
What kind of auditor are you? Are you an assurance professional?

December 29, 2011

I am struck by how many think the job of internal audit is to find defects.

I believe that is the road to ruin.

Our job should be to help the organization succeed, and we do that by helping PREVENT defects. Our primary role is ASSURANCE, not performing audits to report issues.

Contrast these situations:

1. The auditor strolls into the room, which is full of cops, and points to the body. “You have a dead body on the floor.”

2. The auditor works with the building architect and critiques the provision of fire and smoke detection and alarm systems, as well as the fire suppression system and availability of exit routes. She advises on the need for fire safety training and drills.

Which is more valuable to your company?

Which are you?

  1. Larry Brown
    December 29, 2011 at 10:06 AM

    Norman – You raise an interesting point. What if the auditor – a CIA, CPA, CISA – recommends and management implements fire and smoke detection and alarm systems, as well as the fire suppression system and availability of exit routes that are totally contrary to good engineering / building design standards? Rather than pointing to one dead body (no risk), the entire building population could be unnecessarily at risk through a well intended but totally misguided assurance initiative.



  2. Norman Marks
    December 29, 2011 at 10:24 AM

    Larry, isn’t that the risk we run every time we perform an audit – that our assessment and perhaps our recommendations are misplaced?

    I can remember visiting a refinery that my company was about to acquire, and the current owner’s auditors had suggested they implement changes to their systems that would have actually increased both risk and cost.

    But I would rather have auditors who want their customers to succeed than those who wear stars on their sleeves showing how many defects they had found.

  3. Norman Marks
    December 29, 2011 at 11:27 AM

    As a reminder, the IIA definition of internal auditing does not say our job is to perform audits and find defects.

    It says:

    “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

  4. Michael Corcoran
    December 29, 2011 at 11:57 AM

    The heat map (Impact on Value, Vulnerability) I use for Risk Assessment and Internal Audit training suggests that IA consulting services/activities should take place in 3 of the 4 quadrants. I would change the IIA definition from risk management to value management. Businesses do not exist to manage risk, they exist to create value and the IIA should align accordingly.

  5. Norman Marks
    December 29, 2011 at 11:59 AM

    Michael, I agree that businesses exist to create value. But shouldn’t internal audit be concerned with the quality of the processes and systems management relies on, and the way in which risks to the creation of value are treated?

    • Michael Corcoran
      December 29, 2011 at 4:55 PM

      The assertions (value objectives, value/risk assessment, value/risk response) need to come from management first. If they need help to design & implement, IA should be able to consult. The best run companies expect this of this function. If IA cannot bring these skill sets to the table then bring in consultants who can. No sense providing assurance on assertions that do not exist. Once in place, then IA should periodically validate that the assertion process is operating as intended and is efficient. This is the assurance part of IA’s role.

      Norman, Which management are you referring to?

      • Mike O. Villegas
        December 29, 2011 at 5:09 PM

        Internal auditors and external auditors opine on management’s assertions on the effectiveness of internal controls. That opinion is based on their own independent testing, and for some of it they might rely on internal independent testers, but that may be limited. I have found that internal audit, external auditors and information security need to collaborate closely to achieve the best results – easier said than done, however, in some environments.

        • Michael Corcoran
          December 29, 2011 at 5:20 PM

          Mike, I believe external auditors’ assertions are limited to internal controls over financial accounting and reporting. This is very narrow and really does not cover many areas of a business. Good question on where the security scope begins and ends. Norman, good question for the Audit Committee?

  6. Mike O. Villegas
    December 29, 2011 at 4:21 PM

    “Auditors do not have to be completely accurate; they just have to be right.” I replied on Twitter but let me reply here. My experience is that auditors sample and do not necessarily test full population. They opine on what they believe to be representative of the whole. Sampling is not accuracy but their conclusions definitely have to be right. I started my career in 1978 as an IT auditor, IT audit director, partner for a Big 4 (6 at the time) and now a Dir of Info Sec. As a security professional, I don’t have the luxury of sampling. I have to remediate all issues. I not only have to be right but accurate as well. That said, as an auditor, I considered myself as an agent of change and it was very satisfying to see improvements made based on my recommendations.

    • Michael Corcoran
      December 29, 2011 at 4:46 PM

      Mike, I agree, software exists to provide an additional level of assurance for most business transactions and I believe process or functional owners should install, operate and report on this on a regular basis (objective, risk assessment and risk response attestation). IA’s role is to make sure these risk responses are operating as intended, efficient and effective, and to test on a periodic basis that the assertions made by process and functional owners are real. Given that security is also everyone’s business, it takes some innovative approaches and thinking.

  7. Norman Marks
    December 29, 2011 at 5:47 PM

    I have never seen management make a formal assertion regarding the effectiveness of either risk management or internal control, except when it comes to financial reporting. There is an implicit assertion, in that they are responsible for an effective system of internal control.

    The external auditor requires management to give them a letter with an assertion of the effectiveness of internal control over financial reporting. This is a CYA papering of the rear-end mandated by PCAOB standards.

    When it comes to IT security, I am a believer that you need just enough to protect the information assets at a risk level acceptable to the organization.

    • Michael Corcoran
      December 29, 2011 at 6:06 PM

      Norman, you are right and this is very confusing to me. If management does not make or have standards for assertions on risk management and internal control, how can the IIA come out with a Certification of Risk Management Assurance (they forgot the Consulting part by the way) credential?

      From the IIA announcement:

      “Beginning in October, qualified individuals with knowledge and experience in risk management assurance can begin applying for the CRMA prior to the exam launch exam through a “professional experience recognition” process. More information on the specifics of this process will be available later this year.”

      Norman, implicit assertion over internal control? What does that really mean – value creation or safeguarding physical assets? What about language to minimize liabilities? COSO is flawed.

    • Mike O. Villegas
      December 30, 2011 at 12:31 AM

      You are absolutely right. Management assertions are strictly for financial reporting and that is what the external auditor opines on. Internal audit’s scope is more expansive. The implicit assertion is one way of looking at it. Going back to your original question, however, of what kind of auditor we are: we need to be auditors that provide value, realistic risk views, and practical and pragmatic recommendations on a company’s internal control structure. If we are checklist auditors or driven by the number of “unsats” that we report, we do not provide value and our motives are completely wrong.

      BTW, I stumbled onto your blog from Twitter and I can say you have added a follower. Nice blog. Nice questions and great input from your followers. I’ll keep watching. Thank you.

  8. Deb
    December 29, 2011 at 10:16 PM
    I’d like to focus a bit on the divergence between answers to the two questions you’ve posed at the end of your post: “Which is more valuable to your company?” and “Which are you?” IA may believe totally that it’s an assurance function and not a ‘defects finder’, and that there are so many facets of assurance, many of them consulting based rather than ‘auditing’ based.

    But would the company think on the same lines? Not necessarily, and not at all times/ situations, I’d think. One issue could be the USP – internal audit has always been seen to provide ‘auditing’ services; for other, more value added consulting, companies usually tend to turn to more ‘specialized’ resources (internal & external), sometimes ignoring the fact that IA may have the most comprehensive helicopter view of the organization. Another issue could be the IA skill base itself, prompting the same response as above.

    So the answers to your question may be based a lot on the level of maturity, both of the organization and of the IA function (and these differ vastly across geographies/jurisdictions and sizes). If we see it as a continuum, perhaps IA may need to first establish itself with a USP of providing assurance, and get that proverbial ‘seat at the table’, before it’s called upon to provide more value-based consulting services.
  9. Norman Marks
    December 30, 2011 at 7:53 AM

    Michael, management does not have to make a formal assertion when it is their responsibility to have effective risk management and internal control processes. Internal audit assesses whether they are adequate to the task, and does not have to rely on a management assertion like the external auditors believe is necessary.

    • Michael Corcoran
      December 30, 2011 at 8:02 AM

      Norman, this is noble but a fantasy!

      What risk management standards are IA Departments using to render this opinion? I have never seen such an opinion. If you have companies and examples, please share.

      What standards are IA Departments using to render an overall opinion on the internal control environment? I would like to see examples of companies that are doing this if you can share.

  10. Norman Marks
    December 30, 2011 at 8:17 AM

    Michael, the IIA has a Practice Guide that is available to members on how to provide an opinion (http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/formulating-and-expressing-internal-audit-opinions/).

    There is also an older Position Paper that you can download at http://www.theiia.org/CAE-bulletin/index.cfm?iid=391

    Here’s an article on the topic: http://www.theiia.org/intAuditor/free-feature/2010/april/the-importance-of-internal-audit-opinions/

    And an old example of mine: https://www.box.net/shared/2pmmrn1gyqgar75a051m

  11. Norman Marks
    December 30, 2011 at 8:20 AM

    Michael, with respect to ‘what standards’ for risk management and internal control, while I am an advocate of ISO for the former and COSO for the latter, the key is that:

    – risk management processes provide reasonable assurance that the more significant effects of uncertainty on objectives will be identified, assessed, evaluated, and treated so that they are within acceptable boundaries

    – the system of internal control provides reasonable assurance that the more significant risks to the organization and its creation of value are within acceptable boundaries

    In other words, use judgment instead of assessing compliance with any standard.

  12. Michael Corcoran
    December 30, 2011 at 4:11 PM

    Show me at least 100 of the 15,000 SEC registrants that are doing this and I will rate your post very relevant. Otherwise, this group and many others are not interested in fantasy.
  13. Norman Marks
    December 30, 2011 at 4:18 PM

    So, Michael, should we do what everybody else is doing, or what we should be doing and where the profession is going? The IIA is publishing guidance on how to do this, more thought leadership than is necessary, and now will provide training and a certification to boot.

    Providing overall opinions is much more common in the UK, Australia, and South Africa than in the backward US.

  14. Michael Corcoran
    December 30, 2011 at 4:51 PM

    Much of Mike and Norman, what do you want to say?

  15. Jim
    January 2, 2012 at 2:18 PM

    Norman, like yourself I have been a practitioner in internal/external audit, risk management, compliance, assurance and consulting for a long time. However, I come from an IT perspective, have led internal/external IT audit departments, been the Head of Technology Risk, and been a senior risk consultant.

    20 years ago I was of the view that the only good report was a fat report (the more recommendations the better), as in general was the view of the audit profession at that time. Now, I still produce too many recommendations, but I put a lot of thought into the cause and the significance of the impact, rather than just the observed effect (findings).

    Unfortunately there are still too many auditors that have not matured as the profession has, and focus on the dead body. The words Audit and Assurance clash in the eyes of a lot of Audit professionals, with the belief that Assurance compromises independence. I recognize the need for independence but feel it is used as a crutch and an excuse for not having put your neck on the line and said what you really think. Perhaps it is because too many auditors do not think.