In Conversation: What’s the difference between statutory audit and assurance?
Published: 8 August 2025
Following on from the FRC's recent podcast episode on exploring 'What is an Audit', Kate O'Neill, Director of Stakeholder Engagement and Corporate Affairs, is joined once again by Project Directors, Ramana McConnon and Peter Kitson, to delve into the key differences between audit and assurance. They also unpack the FRC's regulatory role in assurance, and the standards that govern it.
Transcript
Hello there and welcome to another FRC 'In Conversation' podcast. My name is Kate O'Neill. I'm the Director of Stakeholder Engagement and Corporate Affairs here at the FRC. And today's podcast is a follow-up to a podcast that was very well received and it was called 'What is an audit?' And I guess we really recommend that people go back and listen to that, as it may be a first listen for you on us going through what's involved in an audit, because I think it's clear that people have different understandings of what's an audit, what's required of them, and how to have better conversations between companies and those providing the audit services.
00:45
And today I'm joined again by the two directors who were on that podcast. Ramana McConnon, Project Director, Audit and Assurance and Peter Kitson, Project Director of Audit and Assurance here at the FRC. Welcome, Ramana and Peter. Thanks. Very glad to be here. Thank you very much, Kate. Glad to be back again. Yeah, I mean, I guess you were perhaps as surprised as I was that the podcast
01:05
'What is an audit?' was so well received. And also the feedback was, gosh, thanks for doing it because really understand the role of audit and its importance better. But I guess today we're talking about a slightly different angle on this topic, which is what's the difference between a statutory audit and assurance. And I guess we did cover in the previous podcast a statutory audit.
01:27
But just for those people who perhaps haven't yet heard it, Peter, do you want to kick us off with what is a statutory audit? So a statutory audit is something that's essentially required by law. You can sort of think of it as part of the quid pro quo for the privilege of incorporation. It's there to close the gap between what management are doing and what the owners of the business want to know, and it's sort of essentially created as a way of making sure that that information gap is closed.
01:55
And there's a sort of central register of legal identities that's held at Companies House, which you could almost think of as a sort of birth and death register for artificial persons. And it's that information that comes from the audit that provides that public information for people who want to do business with that company, that that artificial person is actually alive, so to speak.
02:15
Really good analogy. And also, I guess as we talked about in the last podcast, you know, people rely on the audit for providing capital, helping companies grow, helping them scale up because, you know, they've received that statutory sign off, that the accounts that the management and board have signed off on are indeed correct. Yes. True. In fact. Yeah.
02:36
So more and more, we're hearing about assurance on perhaps some people finding a new topic sustainability, cyber, AI. Ramana, a lot of people might be saying while both in the statutory audit and why do I need separate or different assurance around that. Yeah, sure. It's a good question, Kate. I suppose the relationship between audit and assurance, they're not two separate cousins.
02:58
It's more the audit is a special case of the more general assurance engagement. So an assurance engagement has certain defining criteria. I'll run through them very quickly. Apologies if it's a little bit technical, but I think it does help bring out the difference between the more familiar audit. And then we can explore how assurance differs. So you have a three party relationship in both.
03:15
In the case of an audit, that will be the management, the users of financial statements and the auditor. That will be the three parties and assurance will be very similar. The management, users and then the assurance provider, but largely the same thing. Then you have the subject matter. So again in an audit that's the financial statements or the financial performance and position of the entity. In assurance,
03:33
that could be more or less anything. I mean it could be sustainability information, it could be some gender pay gap reporting. It could be the governance over an AI system. It could be anything that the company feels users might want a bit of extra assurance over. The third one would be the criteria. I think we'll explore this a bit later.
03:50
In the case of an audit, it's quite straightforward. It's the financial reporting framework. So it's the principles and guidelines. But that subject matter is reported against. And that's what I know what it's about. But I'll go in and see if the financial statements are in line with the criteria. And again in assurance rather than being just 1 or 2 options, IFRS or UK GAAP, there's hundreds if not thousands of different criteria or framework.
04:10
So that's definitely a big area in terms of the amount of variation. You can say that. Fourthly, you have sufficient appropriate evidence. Again here. Put it back in more familiar territory between audit and assurance. In both cases, it's the usual sorts of things, which I think we explored on the last podcast. Things like third party information, which might corroborate or contradict the assertions made by management.
04:29
Evidence can be all sorts of things. So I think we covered that last time, so I got too much time. Thanks Ramana. Peter, on audit and assurance and Ramana just said we'll go into a bit more detail about the criteria issues. Do they follow the same principles based on professional skepticism and judgment, or are those two things more applied just in the statutory audit space?
04:48
There's quite a lot of commonality between what you're supposed to do during an audit and what you're supposed to do during an assurance engagement. The key thing, I mean, obviously professional skepticism and professional judgment are key, but probably the thing that's most important is the concept of independence, the idea of the auditor or the assurance practitioner is independent of the entity that they're engaged to do the assurance engagement for.
05:14
And that's really quite important from an FRC point of view, because we have this concept of a public interest assurance engagement. So there will be certain classes of assurance engagement that are deemed to be so important that we not only issue our own performance standards like the ISAs UK for statutory audits, but also those engagements are subject to the FRC ethical standard to ensure that the practitioner not only has an independent mindset, that they're free of some of the pitfalls that they might have in terms of in working with the entity that they're providing the assurance for, but also that there's a maintenance of an impression of independence by users as well, so
05:55
that the whole thing is as aboveboard as it possibly can be, and so that users can have confidence in what the assurance providers are having to say. It's interesting that you're weaving those standards in, because a lot of what you've just said at the commonalities there come a professional perspective and an expectation perspective when people are engaging auditors for either statutory audit or assurance, but let's explore a bit
06:18
the type of topics that assurance can be obtained from. And some of them of I really recently developed. So it's an expectation and I'll ask you to start off on this Ramana, that this landscape could be ever expanding depending on those topics that become like AI evolve very quickly, sustainability that covers a lot of different things with users of audit and people who rely on audit
06:41
and assurance expect there to be ever more growing assurance topics. I think really whenever there's an information gap, there is the potential for assurance to bring some benefit. It won't be proportionate in all cases by any means. But that sort of agent-principal dynamic where certain people are managing assets on behalf of the others, and then the asset owners may not know what's going on with those assets, or may want to have access information that lends itself to a sort of independent assurance provider.
07:06
If the benefits outweigh the costs, which is not a straightforward consideration. Some of the areas we see as obviously financial audit, sustainability reporting, again, somewhere that the market might add a capital base. So they want that reporting to be as robust as possible. But then it could be narrower things like the controls or what's the governance arrangements over an AI system.
07:24
And that one, as we see growing quite quickly. And it speaks to the range of interest, because I think management would also be really interested in the question of whether they can trust a new system that they've developed. They might want to obtain assurance for their own benefit, never mind sort of satisfying stakeholders external to the organisation. Yeah.
07:39
And Peter, I mean, has some of these topics developed. Would assurance be following the market developing to form views on whether the way a company's addressing something like sustainability or perhaps use of AI or how they are managing the cyber risk. Does this mean the hard and fast rules are not going to be quite there yet? Because these are evolving markets. I think there is an element of that that the key question is really the extent to which a framework exists for assessing whether the subject being assured is sort of regarded as correct or true and fair, what other type of yardstick you'd want to apply?
08:17
So there's a sort of dynamic element. There's the extent to which these subject matter, sort of what you might call the equivalence in accounting standards, the expectations that users have around what is regarded as accurate. So and when you talk about that, where the users of the accounts and reporting really want to get a better sense of how the company is using third party suppliers, how it's addressing these things under its own steam. Definitely.
08:43
There's a strong sense of does the market need this assurance as well? That will also drive practice. If there's a demand for some sort of framework assurance around that framework, then the money will be found for it and a new market will be created on the assurance side. I mean, then there's the technical issues of how do we go about assuring this, what are the technical considerations that we need to be considering?
09:06
And that's where the assurance standard setters need to start putting their thinking caps on. And I'm going to get onto that in a minute. I mean, at the FRC both in the audit and assurance team, can you talk us through the FRC's regulatory role in relation to assurance. Because I guess, you know, the FRC covers the supervisory part of the regulatory model, while Peter and Ramana, you're part of the audit and assurance team, the things about standards, things about how they should be applied.
09:34
So does the FRC wear a number of different hats in this area? Yes it does. Obviously. You know, Ramana and I still work on the standard setting side of things. Probably the key difference between assurance engagements and audits is that not all assurance engagements will necessarily be within the remit of FRC standards. If it's not a public interest assurance engagement, then you know, the assurance provider is governed by the ethical requirements of their professional body.
10:05
So if they're a member of the ICAEW, it would be the ICAEW code rather than the ethical standard. So that to some extent sort of limits the sort of regulatory remit of what we do. I guess the professional body, supervisory team in our supervision division would be closely working with the professional bodies. So there's no kind of arbitrage or divergence between public interest entity assurance models and smaller, less complex ones.
10:32
Exactly, exactly. And you know, we don't have a sort of inspection regime for assurance engagements in the same way that we do for audit. So there's no equivalent to AQR. But we do have, you know, enforcement responsibilities over assurance engagements, especially those that are public interest assurance ones. So if we heard intelligence of some sort of issue that required further investigation through the press or through complaints, then we could start investigating that.
11:00
So in many ways it's similar to what we do on audit, but without the inspection side of things. So I mean, we have standards for assurance, Ramana, in the UK, I mean, we've spoken previously about ISAs. Do you think over time there will be formalised standards, much in the same way as ISAs for assurance? There are some. But because of the sort of very wide ranging scope of what assurance can cover, it's more a case of get specialist standards springing up, but that can change over time.
11:29
So previously, the IAASB had a standard for the assurance of greenhouse gas statements very specific, very technical, very quantitative reporting, and an equivalent standard that then in the last couple of years they released ISA 5000, which is a more general sustainability assurance standard. They've actually now withdrawn that previous standard on greenhouse gases. So there can be shifting limits and perimeter standards.
11:51
The FRC in the UK does issue a few assurance standards, so we're actually currently consulting on a UK version of ISA 5000. We have a UK version of ISA 3000, which is a sort of general purpose, a current standard which can in theory be used for pretty much any assurance engagement or in some cases you may find this more specialist one works better.
12:11
And then we have SIRs standards for investment reporting and ISQC standards which are again assurance standards but for quite specific, quite narrow pieces of reporting in the financial services space to help markets function. So we do issue standards largely, as Peter says, for what are known as public interest assurance engagements. But then outside the FRC you have a really wide range.
12:31
So the ISAs standards have been, I think, their number in the thousands, they can be about the width of a surgeon's scalpel. All the way up to what's a good quality management system. So they really range very widely. Is it just the accountancy firms who will continue to dominate in this space? I mean, you mentioned Ramana, Peter, that some of these vary the assurance by some very technical, whether it's about sustainability or other topics, but is it just going to be the usual suspects with accounting audit firms who continue to work in this space?
13:02
Peter, do you want to kick us off? That's a very interesting issue because I think if you sort of take something like sustainable assurance, there's very much a sort of mixed economy in terms of how that's provided at the moment. There's an awful lot of assurance providers who aren't necessarily from an accounting background, but do have the necessary sort of technical expertise for understanding how sustainability disclosures are put together, while at the same time you have the sort of the audit firms who are putting this as part of their offering, and they're very much developing their expertise in sustainability space while also leveraging their knowledge of assurance provision.
13:39
So it's very much a mixed mode of providing that information. I mean, I think Ramana was sort of able to speak a bit greater depth in terms of the relevant assurance frameworks there and how they've been put together. But I think we've had a recent market study on the market for sustainability assurance providers, which I think demonstrates quite clearly the extent to which nontraditional assurance providers are providing assurance in the sustainability space.
14:05
It could sound like, I guess, to users of audit and assurance services that this is just going to keep growing. What would you say to the clients of these firms who need assurance, either on a statutory or other basis? Is it going back to your helpful podcast? 'What is an audit' to give them the tools that they can have these conversations to make sure that the range of the engagement is proportionate and I guess scalable, Ramana, because the different size, the different complexity of entity should dictate how the audit and assurance work should be undertaken.
14:40
That's exactly right, Kate. I mean, I suppose statutory audit it's a special case. It's in the name statutory where it's required by law. Outside of that, it's the company's decision whether or not it makes commercial sense to obtain assurance. In some cases, they may feel that sort of reduces cost of capital and therefore makes sense and that might outweigh the cost of obtaining the assurance.
14:58
In other cases, they may feel that in order to trust their own controls or systems or covenants processes, they feel they want that extra second pair of eyes on them. And I think that the benefits that bring to their business will outweigh the cost. In other cases, they absolutely might not decide that. They might feel they have robust internal three largest defense staff to satisfy themselves.
15:17
They might feel that their stakeholder base is clamoring for this information. And then in those cases, they might absolutely decide we can just report it without assurance. So it really is a case by case basis, I think. It's a really important point because I guess if you know your stakeholders, whether they're capital providers in whatever form, but your other stakeholders as employees, consumers, suppliers, if you know them well and what their expectations are, would you both agree that that should be driving your thinking about the level and volume of the type of reporting and assurance you're looking to get?
15:52
Absolutely. I mean, I think the central concept here is materiality, the idea that it's information that might have an impact on decision making by users and if the reporting or the assurance is around things which are material, then you probably need to question what's being done in the first place. It's really about understanding what's relevant to users in terms of making those judgments of what you need to do, and at what level. Ramana you reminded us that we've just concluded a consultation on ISA 5000 and I guess the next step of that consultation will be putting together the feedback statement based on what I'm sure is a very wide range of input, which is always appreciated from our stakeholder universe on such an important topic.
16:30
Ramana and Peter, thank you so much for the time today. I think this series of really helping people understand, you know, sometimes the nuances, but sometimes the actual point and purpose of audit and assurance is always welcome. Thanks again.