Home > Risk > The Future of Internal Audit is Assurance

The Future of Internal Audit is Assurance

January 21, 2022 Leave a comment Go to comments

In the last couple of days, I have:

  • Listened to an internal audit executive as he shared a thought leadership piece from EY. In it, they talk about moving from the bottom left quadrant of internal audit maturity, which they describe as “assurance provider”, to the top right, “business advisor”.
  • Read an article by a practitioner for whom I respect on the future of internal audit.

That is after reading multiple pieces in the past that talked about Internal Audit 2.0, 3.0, and so on.

All of this had me ruminating on how I see the future of internal audit myself.

Let me start with the EY idea that providing assurance is a low level of maturity.

X

Imagine you are asked by a couple to provide them with assurance that their child, Adam, will be able to achieve his wilderness experience goals and return safely.

That is no small task!

You need to learn a great deal before attempting to provide any level of assurance. For example, you need to know:

  • What is this “wilderness experience”?
  • What are Adam’s goals?
  • What can happen, especially what can happen and cause him harm? But you also need to know what needs to happen if he is to achieve his goals?
  • What are Adam’s strengths and weaknesses? Is he fit and healthy? Can he make intelligent decisions?
  • What is his level of confidence? Is he over-confident?
  • How well has he done in the past?
  • What help will he have? Is it reliable? Will it be sufficient?
  • What equipment, etc. will he have? Is it reliable and sufficient to address any hurdles and other tasks?
  • How much risk of harm and how much risk of failing to achieve his goals are Adam and his parents willing to take? Do they agree on that?
  • Will he be able to adapt with agility if conditions change?
  • …and more.

X

Providing assurance involves assessing the current situation, looking forward and anticipating what might happen in the near future and longer term, determining whether that is acceptable, and if it is not helping decision-makers take appropriate actions.

Providing assurance is not a low level of internal audit maturity. It includes “business advisory” activities.

X

The practitioner article I read criticizes the IIA’s definition of internal auditing and their suggested mission statement for internal auditing.

To paraphrase the mission statement[1], it says that internal audit should provide the forward-looking assurance, advice, and insight that leadership needs to achieve success (the achievement of its objectives.

That is a high bar!

It is especially so when you set a goal of providing assurance over more than individual objectives and related risks and opportunities.

When I was on the IIA’s international committee that developed guidance for internal auditors (the Professional Issues Committee), I was a member of the team that developed a Practice Guide: Formulating and Expressing Internal Audit Opinions. It talks about micro opinions (opinions expressed in a single audit report) and macro opinions (opinions on the overall management of risks and opportunities).

My goal as CAE was always to provide management and the board with both: a business-oriented opinion after each audit, and an annual opinion on the overall management of risks and opportunities.

The opinion was supported with advice and insight to help management make improvements as needed.

Assurance is not a low level of maturity. I believe providing leaders with assurance that they can rely on the organization to perform as needed is of immense value. (They are not “assured” if there are serious weaknesses. In that case, we work with them to fix the issues and achieve success.)

The future of internal audit is delivering that level of value – a challenge and goal for many. The only question IMHO is how and when this will be achieved.

X

What do you think?

[1] Full disclosure: I was on the IIA task force that developed the mission statement.

  1. January 21, 2022 at 11:59 AM

    From above — “Providing assurance involves assessing the current situation, looking forward and anticipating what might happen in the near future and longer term, determining whether that is acceptable, and if it is not helping decision-makers take appropriate actions.”

    This is not assurance.

    Assurance is making sure the control activity already in place is functioning as intended. No thinking involved Yes or No.

    • Norman Marks
      January 21, 2022 at 12:05 PM

      I respect your opinion, but disagree

      • Anonymous
        January 21, 2022 at 8:53 PM

        Why?

        • Norman Marks
          January 21, 2022 at 8:56 PM

          The post says it all. For a start, “as intended” could be wrong. The board and management need assurance on more than whether controls are working as intended.

          • Anonymous
            January 21, 2022 at 9:05 PM

            You are mixing up things up to make a point that makes no sense. We don’t need internal audit anymore other than an assurance checker. Everything else is left to experts with specialty skills and expertise. World evolves.

    • Douglas Anderson
      January 21, 2022 at 4:32 PM

      It is rarely yes or no. Organizations activities are not that simple. If they look this simple, the audit scope if probably wrong.

  2. January 21, 2022 at 1:38 PM

    I feel IA should stick to the core skill – assurance. And do it well. Currently not good enough, the quality of the findings are quite poor and too high level to be useful. If auditors want to know what good audit reports should look like read any technical due diligence report.

    • Anonymous
      January 21, 2022 at 9:26 PM

      It is either yes it is working or not. Others with technical expertise can get to root cause ,etc. If that fails try something new. Accounts payable is not difficult but should be solid.

      • January 31, 2022 at 8:59 AM

        Can you share a sample of a technical due diligence report you are referring to?

  3. Douglas Anderson
    January 21, 2022 at 4:36 PM

    Norman states: “I believe providing leaders with assurance that they can rely on the organization to perform as needed is of immense value.” So true! Unfortunately, too many auditors see being a “free” resource to perform management tasks as bringing value.

    • Anonymous
      January 21, 2022 at 9:17 PM

      Pollyanna!

  4. Paul J Flora
    January 21, 2022 at 5:02 PM

    I totally agree with Norman that assurance is NOT a low level of maturity, and business advisory is a significant part of assurance. If done correctly, audit findings, issues, recommendations, or however you classify audit results, must be supported by “business advice” from Internal Audit’s perspective as to what may be wrong, what may need to be fixed. When I was a CAE I did much the same as Norman in that I provided management with a business oriented opinion after each audit as well as an annual overall business oriented opinion on their management of risk. That to me was the essence of an internal auditor’s mission.

    • Norman Marks
      January 21, 2022 at 5:14 PM

      Congrats, Paul

    • Anonymous
      January 21, 2022 at 8:59 PM

      We all did this 20 years ago. Norman Tosco Mike Philip Morris and Union Camp and Paul in NYC at a global insurance? Point being nothing in the profession has changed. I moved on.

  5. amvillamorjr
    January 22, 2022 at 3:39 AM

    If our business model is colonizing an uncharted planet, what assurance could we give that the business model is successful and the people we transplanted would survive? None. I say, in more mature arrangements (i.e., business processes and models), we could be great assurance providers. There would have already been some professional standards that we can use as criteria management. However, organizations develop new business products and operational models that sometimes there are no standards we could use yet. Should we stop management from chartering the unchartered course because someone has prepared no control standards, or should we work with them as business advisors? Claiming “assurance is making sure the control activity in place is functioning as intended” is akin to saying the doctors’ patient would survive because they administered the latest and top-of-the-line medicine. Thus, giving false assurance to both the patient and the doctors. We need to get out of this current paradigm about assurance. As internal auditors, we should not relegate ourselves as historians. We could also be visionaries.

    • Anonymous
      January 22, 2022 at 2:38 PM

      Exactly what we do with Covid. IA is just not equipped or funded and thus others do it.

      • Norman Marks
        January 22, 2022 at 2:47 PM

        Sad

  6. Mike
    January 22, 2022 at 11:29 AM

    Agree Norman, macro/micro opinion I still apply today. I think the 3 lines model conflates IA role. In a growing world with more complex business models, growing diverse risk vectors and stakeholders (AI, robotics, cyber, climate etc…), assurance is becoming even more important than ever in is value. Finding an unbiased voice in complexity not easy. Important to ensure you providing assurance over the right areas, that better defines maturity.

  7. Anonymous
    January 31, 2022 at 9:09 AM

    Internal audit must review and assess internal controls. Otherwise how are policies, procedures, and processes ultimately assessed. That being said, internal controls are just one facet of internal audit’s responsibility of providing assurance. That includes other facets such as management oversight, business resiliency, financial sustainability, etc. All of those factors must be reviewed and assessed by internal auditing so as to form an opinion on a given topic/area. When all applicable components are reviewed and determined, then true assurance has been achieved.

  8. Anonymous
    January 31, 2022 at 9:11 AM

    How often should the Audit Committee be surveyed — annually, every 2 years, . . .? Should this be discussed in detail prior to issuing the survey? Should the Audit Committee members have input into the questions that are being asked?

  1. January 21, 2022 at 11:04 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: