What is Reasonable Assurance?
The AICPA defines reasonable assurance as a high, but not absolute, level of assurance. In an audit, that means perfection is not the goal because absolute assurance is not obtainable. Instead, auditors use reasonable assurance in their testing to come to a practical conclusion about the details of your organization’s security controls. At KirkpatrickPrice, our Information Security Specialists provide expert audits that focus on accuracy, attention to detail, and skilled efforts to meet standards of reasonable assurance.
During the audit process, our senior-level auditors use three guiding practices to ensure a thorough audit is performed: interview, observe, review. These practices enable our auditors to gain a certain quantity and quality of data in an effort to reach a level of reasonable assurance.
During the many stages of an audit, the Information Security Specialist designated to an organization will engage in direct discussion through weekly conference calls, our Online Audit Manager, and face-to-face conversations. These discussions focus on gaining understanding of an organization’s internal controls already in place and who is responsible for those controls. The interview portion of an audit allows auditors to gain enough information to form conclusions and gain reasonable assurance.
When an auditor makes an onsite visit, they walk through internal processes and confirm an organization is implementing the controls gathered by the auditor in previous discussions. The Information Security Specialist observes the practices, physical security safeguards, and personnel procedures that are applied within an organization. The auditor observes a number of controls that allow for a decision to be made on whether the processes meet compliance standards. By observing large quantities of internal controls during an audit, auditors can provide reasonable assurance that their conclusions are accurate and thorough.
Information Security Specialists also analyze documentation provided by an organization during the audit process. This review of policies, procedures, and other physical documentation is an opportunity for an auditor to understand particular processes that are written into an organization’s frameworks. When reviewing, auditors pay close attention to consistencies in policies as well as physical procedures. These detailed reviews help to foster a higher level of assurance. Once an auditor determines a level of reasonable assurance can be met, they can provide proper education and help clients on the road to compliance success.
Whenever you hire a CPA firm to conduct an audit for you, the threshold that we’re trying to meet is something called reasonable assurance. You can’t have absolute assurance in an audit because, in order for something to be absolute, everything would have to be perfect. We would have to see everything at all times. It’s just not practical and no one wants to spend the money it would take to reach absolute assurance, if that’s even possible. Reasonable assurance means that we have met a level of reasonableness in the testing that we performed. Would someone who has equivalent skills and expertise come to the same conclusions that we did? Did we do enough testing in order to gain that level of reasonable assurance? Is our level of effort that we’re asking you to participate in reasonable under the circumstances when you consider the risk that is involved? This is something to really understand when you go into your audit – that you auditor is going to be trying to reach that level that we call reasonable assurance.