Our Job Is Not to Perform Audits

If you ask auditors what they do, most will answer that they perform audits. They may vary on that theme by saying that they assess and test controls, add value, identify control weaknesses, or similar; but if they say or imply that their job is to perform audits, then they are mistaken.

Our job is not to perform audits. It is to provide assurance (first) and then (secondarily) assist the organization through consulting services that identify opportunities for improving operations.

That’s not only my opinion, but what The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) tell us — and there is a tremendous difference between providing assurance and performing audits!

The Standards define an internal audit activity as:

A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

This definition doesn’t even mention audits! It talks about providing assurance and evaluating the effectiveness of management’s processes.

Providing assurance means that we are not only assessing the adequacy of management’s governance, risk management, and related internal control processes but sharing that assessment with our key stakeholders (generally the board/audit committee and executive management). It means that we are not only reporting whether there are any issues needing attention, but whether the processes we assessed are adequate.

Now we generally are able to assess management’s processes by performing audits. But audits are the means and not the end. In fact, we also provide assurance when we perform consulting projects such as reviews of new computer applications and systems. By assessing and providing advice (prior to implementation) so these new systems will have appropriate levels of security and adequate controls, we are ensuring that management’s processes will be adequate. When we communicate that result, we are providing assurance.

Assurance is not achieved without communication to our stakeholders. In fact, I cannot see how we can communicate our assessment of management’s processes if our audit reports do not contain an opinion to that effect! I do not believe that an audit report that informs stakeholders that there are seven control deficiencies, none of which is a high risk, is the same thing as clearly stating whether those processes are adequate to manage the business. Let’s not make stakeholders guess. Say what you think!

Further, I do not see how we are providing assurance of “the effectiveness of governance, risk management, and control processes” if we do not provide a formal report to management to that effect periodically.

Some will argue that because we don’t audit every risk area, and because our work is spread out over the year, they are not able to provide a formal assessment of management’s processes. I disagree. All it takes is for the formal report to stakeholders to explain that the auditor’s opinion is based on the audits and other activities performed during the period, and that not all risks were assessed — only those identified as being more significant and addressed in the audit plan. The opinion is subject to those limitations.

I admit that the Standards don’t state that we have to provide a formal report on the adequacy of management’s governance, risk management, and related internal control processes. But they should, and I believe in time they will. International governance standards, like King III in South Africa, already require formal assurance from internal auditing, so it is only a matter of time.

Anyway, how do you provide assurance if you don’t provide an opinion?

Is your audit department performing audits, or providing assurance?

Posted on Nov 17, 2009 by Norman Marks


  1. Mark,

    agree with your comments; however, I believe it is difficult to measure assurance. The contributions by Internal Audit are measured by the number of reports issued. We must find ways to measure audit department efficiency in a different way, e.g. improvement in operational processes, number of operational failures, etc.


  1. Norman:

    I couldn't agree more with your central message that internal auditors should not fixate on the notion that their core purpose in life is to do audits of areas/topics/processes and report results. I, like you, believe the key service should be providing assurance.

    However, I also believe that mandate can be narrowed and focused on  providing assurance to the board that the board is receiving reliable reports from management on the organization's residual risk status related to key business objectives, including complying with applicable laws and regulations.   I don't believe internal audit should be the primary risk/control analysts/reporters.

    Getting 20, 50, 100 or even 500 audit reports a year from Internal Audit should not be a substitute for reliable reports from management on the current residual risk status and what is being done to change situations where residual risk is outside of the organization's risk tolerance.

    If management is not capable of providing reliable reports or, worse yet, is dishonest in their reporting to the board, internal audit needs to report this to the board.  Having said that, this is likely the most dangerous position an internal auditor can face in their career. 


    I explain it this way:
    Relative to the 5 critical tasks as explained in the red book, internal audit provides consulting and assurance services that inform the organization of "what they need to know but do not already know". This information needs to be conveyed in writing and extremely timely. Auditors that build that reputation rarely need to watch their back (their stakeholders will keep the wolves back for them).
    In fact, when I say those words, I am usually thinking about someone just like Norman or Bob!
    I had the good fortune to ask Bill Bishop when and how he will know that internal audit as a profession has arrived. He replied: when every internal audit function has to issue an annual report on the state of internal controls. Some of you may recall that we did a survey for Bill on this very topic before he testified in Washington just before the SOX bill passed in 2002. Send me an e-mail and I will point you to it on my old gain2 web site.
    That is enough history for one day I am sure.
    Donald E Sparks, CIA, CISA, ARM
    Vice President Audimation Services
    +1-888-641-2800 x1877
    www.audimation.com ..... we have a great IDEA!
  1. I think in many ways the Accounting/Financial Reporting world reminds me of 1970 IBM. Accounting over many decades has enjoyed the investor spotlight and a position of regulatory power. Accounting and Financial Reporting has created terms, processes, regulation and statistics eaten for breakfast by the business world. It is a language unto itself. The image that comes to my mind is the proud IBM engineer showing off how large his computer is. However, only a few short years later Microsoft began consuming IBM’s strength as it focused on what consumers actually needed.

