What is a practitioner in assurance?
A partner signs a sustainability assurance report using the same independence letter they prepared for the financial statement (FS) audit. The review finds no separate threat assessment for the assurance engagement. The report gets pulled. We've seen this on about half the non-audit assurance files we review, and the fix is understanding what "practitioner" actually means under ISAE 3000.
ISAE 3000.12(r) defines the practitioner as the professional responsible for performing an assurance engagement. Unlike the ISA framework, which uses "auditor" exclusively for audits of historical FS, ISAE 3000 uses "practitioner" to cover any assurance engagement, whether financial or non-financial, reasonable or limited.
The practitioner is personally responsible for the conclusion issued in the assurance report (ISAE 3000.33). This responsibility cannot be delegated, even when the practitioner uses the work of a practitioner's expert (ISAE 3000.52) or other practitioners within the engagement team.
ISAE 3000.34 requires compliance with ethical requirements, including independence. This is not inherited from the audit. It must be evaluated separately for each assurance engagement. ISAE 3000.24(a) adds a competence precondition: the practitioner must have the skills and knowledge appropriate to the subject matter. For non-financial assurance (sustainability or IT controls), this may require subject-matter expertise beyond traditional financial audit skills.
Key Points
- "Practitioner" is the ISAE 3000 equivalent of "auditor" and is broader in scope, covering any assurance engagement.
- Personal responsibility for the conclusion cannot be delegated (ISAE 3000.33).
- Independence must be evaluated per engagement, not assumed from the audit relationship (ISAE 3000.34).
- Competence is a precondition so the practitioner must have subject-matter-appropriate skills (ISAE 3000.24(a)).
Why it matters in practice
Firms frequently omit the independence evaluation on non-audit assurance engagements, assuming "we're independent because we do the audit." Independence under ISAE 3000 must be assessed separately. Threats that do not exist for the FS audit may exist for the assurance engagement, and vice versa. The file needs a documented evaluation for each engagement. Treating this as a tick box exercise is the single fastest way to get a finding from your quality reviewer.
Nobody enjoys the competence assessment, but it matters. Competence evaluations are often generic rather than engagement-specific, especially for non-financial subject matters. A practitioner qualified to audit FS is not automatically competent to provide assurance on greenhouse gas emissions or IT general controls. The file must show how competence was assessed and, where gaps exist, how they were addressed (through training or use of a practitioner's expert).
Key standard references
- ISAE 3000.12(r): Definition of the practitioner in an assurance engagement.
- ISAE 3000.33: The practitioner's responsibility for the assurance conclusion.
- ISAE 3000.34: Ethical requirements including independence.
- ISAE 3000.24(a): Competence as a precondition for acceptance.
Related terms
Related reading
Related tools
Frequently asked questions
Is a practitioner the same as an auditor?
Not exactly. 'Auditor' is the ISA framework term for audits of historical financial statements. 'Practitioner' is the ISAE 3000 term covering any assurance engagement (financial or non-financial). Reports use different titles: 'Independent Auditor's Report' vs 'Independent Practitioner's Report.'
Does the practitioner need to be independent?
Yes. ISAE 3000.34 requires compliance with ethical requirements including independence. The practitioner must evaluate threats to independence before accepting the engagement, documented separately for each assurance engagement, even if the firm also performs the audit.