I want to take two views in answering this question — the first is from day-to-day living, and the second is from The IIA's International Standards for the Professional Practice of Internal Auditing (Standards).
What do we mean when we say that we are going to assure somebody, or give somebody assurance? A quick look at the dictionary gives us multiple definitions, including to:
- Declare earnestly to; inform or tell positively; state with confidence to: She assured us that everything would turn out all right.
- Cause to know surely; reassure: He assured himself that no one was left on the bus.
- Give confidence to; encourage.
I am reminded of a child having a nightmare, with the devoted parent trying to provide assurance that everything is all right, and there is no need to be scared. How does the parent do that?
He or she tells the child that the experience was just a nightmare and that no danger exists. There are no monsters in the room.
The parent is giving not only information, but an assessment or opinion that the child can rely on.
Turn now to the role of the internal auditor. Internal audit functions are expected (in the Standards) to provide "assurance." I have always defined my role as CAE as being responsible for helping the board and executive management team "sleep through the storm." I provide them "peace of mind": assurance that the systems for managing risks, including the system of internal controls, are sufficient to the task.
The definition in the Standards of an internal audit activity is:
"A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes."
But what is assurance? The Standards provide a definition for assurance services:
"An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements."
Drawing from this, assurance translates to "providing an independent assessment" based on evaluating the "effectiveness of governance, risk management, and control processes." Is this the same as providing an opinion on the adequacy of governance, risk management, and control processes?
For an article in the February 2010 issue of Internal Auditor, Mervyn King (the chair of the team that developed South Africa's King Report for corporate governance, which requires a formal assessment of risk management and control processes) said, "Opinion has connotations in the legal and accounting worlds, and I didn't want to start a whole debate about opinions."
So what does this all mean? I believe that an internal audit department provides assurance on governance, risk management, and related internal controls when it:
- Assesses the adequacy of design and operating effectiveness of those processes (using a risk-based approach).
- Communicates the results of that assessment in a way that provides assurance to stakeholders on the board and in management that the processes are effective and sufficient (or not).
- Provides a holistic view of the adequacy of those processes across the organization, not just in relation to the scope of individual audits.
Whether you call it a formal assessment or opinion, the CAE has to answer the question: "Are my processes adequate?" Unless you do that, how do you expect the executive manager — or child — to sleep through the storm?
Do you agree?