    Today, an investor needs to know strengths and vulnerabilities of companies as well as the opportunities and performance. Yet this context is left undefined. How effectively does the company set strategy? How does it implement it and manage the risks that will prevent it from reaching goals? This can be captured without compromising the actual strategy. A set of financial statements is one dimensional when considering this need. Internal Audit has wide opportunity to fill the Gap. Teach Governance about good governance practices. Provide Audit committees information in the language of management… how effectively accountability is assigned; how effectively management responds to accountability; and how do business processes compare to ideal mature processes. If we define risk management and internal control within this context we have an opportunity to be Microsoft…

  1. This is one I have struggled with. I do not feel comfortable providing an overall opinion and overall report for an integrated health system for areas we have not audited. I could summarize the results of the areas audited (we perform about eight to ten audits a year) and provide general comments based on those results. However, I'm not sure how to provide an overall opinion.

    That being said, I agree that it is our job to provide assurance. IMHO, an audit is the highest form of assurance if provided in accordance with the IIA Standards. Just my opinion.

  1. IFAC (the peak body for the accounting profession globally) defines audit as a subset of assurance relating to statutory financial reporting (i.e. external audit), which implies that IA is an assurance provider, not an auditor. Our remit is broad and broadening.

    Some trends:

    King III from South Africa encourages the audit committee to provide assurance to the entire board, and for the audit committee to get that assurance from the internal audit function.  

    In Australia, listed companies requirements are:  The board should require management to design and implement the risk management and internal control system to manage the company’s material business risks and report to it on whether those risks are being managed effectively. The board should disclose that management has reported to it as to the effectiveness of the company’s management of its material business risks.

    Our guidance for companies goes on to say: An internal audit function will generally carry out the analysis and independent appraisal of the adequacy and effectiveness of the company’s risk management and internal control system. 

    I'm not sure about countries outside the Commonwealth, but I suspect that for many Bill Bishop's comments have already arrived, and on a broader scope of assurance than we might have assumed.

    This of course begs a lot of questions on assurance frameworks, what level of assurance is given, how to give it, what caveats need to be raised with readers, possible lawsuits, insurance and a range of other issues, many of which our members are grappling with today and will keep us busy for some time to come. There are a lot of big questions nested within all of this, and I'm hoping to be part of the solution on some of them.

  1. I think of it this way:

     What is better and what has changed for the better because I have been around? (Yes, like you, it's not the number of reports I have issued, though that is certainly a baseline measurement that our culture likes to see, and it is a measure of some efficiency. I have seen some groups issue only a few reports per person per year; that’s not good either.)

  1. I’ll go you one further….our role is to assess unmitigated risk and help ensure that management applies measures/controls to reasonably address risk to keep the business in business. It’s the “going concern” concept from years past (yes – I’m that old). It does the organization little good if the auditor publishes 30 reports a year, and gets all audits done on time and under budget and passes the QAR reviews if their work does not add value and does not have a risk measurement and solutions orientation.

     As a result, audit reports are ONE tool that we use, but internal consulting and special projects can be just as effective in identifying, assessing, and helping to ensure that the risk is reasonably mitigated.

  1. Wonder if this has changed in 8 years?

    Public Reporting on Internal Controls

    • Analyzing 414 responses.
    • Presentation generated on April 5, 2002.
    • Invitations (1,330) Issued on April 2, 2002.
    • US Companies only.

    A1 - Does the internal auditing organization provide senior management and/or the audit committee with a written report on internal control? Check all that apply:

    Choice Count Percentage
    Yes, based on all internal audit work only 158 38.3%
    Yes, based on internal and external audits and other internal sources 100 24.3%
    Yes, based on a control model such as COSO's Internal Control - Integrated Framework 65 15.8%
    Yes, includes assurance on controls over significant risks 82 19.9%
    No, internal audit does not provide a report on internal control 120 29.1%
    Other: 41 10.0%

  1. (Continued)

    A2 - Does your company or organization provide (an internal audit) report on internal control in the annual report?

    Choice Count Percentage Answered
    1. Yes, it is a comprehensive report based on COSO definition of control (integrity/reliability of financial data, safeguarding of assets, economy/effectiveness of processes, and compliance with laws, regulations and policies) 33 8.0%
    2. Yes, report based primarily on management's responsibility for integrity and reliability of financial information 130 31.7%
    3. No report on internal control is provided 247 60.2%

  1. Hi Norman

    I agree with your points 100% Norman and I also like the comment from Tim Leech that management should be the primary providers of relevant information to the board. Internal audit should in that respect give assurance that the reports and information provided to the board are reliable and honest. I also agree that auditors have to communicate their assurance by providing opinions. I hope both the standards and the PA/PGs soon will reflect this view.

  1. Thus, the Institute of Internal Assurance & Advisory, or the IIAA.  Change the game.

  1. Norman,

    I agree that it is IA's responsibility to provide management with a degree of assurance and that performing audits is one way of helping to achieve this objective. The degree of assurance which can be reasonably provided will obviously depend on IA's overall approach in this regard. IA in itself is only one of the sources of assurance available to management; however, IA can leverage these other sources by performing assessments at strategic, tactical and operational levels. This can help enable IA to provide a higher degree of assurance rather than relying solely on the operational audits performed by the IA function itself.

    Please find attached a link to a short paper which I have previously written on the topic of sources of assurance.

    My views for what they are worth.


  1. Thanks to all for the various comments, and I see a majority saying we have to provide assurance. Performing audits is a means to that end.

    What about the balance of the blog, where I assert that you can't provide assurance unless you are willing to stand before your stakeholders and share your assessment in a formal fashion? I don't believe it is sufficient to give them your risk assessment and audit plan, the results of individual audits, and the status of management remediation efforts. You need to go further and tell them whether management's governance, risk management, and related systems of internal control are adequate.

    We should not make them 'assume' the controls, etc. are adequate. After all, how do we expect them to aggregate the results of all your audits to see the overall picture - unless we tell them?


  1. The IPPF says, at Standard 2100, that the IA must "assess and make appropriate recommendations for improving the governance process", and "must evaluate the effectiveness and contribute to the improvement of risk management processes", and also "must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement."

    Nowhere does it say we must "do audits". Certainly we should not be measured by the number of reports - any auditor can subdivide the work done into multiple reports in order to meet a quota. And since we are not permitted to intervene directly in changing processes, our contribution is achieved by communicating our findings and recommendations to line managers, and to the board via the audit committee.

  1. Hi Norman

    I strongly agree with your points. I have been proposing that in their Charters internal audit activities, according to the definition, would define their services as assurance and consulting, which are implemented by tools, for example audits among other tools. Charters should also contain a mandate or responsibility to provide an opinion until standards explicitly demand this.

  1. I agree that our profession has moved from simply issuing audit reports to providing broad assurance to both management and the board audit committee. And as the expectations of the services we provide rise in the eyes of our key stakeholders, so must the quality of the professionals who provide these services. As such, we’re witnessing a shift in the spectrum of the metrics used to measure provided services from quantitative to qualitative. For example, the number of reports to most C-suite executives is less important than whether or not the coverage is aligned with organizational goals and strategy; audited areas are identified using a risk-based methodology aligned with their risk tolerance and implemented to fully utilize provided resources; work is aligned with the external auditor’s annual plan to minimize duplication of efforts; effective solutions are agreed to and monitored through remediation; etc.

  1. Definitely agree Norman. The number of audit reports issued has very little to do with assurance provided, and is a metric that can be manipulated. Assurance discussions with Audit Committees should focus on the risks facing the company (preferably in the same language and framework management uses for ERM), and what IA's plan is to provide assurance that those risks are being managed appropriately. An audit department should be measured against its execution of the plan.

  1. Norman, I totally agree with you and especially with Brian. The number of audit reports issued is a weak metric to communicate assurance to the respective stakeholders. In the light of providing assurance which also should add value to the stakeholders, an opinion based on the audit work would be extremely helpful and would also highlight the role of IA as a trusted business advisor.

  1. I also endorse Tim Leech's comments to the effect the Internal Audit is only one source of assurance to the board. The importance of internal audit though is that while the volume of assurance that the board should expect from executive management will far outweigh the scope, volume and coverage of internal audit's assurances, the assurance from IA is independent and objective, and therefore gives credibility (where due) to the wider assurances received from management. This helps to address the concern about giving an overall opinion on a relatively small risk based sample of assurance projects; if you can consistently demonstrate that management's assurances are fair, open, transparent etc based on your audit work, the board are in a better position to place reliance on the remainder of management's assurances where you have not done any recent work. There are still risks involved, and in some cases we, management, or the board may get it wrong, but that is why we are counted as professionals and seek to take balanced judgements (it helps if we highlight the extent to which our opinion is directly based on evidence versus based on the absence of any strong counter-evidence!).
