance to be obtained by the practitioner 'reasonable' or 'limited' either explicitly or by the nature of the conclusion/opinion the practitioner is required to give. This standard will provide clarity as to what is meant by a reasonable or limited assurance engagement and the related requirements.
As the standard is designed for general application, the FRC will review the need for further subject matter specific guidance to assist with the application of the standard to specific types of engagement for which ISAE (UK) 3000 is mandated to be applied.
Assurance practitioners have in the past been free to use the international version of the standard (ISAE 3000 as issued by the IAASB) and do so. There should be no significant impact on costs for any such engagements where is ISAE (UK) 3000 used voluntarily in place of the international version of the standard as we are not adding any additional requirements to the international standard.
Financial Reporting Council July 2020
Financial Reporting Council 8th Floor 125 London Wall London EC2Y 5AS
+44 (0)20 7492 2300 www.frc.org.uk
-
In the UK, International Standards on Auditing (UK) (ISAS (UK)) apply to audits of financial statements; International Standard on Review Engagements (UK and Ireland) 2410 applies to review of interim financial information by the independent auditor of the entity. ↩
-
Subject matter specific ISAEs are written on the basis they will be applied in conjunction with ISAE 3000. ↩
-
Copies of the responses can be seen at: https://www.frc.org.uk/consultation-list/2020/proposal-to-adopt-(in-the-uk)-isae-3000-isae-3000) ↩