Assurance - are you sure?
If this question sounds familiar, you won’t be alone. The question of assurance – its definition, articulation, application – has been common to the profession for as long as we’ve used the term. Is now the time to revisit the concept and possibly refine it?
First, let’s look at what the International Standards, our north star, say about assurance. The definition itself of internal auditing is “an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations”.
Later, we read that “assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters.”
Finally, the definition of “assurance services” is “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organisation. Examples may include financial, performance, compliance, system security and due diligence engagements.”
And yet – the term “assurance” itself isn’t defined in the Standards. The new Three Lines Model states that assurance is “independent confirmation and confidence,” with the Chartered Institute developing the point further: “The assurance part of our work involves telling managers and governors how well the systems and processes designed to keep the organisation on track are working.”
If we go back to basics, the Oxford Dictionary’s primary definition of assurance is “a positive declaration intended to give confidence; a promise”. How many of us would be willing to give our audit clients “a positive declaration”, knowing they may interpret it as approval? Is it any different for the term “assurance” itself?
As Liz Sandwith, Chief Professional Practices Advisor for the Institute says, “Internal audit has a great track record of adding value to the organisations it serves, but the use of the word ‘assurance’ to describe the purpose of internal audit can be highly problematic.”
If we as internal auditors commit to clear, transparent communications throughout our engagements, we must be alert to any chance of misunderstanding. In using certain terms – assurance, adequate, effective – are we speaking as if to other internal auditors, rather than to the wider organisation we serve?
After all, “assurance” in the eyes of some could well mean complete comfort on a process or subject. If so, this could unwittingly create gaps in understanding and expectations. Not only could this damage internal audit’s reputation as a trusted advisor; it could also undermine the “no-surprises” principle, damage relationships and ultimately prevent senior managers from improving controls.
This is one reason why our scope documents and terms of reference frame the work we will do and the nature of the opinion we will provide. However, as not all executives and other readers may see these documents, we should remind them what “assurance” actually represents. Whether working in a global function or a one- or two-person “audit shop”, our awareness of our clients and readers must always be at the forefront of communication.
Internal audit is not the only profession mindful of how its approach affects its reputation. External audit too faces reputational difficulties, in spite of efforts to influence the legislative and regulatory framework within which it operates. Given that internal audit typically has a broader remit than external audit, could “assurance” become a trap internal audit has created for itself?
This discussion is far from being a new one. Before Audit & Risk magazine, there was Internal Audit & Business Risk. In the June 2007 issue, Neil Baker’s article “A question of give and take” stated that “Assurance is a key word of internal auditors, but its meaning is less than clear”. Less than a year later, Maria Craig’s “Assurance puzzles?” (Internal Auditing, May 2008) addressed the potential for conflict between risk acceptance and audit opinions – in other words, assurance.
The Chartered Institute itself held a series of HIA events in 2008 to debate the definition and use of the term “assurance”. As the resulting briefing stated, “Corporate governance reforms and regulatory changes have, in recent years, put a growing emphasis on the word ‘assurance’. Moreover, boards of directors, and audit committees especially, have a growing appetite for assurance – even if they are not entirely clear what the word means – and increasingly expect their internal audit functions to provide it.”
Thirteen years later, internal audit faces the same expectations to provide assurance – whatever it means. Contributors to the HIA events in 2008 pointed out that accountancy and external audit have their own understanding of the term, which risks further confusing matters.
All of this assumes that internal audit actually provides assurance – something several 2008 contributors disputed. Opinions, conclusions and findings were some of the other terms proffered – could we say they are more generic and therefore more neutral than “assurance”? One CAE who participated in the events said, “The opinion is the vehicle that provides assurance, or not”.
Could this bring us back full circle, to the Chartered Institute’s statement on its website? If indeed assurance means “telling managers and governors how well the systems and processes designed to keep the organisation on track are working”, then perhaps we as internal auditors should revisit the terminology we use.
Arguably we could conclude that the outcome of an internal audit “assessment” is the provision of “assurance”. This could mark a welcome return to the traditions of the profession. While looking back to the traditions, though, we must also look forward. Next steps for internal audit activities could include explaining what they mean by their terminology – including “assurance”. How well do internal audit charters, or audit and assurance policies, communicate these crucial points to clients, audit committees and others? Without clear definitions and communication, we cannot help the organisations we serve improve, let alone thrive.