Figure 8 — The assurance engagement process: Planning
During the planning stage, the audit team leader assesses whether the emissions, energy, offsets or production information or compliance matters can be audited and what the most efficient and effective way of conducting the assurance engagement will be.
Thorough planning allows the audit team leader to develop tailored assurance procedures to address the assurance risks identified. These procedures form the basis of the assurance engagement plan, which assists the audit team leader to gather sufficient appropriate evidence to support the conclusion in the assurance engagement report.
Having conducted the preparing procedures and agreed the assurance engagement terms, the audit team leader now conducts a risk assessment to understand and evaluate the risks inherent in what is to be audited—the audited body’s emissions, energy, offsets, production or other information or other compliance requirement—and its related underlying systems, processes and controls.
The purpose of the risk assessment is to determine which areas of the assurance engagement are likely to involve higher levels of risk of material non-compliance or misstatement. The audit team leader uses this information to design assurance procedures that reduce the risks to an acceptable level and form the basis of the assurance conclusion.
The risks identified and procedures developed must be documented in the assurance engagement plan on the audit file. The 'audit file' is the electronic or hard copy file maintained by the auditor containing the documentation of the audit procedures. Additional guidance on what an assurance engagement plan should contain is included in
section 5.3.8 of this handbook.
The risk assessment is required to be performed by the audit team leader, so that the auditor specifically develops an understanding of the audit risk, inherent risk, detection risk and control risk associated with the audited body’s compliance with the relevant legislation and its related systems, processes and controls. The specific risks are explained below.
Audit risk is simply the risk that the audit team leader will issue the wrong assurance conclusion. For example, the risk that an adverse conclusion is not reached because the audit team leader fails to detect material misstatement(s) in the audited body’s reported emissions, energy, offsets, production or process flow diagrams or detect material non‑compliance with requirements or activity descriptions, which are being assured. Audit risk is therefore the risk to the audit team leader’s firm of signing off on an incorrect assurance conclusion.
For example, the audit team leader may issue an unqualified assurance conclusion when a qualified or an adverse assurance conclusion should have been issued. This might occur where a material misstatement exists in the reported information or a material non‑compliance with requirements exists, but remains undetected. This may be due to inadequate planning, resulting in insufficient procedures being performed to gather sufficient appropriate evidence.
Audit risk is unavoidable in practice, as it is not possible for an audit team leader to obtain absolute assurance that all material misstatements or non-compliance have been detected. However, it can be mitigated through effective and thorough preparing, planning, performing and reporting procedures, as outlined in this handbook.
Inherent risk can be expressed as the inherent likelihood of there being material misstatements in the emissions, energy, offsets, production or other information reported, or there being non-compliance with relevant requirements, despite the impact of any mitigating controls implemented by the audited body.
Inherent risk is dependent on a combination of wide-ranging factors, from those that affect the audited body as a whole (for example, the scope and complexity of the operations) to those that affect single measurements or calculations (for example, the reliability of electricity meters or emissions estimates).
Detection risk is the risk that the audit team leader will not detect a misstatement or non‑compliance that exists that could be material, either individually or when aggregated with other misstatements or non-compliance. Detection risk increases if assurance procedures are performed in an ineffective manner, or if procedures are designed poorly.
For example, an audit team leader is reviewing the accuracy of an emissions calculation, but has not reviewed or tested the source data supporting the calculation. In this instance, detection risk would increase as the calculation may be performed accurately, but if the underlying data is unreliable (for example, due to transcription errors in supporting spreadsheets or unreliable estimates made in preparing the input data), the audit team leader could miss a material misstatement in the reported emissions and energy information.
Control risk is the risk that a misstatement or non-compliance could occur and that it could be material and will not be detected and corrected or prevented by the audited body’s internal control systems.
For example, a transcription error during manual data entry from a spreadsheet into a reporting tool such as the Emissions and Energy Reporting System (EERS), which has not been picked up by the manual review of the EERS submission performed by management.
It is highly likely that through this process the audit team leader will identify either significant risks, or areas of the assurance engagement where there are likely to be significant risks.
Rather than seek to address these risks now, the audit team leader must use the risk assessment process to design the mix of assurance procedures necessary to address the identified risks during the performing stage. These assurance procedures are then documented in the assurance engagement plan. See section 5.3.8 of this handbook for further guidance on the assurance engagement plan.
Company X, a solid waste disposal company operating landfill facilities, prepared a statement of its greenhouse and energy information for the reporting year ending 30 June 2012. The statement was prepared in accordance with management’s greenhouse gas manual which was their interpretation of the NGER Measurement Determination. Company X requested that the audit team leader provide assurance over the 2011–12 greenhouse and energy statement.
This case study focuses on the process the audit team leader might take in observing Company X’s systems, processes and controls (see section 3.10(c) of the NGER Audit Determination): one of the elements of performing the risk assessment.
The audit team leader observed the controls surrounding Company X’s systems and processes for calculating greenhouse gas emissions resulting from landfill facilities.
Specifically, the audit team leader observed that management’s calculation of greenhouse gas emissions relied heavily on management estimates and assumptions made using tonnage information. This approach was necessary due to operational limitations that made directly measuring greenhouse gas emissions impractical.
The audit team leader made enquiries into whether the weighbridges used to measure the waste tonnage and equipment used in compositional testing had been calibrated.
It was noted that the weighbridges and equipment used by Company X to measure tonnes and composition of waste respectively were not regularly calibrated. The audit team leader assessed these as significant control weaknesses, which greatly increased the risk of misstatement in the reported greenhouse gas emissions from the landfill facilities.
The audit team leader documented the findings of the risk assessment on the assurance engagement file and planned to perform additional evidence gathering during the performing stage, due to the control weaknesses identified.
Preliminary analytical procedures are an example of an important tool the audit team leader can use in the risk assessment. They are used to develop the audit team leader's understanding of the risks inherent in the reported emissions, energy, offsets, production, other information or compliance matter to be assured.
The results of the preliminary analytical procedures performed should allow the audit team leader to develop a preliminary assessment of the likely areas where there are risks of material misstatement of the reported emissions, energy, offsets, production or other information or non-compliance with the relevant legislation. This information is then incorporated into the development of assurance procedures and the assurance engagement plan.
Preliminary analytical procedures are not only concerned with the accuracy and quantity of emissions, energy, offsets, production or other information to be assured, but also with the complexity of calculations, the accuracy of underlying data and the completeness of emissions, energy, offsets or production sources.
Typical preliminary analytical procedures may include:
Refer to section 5.4.3 of this handbook for further guidance on analytical procedures.
Section 3.11 of the NGER Audit Determination lists the requirements for assessing systems and processes.
The audit team leader must assess the audited body’s systems and processes. This assessment should be accompanied by an assessment of the controls the audited body has in place to mitigate the risk of material misstatement in the subject matter or of material non-compliance.
The purpose of assessing the systems, processes and controls is to better understand which areas of the assurance engagement are likely to involve higher levels of risk, due to insufficient or poor internal controls over the accuracy and completeness of the reported information or the audited body’s compliance with the relevant requirements.
The audit team leader can then design assurance procedures to tackle these risks. This process is important for the audit team leader to be able to perform the assurance engagement effectively by investing more time looking at areas which are more likely to contain errors, misstatements or non-compliance.
The initial risk assessment could include:
Depending on the scope and complexity of the assurance engagement, there may be a need for further targeted risk assessment procedures. The audit team leader needs to apply professional judgement to determine if additional procedures are required.
The audited body’s systems and processes are designed to provide assurance to management, and those charged with governance, of the achievement of the audited body’s risk management objectives. These systems and processes can be grouped and termed the audited body’s 'internal control system'.
The internal control system is typically designed to address business risks that threaten the achievement of the audited body’s objectives; including the objective of complying with the relevant legislation and regulations.
Section 3.9 of the NGER Audit Determination outlines the requirements for risk assessment.
The audit team leader tests the operating effectiveness of the audited body’s controls used to prevent, detect or correct non-compliance or misstatements in the subject matter, if the audit team leader seeks to rely on those controls to reduce direct testing (tests of detail) of the subject matter.
Guidance is given below on the procedures that could be performed to assess the internal control system as part of the risk assessment. Refer to section 5.4.2 of this handbook for guidance on tests of controls.
An assessment of the internal control system would include an evaluation of each of the following components of the internal control system:
The audit team leader finds that there are no effective internal systems, processes and controls and so cannot place any reliance on them.
This does not mean that the assurance engagement is not possible, but it will mean that additional tests of detail (checking source documentation such as invoices) will be required to gain the comfort necessary to support the assurance engagement report.
Refer to the performing stage for guidance on substantive tests of details (section 5.4.5 of this handbook).
The audit team leader is able to design a suitable mix of assurance procedures to perform the assurance engagement. The knowledge gained of the audited body’s reporting process will be useful in evaluating the results of the assurance procedures.
The audit team leader finds the performance of the manual controls applied in the reporting process are not documented.
The audit team leader must evaluate whether there is sufficient evidence to be able to place reliance on the effective operation of the manual control.
This issue is common where there are manual reviews of information or reports which are not subsequently marked as reviewed or signed off.
The audit team leader may not be able to place reliance on the operation of a control where there is no documentation to support its operation. This could be raised with the audited body’s management separately from the auditor’s report as a process improvement recommendation.
During the planning stage the audit team leader must confirm their initial assessment of the audited body’s criteria and subject matter. It is vital for the audit team leader to recognise the wide-ranging effect of this assessment. Initially it has the potential to affect the terms of the engagement and during the planning stage the criteria and subject matter need to be considered in developing the assurance procedures and documenting the assurance engagement plan.
The criteria for the purposes of assurance engagements conducted under the NGER Audit Determination is the relevant legislation and subordinate legislation, particularly the NGER Measurement Determination and the methods under the Emissions Reduction Fund (see section 1.4 in this handbook for further information regarding criteria for audits under the different schemes administered by the Clean Energy Regulator). Without the frame of reference provided by suitable criteria, any conclusion reached by the audit team leader is open to individual interpretation and misunderstanding.
The audited body should document its interpretation and application of the criteria and the audit team leader must assess whether the audited body’s criteria is consistent with the requirements of the relevant legislation.
The audit team leader must document their assessment of the audited body’s interpretation and application of the criteria during the risk assessment.
In the event that the auditor’s assessment indicates the audited body’s interpretation and application of the criteria is not suitable, the auditor should discuss the impact of the required changes to the criteria with the audited body.
If the criteria are not altered, the auditor must consider whether they are able to reach an assurance engagement conclusion and if not the auditor may need to proceed to the reporting stage or consider withdrawing from the engagement.
The term ‘subject matter’ mentioned in this guidance is equivalent to ‘matters to be audited’ as stated in the NGER Audit Determination.
The subject matter is the information prepared by the audited body under the appropriate legislation or the audited body’s compliance with other requirements of the legislation (see section 1.4 of this handbook for further information regarding the subject matter for audits under the different schemes administered by the Clean Energy Regulator).
The manner in which the subject matter is agreed differs between engagements and will be one of the following:
The assurance conclusion is the audit team leader’s independent assessment of the matter to be audited against the criteria. Thus the auditor must assess whether the subject matter is appropriate. At a minimum, where the matter to be audited is emissions and energy information reported by the audited body to the Clean Energy Regulator, this assessment would include:
In the event that the assurance engagement is being performed prior to submission of information to EERS, the auditor must perform a more thorough assessment of the subject matter against the characteristics shown in the table below.
Identifiable, and capable of consistent evaluation or measurement against the identified criteria.
The subject matter should be sufficiently clear and unambiguous to be evaluated against the audited body’s criteria consistently by different parties.
For example, greenhouse gas emissions information from the consumption of natural gas prepared using the audited body’s Criterion A (invoices) and measured using default emission factors could be considered to be identifiable and capable of consistent evaluation, due to the specificity of the NGER Activity data and emissions factors used.
The information about the subject matter can be subjected to procedures for gathering sufficient appropriate evidence to support a reasonable assurance or limited assurance conclusion, as appropriate.
The auditor should be able to seek reliable information to support their assurance of the subject matter.
For instance, this may be third party supplier invoices, or readings taken from regularly calibrated internal metering systems.
Audit team leaders must assess and document their findings on the appropriateness of the audited body’s subject matter using the characteristics above as part of the risk assessment.
If the auditor concludes that the subject matter is not appropriate, they should discuss the inadequacies with management and only proceed with the engagement if the inadequacies can be addressed to the audit team leader’s satisfaction. If this is not the case, the auditor may be required to report that they are unable to form a conclusion or withdraw from the engagement.
Materiality is a concept used by auditors in determining the nature, timing and extent of procedures required, and to assess the relative significance of identified misstatements or non-compliance in the context of the overall reported information or compliance requirements. Information is material if its misstatement or non-compliance could influence the decisions of users of the greenhouse and energy information.
Misstatement is defined in the NGER Audit Determination as follows: 'Misstatement, in relation to a matter being audited under an assurance engagement, means an error, omission or misrepresentation in the matter relating to compliance with the NGER Act or the NGER Regulations, or the CFI legislation or associated provisions.'
An evaluation of whether a misstatement or non-compliance is material is based on the audit team leader's assessment of:
The materiality of misstatements or non-compliance must be considered individually and in aggregate with all other qualitative and quantitative misstatements or non-compliance.
Quantitative materiality is used to define a level or threshold of misstatements or non‑compliance which may affect the decisions of a user of the greenhouse and energy information, and therefore be material. The NGER Audit Determination does not set a quantitative materiality threshold and audit team leaders must use professional judgement in setting the level of materiality.
As a starting point for determining materiality, a percentage may be applied to a chosen benchmark. The benchmark that is appropriate for determining materiality for the report or application as a whole or for the compliance matter will depend on the circumstances and subject matter of the engagement. In the absence of other circumstances, the benchmark chosen is in the context of the assurance being sought: if the subject matter of the engagement is at a group level, the materiality will be based on benchmarks for the group; and if assurance is on a single facility, then the benchmark will be at a facility level.
Examples of benchmarks for overall materiality which may be appropriate, depending on the nature of the engagement, include:
The percentage applied to the benchmark to determine overall materiality will depend on the circumstances of the engagement and the amounts or volumes which may influence the decisions of users.
Performance materiality is usually set below the overall materiality so that the aggregated uncorrected or undetected misstatement is not likely to exceed overall materiality. If only one source is reported, it may be appropriate for performance materiality to be set at the same amount as overall materiality. It is not simply a mechanical calculation but involves the exercise of professional judgement.
Overall, materiality and performance materiality, including the percentages and benchmarks on which they are based, are documented in the assurance engagement plan.
Qualitative materiality is used to define a level of misstatement or non-compliance that does not relate to a magnitude of greenhouse gases or energy. In determining qualitative materiality, an auditor needs to consider the misstatement in the context of information that is relevant to users of the greenhouse and energy information and regulatory reporting.
An assessment of qualitative materiality must include an assessment of whether the misstatement or non-compliance is significant to the particular audited body, whether it is pervasive, and the effect it has on the information or the audited body’s compliance as a whole. In combination these considerations should determine whether the misstatement or non-compliance may affect the decisions of a user of the information.
Examples of qualitative factors are:
Materiality needs to be considered during the risk assessment phase and revised during the course of the assurance engagement so that the extent and type of procedures conducted adequately reflect the risk of material misstatements in the reported information or non‑compliance.
Auditors must document materiality for the subject matter as a whole and for specific matters (such as particular emissions or compliance requirements) if appropriate, as well as any subsequent revision to materiality during the audit.
Any misstatements or non-compliance identified that are considered immaterial individually or in combination with other misstatements or non-compliance must be summarised and discussed with management and reported in Part B of the audit report. See section 5.5.3 of this handbook for further guidance on the summary of uncorrected errors.
An audit team leader’s assessment of materiality and the audited body’s assessment of uncertainty are separate concepts.
Materiality refers to the audit team leader’s assessment of the significance of a misstatement or non-compliance in the context of the reported greenhouse and energy information or the compliance requirements. Information is judged as material if its omission, misstatement or non-compliance could influence the decisions of users of the greenhouse and energy information such as the Clean Energy Regulator.
Uncertainty refers to the audited body’s assessment of the potential level of inaccuracy in their reported greenhouse and energy information. The audited body should be following the guidance on the calculation of statistical uncertainty contained in the NGER Measurement Determination.
The two concepts can be confused as they are often both expressed in percentage terms. This is most commonly found in a situation where the audited body’s assessment of uncertainty in percentage terms is greater than the audit team leader assessment of materiality.
In such situations, the audit team leader must:
The auditor finds lots of small errors, but no individually material errors. How does this impact the assurance engagement report?
The auditor must maintain a summary of uncorrected errors throughout the assurance engagement.
The cumulative and individual value of the errors must be considered during the completion phase. For a reasonable or limited assurance conclusion to be issued, sufficient adjustments should be made by the audited body to the final reported information such that the sum of errors noted is immaterial and no individually material errors remain.
The final reported information does not contain errors noted which are either individually, or in aggregate, material to the reported information as a whole.
If the relevant information has already been submitted to the Clean Energy Regulator, the auditor and audited body must consider whether any adjustments are required. Where there are no material misstatements, either individually or in aggregate, adjustments may not be required to be made.
The auditor developed the judgement of materiality at the planning stage, but the final information is different from that available at the planning phase, or the circumstances have changed which impacts on the audit team leader risk assessment and assurance engagement plan.
Materiality is a judgement call based on the available data and circumstances. When either of those factors changes, the audit team leader’s assessment of materiality must change accordingly.
The auditor must revisit the materiality assessment throughout the engagement and at least at the reporting stage prior to the assurance engagement report being signed, to determine if additional work is required.
The audit team leader final conclusions expressed in the assurance engagement report are based on judgements made using the final materiality set using final data.
The results of the risk assessment phase are used to determine and document in the assurance engagement plan the assurance procedures to be performed. In particular the level of assurance risk determined in each area of the reported greenhouse and energy information, the materiality assessment and the results of the assessment of the audited body’s systems, processes and controls.
The greater the level of assurance risk, the more detailed the assurance procedures required. The procedures need to be robust enough to ensure sufficient appropriate evidence is obtained to reduce the level of assurance risk to an acceptable level to support the assurance conclusion.
The following factors contribute to lower assurance risk:
Once the assurance risk has been established the auditor needs to determine if reliance can be placed on the internal controls. The extent to which the auditor can rely on internal controls will determine the mix of assurance procedures to be performed. Typically:
As shown in the assurance engagement process flow chart (Figures 2 to 5), the performing stage of the assurance engagement can include tests of details and controls testing. Tests of details are focused on analytical procedures, inspecting supporting records and documentation, observation, external confirmation, re‑performing calculations and enquiry.
Paragraphs 56 and 57 of ASAE 3000 Assurance Engagements other than Audits or Reviews of Historical Financial Information contain additional guidance on sufficiency and appropriateness of audit evidence.
The audit team leader must ultimately determine the nature, timing and extent of the testing and review performed based on their professional judgement. The audit team leader could also use the principles contained within the assurance standards. The audit team leader must be consulted on all key decisions made. They must be comfortable with the level of work performed and be prepared to support this if the assurance engagement file is subject to review by internal or external parties.
Additional guidance regarding sufficiency and appropriateness of evidence is provided by ASAE 3000, issued by the AUASB.
This guidance is summarised below:
To reduce inefficiency, it is recommended that an attitude of consultation is adopted within the audit team during the performance of the engagement.
Guidance is given in this handbook on the two key types of evidence gathering procedures: substantive analytical procedures (see section 5.4.3) and tests of details (see section 5.4.5).
See section 3.6 of the NGER Audit Determination for requirements of the assurance engagement plan. Requirements include:
The assurance engagement plan provides for the audit team leader’s assurance approach and how they intend to gather sufficient and appropriate evidence to support the assurance conclusion. The previous stages of the assurance engagement are brought together and discussed among the audit team and with management. The culmination of this process is the assurance engagement plan.
The audit team leader should include in the assurance engagement plan any recommended actions the audited body should take before the performing stage of the assurance engagement.
If such changes are required, they must be discussed and agreed with management before execution of the plan.
The assurance engagement plan is also a handy tool to use in organising the logistical requirements of the assurance engagement, particularly if it is used to communicate:
To help auditors compile a key information request list, a suggested template is included at the end of this handbook. A key information request list is a list of information and supporting documentation required by the auditor to complete the engagement. Preparing in advance of the audit allows the audited body to prepare the necessary information ahead of site visits to its offices to improve the efficiency of the audit.
The NGER Audit Determination provides a list of specific requirements that must be documented in the assurance engagement plan. This list includes matters relating to management of the engagement, the audit team leader’s understanding of the audited body and the subject matter, and the procedures that are expected to be performed.
Section 3.8 of the NGER Audit Determination requires the assurance engagement plan to be reviewed by the audit team leader and amended if the assurance procedures change.
It is important to note the contents of the assurance engagement plan are not fixed and unchangeable. In particular, the assurance procedures are expected to change throughout the engagement depending on the results of procedures that are completed.
Please refer to the audit templates at the end of this handbook for an assurance engagement plan template.
The auditor of Company A, a large petro-chemical production company, has completed the preparing and planning procedures and is documenting the outcomes of those procedures and the proposed assurance approach in the assurance engagement plan. The audit team leader’s key findings from the preparing and planning stages were:
The audit team leader used the assurance engagement plan to base the judgement of the risks identified during the risk assessment and the procedures which would be used to address those risks. As well as including the required components of the assurance engagement plan (see the audit templates at the end of this handbook), the auditor placed particular emphasis on:
By emphasising the items above in addition to the required components of the assurance engagement plan, the auditor communicated to management their assessment of risks of material misstatements and how they would address those risks in the most efficient and effective manner possible.
About The Clean Energy Regulator
Carbon Farming Initiative
Carbon Pricing Mechanism
National Greenhouse And Energy Reporting
Renewable Energy Target
Emissions Reduction Fund
Our Systems And Their Resources
Clean Energy Markets
Data and information
Subscribe to email updates
The Clean Energy Regulator is a Government body responsible for accelerating carbon abatement for Australia.
Follow us on Twitter
Follow us on LinkedIn