Home > Risk > Proactive Auditing or Embedded Assurance

Proactive Auditing or Embedded Assurance

When I saw that Protiviti had published an article with the title What Is Embedded Assurance — and How Can It Benefit Enterprise Projects?, I was intrigued.

What exactly is “embedded assurance”?

I expected something along the lines of the new-fangled concept of ‘combined assurance’, which is really not new at all! In 2009, the IIA issued Practice Advisory 2050-2, Assurance Maps (available only to members). It was an excellent piece of work then and remains useful today.

Or it could have been related to continuous assurance/auditing. But it’s not.

In fact, the concepts behind “embedded assurance” are very old! Just Google ‘pre-implementation reviews’ to find multiple articles on the topic. I was doing these when the authors were in diapers!

That doesn’t mean that the Protiviti piece is without merit (only that the only thing new is the name they give it).

I strongly encourage every audit department to perform proactive auditing, getting involved in major (or even minor) projects when justified by the level of risk to the enterprise.

Vary the level of work, again based on the level of risk.

For example, a pre-implementation review might include one or more of the following:

  • A review of the cost justification/capital expenditure request
  • A review of the requirements documentation
  • A review of the project approach, such as whether adopting an agile methodology is optimal. One of the issues I have seen is that the incremental changes identified over the project’s life move it away from the original intent and why the expenditure was approved.
  • A review of the project plan and its management
  • A review of the design to ensure it will address the requirements
  • A review of the design to ensure it will have the necessary internal controls and security
  • A review of the test plans
  • Independent testing or reperformance
  • Building in additional data monitoring and alerts
  • A post-implementation review

You should also make sure you have the right team for your pre-implementation review.

At Tosco Marketing Company, which had more than 6,000 convenience stores as well as gas stations, management had a massive IT systems project. They would replace all the systems in the stores, connect them with a new central stores management system, run everything on new hardware, and implement a new access control system.

My team included two IT audit managers with application auditing expertise, another IT auditor with highly technical skills (including experience with the new access control system), and an operational auditing manager.

I needed all of these to make sure we covered the waterfront. This was not an IT project; it was a major business project.

By the way, this concept should apply to the proactive auditing of any major project, not just technology ones. For example, get involved in major new construction projects.

What do you think?

How active are you in pro-active auditing?

  1. Chris Foster
    May 22, 2022 at 6:24 AM

    Hi Norman

    Could you recommend any internal audit resources for auditors based in the UK?

    Many thanks

  1. May 20, 2022 at 10:35 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: