Just What Is Reasonable Assurance?

Norman Marks

compliance with reasonable assurance during an auditDo we care what this term means? We should, because it should guide assessments of internal control by management, internal audit, and external audit (and the latter use it when they express an opinion on the financial statements). It also comes into play as internal auditors and management assess the adequacy of governance and risk management processes.

Is it, as the SEC and PCAOB once told me “a term of science”? Not really. It all comes down to professional judgment by a reasonable or prudent person: judgment as to the level of risk that the assessment is incorrect.

There are regulations that guide the external audit firms and define what reasonable assurance should mean when they use the term.

Auditing Standard Number 5 (AS5) says:

“Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes…The auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment…When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.”

AS5 points to AU sec. 230, Due Professional Care in the Performance of Work for a definition of reasonable assurance. However, that document doesn’t provide a great deal more clarification:

“While exercising due professional care, the auditor must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by the auditor is expressed in the auditor’s report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement.”

The guidance continues:

“The independent auditor’s objective is to obtain sufficient appropriate audit evidence to provide him or her with a reasonable basis for forming an opinion. The nature of most evidence derives, in part, from the concept of selective testing of the data being audited, which involves judgment regarding both the areas to be tested and the nature, timing, and extent of the tests to be performed. In addition, judgment is required in interpreting the results of audit testing and evaluating audit evidence. Even with good faith and integrity, mistakes and errors in judgment can be made. Furthermore, accounting presentations contain accounting estimates, the measurement of which is inherently uncertain and depends on the outcome of future events. The auditor exercises professional judgment in evaluating the reasonableness of accounting estimates based on information that could reasonably be expected to be available prior to the completion of field work. As a result of these factors, in the great majority of cases, the auditor has to rely on evidence that is persuasive rather than convincing.”

OK, what does this all mean?

There are some key phrases:

  • “the level of detail and degree of assurance that would satisfy prudent officials that they have reasonable assurance”
  • “audit risk will be limited to a low level that is, in his or her professional judgment, appropriate”

It all comes down to the judgment of a prudent person or official.

AS5 and AU sec.230 both point to the fact that absolute or perfect assurance is impossible. They are concerned about assurance over financial reporting and their opinion on the system of internal control and the financial statements.

What does the COSO Internal Control – Integrated Framework (2013) say? It also refers to reasonable assurance:

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

It goes on to say that internal control is “able to provide only reasonable assurance, not absolute assurance”.

“The term ‘reasonable assurance’ rather than ‘absolute assurance’ acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible. Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all internal control systems, such as human error and the uncertainty inherent in judgment. Additionally, a system of internal control can be circumvented if people collude. Further, if management is able to override controls, the entire system may fail. In other words, even an effective system of internal control can experience a failure.”

So, let’s see if we can come up with something that makes practical sense

Let’s start with saying that a system of internal control is designed to ensure risks to the achievement of objectives are within desired levels. But, there are limitations inherent in any system of internal control, as described by COSO in the excerpt above.

How much risk should we take that the system of internal control will fail, with significant implications for the achievement of objectives? How much should we spend on controls to limit the risk? That is a matter of judgment: management and the board, as appropriate, should decide. In some cases, regulation and law may guide the definition of an acceptable level of risk that the system of internal control will fail. In all cases, whether a reasonable person (or official) would agree should be a consideration.

If the level of risk that the system of internal control will fail is acceptable, we can call the system of internal control effective.

But the problem is not quite that easy. We also have to consider the use of the term in an auditor’s opinion. External and internal audit seek reasonable assurance that the system of internal control is effective. Said another way, the auditors seek reasonable assurance that the system of internal control provides reasonable assurance that risks to the achievement of objectives are at acceptable levels.

Here, we are talking about the level of risk that the assessment by the auditor is incorrect. Again, the judgment of a prudent person or official comes into play. For the reasons expressed in AU sec.230, an auditor cannot be certain that his assessment is correct.

Where am I going with this?

As I said earlier, this is not a matter of science. It is a matter of judgment and common sense. Professional auditors are presumed to have both and should be required to exercise both when making assessments.

I believe that external auditors, management, and internal auditors should be prepared to form and express opinions on the adequacy of internal control, management of risk, governance processes, and more. They should rely on, without qualms, their common sense and judgment in that process. Perfect assurance that the system of internal control is perfect is doubly impossible. Reasonable assurance based on professional judgment is possible.

I welcome your comments and perspectives.

P.S. I will write a post shortly about the form an internal auditor’s opinion might take on the adequacy of an organization’s overall processes for governance, management of risk, and internal controls.



audit , awareness

Recommended for you:

13 Scary Statistics On Employee Engagement [INFOGRAPHIC]

Jacob Shriar

There is a serious problem with the way we work.

