A term of art in the audit profession that is tossed around but not well-understood is “reasonable assurance.” What does it actually mean when an audit report attests with reasonable assurance that the financial reporting or internal controls are reliable?
Accountants, auditors, their clients, and even regulators generally acknowledge that it is impossible to assert with absolute certainty that an event will or will not occur or even whether or not it has already occurred.
All professions accept that some form of judgment is involved when rendering an opinion, and that those judgments aren't always perfectly accurate. In the U.S. criminal justice system, for example, a very high burden of proof—“beyond a reasonable doubt”—is required to convict an individual, yet glaring mistakes still occur under this system. Even in the world of science, where research, carefully controlled experiments, and peer-reviewed results are expected to lead to a closer approximation of truth, presumptions are in continual flux and can be upended by new evidence.
The operative word in the term is “reasonable.” The auditor does not provide absolute assurance. Absolutes are not attainable due to factors such as the need for professional judgment, the use of testing, the inherent limitations of internal control, the reliance in accounting on estimates, and the fact that audit evidence is generally persuasive rather than conclusive.
The term “reasonable assurance” leaves much to the imagination and too much wiggle room for many critics of audit reports. The accounting and audit professions contend that an audit conducted in accordance with Generally Accepted Auditing Standards (GAAS) provides reasonable assurance, but not “absolute” assurance, that the assessed financial statements are free of material mis-statements.
The audit profession has made an effort to close the expectation gap between the levels of assurance that readers presume an audit report can deliver, and the level of assurance that it actually provides. It has updated auditing standards to provide more explicit guidance and, in conjunction with regulators, provided more active oversight and dispensed more disciplinary measures for issuing erroneous reports.
Still, the standards and definitions don't provide much in the way of clarity and concreteness.
Accountants and auditors, like other domain experts including technology professionals and lawyers, are prone to the use of jargon and abstract terminology that, at best, causes the eyes of the layperson to glaze over and, at worst, is designed to confuse or mislead.
How High Is a “High Level?”
Reduced to its core, the auditor is required to obtain reasonable assurance about whether financial statements give a true and fair view of an organization's financial position. In other words, the auditor is to be reasonably sure that financial statements are free from material mis-statements. The concept of reasonable assurance has historically applied to the issuance of financial statements, but more recently it has been used in assessing internal controls and the responsibility for detecting fraud.
The relevant standard in the U.S. is Audit Section 110.02, Responsibilities and Functions of the Independent Auditor, adopted by the Public Company Accounting Oversight Board, which states that “The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material mis-statement …” Discussion of what this requires is cited to and found in other standards, particularly AU Section 230.10, Due Professional Care in the Performance of Work:
The exercise of due professional care allows the auditor to obtain reasonable assurance about whether the financial statements are free of material mis-statement, whether caused by error or fraud, or whether any material weaknesses exist as of the date of management's assessment. Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Although not absolute assurance, reasonable assurance is a high level of assurance.
Similarly, Auditing Standard No. 5, pertaining to An Audit of Internal Control Over Financial Reporting, says that:
Because a company's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assessment (emphasis added and citing AU 230).
Additional language in the standards does provide a little more clarity:
The independent auditor's objective is to obtain sufficient appropriate evidential matter to provide him or her with a reasonable basis for forming an opinion. The nature of most evidence derives, in part, from the concept of selective testing of the data being audited, which involves judgment regarding both the areas to be tested and the nature, timing, and extent of the tests to be performed. In addition, judgment is required in interpreting the results of audit testing and evaluating audit evidence. Even with good faith and integrity, mistakes and errors in judgment can be made. (AU 230).
When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with Generally Accepted Accounting Principles. (AS 5).
Clear? What is clear is that despite the assurance, the idea that there are no mis-statements and the financial statements are therefore absolutely reliable and relevant for the user is no slam dunk. On the other hand, reasonable assurance is a level of confirmation higher than the ordinary duty owed by others outside the profession. The professional auditor is expected to have performed the engagement to the best possible extent given the circumstances to be reasonably sure that financial statements are free from material mis-statement, with the disclaimer that there might be some mis-statements (including fraud) that go undetected.
The concept of reasonable assurance is significant because it should guide assessments of the validity and reliability of the financial statements by external auditors, as well as the effectiveness of internal control by management and internal audit. Consequently it comes into play in determining auditor negligence and professional liability.
To better understand reasonable assurance, perhaps it can help to scrutinize more closely why absolute assurance is not possible. Auditors are unable to obtain absolute assurance not because they conduct engagements with insufficient care, but because limitations inherent in the process restrict the ability to guarantee absolute assurance.
Such intrinsic limitations of an audit include:
Inherent limitations of an accounting system:
Use of judgment in establishing estimates
Room for more than one possible interpretation of requirements
Degree of uncertainty and complexity of the transactions involved
Negative effects of subjective decisions and bias on the part of management
Existence of fraud committed by the entity's management or employees and thus concealment through collusion of important information that would indicate fraud
Use of sampling techniques in conducting different audit procedures
Practical and/or legal limitations on obtaining sufficient audit evidence
Limitations as agreed upon in engagement letter or as applied or forced by the management
Cost-benefit limitations; i.e., the audit engagement requires resources which might not be available, or the cost of gaining additional assurance will be higher than the benefit gained
Reasonable assurance would appear to be determined on an audit-by-audit basis specific to the factors of the engagement. A review of case law involving auditor liability unfortunately does not shed much light on the concept as the analyses are fact-specific and provide little interpretation.
The accounting and audit profession should continue to strive for a more descriptive and concrete definition of reasonable assurance so that investors and other financial statement users are more certain about what an audit opinion delivers. If auditors themselves do not have a good grasp of the concept, they potentially may not require as much evidence to achieve reasonable assurance, especially in areas where they believe the risk is low.
Ultimately, reasonable assurance boils down to the judgment of a prudent professional or official that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate. External and internal auditors should be prepared to express opinions on the adequacy of financial statements, internal control, as well as the management of risk and governance processes. Auditors do rely on their common sense and exercise judgment in performing their professional duties; but more specificity on what this means can prove valuable.