Moving From Performing Internal Audits to Providing Assurance

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


In 2001, I joined a new company called Solectron as the head of internal audit. Solectron had a history of entrepreneurship and innovation (twice winning the Malcolm Baldrige award, in 1991 and 1997). I felt it was time to apply that innovative spirit to internal audit as I redesigned and rebuilt the internal audit function.

I wanted to move away from the prior practice of auditing the major locations every so often, assessing the more significant risks at those locations, to a top-down and risk-based approach — where we assessed the controls over the more significant risks to the business as a whole, provided an annual opinion on the adequacy of controls every year, and were a catalyst for change rather than a sideline observer and commentator.

To do this, I had to persuade both executive management and the audit committee.

Here is the note that I included in the audit committee materials.

I have some questions for you:

  • Do you agree with the principles that internal audit should be more focused on the big picture of providing assurance than on the smaller one of performing audits?
  • If so, how well are we doing?
  • What are the barriers to success?

We recognize that the value to be obtained from an internal audit function is derived from two things:

  1. The “peace of mind” we give our customers with our objective assessment of the company’s system of internal controls and their management of business risk; and,
  2. The change that is effected as the result of our work.

Our primary customer is the Audit Committee of the Board of Directors.  Other customers include executive, senior, and operating management.  The value of our work can only be measured in terms of our ability to satisfy our customers’ needs.

First and foremost, the Audit Committee relies on Internal Audit for assurance that the corporation’s internal controls are adequate to address significant business risks.  The Committee and executive management rely on us, not only for our assessment, but also for assurance that appropriate corrective actions are taking place to limit any business risk resulting from controls weaknesses.  Traditionally, we have met that need with formal audits that express an opinion on the condition of controls[1].

In these times of increasing attention by regulators (e.g., the SEC[2],[3]) and the investing public on the role of the Audit Committee, it is our responsibility to provide the members of that Committee with the information they need to perform their responsibilities.  It is our contention that performing a series of traditional assurance audits that addresses all major business risks over a short period, perhaps 3 years, no longer meets our primary customer’s needs.  We need to provide more continuous assurance; in fact, an annual opinion has become appropriate.

Our challenge in 2001 is to move from the traditional, series-of-audits approach to one that provides a more continuous level of assurance.  We need to be able to express an overall opinion on the corporation’s systems of internal control every year, for the January Audit Committee meeting.  We will build that assessment on a number of bricks and blocks, of different shapes and sizes.  Many activities, some traditional and some radical, will help us obtain sufficient knowledge and understanding of the system of internal controls to express that opinion.  We will consider, for example:

  • Traditional assurance audits
  • CSA workshops
  • Management self-assessment
  • Reliance on the work of third parties, including the external auditors, regulators, etc.
  • Controls monitoring activities (either monitoring controls performance directly, or searching for red flags that indicate potential controls problems)
  • Partnering with other groups in the corporation that monitor the performance of internal controls
  • Controls consulting work[4]
  • Participation in task forces, committees, systems development projects, etc.
  • Any other work that adds value and information

Our 2001 projects will be justified either because they are necessary to provide “Peace of Mind Through Controls Assurance”, or because they add significant value (or both).[5]

There are areas where our unique talents can assist the company in making changes that have a significant impact on operations.  As we develop the scope and objectives of each project, and choose from among the variety of resources and tools available for our use, we will strive to develop a question that strikes at the heart of the business issue.  It will be a question that confronts the business problem head-on.  With the support (and frequently the participation) of management, we will use our objectivity, facilitation, analytical, and other skills to identify business-practical resolutions and action items.

These “WOW! Value-Added Projects” will not only help improve the company’s bottom line, but they will be dynamic opportunities for the audit staff to develop and showcase their skills.  They will be learning experiences, as they tackle problems that are typically multi-functional, and work with all levels of management.  At the same time, they will be preparing (and presenting) themselves for their eventual move into line management.  A win-win for the company and employee.

This new approach, performing projects that either add Peace of Mind or are WOW! projects, is changing our planning process.  We will understand where controls weaknesses can occur that have the potential of rising to the level of Audit Committee concern.  We will be creative in developing ways to obtain a level of professional confidence that those controls are adequate and operating properly… every year.  We will also ensure that we only perform work that is effective in building towards that assurance, or adds significant value to the company’s bottom line.

[1] Many in our profession call these “assurance” audits.  By contrast, “consulting” projects are focused, not on providing an objective assessment, but on correcting or enhancing an area of controls that is already known to be in need of improvement.

[2] For example, one official of the SEC recently called the Audit Committee the “watchdog of financial reporting” within a company.

[3] The Blue Ribbon Committee included a number of recommendations for Audit Committees that have not been taken up in the new SEC, NYSE, AMEX, or NASDAQ rules.  They include formal statements by Audit Committees on the financial statements and internal control systems.

[4] Some in our profession see the new definition of internal auditing as defining assurance and consulting as different and separate activities.  We believe that our customers desire first and foremost that the company has adequate controls.  Our consulting activities add to that assurance.  In addition, we obtain valuable information about the adequacy of the company’s internal controls through consulting and other work, and use that in forming our professional opinion each year.

[5] Required audits for regulators (e.g., the RFG attest) or the external auditors are considered to add value.  Our performing the work is considerably less expensive than the alternative.


Posted on Jul 23, 2012 by Norman Marks


  1. Norman, this is a very interesting piece. I (and I suspect many others) would be interested in a thumbnail sketch of what happened in the eleven intervening years since this note was originally written. I'm presuming that you were able to transform the Internal Audit function, but was there a lot of resistance, what sort of hurdles did you face and how did you overcome them? Mike
  1. Mike, thank you for the comment and question.

    There was no resistance at all from the board. In fact, they very much supported the idea. Management also supported me, although they were careful to ensure that I didn't request additional budget - which I did not. 

    I was able to do much of what I had intended, changing the audit plan to focus on risks to the organization as a whole and providing an annual opinion. While I inherited an internal audit team that was not perfect, I was able to make a number of changes in personnel, attitude, and performance - all of which helped a great deal.

    We went from some dozen reports (or so) a year to well over 100.

    I left after 3 years. While there remained work to be done, a great deal had been accomplished.

  1. Norman:

    I agree that IA should provide assurance.  What I don't think they should do is provide subjective opinions on whether controls are "adequate" or "effective".   To do that it requires they have a very clear understanding of the organization's risk tolerance related to all types of business objectives.  I don't think that clarity exists in many companies.

    What I think IA should provide assurance on to the board is the question of whether management has an effective risk management process capable of informing the board of significant residual risk status positions related to important value creating and value eroding objectives.

    If the organization's management is not creating a composite/consolidated report on residual risk status for the board, IA should play a lead role in creating one for the board at least annually until such time as management begins creating one.


  1. Tim, even assessing whether management has "an effective risk management process capable of informing the board of significant residual risk status positions related to important value creating and value eroding objectives" is subjective, and risk management should do more than inform - it should result in action by management to take the right risks.

    I think you will agree with that.

    Also, if management has established risk criteria (or risk appetite/tolerance levels if you prefer), why can't internal audit assess whether the controls provide reasonable assurance that the risks are within acceptable ranges?

    Is it more valuable to inform the board and executive management that the risk management system can assess risks or that it is adequate to manage the risks?

  1. Norman:

    My experience is that few organizations today have articulated their risk appetite/tolerance at a level that IA can audit against and form defensible conclusions that controls are "effective".  In the majority of cases where IA is completing "direct report" audits (audits where IA is the primary risk/control analyst reporter) they are forming subjective views on what they think is the organization's appetite/tolerance.   There is a new post that provides a good summary of some of these issues.

    Over my career I continue to promote the simple concept that, in cases where an objective is important enough to warrant spending money on formal documented risk assessment, the best results are achieved when work units and senior management accept responsibility to be the primary risk/control analyst/reporter.  The more IA assumes the role of being primary risk/control analyst reporter the less motivated management/work units are to assume the role.  More and better direct report auditing can actually weaken an organization's overall control environment.

    I recognize many internal auditors are reluctant to relinquish their role as primary risk/control analyst and reporters because of job security concerns, but if they want to put their organization's best interests first they ought to champion work unit/management owned risk management.  There are many valuable roles, including QAR, coaching, and reporting on the effectiveness of risk management processes, that IA can take on and add substantially more value.


  1. Tim,

    Substantially, I suspect we are in agreement. But:

    1. I don't know of a single internal auditor that would say their job is to be "the primary risk/control analyst/reporter".

    2. It is management's responsibility to identify the desired level of risk and if the internal auditor finds that management does not know what that is they should give strong consideration to making that a significant issue in the report. How can management manage risk at desired levels if they don't know what those levels are?

    3. If management has established risk criteria or similar, the internal auditor should use their judgment to determine whether the controls provide reasonable assurance that risks are within those ranges. They should NOT delegate that activity to the audit committee.

    4. If management has not established risk criteria or similar, as we are guided in the IIA Standards, internal audit should use their professional judgment and common sense to initiate a dialogue with management to determine whether the current level of risk should be acceptable or not. That may lead to a discussion with the board. It may not.
