Home > Risk > Just what is “reasonable assurance”?

Just what is “reasonable assurance”?

Do we care what this term means? We should, because it should guide assessments of internal control by management, internal audit, and external audit (and the latter use it when they express an opinion on the financial statements). It also comes into play as internal auditors and management assess the adequacy of governance and risk management processes.

Is it, as the SEC and PCAOB once told me “a term of science”? Not really. It all comes down to professional judgment by a reasonable or prudent person: judgment as to the level of risk that the assessment is incorrect.

There are regulations that guide the external audit firms and define what reasonable assurance should mean when they use the term.

Auditing Standard Number 5 (AS5) says:

“Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes…….. The auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment……………….. When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.”

AS5 points to AU sec. 230, Due Professional Care in the Performance of Work for a definition of reasonable assurance. However, that document doesn’t provide a great deal more clarification:

“While exercising due professional care, the auditor must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by the auditor is expressed in the auditor’s report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement.”

The guidance continues:

“The independent auditor’s objective is to obtain sufficient appropriate audit evidence to provide him or her with a reasonable basis for forming an opinion. The nature of most evidence derives, in part, from the concept of selective testing of the data being audited, which involves judgment regarding both the areas to be tested and the nature, timing, and extent of the tests to be performed. In addition, judgment is required in interpreting the results of audit testing and evaluating audit evidence. Even with good faith and integrity, mistakes and errors in judgment can be made. Furthermore, accounting presentations contain accounting estimates, the measurement of which is inherently uncertain and depends on the outcome of future events. The auditor exercises professional judgment in evaluating the reasonableness of accounting estimates based on information that could reasonably be expected to be available prior to the completion of field work. As a result of these factors, in the great majority of cases, the auditor has to rely on evidence that is persuasive rather than convincing.”

OK, what does this all mean? There are some key phrases:

  • “the level of detail and degree of assurance that would satisfy prudent officials that they have reasonable assurance”
  • “audit risk will be limited to a low level that is, in his or her professional judgment, appropriate”

It all comes down to the judgment of a prudent person or official.

AS5 and AU sec.230 both point to the fact that absolute or perfect assurance is impossible. They are concerned about assurance over financial reporting and their opinion on the system of internal control and the financial statements.

What does the COSO Internal Control – Integrated Framework (2013) say? It also refers to reasonable assurance:

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

It goes on to say that internal control is “able to provide only reasonable assurance, not absolute assurance”.

“The term ‘reasonable assurance’ rather than ‘absolute assurance’ acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible. Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all internal control systems, such as human error and the uncertainty inherent in judgment. Additionally, a system of internal control can be circumvented if people collude. Further, if management is able to override controls, the entire system may fail. In other words, even an effective system of internal control can experience a failure.”

So, let’s see if we can come up with something that makes practical sense.

Let’s start with saying that a system of internal control is designed to ensure risks to the achievement of objectives are within desired levels. But, there are limitations inherent in any system of internal control, as described by COSO in the excerpt above.

How much risk should we take that the system of internal control will fail, with significant implications for the achievement of objectives? How much should we spend on controls to limit the risk? That is a matter of judgment: management and the board, as appropriate, should decide. In some cases, regulation and law may guide the definition of an acceptable level of risk that the system of internal control will fail. In all cases, whether a reasonable person (or official) would agree should be a consideration.

If the level of risk that the system of internal control will fail is acceptable, we can call the system of internal control effective.

But the problem is not quite that easy. We also have to consider the use of the term in an auditor’s opinion. External and internal audit seek reasonable assurance that the system of internal control is effective. Said another way, the auditors seek reasonable assurance that the system of internal control provides reasonable assurance that risks to the achievement of objectives are at acceptable levels.

Here, we are talking about the level of risk that the assessment by the auditor is incorrect. Again, the judgment of a prudent person or official comes into play. For the reasons expressed in AU sec.230, an auditor cannot be certain that his assessment is correct.

OK, so what does this all mean?

As I said earlier, this is not a matter of science. It is a matter of judgment and common sense. Professional auditors are presumed to have both and should be required to exercise both when making assessments.

Where am I going with this?

I believe that external auditors, management, and internal auditors should be prepared to form and express opinions on the adequacy of internal control, management of risk, governance processes, and more. They should rely on, without qualms, their common sense and judgment in that process. Perfect assurance that the system of internal control is perfect is doubly impossible. Reasonable assurance based on professional judgment is possible.

I welcome your comments and perspectives.

PS. I will write a post shortly about the form an internal auditor’s opinion might take on the adequacy of an organization’s overall processes for governance, management of risk, and internal controls.

  1. Graham
    August 13, 2013 at 7:54 AM

    I find your comment very interesting, however it all comes down to what is the definition of reasonable.
    Reasonable is not a scientific term and so one cannot define it unequivocally. It has too much wriggle room since it dependant not only on the circumstances that are being looked at but also the qualities of the auditor.
    It would be OK (reasonable) to define the qualities expected of an auditor in terms of experience and qualification and the judgment ability he/she should have, but this is not easy and most auditors would not have all of them or would have more or different ones.
    Two qualified, experienced people both with plenty of common sense could have a different view on whether something is reasonable.

    So it goes round in circles and I don’t think that there is a ‘reasonable’ answer.

  2. Lawrence Ellefson
    August 13, 2013 at 7:57 AM

    It’s the same standard we apply in criminal law where the government is required to provide evidence “beyond a reasonable doubt”. The problem is, one persons definition of “reasonable doubt” or “reasonable assurance” may be different than another persons definition. This will always be an issue as long as human “reason” is required.

  3. Jim DeLoach
    August 13, 2013 at 9:09 AM

    Lawrence gets to a key point. The reality of “reasonable assurance” is that, when we make a judgment, at the end of the day the question will be whether that judgment will hold up under scrutiny by others (in a court of law, a PCAOB inspection or a regulatory review) given the facts and evidence we had available and the scope of our fact gathering.

  4. August 13, 2013 at 2:56 PM

    The real question here is whose judgement is being used. We auditors use our professional judgement, so in that sense we are being the ‘reasonable person’. Ultimately this comes to risk appetite both in terms of managing the business risk being assessed and the assurance that this assessment of risk is accurate. Auditors do apply their own judgement as to what is reasonable, but contextualise it to the business being audited. If a company or client organisation has a strong risk appetite, for argument’s sake say Enron, that is clearly outside of reasonable, then it is the auditor’s responsibility to say that this is ‘unreasonable’ by public standards. This is what the UK IIA is saying in its ethical and professional guidance that I think you were critical of in a previous post of yours. Yes internal auditors have a public and moral duty.

    In the UK we have the legal use of reasonable being defined as what would the average person on the Clapham Omnibus think. A quaint British way of expressing common sense.

  5. August 13, 2013 at 7:06 PM

    After years of SOX, PCI, and 27002 “audits” from both sides of the table I am convinced that the only reasonableness that should be expected is the perception of assurance. Unless, of course, quantitative methodologies are applied to validate qualitative opinions. FAIRiq can enable such validations.

    From my experience, both PCI and SOX control compliance expectations are unevenly applied with strict interpretations being forced only onto household name brands.

  6. Jan Blanckaert
    August 14, 2013 at 8:09 AM

    it’s all sound a bit too academic to me .
    The goal is not just that the objectives are achieved but they should be achieved efficiently . And to give an opinion of reasonable assurance that objectives are reached efficiently , is may be a bit too much for the majority of the auditors ( as all surprises in enterprise results remind us daily ).
    I believe when we discuss too much on a high conceptual level , the discussion become of little added value for the front line employees( trying to contribute achieving the enterprise objectives by servicing the needs of the it’s enterprise customers) .

  7. tpkatsa
    September 9, 2015 at 2:13 PM

    I agree that “reasonable assurance” is difficult to quantify. In my understanding the term describes a likelihood of control objectives being met. Obviously, it’s more than a coin flip (50%), but seems to be less than say, “three-nines reliability.” (99.999%). Personally I interpret “reasonable assurance” as a confidence level somewhere between 80% and 95%.

    I drive my car because I have “reasonable assurance” that my car has been built properly and will perform as intended. An accident is probably survivable provided I’m wearing my seat belt and don’t get into the very unlikely situation of being hit head-on by a bus. There are no guarantees, but I take the risk because I am in control of the car, and my chances of surviving an accident are usually good.

    However, a standard of “reasonable assurance” is generally not sufficient, for example, for commercial flight operations serving the public. Would you want to be a passenger on an airplane if there were only “reasonable assurance” that its air frame, engines and avionics were correctly maintained and serviced, or only “reasonable assurance” that its pilots had undergone the training required to safety operate the aircraft? Probably not. For airline operations we generally want four nines reliability or better (99.9999%), and we want more than a “reasonable assurance” that crews are properly certificated.

    “Reasonable assurance” is usually “good enough” in those fields where things that go wrong are unlikely to involve the loss of human life or limb. The greater the probability that a mishap will result in the loss of human life or limb, the less satisfactory “reasonable assurance” becomes.

    Thomas K

  1. December 28, 2020 at 10:37 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: