A Guide to Audit Assurance: How Do Assurance, Attestation, and Auditing Fit Together?

Understanding audit assurance

In the world of accounting and audit services, assurance, attest, and audit play key roles. The question often arises: What is audit assurance? What is the difference between these three terms? How do they relate or complement each other? A definition check with Merriam-Webster provides the following:

  • Assurance:
    • the state of being assured: such as
      • being certain in the mind
      • confidence of mind or manner: easy freedom from self-doubt or uncertainty also: excessive self-confidence
    • something that inspires or tends to inspire confidence
    • the act or action of assuring someone or something: such as a pledge or guarantee
  • Attest:
    • to affirm to be true or genuine
      • specifically: to authenticate by signing as a witness
      • to authenticate officially
    • to establish or verify the usage of
    • to be proof of
    • to put on oath
  • Attestation:
    • an act or instance of attesting something: such as
      • a proving of the existence of something through evidence
      • an official verification of something as true or authentic
    • the proof or evidence by which something (such as the usage of a word) is attested
  • Audit:
    • Noun definition:
      • a formal examination of an organization’s or individual’s accounts or financial situation
      • the final report of an audit
      • a methodical examination and review
    • Verb definition:
      • to perform an audit of or for
      • to attend (a course) without working for or expecting to receive formal credit


Assurance vs. attestation vs. audits

How Are Audit Assurance, Attestation, and Auditing Related?

What is Meant by Assurance in Auditing?

Assurance provides the overarching umbrella, which provides assurance for the procedures performed. The outcome of the procedures lends credibility to the final deliverable outcome, creates confidence, and reduces uncertainty in the outcome by the recipient of the final deliverable. The resulting actions the recipient takes may be driven by the level of assurance received.

Attest, or attestation, is a component of assurance. An individual or company may provide assurance by attesting to the outcome of a focused engagement.

What Is the Difference Between an Audit and Audit Assurance?

An audit performs the base of assurance services. In every engagement, the audit procedures must be performed in order to reach a conclusion, such as providing an attestation to a targeted party. Providing assurance to the engagement results or compiled information gives the receiver of the results or information confidence regarding reliability.


Audit assurance services & more

What Type of Assurance, Attest, and Audit Services are Available?

Types of Assurance Services in the accounting and auditing world are:

  • Third-Party Assurance Services – Where an independent CPA firm audits the activities of an organization that provides third-party outsourcing services to its customer companies.  The independent CPA firm provides a report of the results of the audit.  The objective of this report is to provide reasonable assurance that contracted services performed by the third-party outsourcing firm are being performed as prescribed.  This report may be distributed to the customer companies and other appropriate parties.  Examples are SOC 1, SOC 2, and SOC 3 engagements.
  • Specialized Audit Services – Where an independent CPA firm performs services customized to a need defined by the party contracting for such services.  These services could be in the areas of IT, valuation, data analytics, and other financial specialist services.

The intended audience or recipient of the final deliverables of the services depends upon the service the engagement falls under.

Attest engagements fall into three areas as stated in the AICPA Statement on Standards for Attestation Engagement (SSAE) No. 18:

  • Examination engagements
  • Review engagements
  • Agreed-Upon Procedures engagements

As stated in paragraph .07 in SSAE No. 18,

“.07 The purpose of an attestation engagement is to provide users of information, generally third parties, with an opinion, conclusion, or findings regarding the reliability of subject matter or an assertion about the subject matter, as measured against suitable and available criteria. (An examination engagement results in an opinion; a review engagement results in a conclusion; and an agreed-upon procedures engagement results in findings.) The practitioner’s report is intended to enhance the degree of confidence that intended users can place in the subject matter.”

Audit services is the process of examining information or a process, whether it be financial, IT, or operational. The ultimate purpose is to determine the completeness and correctness of the information in relation to the process it represents and the representation it provides. This could include financial statements or management reports.

Audit procedures are performed by a trained professional, in accordance with guidance and requirements put forth by various accounting and auditing organizations. This results in outcomes that allow for the ability to rely on the conclusions provided by an attest engagement and the overarching assurance that accompanies the engagements. The requirements include ethics as well as competency. Examples of such accounting and auditing organizations may include the following:

  • American Institute of Certified Public Accountants
  • Institute of Internal Auditors
  • Information Systems Audit and Control Association
  • Public Company Accounting Oversight Board, and so on.


Negative and positive assurance

What Is The Difference Between Negative Assurance & Positive Assurance?

Each one of these engagements offers a different type of opinion or, potentially, no opinion; but, rather, negative assurance. Negative assurance tells the user that nothing has come to the CPA’s attention of an adverse nature or character regarding the data or process reviewed. Positive assurance, of which the general public is more familiar with, is the affirmation that a CPA believes something to be true or correct. For example, a SOC 2 Type II engagement offers the following positive assurance:

  • The description presents XX application services that were designed and implemented throughout the period XX-XX in accordance with the description criteria
  • The controls stated in the description were suitably designed throughout the period XX-XX to provide reasonable assurance
  • The controls stated in the description operated effectively throughout the period XX-XX to provide reasonable assurance


What assurance is provided?

What Type of Assurance Does an Engagement Provide?

For all engagements, only reasonable assurance is provided versus absolute assurance since 100% testing is not performed, and the firm performing the service cannot have 100% of the available information. Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. Thus, there is always the risk that an inappropriate conclusion is expressed when the information on the subject matter is materially misstated. Because of this, absolute assurance cannot be attained.


Assurance, attestation, and audits are interrelated accounting activities with specific professional guidance relating to each activity. The audit activity underlies attestation and assurance. It is the ethics and competency of the accountant or auditor in executing the engagement, in accordance with the professional guidance, that provides for a reliable attestation and level of assurance desired for an engagement.

Linford & Company is well versed in Third-Party Assurance Services and can assist you in determining which service is best suited for your business needs. If you have questions or would like further information on Assurance Services please contact us.