
Does your internal audit function really provide assurance?

When a young child wakes up crying, a parent will gather it in his or her arms and say “it’s OK, dear. Everything is going to be all right”. The parent assures the child that there is no need to worry.

Does the internal auditor say the same thing to the members of the board? The image of the board is different from that of a helpless young infant. The board is a collection of mature individuals with extensive life experiences. But they share with a young child a need for assurance, a need to know that they don’t need to worry because the controls are in place, adequately designed and operating effectively, to manage risks at the desired levels.

Board members are not involved in the day-to-day operations of the organization. Yet they have oversight responsibilities regarding the management of risks and the provision of internal controls. Internal Audit’s assurance services should be designed to tell them whether they need to worry about those processes and controls.

Imagine your child has been taken to the hospital after a car accident. When the doctor approaches you, which of these would you like to hear?

Option 1: “David is going to be all right. He just has some bumps and bruises.”

Option 2: “We examined David. He has some bumps and bruises that are not high risk.”

If the doctor told me that she had examined David and found some bumps and bruises that are not high risk, I think I would immediately ask her “so David is going to be all right?” I would be worried until I heard that positive assurance.

When an internal audit report provides an opinion that spells out, clearly, that the controls over the risks covered by the audit are adequately designed and operating effectively (i.e., they manage the risk at acceptable levels), that is positive assurance that has high value to the board and to management stakeholders.

But when the audit report only provides a list of control weaknesses, even if the significance of those weaknesses is rated, that is called negative assurance. Because the report doesn’t say so, the board has to assume that “everything is going to be all right with these risks.”

Some internal auditors are reluctant to provide their formal written opinion, whether at the end of each audit for the scope of that audit, or at the end of the year for the overall system of controls over the risks that matter. There is more personal risk to the auditor when he or she provides a formal written opinion. That is true. But is it better to make the board and top management assume that, because you only found certain control weaknesses, overall everything is OK and they don’t need to worry? Is it acceptable to make the board evaluate all the reported control weaknesses to see if they add up to a conclusion that the risks are not effectively managed? Shouldn’t that be our job?

If you were on the board or in top management and asked the auditor about the results of their audit of an important area, would you be satisfied with a list of their findings? Or would you insist on their professional opinion of the adequacy of the controls in managing the risks?

Why should the board be satisfied with “our audit found these weaknesses” when they can be told “we found these weaknesses, but you don’t have to worry because overall the controls are adequate?”

  1. MDhar
    May 7, 2012 at 11:28 PM

    I believe rather than opinionising the whole thing, it adds a lot of value to brief the board about basic mathematics around the processes evaluated by the internal auditors. As an example, we provide a high level snapshot of total number of controls in a process, and a heat map wherein a holistic view of “effectiveness” of all key controls in a process can be reflected. This way, the board gets to understand the “overall picture” of assurance for that particular process.

    Following this practice, the key principle of “objectivity” is well respected. Moreover, let the board know if there is an issue, and how big it is in view of the overall picture.

    • Norman Marks
      May 8, 2012 at 5:43 AM

      But, surely what is important is not whether the controls are individually effective but whether their combination is effective in managing risk at acceptable levels? Does it matter if you have 10 related controls and 3 fail – but are insignificant?

      We can give an objective opinion without compromise. In fact, what are we if not professionals who are paid to give an opinion?

      • MDhar
        May 8, 2012 at 10:27 AM

        I completely agree with you Norman on the first statement. If you allow me however, the concern of “3 controls failing but are insignificant” is taken care of by addressing results based on “key controls” only. We have not made any effort in assigning further priority/significance within key controls, although the rationale of being a “key control” is that it has to be duly “earned” to be a key control.

        Although not expressly stating the “wellness quotient” of the passed controls, the overall impact of the control weaknesses is so well debated that one can get a clear idea about the overall picture on internal controls in a process. That’s all I had to say.

  2. May 8, 2012 at 12:06 AM

    A reasonable point, but surely the acceptability of risk is a matter for the organisation’s risk appetite. The internal auditor should therefore highlight their assessment of risk and whether the assessed risk is above the organisation’s not the auditor’s net risk. Happy to provide a warm assurance statement, but the board and audit committee should be mature enough to have a more analytical supporting review of risks below it. If the audit committee are like small children then, in my view, there is a training need.

    • Norman Marks
      May 8, 2012 at 5:45 AM

      I agree 100%. The only thing I would add is that as auditors we need to be satisfied that the organization has a reasonable process for establishing acceptable risk levels that are meaningful to the assessment and management of risk in the front lines.

  3. May 8, 2012 at 5:58 AM

    I would suggest to you that in my experience few organizations have articulated what their risk appetite is for illegality, accounting restatements, customer dissatisfaction, product quality defects, wasted money, environmental infractions, data security breaches and the full range of other areas where risks are being accepted. I agree with you 100% that far too many audit committees and boards want the head of internal audit to tell them everything is fine, document that assurance statement from the CAE and the date it was given, and claim they relied on the CAE if it turns out the company is another Walmart, SNC Lavalin, or one of the dozens of companies at the heart of the 2008 global financial crisis. CAEs should focus on ensuring as best they can that senior management and boards are aware of the significant risks being accepted and let boards decide if they are good with the current residual risk status.