Most employees are disengaged and not passionate about the work they do. This is costing companies a ton of money in lost productivity, absenteeism, and turnover. It’s also harmful to employees, because they’re more stressed out than ever.

The thing that bothers me the most about it, is that it’s all so easy to fix. I can’t figure out why managers aren’t more proactive about this. Besides the human element of caring for our employees, it’s costing them money, so they should care more about fixing it. Something as simple as saying thank you to your employees can have a huge effect on their engagement, not to mention it’s good for your level of happiness.

The infographic that we put together has some pretty shocking statistics in it, but there are a few common themes. Employees feel overworked, overwhelmed, and they don’t like what they do. Companies are noticing it, with 75% of them saying they can’t attract the right talent, and 83% of them feeling that their employer brand isn’t compelling. Companies that want to fix this need to be smart, and patient. This doesn’t happen overnight, but like I mentioned, it’s easy to do. Being patient might be the hardest thing for companies, and I understand how frustrating it can be not to see results right away, but it’s important that you invest in this, because the ROI of employee engagement is huge.

Here are 4 simple (and free) things you can do to get that passion back into employees. These are all based on research from Deloitte.

1.  Encourage side projects

Employees feel overworked and underappreciated, so as leaders, we need to stop overloading them to the point where they can’t handle the workload. Let them explore their own passions and interests, and work on side projects. Ideally, they wouldn’t have to be related to the company, but if you’re worried about them wasting time, you can set that boundary that it has to be related to the company. What this does, is give them autonomy, and let them improve on their skills (mastery), two of the biggest motivators for work.

Employees feel overworked and underappreciated, so as leaders, we need to stop overloading them to the point where they can’t handle the workload.

2.  Encourage workers to engage with customers

At Wistia, a video hosting company, they make everyone in the company do customer support during their onboarding, and they often rotate people into customer support. When I asked Chris, their CEO, why they do this, he mentioned to me that it’s so every single person in the company understands how their customers are using their product. What pains they’re having, what they like about it, it gets everyone on the same page. It keeps all employees in the loop, and can really motivate you to work when you’re talking directly with customers.

3.  Encourage workers to work cross-functionally

Both Apple and Google have created common areas in their offices, specifically and strategically located, so that different workers that don’t normally interact with each other can have a chance to chat.

This isn’t a coincidence. It’s meant for that collaborative learning, and building those relationships with your colleagues.

4.  Encourage networking in their industry

This is similar to number 2 on the list, but it’s important for employees to grow and learn more about what they do. It helps them build that passion for their industry. It’s important to go to networking events, and encourage your employees to participate in these things. Websites like Eventbrite or Meetup have lots of great resources, and most of the events on there are free.

13 Disturbing Facts About Employee Engagement [Infographic]

What do you do to increase employee engagement? Let me know your thoughts in the comments!

Did you like today’s post? If so you’ll love our frequent newsletter! Sign up here and receive The Switch and Shift Change Playbook, by Shawn Murphy, as our thanks to you!

This infographic was crafted with love by Officevibe, the employee survey tool that helps companies improve their corporate wellness, and have a better organizational culture.


Recommended for you:

Supply Chain Fraud: The Threat from Within

Lindsey LaManna

Supply chain fraud – whether perpetrated by suppliers, subcontractors, employees, or some combination of those – can take many forms. Among the most common are:

  • Falsified labor
  • Inflated bills or expense accounts
  • Bribery and corruption
  • Phantom vendor accounts or invoices
  • Bid rigging
  • Grey markets (counterfeit or knockoff products)
  • Failure to meet specifications (resulting in substandard or dangerous goods)
  • Unauthorized disbursements

LSAP_Smart Supply Chains_graphics_briefook inside

Perhaps the most damaging sources of supply chain fraud are internal, especially collusion between an employee and a supplier. Such partnerships help fraudsters evade independent checks and other controls, enabling them to steal larger amounts. The median loss from fraud committed
by a single thief was US$80,000, according to the Association of Certified Fraud Examiners (ACFE).

Costs increase along with the number of perpetrators involved. Fraud involving two thieves had a median loss of US$200,000; fraud involving three people had a median loss of US$355,000; and fraud with four or more had a median loss of more than US$500,000, according to ACFE.

