
Executive Summary

IDW Assurance Standard: Principles for the Proper Performance of Reasonable Assurance Engagements Relating to Compliance Management Systems (IDW AssS 980)

1. Background information

Recent changes to legislation in Germany concerning corporate governance have contributed to an increasing recognition of the need for entities to take distinct steps to ensure that their business behavior is satisfactory from a social and legal viewpoint. In this context, monitoring responsibilities assigned to those charged with governance/audit committees in relation to compliance management have been strengthened. As a result, many entities have adopted or established frameworks and principles designed to govern the behavior of their management and employees, and, in some cases, where applicable, third parties involved with the entity's business processes. Using such frameworks as a basis, such entities have introduced, or are in the process of introducing, systems to ensure that their own behavior does not contravene specific requirements, such as laws, regulations and the entity's own internal standards (compliance management systems, or CMS). A CMS forms an integral part of an entity's system of corporate governance. Many entities have also appointed a compliance officer, or have established a similar post, to oversee this area.

There is a corresponding demand from entities to have independent practitioners provide a conclusion on specific aspects of their CMS, either during the design and set up phases or as to their subsequent operation, both for internal and, in case of the latter, external purposes. The IDW Assurance Standard has been issued in response to this demand. However, it is important to stress that an assurance engagement pursuant to IDW Assurance Standard 980 is neither directed at the detection of single instances of non-compliance nor to providing comfort that no such instances have occurred.

IDW AssS 980 also provides an insight into the types of areas entities may seek to address by establishing a CMS, ranging from specific laws, e.g., competition and anti-trust, anti-corruption etc., to business or corporate processes such as tendering practices, payment of commissions and occupational and work safety procedures, and, in this context, explores various frameworks that currently exist, and includes an appendix listing generally accepted CMS frameworks and specific framework designs prevalent in a number of major jurisdictions.

Copyright Institut der Wirtschaftsprüfer in Deutschland e.V., Düsseldorf.

The Standard also includes a table listing and describing the basic components that a CMS could be expected to encompass. This provides a basis for the practitioner to assess the CMS that has been established within an individual entity. These components include the compliance culture, compliance objectives, compliance organization, compliance risks, policies and procedures and organizational measures to respond to these risks, communication relating thereto and, finally, monitoring and (continuous) improvement of the CMS.

2. Objectives

2.1. Entity's objectives in engaging a practitioner to perform an assurance engagement

As mentioned above, during the process of setting up a CMS, an entity's management or its internal governing body (i.e., supervisory board) may wish to have an independent assessment of the overall design approach pertaining to the CMS (i.e., whether the overall approach to design is suitable to reach the objectives. This does not include consideration of specific detailed elements, rather of the overall design approach), or as to the design and implementation (i.e., whether the CMS will be capable of detecting and preventing non-compliance, provided it is implemented as designed, and also whether the system has indeed been implemented). In such cases the practitioner will be engaged to provide a long-form report to the entity's management or its internal governing body. This enables the entity to take necessary corrective action at an early stage in the process of implementing their CMS, or to make certain refinements, where necessary.

External parties, including shareholders, regulators and other parties may also increasingly demand comfort as to whether, in addition to the above, the entity's CMS operated effectively at a specific point in time, or was operating effectively over a given period. In such cases, alongside the internal long-form report, the practitioner may prepare a shorter-form report for wider issuance.

The standard has received considerable support from business enterprises, which would be able to engage an independent practitioner to perform extensive procedures in relation to the operating effectiveness of their CMS and thereby obtain objective evidence that they have exercised due care in respect of their respective leadership responsibilities.

2.2. Practitioner's objective in performing the engagement

As IDW AssS 980 deals with a reasonable assurance engagement, the practitioner's objective is to reduce engagement risk to an acceptably low level in order to be able to form a conclusion, with reasonable assurance, on the following:

for an assurance engagement relating to operating effectiveness, to obtain reasonable assurance about whether the assertions contained in the CMS description about the CMS's policies and procedures are:

  o fairly presented in all material respects, e.g., that all important elements have been included, and are not presented in a misleading way (i.e., the specification of areas to be covered is appropriate and their selection is not biased),
  o in compliance with the applicable CMS principles, suitable for both identifying in due time and with reasonable assurance risks of material non-compliance and for preventing such non-compliance with reasonable assurance, and
  o that the policies and procedures had been implemented at a given point in time, and were effective, during a given period.

for an assurance engagement relating to the overall design approach, to obtain reasonable assurance about whether the CMS description is fairly presented in all material respects as described above

for an assurance engagement relating to design and implementation, to obtain reasonable assurance about whether the assertions about the design of the CMS included in the CMS description are fairly presented in all material respects as described above, are suitable for both identifying in due time risks of material non-compliance and for preventing such non-compliance with reasonable assurance, and have been implemented.

3. Requirements relating to the performance of the engagement

3.1. Professional and ethical obligations

For each engagement, the Standard requires the practitioner to comply with professional obligations, which include independence, confidentiality and due care and also to exercise professional skepticism in performing the engagement. Engagement quality control procedures such as direction and review of work performed are also required.

3.2. Engagement acceptance procedures

Before accepting the engagement the practitioner is required to consider whether it is appropriate to do so. This involves certain considerations that are common to audits of financial statements, i.e., whether the practitioner is competent to perform the engagement in terms of knowledge and experience, agreeing engagement terms in writing etc., but also considerations specific to this type of assurance engagement, i.e., whether the particular entity's CMS constitutes suitable subject matter for the assurance engagement. For example, without management commitment, no system could be effective, and therefore an assurance engagement would be worthless or misleading. The Standard stresses that the terms of engagement must stipulate that the assurance engagement constitutes an evaluation of the management assertions describing the CMS and does not cover whether the entity actually complied with all relevant regulations, etc.

3.3. Risk-based approach

The Standard requires the practitioner to plan and perform the engagement following a risk-based approach. The practitioner is required to obtain an understanding of the entity's legal and economic environment. The practitioner also has to evaluate the management assertions included in the CMS-Description in terms of design, basing this on the components identified in the Standard explained above.

3.4. Further aspects of the engagement

Other aspects of the assurance engagement that the Standard covers include materiality, using the work of an expert, events after the period subject to the assurance engagement, obtaining written management representations (here the Standard stipulates that, should management refuse to provide written representations, the practitioner must disclaim a conclusion), evaluating results and forming a conclusion. In reaching a conclusion, the practitioner is also required to consider whether it has become evident during the engagement that the CMS description: is potentially unsuitable subject matter for the assurance engagement, contains inappropriate generalizations or unbalanced and biased descriptions, has been based on CMS principles that are not suitable for purpose, or could otherwise be misleading to the users of the report.

This "misleading test" includes a consideration of whether the delineated areas are appropriate. For example, if the officers have selected only certain areas, and purposefully excluded other relevant areas (e.g., areas with which compliance might be more difficult or less desirable for the entity) the practitioner would likely conclude that such presentation would potentially give a misleading view to users. In such cases the practitioner is required to issue an adverse conclusion.

4. Communication and follow-up procedures

The Standard requires the practitioner to inform management in the event that the practitioner has either detected, or had reason to suspect, that an incidence of non-compliance has occurred. It clarifies that management is responsible for investigating such incidences and also for establishing why the entity's CMS failed to detect and prevent such an occurrence. The practitioner is, in turn, required to evaluate management's findings and evaluate whether the occurrence indicates a deficiency in the CMS. The Standard specifies that, without further supporting evidence, the practitioner cannot assume it to be an isolated incident. In addition, the practitioner is required to notify the entity in advance of any matters to be reported, which in the practitioner's opinion necessitate an immediate reaction on the part of the entity. Finally, the practitioner is required to identify whether he or she has any further duties to report, for example, depending on the form of entity, there may be an obligation to report to the supervisory board.


5. Documentation and Reporting

5.1. Documentation and working papers

The Standard specifies particular matters that the practitioner must document in this type of assurance engagement, and also, analogous to ISA 230, requires the documentation be sufficient to enable an experienced practitioner, having no previous connection with the assurance engagement, to form a view of the engagement performance and conclusions within an appropriate time. The standard also clarifies that the practitioner uses his or her professional judgment in deciding the form and content of the engagement documentation.

5.2. Reporting

The Standard requires the practitioner to prepare a written assurance report on the engagement (long-form assurance report). The content stipulated in the Standard follows that of ISAE 3000; however, the Standard also specifies that the CMS-Description be appended to the report, and any information not subject to the assurance engagement be clearly differentiated. Example reports for each engagement covered by the Standard are included in the appendices. As explained above, in respect of those engagements which cover the operating effectiveness of the CMS it is also possible to issue a shorter-form report.

6. Compliance with international standards

The IDW Assurance Standard complies with the International Framework for Assurance Engagements and also the current version of the International Standard on Assurance Engagements 3000: Assurance Engagements other than Audits or Reviews of Historical Financial Information, both of which are pronouncements issued by the International Auditing and Assurance Board (IAASB). This is the first IDW Standard to have been prepared using the so-called clarity convention adopted by the IAASB in redrafting the International Standards on Auditing. Accordingly, the Standard includes introductory material, objectives, requirements the practitioner must follow, and supplementary application and other explanatory material, together with appendices.

7. IDW's due process in standard setting

The IDW's due process involved the development of a draft IDW AssS 980 by a working group comprised of practitioners with expertise in assurance engagements and compliance management. This draft was, where appropriate, refined and approved by the IDW's Auditing and Accounting Board prior to its issuance as a draft standard for public comment, with a comment period of six months. Initiatives were taken to introduce the draft Standard to diverse representatives from industry as well as larger confederations and associations. The IDW's working group then considered the various comments received and the IDW held two hearings with interested parties, including representatives from a number of major German listed companies and compliance officers from some of the larger German companies, before amendments to the draft were put forward for presentation to the IDW's Auditing and Accounting Board for final amendment to, and approval of, the final standard.

In conclusion: The development of IDW AssS 980 has attracted considerable interest from a wide range of stakeholders within Germany.

Date: 19 April 2011
