Assurance: What is it?

Joshua G
What I think About IA
Dec 4, 2022

In response to the ever increasing “speed of risk”, leaders in the internal audit profession advocate increasing the insight and relevance of the activities performed by internal audit to better “add value and improve an organisation’s operations”. Approaches such as Continuous Monitoring, Agile Auditing and Consulting/Advisory engagements continue to be suggested by the IIA and industry thought leaders to enable internal audit to be insightful, proactive, and future-focused as required by the core principles of internal auditing.

As new approaches are being considered and designed, I have experienced confusion from colleagues and stakeholders on where new approaches fit in the Internal Audit mission and how they align to the standards of the profession. I hope to add clarity to this discussion by looking at the guidance and professional standards that are fundamental to understanding the types of work we do.

Assurance Defined

In my experience there has been some confusion in relation to the status of various engagements as “assurance” or “not assurance”. The definition of assurance has been contentious over the years, with the IIA even publishing technical articles discussing the difficulties in defining it. The Chartered IIA (CIIA) website states that assurance is “telling managers and governors how well the systems and processes designed to keep the organisation on track are working”.

The CIIA technical blog notes that using the term assurance can be problematic due to varying interpretations of the term. Scope statements in engagement communications are critical to ensure clarity of the nature of the opinion we provide. Whilst assurance itself is not defined by the IPPF, the IIA standards Glossary does define Assurance Services. Assurance Services are “An objective examination of evidence for the purpose of providing an independent assessment…” This provides a basic framework to define assurance in the context of IA engagements.

Assurance “Levels”

Guidance produced by IIA Australia provides an opinion on the concept of “levels” of assurance.

“The IPPF issued by the IIA-Global does not use terms like ‘reasonable assurance’, ‘limited assurance’ or ‘negative assurance’. These are terms used by external auditors or auditors working under external audit standards and are irrelevant in the internal audit context. While some internal auditors attempt to use such terms, they are meaningless in the internal audit context. In internal auditing there is ‘assurance’ or ‘no assurance’ — there are no intermediate levels.”

This supports the position that, despite differing characteristics and levels of work across engagement types, engagements are either assurance or not, based on the definitions above.

Report Ratings and Grades

Report ratings are a tool used by internal auditors to summarise our opinions and outcomes from a given assignment into a defined priority or maturity scale. This is primarily to support the recipients of engagement communications in understanding the priority of the outcomes and to help in directing focus and resources to higher priority areas. Whilst ratings are a common practice in the profession, they are not required by professional standards and do not inherently increase the “value” or “weight” of the outcomes of the engagement. EY, AuditBoard and others have discussed this in a number of publications, and it is clear that there is no standards requirement and that the value of rating reports and findings is very much dependent on the context.

Previous interactions with regulators have indicated that some regulatory bodies prefer ratings to be attached to engagement communications, but unless this is a specific requirement of regulatory requirements in relation to Internal Audit it is not critical to an engagement providing assurance.

Testing

The concept of “testing” has also been suggested to me as a possible requirement for an engagement to meet the definition of “assurance”. The key concept from the IPPF is that internal auditors are always expected to have ‘sufficient, reliable, relevant, and useful information’ to support conclusions or opinions offered (Internal Audit Standard 2310 ‘Identifying Information’). Whether this information is gained through transaction testing, control testing or simply through reading a document, if it meets the standard above it is sufficient to support assurance conclusions.

What about Consulting and Advisory

The distinction between assurance and consulting can be a contentious area, with concern about “grey areas” and maintaining objectivity and independence. In 2003 the IIA Internal Audit Research Foundation published a review of research in this area and future topics for related study. A key concept in this document is contrasting assurance and consulting in relation to the parties involved. The conceptual model used posits that assurance requires a “3rd party” that receives the assurance (e.g., the audit committee) and determines the value of the activity, whereas consulting is an activity conducted between two parties only: the auditor and the management team requesting the consulting. This concept is also useful in understanding how value should be measured for various types of engagement.

So What?

Based on the discussion above we can surmise that for an engagement to be an assurance service the key elements required are:

  1. Objectivity
  2. Examining Evidence
  3. Providing an Independent Assessment
  4. Relevance to governance, risk management, and control processes (GRC) for the organization
  5. A 3rd Party stakeholder as the main customer for the engagement communications and opinion

The absence of rating, control testing or other specific engagement features is not sufficient in and of itself to exclude an engagement from being of value or delivering assurance as long as it aligns to the features above.

Extra: Key Definitions

Internal Auditing: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (International Standards for the Professional Practice of Internal Auditing)

Engagement: A specific internal audit assignment, task, or review activity, such as an internal audit, controls self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives. (Glossary to the International Standards for the Professional Practice of Internal Auditing, IIA)

Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. (Glossary to the International Standards for the Professional Practice of Internal Auditing)

Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. (Glossary to the International Standards for the Professional Practice of Internal Auditing)

Nature of Internal Audit Work: The internal audit activity must evaluate and contribute to the improvement of the organisation’s governance, risk management and control processes using a systematic, disciplined and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive, and their evaluations offer new insights and consider future impact. (International Standards for the Professional Practice of Internal Auditing, Standard 2100)