Build a culture to fight fraud

The most effective method to fight internal supply chain theft is to create a culture dedicated to fighting it. Here are a few ways to do it:

  • Make sure the board and C-level executives understand the critical nature of the supply chain and the risk of fraud throughout the procurement lifecycle.
  • Market the organization’s supply chain policies internally and among contractors.
  • Institute policies that prohibit conflicts of interest, and cross-check employee and supplier data to uncover potential conflicts.
  • Define the rules for accepting gifts from suppliers and insist that all gifts be documented.
  • Require two employees to sign off on any proposed changes to suppliers.
  • Watch for staff defections to suppliers, and pay close attention to any supplier that has recently poached an employee.

About Lindsey LaManna

Lindsey LaManna is Social and Reporting Manager for the Digitalist Magazine by SAP Global Marketing. Follow @LindseyLaManna on Twitter, on LinkedIn or Google+.


Recommended for you:

The Future Of Supplier Collaboration: 9 Things CPOs Want Their Managers To Know Now

Sundar Kamak

As a sourcing or procurement manager, you may think there’s nothing new about supplier collaboration. Your chief procurement officer (CPO) most likely disagrees.
Forward-thinking CPOs acknowledge the benefit of supplier partnerships. They not only value collaboration, but require a revolution in how their buying organization conducts its business and operations. “Procurement must start looking to suppliers for inspiration and new capability, stop prescribing specifications and start tapping into the expertise of suppliers,” writes David Rae in Procurement Leaders. The CEO expects it of your CPO, and your CPO expects it of you. For sourcing managers, this can be a lot of pressure.

Here are nine things your CPO wants you to know about how supplier collaboration is changing – and why it matters to your company’s future and your own future.

1. The need for supplier collaboration in procurement is greater than ever

Over half (65%) of procurement practitioners say procurement at their company is becoming more collaborative with suppliers, according to The Future of Procurement, Making Collaboration Pay Off, by Oxford Economics. Why? Because the pace of business has increased exponentially, and businesses must be able to respond to new market demands with agility and innovation. In this climate, buyers are relying on suppliers more than ever before. And buyers aren’t collaborating with suppliers merely as providers of materials and goods, but as strategic partners that can help create products that are competitive differentiators.

Supplier collaboration itself isn’t new. What’s new is that it’s taken on a much greater urgency and importance.

2. You’re probably not realizing the full collective power of your supplier relationships

Supplier collaboration has always been a function of maintaining a delicate balance between demand and supply. For the most part, the primary focus of the supplier relationship is ensuring the right materials are available at the right time and location. However, sourcing managers with a narrow focus on delivery are missing out on one of the greatest advantages of forging collaborative supplier partnerships: an opportunity to drive synergies that are otherwise perceived as impossible within the confines of the business. The game-changer is when you drive those synergies with thousands, not hundreds of suppliers. Look at the Apple Store as a prime example of collaboration en masse. Without the apps, the iPhone is just another ordinary phone!

3. Collaboration comes in more than one flavor

Suppliers don’t just collaborate with you to provide a critical component or service. They also work with your engineers to help ensure costs are optimized from the buyer’s perspective as well as the supplier’s side. They may even take over the provisioning of an entire end-to-end solution. Or co-design with your R&D team through joint research and development. These forms of collaboration aren’t new, but they are becoming more common and more critical. And they are becoming more impactful, because once you start extending any of these collaboration models to more and more suppliers, your capabilities as a business increase by orders of magnitude. If one good supplier can enable your company to build its brand, expand its reach, and establish its position as a market leader – imagine what’s possible when you work collaboratively with hundreds or thousands of suppliers.

4. Keeping product sustainability top of mind pays off

Facing increasing demand for sustainable products and production, companies are relying on suppliers to answer this new market requirement.

As a sourcing manager, you may need to go outside your comfort zone to think about new, innovative ways to collaborate for achieving sustainability. Recently, I heard from an acquaintance who is a CPO of a leading services company. His organization is currently collaborating with one of the largest suppliers in the world to adhere to regulatory mandates and consumer demand for “lean and green” lightbulbs. Although this approach was interesting to me, what really struck me was his observation on how this co-innovation with the supplier is spawning cost and resource optimization and the delivery of competitive products. As reported by Andrew Winston in The Harvard Business Review, Target and Walmart partnered to launch the Personal Care Sustainability Summit last year. So even competitors are collaborating with each other and with their suppliers in the name of sustainability.

5. Co-marketing is a win-win

Look at your list of suppliers. Does anyone have a brand that is bigger than your company’s? Believe it or not, almost all of us do. So why not seize the opportunity to raise your and your supplier’s brand profile in the marketplace?

Take Intel, for example. The laptop you’re working on right now may very well have an “Intel inside” sticker on it. That’s co-marketing at work. Consistently ranked as one of the world’s top 100 most valuable brands by Millward Brown Optimor, this largest supplier of microprocessors is world-renowned for its technology and innovation. For many companies that buy supplies from Intel, the decision to co-market is a strategic approach to convey that the product is reliable and provides real value for their computing needs.

6. Suppliers get to choose their customers, too

Increased competition for high-performing suppliers is changing the way procurement operates, say 58% of procurement executives in the Oxford Economics study. Buyers have a responsibility to the supplier – and to their CEO – to be a customer of choice. When the economy is going well, you might be able to dictate the supplier’s goods and services – and sometimes even the service delivery model. When times get tough (and they can very quickly), suppliers will typically reevaluate your organization’s needs to see whether they can continue service in a fiscally responsible manner. To secure suppliers’ attention in favorable and challenging economic conditions, your organization should establish collaborative and mutually productive partnerships with them.

7. Suppliers can help simplify operations

Cost optimization will always be one of your performance metrics; however, that is only one small part of the entire puzzle. What will help your organization get noticed is leveraging the supplier relationship to innovate new and better ways of managing the product line and operating the business while balancing risk and cost optimization. Ask yourself: Which functions are no longer needed? Can they be outsourced to a supplier that can perform them better? What can be automated?

8. Suppliers have a better grasp of your sourcing categories than you do

Understand your category like never before so that your organization can realize the full potential of its supplier investments while delivering products that are consistent and of high quality. How? By leveraging the wisdom of your suppliers. To be blunt: they know more than you do. Tap into that knowledge to gain a solid understanding of the product, market category, suppliers’ capabilities, and shifting dynamics in the industry, If a buyer does not understand these areas deeply, no amount of collaboration will empower a supplier to help your company innovate as well as optimize costs and resources.

9. Remember that there’s something in it for you as well

All of us want to do strategic, impactful work. Sourcing managers with aspirations of becoming CPOs should move beyond writing contracts and pushing PO requests by building strategic procurement skill sets. For example, a working knowledge in analytics allows you to choose suppliers that can shape the market and help a product succeed – and can catch the eye of the senior leadership team.

Sundar Kamak is global vice president of solutions marketing at Ariba, an SAP company.

For more on supplier collaboration, read Making Collaboration Pay Off, part of a series on the Future of Procurement, by Oxford Economics.


Recommended for you:

4 Biggest Risks In NOT Using Social Media

April Crichlow

These days social media is critical for success in business. Early adopters have made great strides, using it to engage with customers online and find new clients. For the laggards — typically small businesses that think they don’t have the resources or need for social media — the question looms: “Is social media a fad, or is it here to stay?”

Unfortunately for these companies, social media is here to stay. There are four major risks in not using social platforms as a business tool:

  1. You risk being out of the loop. Social media is a key channel for consumers collecting information and connecting with other consumers. It is also a great opportunity for companies to engage with current customers, as well as potential customers, all over the world. By not using social media, you run the risk of losing customers, credibility, and crucial information that can benefit your business. Even if you choose not to actively participate in discussions, you need be aware and stay informed regarding conversations about your company. Don’t stick your head in the ground and hope for social media to “blow on by.”
  1. You can’t respond to negative comments about your business. When customers are not satisfied with your product or service, one of the first things many will do is complain on Twitter or Facebook, or they will write a bad review online. If you are not actively keeping tabs on these discussions and reviews, they can hurt your reputation and cost you potential business. How can you protect your brand if you don’t know what’s being said about it online? Social media is now the default platform for customer service. Instead of calling an 800 number, consumers want to send businesses a tweet or post something on a Facebook page. When they can’t find you online, they will go to a review site such a Yelp or Merchant Circle to complain and warn other customers. However, if they have a relationship with your company, they are much less likely to take such actions and will instead send you an email or a private message about the problem.
  1. You risk missing the positive comments about your business. Customers also leave positive feedback online about companies with which they do business. However, if they believe their comments won’t be read by the companies they are praising, satisfied customers are less likely to leave feedback.
  1. You risk giving your competitors an unfair advantage. If your competitors are active on social media and you are not, your rivals have a leg up on winning business from potential customers. You don’t allow for comparisons and can’t answer questions in real time. Unless your product or service is overwhelmingly superior, this is one risk you cannot afford to take!

Social media is an excellent forum to participate in discussions happening right now about your business and your industry. Building an active presence on social sites offers numerous opportunities to promote your products and services, provide outlets for customer service, and check up on your competition. It’s not too late to start using social media as a business tool…but one day soon, it might be.

If you are an SAP partner and would like to learn more about this topic, join me on Dec 1st for How to Spend 15 Minutes a Day on Social Without Breaking a Sweat. Register now: (s-user) #SAPMarketingAcademy


Recommended for you: