What are audit assertions?

"Trade receivables may be misstated" is the risk description on roughly a third of the files we see during peer review. It reads like a risk, but it is not one. It does not tell the senior what to test, it does not pin the procedure to a direction of testing, and it does not survive a reviewer asking which assertion is actually at risk. Under ISA 315.12(a), that sentence is a tick-box exercise, not an assessment.

Assertions are the representations management embeds in the FS, whether stated explicitly or implied by the numbers on the page. ISA 315.A190 categorises them into three groups: assertions about account balances at period end (existence, rights and obligations, completeness, valuation and allocation), assertions about classes of transactions during the period (occurrence, completeness, accuracy, cutoff, classification), and assertions about presentation and disclosure (occurrence, completeness, classification and understandability, accuracy and valuation).

Assertions give the auditor precision. Specifying whether the risk is existence or valuation or completeness (and each of the others in turn) determines the direction of testing, the type of evidence needed, and the procedures to perform. ISA 315.12(a) requires risks identified at the assertion level for exactly this reason.

The most common file breakdown is not a missing assertion. It is a mismatch between the risk identified and the assertion tested. A team identifies a valuation risk on inventory but then tests existence through a stock count. The count confirms the inventory is there. It says nothing about whether the carrying amount is correct.

Key Points

  • Assertions are categories of what could go wrong in the FS. They frame the auditor's entire testing approach.
  • They split into three groups: account balances at period end, classes of transactions during the period, and presentation and disclosure.
  • Every audit procedure must link to at least one assertion. A procedure that does not address a specific assertion produces evidence of uncertain value.
  • The most common finding is a mismatch. The risk identified and the assertion the procedures actually test do not line up. A missing assertion is rarer than a mismatched one.

Why it matters in practice

The AFM has repeatedly flagged audit files where risk descriptions are too generic to drive meaningful procedures. "Revenue is a significant account" is not an assertion-level risk. "Revenue occurrence is at risk because the entity has pressure to meet analyst targets and can backdate sales orders" is. The specificity forces a response. Test occurrence by selecting recorded sales and tracing to delivery evidence, not by performing a completeness test on the sales listing.

The payables example illustrates the confusion most clearly. Teams routinely test the existence of payables by confirming balances with suppliers. Existence is rarely the risk for liabilities. Management's incentive is to understate liabilities, which makes completeness the dominant assertion. Testing completeness requires starting from sources outside the ledger (subsequent payments, goods received notes, supplier statements) and tracing back to the recorded balance.

In our experience, the assertion framework collapses most often in year two of an engagement. The prior-year risk assessment gets copied across, the team SALYs the procedures, and nobody revisits whether the assertion that mattered last year is still the assertion that matters this year. This is the finding that generates more RNs from our EQCR partner than any other single topic, and it is genuinely tedious to fix properly, which is why it keeps happening.

Key standard references

  • ISA 315.12(a): Requirement to identify and assess risks of material misstatement at the assertion level.
  • ISA 315.A190-A202: Categories of assertions for account balances, transaction classes, and presentation and disclosure.
  • ISA 300.9: The audit plan shall include a description of the nature, timing, and extent of planned risk assessment procedures and further audit procedures at the assertion level.

Frequently asked questions

What are the main categories of audit assertions?

ISA 315.A190 splits assertions into three categories: assertions about account balances at period end (existence, rights and obligations, completeness, valuation and allocation), assertions about classes of transactions (occurrence, completeness, accuracy, cutoff, classification), and assertions about presentation and disclosure (occurrence, completeness, classification and understandability, accuracy and valuation).

Why must risks be identified at the assertion level?

ISA 315.12(a) requires assertion-level risk identification because a generic risk ('revenue may be misstated') does not tell you which assertion is at risk. Without specifying whether the risk is occurrence, completeness, accuracy, or cutoff, the procedures designed in response may test the wrong thing entirely.

What is the difference between assertions and audit objectives?

Assertions are management's representations embedded in the financial statements. Audit objectives are what the auditor sets out to achieve when testing those assertions. The assertion is 'this receivable exists.' The audit objective is 'obtain sufficient appropriate evidence that the receivable exists.' One belongs to management, the other to the auditor.
