Diligent One Platform World tour ad April 2024

Forgotten password?

Assurance Definitions

The start of a new year can be a time to think about annual internal audit opinions and year-end statements on the control environment. Internal auditors provide assurance opinions throughout the year at the end of each engagement too. Assurance can be specific to an individual process or risk but also overarching; a consolidated view across a period of time or area of operation.

But what does assurance mean?

Does satisfactory or reasonable mean the same thing to two different people?

Assurance is obvious to an internal auditor. It is an objective examination of evidence for the purpose of providing an independent assessment – according to the IPPF glossary definition of assurance services.

But it’s not straightforward for our colleagues, audit clients and board/audit committee members.

Currently there is no set terminology. Every chief audit executive is free to define the criteria and language for their audit opinion. This makes it difficult for independent board members (trustees, non-executive directors) to compare different organisations; particularly relevant within the public sector where members sit across multiple boards.

Three top tips

Communicate assurance definitions.

Agree or refresh with the board as part of the annual planning process. Definitions should always be agreed and communicated before audit engagements (advisory and assurance) are started.

Be consistent.

Create a clear link, using consistent criteria between the assessment of activity-based opinions (audit engagements) and the annual opinion. For example, it is confusing to switch from colours to words.

Be relevant

Type of Opinion	Guidance for when opinion may be provided
Substantial Assurance	The control environment is sound and operating effectively to mitigate key risks, which is contributing to the achievement of business objectives. No individual audit engagement classed as limited or no assurance Occasional medium risk rated weaknesses identified in individual audit engagements although mainly only low/efficiency weaknesses
Reasonable Assurance	The control environment is adequate and controls to mitigate key risks are generally operating effectively, although a number of controls need to improve to ensure business objectives are met. Medium risk rated weaknesses identified in individual audit engagements Isolated high risk rated weaknesses identified for isolated issues No critical risk rated weaknesses were identified Internal audit is broadly satisfied with management’s approach to resolving identified issues
Limited Assurance	The control environment is not operating effectively to mitigate key risks. Several key controls are absent or are not being applied to meet business objectives. Significant number of medium and/or critical risk rated weaknesses identified in individual audit engagements Isolated critical and/or high risk rated weaknesses identified that are not systemic Internal audit has concerns about managements approach to resolving identified issues
No Assurance	A control environment is not in place to mitigate key risks. The organisation is exposed to abuse, significant error or loss and/or misappropriation. Objectives are unlikely to be met. Serious systemic control weaknesses identified through aggregation of individual audit engagements Significant number of critical and/or high risk rated weaknesses identified for isolated issues Internal audit has serious concerns about managements approach to resolving identified issues
No Opinion	Insufficient internal audit work has been undertaken during the period to substantiate an independent opinion, and internal audit is unable to place reliance on the work of 1^st or 2^nd lines. The rationale for this will be fully explained in the report
NOTE:	Results and observations of internal audit advisory/consultancy work form an important part of the opinion. Where they have material weighting this will be fully explained in the report Internal audit may downgrade an opinion based on the work of internal audit where it is aware of material findings by another trusted assurance party. This will be fully explained in the report Circumstances may arise where internal audit is aware of specific issues within the control environment that negate the use of this framework. The rationale for such deviation will be fully explained in the report

Depending on the maturity of your audience, assurance may need to be broken down into control design and control effectiveness. It could also be an overarching opinion or specific to elements such as governance, risk, internal control, financial control, non-financial control, innovation etc.

Here are a couple of examples of how assurance can be defined.

Positive Opinion	Level of Assurance	Adequacy of Control and Design	Effectiveness of Operating Control
	Full Assurance	The controls fully mitigate the specific risks.	The controls are operating effectively.
	Substantial Assurance	In the main, the controls mitigate the risks, but not fully.	Partial effective operation exists over key controls to a material level.
	Adequate Assurance	Some key controls do not fully mitigate the specific risk.	Some key controls are not operating effectively, and/or controls are not adequately documented. Or systemic lapse of minor controls.
Negative Opinion	Limited Assurance	Many of the deemed key controls are not adequately mitigating the risks in the majority of instances.	The operational effectiveness of the control is poor.
Negative Opinion	No Assurance	No controls are in place.	Controls are ineffective or it is not possible to assess their effectiveness.

Take a moment to think about the assurance definitions you use:

Are they clear and unambiguous?
Is the terminology consistent?
Do you repeatedly communicate the definitions or assume people remember?

A new year. A new beginning.

If your assurance definitions need a tweak, now is the time to do it.

Members can access more guidance on the audit opinion here.

Content reviewed: 11 April 2023