What is Reasonable Assurance?

ISA 200.5 defines reasonable assurance as a high, but not absolute, level of assurance. It is achieved by reducing audit risk to an acceptably low level through the audit risk model defined in ISA 200.17. The auditor assesses inherent risk and control risk for each significant class of transactions, account balance, and disclosure, then designs substantive procedures and tests of controls to reduce detection risk so that overall audit risk is acceptably low.

The conclusion is expressed in positive form: “In our opinion, the financial statements present fairly, in all material respects…” This contrasts with limited assurance’s negative form (“nothing has come to our attention”). The positive form reflects the higher level of evidence obtained and the more extensive procedures performed.

ISA 330.6 requires the auditor to design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement. The risk assessment drives the response. Higher assessed risk requires more persuasive evidence, not simply more of the same procedures.

Key Points

  • High but not absolute — ISA 200.5 acknowledges inherent limitations that prevent certainty.
  • Achieved through the audit risk model (ISA 200.17): assess inherent and control risk, then reduce detection risk through responsive procedures.
  • Positive-form opinion reflects the higher evidence threshold compared to limited assurance.
  • ISA 200.A53 lists inherent limitations: selective testing, persuasive rather than conclusive evidence, internal control limitations, and professional judgment.

Why it matters in practice

Practitioners sometimes treat “reasonable assurance” as “enough work to feel comfortable.” That is not what the standard requires. ISA 200.17 requires the auditor to reduce audit risk to an acceptably low level through a structured process: assess risks, design responses, perform procedures, evaluate results. “Feeling comfortable” is not a substitute for completing that process.

FRC inspection reports consistently flag files where practitioners issued unmodified opinions without sufficient appropriate evidence on significant areas. The most common pattern: the team performed procedures, but the procedures did not address the assessed risks. Testing the existence of revenue when the risk relates to cut-off does not reduce detection risk for the identified risk, no matter how thoroughly existence was tested.

ISA 200.A53 explains why reasonable assurance cannot be absolute. Audits use selective testing rather than examining every transaction. Evidence is persuasive rather than conclusive. Internal controls have inherent limitations. And the auditor exercises professional judgment throughout. These are not deficiencies in the audit — they are structural characteristics of the engagement that the standard explicitly acknowledges.

Key standard references

  • ISA 200.5: Defines reasonable assurance as a high, but not absolute, level of assurance.
  • ISA 200.17: Establishes the audit risk model as the mechanism for achieving reasonable assurance.
  • ISA 200.A53: Lists the inherent limitations that prevent absolute assurance.
  • ISA 330.6: Requires further audit procedures responsive to the assessed risks of material misstatement.

Frequently asked questions

Why isn't reasonable assurance absolute?

ISA 200.A53 lists inherent limitations: selective testing (not every transaction examined), persuasive rather than conclusive evidence, inherent limitations of internal control, and the use of professional judgment. Absolute assurance is impossible.

How does the auditor achieve reasonable assurance?

By reducing audit risk to an acceptably low level through the audit risk model (ISA 200.17). The auditor assesses inherent and control risk, then designs procedures to reduce detection risk so that overall audit risk is acceptably low.