Do we care what this term means? We should, because it should guide assessments of internal control by management, internal audit, and external audit (and the latter use it when they express an opinion on the financial statements). It also comes into play as internal auditors and management assess the adequacy of governance and risk management processes.
Is it, as the SEC and PCAOB once told me “a term of science”? Not really. It all comes down to professional judgment by a reasonable or prudent person: judgment as to the level of risk that the assessment is incorrect.
There are regulations that guide the external audit firms and define what reasonable assurance should mean when they use the term.
Auditing Standard Number 5 (AS5) says:
“Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes…The auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment…When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.”
AS5 points to AU sec. 230, Due Professional Care in the Performance of Work for a definition of reasonable assurance. However, that document doesn’t provide a great deal more clarification:
“While exercising due professional care, the auditor must plan and perform the audit to obtain sufﬁcient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the ﬁnancial statements. The high, but not absolute, level of assurance that is intended to be obtained by the auditor is expressed in the auditor’s report as obtaining reasonable assurance about whether the ﬁnancial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement.”
The guidance continues:
“The independent auditor’s objective is to obtain sufﬁcient appropriate audit evidence to provide him or her with a reasonable basis for forming an opinion. The nature of most evidence derives, in part, from the concept of selective testing of the data being audited, which involves judgment regarding both the areas to be tested and the nature, timing, and extent of the tests to be performed. In addition, judgment is required in interpreting the results of audit testing and evaluating audit evidence. Even with good faith and integrity, mistakes and errors in judgment can be made. Furthermore, accounting presentations contain accounting estimates, the measurement of which is inherently uncertain and depends on the outcome of future events. The auditor exercises professional judgment in evaluating the reasonableness of accounting estimates based on information that could reasonably be expected to be available prior to the completion of ﬁeld work. As a result of these factors, in the great majority of cases, the auditor has to rely on evidence that is persuasive rather than convincing.”
OK, what does this all mean?
There are some key phrases:
- “the level of detail and degree of assurance that would satisfy prudent officials that they have reasonable assurance”
- “audit risk will be limited to a low level that is, in his or her professional judgment, appropriate”
It all comes down to the judgment of a prudent person or official.
AS5 and AU sec.230 both point to the fact that absolute or perfect assurance is impossible. They are concerned about assurance over financial reporting and their opinion on the system of internal control and the financial statements.
What does the COSO Internal Control – Integrated Framework (2013) say? It also refers to reasonable assurance:
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
It goes on to say that internal control is “able to provide only reasonable assurance, not absolute assurance”.
“The term ‘reasonable assurance’ rather than ‘absolute assurance’ acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible. Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all internal control systems, such as human error and the uncertainty inherent in judgment. Additionally, a system of internal control can be circumvented if people collude. Further, if management is able to override controls, the entire system may fail. In other words, even an effective system of internal control can experience a failure.”
So, let’s see if we can come up with something that makes practical sense
Let’s start with saying that a system of internal control is designed to ensure risks to the achievement of objectives are within desired levels. But, there are limitations inherent in any system of internal control, as described by COSO in the excerpt above.
How much risk should we take that the system of internal control will fail, with significant implications for the achievement of objectives? How much should we spend on controls to limit the risk? That is a matter of judgment: management and the board, as appropriate, should decide. In some cases, regulation and law may guide the definition of an acceptable level of risk that the system of internal control will fail. In all cases, whether a reasonable person (or official) would agree should be a consideration.
If the level of risk that the system of internal control will fail is acceptable, we can call the system of internal control effective.
But the problem is not quite that easy. We also have to consider the use of the term in an auditor’s opinion. External and internal audit seek reasonable assurance that the system of internal control is effective. Said another way, the auditors seek reasonable assurance that the system of internal control provides reasonable assurance that risks to the achievement of objectives are at acceptable levels.
Here, we are talking about the level of risk that the assessment by the auditor is incorrect. Again, the judgment of a prudent person or official comes into play. For the reasons expressed in AU sec.230, an auditor cannot be certain that his assessment is correct.
Where am I going with this?
As I said earlier, this is not a matter of science. It is a matter of judgment and common sense. Professional auditors are presumed to have both and should be required to exercise both when making assessments.
I believe that external auditors, management, and internal auditors should be prepared to form and express opinions on the adequacy of internal control, management of risk, governance processes, and more. They should rely on, without qualms, their common sense and judgment in that process. Perfect assurance that the system of internal control is perfect is doubly impossible. Reasonable assurance based on professional judgment is possible.
I welcome your comments and perspectives.
P.S. I will write a post shortly about the form an internal auditor’s opinion might take on the adequacy of an organization’s overall processes for governance, management of risk, and internal controls.