    Unfortunately many CAEs focus on the invalid SOX concept of saying controls are “effective”, in essence making decisions themselves on what constitutes acceptable residual risk, without making sure the board is aware of specifics on risks being accepted. CAEs that opine on the acceptability of controls should transition to ensuring senior management and boards are aware of the current residual risk status. Let them decide if they think it is acceptable or not. In cases where senior management and boards have a high risk tolerance for illegality and are prepared to “bet the farm” to access big bonuses CAEs will need to assess their own risk tolerance/severance terms.

  4. Norman Marks
    May 8, 2012 at 6:57 AM

    Tim (Leech, not Lech):

    Do you really believe that IA should perform a formal risk assessment of every risk it addresses? Is that not a management function? But it seems that is what you suggest in your comment.

    Are we not better served by pointing out to management and the board when the former (at the levels where decisions are made and risks are taken) does not know what level of risk is acceptable? How can anybody expect management to take the right risks if acceptable levels have not been defined and communicated?

    I agree with chiefauditex that we should be assessing whether (a) management has an adequate risk management framework and process, and (b) controls are effective in providing reasonable assurance that the risks are within acceptable levels.

    Let’s not position IA as the risk management function, assessing the level of risk, when that should be a management function.

    Having said which, when management has not determined acceptable levels, and we have reported that as a risk management failure, we should do what the draft update to the Standards propose, and after discussions with management use our common sense (not sophisticated models) to determine if the actual risk levels are reasonable.

    One final point. I agree with what I believe you are saying: that an opinion on controls without the context of whether they manage risk adequately is not as valuable as an opinion on whether the controls manage risk within acceptable levels.

  5. May 8, 2012 at 7:24 AM

    Norman: You have misunderstood my comment and/or I haven’t communicated well. I believe that IA should draw on all available information, including information produced by management on the state of residual risk, information on residual risk status determined from audits completed, and other available information to produce a consolidated report on residual risk. If it is a mature organization and management produces a consolidated report on residual risk for the board, IA should report on the reliability of that consolidated report as part of its assessment of the effectiveness of management’s risk management processes. I believe “effective” risk management processes should produce a reliable consolidated report on residual risk status, just as effective accounting processes should produce reliable consolidated financial statements. If the best that is available is half a dozen reports on risk from various risk silos but the board gets no assurance that all dimensions of risk have been covered, they need to recognize they are getting unconsolidated reports that may not cover all of the firm’s operations.

    In cases where management does not provide a consolidated report on residual risk status, IA should provide one until such time as the maturity of the company’s risk management processes is capable of providing one. In cases where IA has no information or low-assurance information on risk related to some types of business objectives relevant to the business, and management has provided no information on residual risk status related to those objectives, the board should be told that the report they are getting does not cover those areas and there may be significant residual risk positions in those areas that are not being reported. The board then needs to decide if their risk appetite is OK with not knowing about the current residual risk status, and whether they are prepared to be accountable if it turns out serious risks are realized that significantly and negatively impact the organization.

    • Norman Marks
      May 8, 2012 at 7:48 AM

      Tim, I believe we have had this discussion before. Should IA report on the level of risk (the level of risk after considering controls in place, which used to be called (smile) residual risk) or whether the level of risk is outside acceptable criteria?

      In other words, let’s say management assesses the risk at 8 when the board has approved 10 as the acceptable level. Should IA report to the board when it is 7 or 9, or only when it is 11?

  6. May 8, 2012 at 8:09 AM

    In a perfect world, where IA knows with certainty what the acceptable level of residual risk is to senior management and the board, they would only need to report on whether risk is outside of acceptable levels. This might need to be tempered in a situation where IA believes the level of residual risk that management and the board have decided is acceptable should be formally reconsidered in light of new information. An example might be that management and the board have known the company is offside on FCPA in some countries but have decided there is little chance of detection/prosecution, but the Justice Department is escalating enforcement efforts; or the company has been backdating stock options but lots of companies have been doing it without consequence. In my experience most, if not all, internal audit departments lack reliable information on the risk appetite of senior management and the board.

    In the system we recommend there are structured definitions for the levels of residual risk status outside of appetite. These are shown below:

    0 Fully Acceptable (it is at or below risk appetite)
    1 Low
    2 Minor
    3 Moderate
    4 Advanced
    5 Significant
    6 Major
    7 Critical
    8 Severe
    9 Catastrophic
    10 Terminal

    Objectives where the Residual Risk Rating is above 4-5 should be shared with the board, including what is being done to reduce the residual risk status to 0, the rating where residual risk is at or below appetite. IA reserves the right to elevate situations that management has rated as 0 but where IA believes the board may have a different opinion on whether the status is acceptable given their residual risk appetite.

  7. vuyolwethu manda
    May 21, 2012 at 9:07 AM

    Thanks Norman, I will implement this in my next report.
