What is an Assurance Engagement?
ISAE 3000.12(a) defines an assurance engagement by five elements. All five must be present: (1) a three-party relationship between the practitioner, the responsible party, and the intended users; (2) an appropriate subject matter; (3) suitable criteria against which the subject matter is evaluated; (4) sufficient appropriate evidence; and (5) a written assurance report containing the practitioner’s conclusion. If any element is absent, the engagement is not an assurance engagement.
ISAE 3000 is the umbrella standard. Specific ISAEs sit underneath it for particular subject matters: ISAE 3402 for service organisation controls (SOC reports), ISAE 3410 for greenhouse gas statements, and ISAE 3420 for pro forma financial information. When no specific ISAE exists for the subject matter — as is currently the case for many sustainability and ESG topics — ISAE 3000 applies directly.
An assurance engagement can provide either reasonable assurance (positive-form conclusion) or limited assurance (negative-form conclusion). The level of assurance determines the nature and extent of procedures but not whether the engagement qualifies as assurance. Both levels require all five elements.
Key Points
- Five elements must all be present under ISAE 3000.12(a): three-party relationship, subject matter, criteria, evidence, and a written conclusion.
- ISAE 3000 is the umbrella — specific ISAEs (3402, 3410, 3420) apply when the subject matter is covered; otherwise ISAE 3000 applies directly.
- Both reasonable and limited assurance are assurance engagements. Agreed-upon procedures are not.
- ISAE 3000.24 preconditions must be confirmed before accepting any assurance engagement.
Why it matters in practice
The most frequent error is accepting engagements without confirming all five elements are present. ISAE 3000.24 requires the practitioner to assess preconditions before acceptance: Is the subject matter appropriate? Are the criteria suitable? Will the practitioner have access to sufficient evidence? If any precondition is not met, the engagement should not be accepted as an assurance engagement.
On ISAE 3402 engagements, practitioners frequently test control design only yet present the report as Type 2, even though a Type 2 report requires testing operating effectiveness over a period. A Type 1 report covers design and implementation at a point in time. A Type 2 report covers design plus operating effectiveness over a period. Misclassifying the report type misleads the user auditors who rely on it.
Misclassifying an engagement at acceptance is difficult to correct after work begins. If the engagement letter describes an assurance engagement but the subject matter lacks suitable criteria, the practitioner cannot issue an assurance report. The work performed may have value, but it cannot support the conclusion the engagement letter promised. Getting the classification right at acceptance prevents this problem.
Key standard references
- ISAE 3000.12(a): Defines the five elements required for an assurance engagement.
- ISAE 3000.24: Preconditions the practitioner must assess before accepting an assurance engagement.
- ISAE 3402.16: Distinguishes Type 1 (design and implementation) from Type 2 (operating effectiveness) reports.
- ISAE 3000.33: Establishes the practitioner’s responsibility for the assurance conclusion.
Frequently asked questions
What are the five elements of an assurance engagement?
ISAE 3000.12(a) requires: (1) a three-party relationship (practitioner, responsible party, intended users), (2) subject matter, (3) suitable criteria, (4) sufficient appropriate evidence, and (5) a written assurance report with a conclusion.
Are agreed-upon procedures an assurance engagement?
No. An agreed-upon procedures engagement under ISRS 4400 lacks a conclusion — the practitioner reports findings only. That missing element places it outside the assurance framework.