What Is Assurance? Does Your Department Provide It?

I want to take two views in answering this question — the first is from day-to-day living, and the second is from The IIA's International Standards for the Professional Practice of Internal Auditing (Standards).

What do we mean when we say that we are going to assure somebody, or give somebody assurance? A quick look at the dictionary gives us multiple definitions, including to:

  • Declare earnestly to; inform or tell positively; state with confidence to: She assured us that everything would turn out all right.
  • Cause to know surely; reassure: He assured himself that no one was left on the bus.
  • Give confidence to; encourage.

I am reminded of a child having a nightmare, with the devoted parent trying to provide assurance that everything is all right, and there is no need to be scared. How does the parent do that?

He or she tells the child that the experience was just a nightmare and that no danger exists. There are no monsters in the room.

The parent is giving not only information, but an assessment or opinion that the child can rely on.

Turn now to the role of the internal auditor. Internal audit functions are expected (in the Standards) to provide “assurance.” I have always defined my role as CAE as being responsible for helping the board and executive management team “sleep through the storm.” I provide them “peace of mind”: assurance that the systems for managing risks, including the system of internal controls, are sufficient to the task.

The definition in the Standards of an internal audit activity is:

“A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.”

But, what is assurance? The Standards provide a definition for assurance services:

“An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.”

Drawing from this, assurance translates to “providing an independent assessment” based on evaluating the “effectiveness of governance, risk management, and control processes.” Is this the same as providing an opinion on the adequacy of governance, risk management, and control processes?

For an article in the February 2010 issue of Internal Auditor, Mervyn King (the chair of the team that developed South Africa’s King Report for corporate governance, which requires a formal assessment of risk management and control processes) said, “Opinion has connotations in the legal and accounting worlds, and I didn’t want to start a whole debate about opinions.”

So what does this all mean? I believe that an internal audit department provides assurance on governance, risk management, and related internal controls when it:

  1. Assesses the adequacy of design and operating effectiveness of those processes (using a risk-based approach).
  2. Communicates the results of that assessment in a way that provides assurance to stakeholders on the board and in management that the processes are effective and sufficient (or not).
  3. Provides a holistic view of the adequacy of those processes across the organization, not just in relation to the scope of individual audits.

Whether you call it a formal assessment or opinion, the CAE has to answer the question: “are my processes adequate.” Unless you do that, how do you expect the executive manager — or child — to sleep through the storm?

Do you agree?

Posted on Mar 1, 2010 by Norman Marks


Norman:

What you have is good. If you want to take it up several notches (which will then allow internal audit to report against this at the end of the year), then use the new HB 158 for ISO 31000. I will quote from it:

An internal audit department will provide assurance that

  • the risk management process has been applied appropriately and that all elements of the process are suitable and sufficient
  • the risk management process is in keeping with the strategic needs and intent of the organization
  • all material risks have been identified and are being controlled
  • all prioritized intolerable risks have cost-effective treatment plans in place
  • controls are being correctly designed in keeping with the outputs of the risk management process
  • critical controls are adequate and effective
  • risks are not over-controlled
  • line management review and other non-audit assurance activities are effective at maintaining and improving controls
  • risk treatment plans are being executed
  • there is appropriate and as-reported progress in the risk management plan

Taking one line from ISO 31000, “all material risks have been identified and are being controlled,” I have an interest in understanding whether internal audit teams ever recognise, study or assess the risks of the organization being penalized for non-compliance in its software licensing.

Colin, software license non-compliance is something my team has covered in the past at different companies where I was CAE.

Yes, my team has covered, during the past year across two of our entities, the risk of the organization being penalized for non-compliance with software licensing terms.

How does one then give assurance that governance is “adequate”? Is it a question of compliance with codes like King III, or can an organisation settle for less and still have “adequate” governance?

Good question, Phyllis. I believe the standard is the same for assessing governance as it is for any other area. Do the processes and controls provide a reasonable level of assurance that the objectives will be achieved? I would certainly refer to governance frameworks and “best practices,” but I would use judgement in consultation with the board and management to determine whether practices in place were sufficient.

Colin, the answer to your question is “that depends.” If it could impede a company from accomplishing its business objectives, then during the normal course of a risk assessment, the internal auditors (or whoever is tasked with performing the assessment) should identify the respective events that would create this risk (e.g., penalization for non-compliance). The internal auditors should provide assurance coverage over this risk in their annual audit plan.

Assurance means to assure the stakeholders, so they understand that the business process is being run following the internal control of the respective organization; it is an assessment, not a hypothetical or test-based opinion like a mere audit.

Hi Norman, my opinion on providing assurance at each engagement level is to state clearly in the conclusion paragraph whether the auditee function or department has adequate governance, risk management and control processes to meet its mission and goals. Unless such a clear conclusion or opinion is presented in the audit reports, we may not be providing assurance to the C-suite or board.

Do you think a special report (not an audit report) should be written to the board on assurance (for example, whether assurance is positive or negative, or some ratings)?
