Internal auditing assures an audit committee

Internal audit exists to assure stakeholder representatives that management is behaving itself. Anything else is an optional extra.

Auditors Version .1 Beta

The audit committee, specifically

Audit committees are not employees and not part of management. To employees and management, audit committees represent the stakeholders to which the organisation has obligations. Some members of an audit committee may be executives from the management structure. That is awkward, but it does not invalidate the premise that audit committees are above management. Nor does it create a real-world problem that, in some government organisations, the audit committee is appointed by the CEO.

What the committee is assured

Independent assurance means evidence-based verification of positive statements that management makes to stakeholders [1]. In practice, most of those management statements are implied rather than declared explicitly. Implied positive statements from management to stakeholders typically include these.

  1. The financial, compliance and performance reports we submit are accurate and can be taken on face value.
  2. We are faithfully carrying out the mission given to us. We are using the organisation’s resources to achieve its mission as efficiently as reasonably possible, all things considered. We do not divert or waste resources.
  3. The organisation does not carry out illegal or unauthorised activities. We prevent and deter improper activities that might be rewarding to individual managers or employees.
  4. The organisation takes risks in accordance with stakeholder expectations. Risk treatments align with conventional and expected practices, unless there is a valid reason to do something else. Exceptions and grey areas are reported promptly and honestly.
  5. The enterprise takes appropriate opportunities to exceed expectations when it may be possible, and when the offsetting risks are acceptable. [2]

The audit committee must obtain satisfaction that such statements are true, whether the statements are made out loud, or implied by silence and budget requests. It is not defensible for an audit committee to simply have faith in management, based on trust or personal relationships. There must be an objective basis for believing such statements.

Internal audit assures

That’s where internal audit comes in. Internal audit exists to create an evidence-based reason to believe what management is saying. The evidence-based reason is then shareable with the audit committee, then the board, and all of the actual stakeholders.

The audit committee is the client for internal audit. Managers of activities being audited, even senior executives, are not. Managers and executives deserve a lot of consideration. But auditee managers are not, and can never be, ‘the client’ for audit assurance. Internal audit works for the audit committee. It is not part of, and does not work for, organisation management. Managers should create the basis for their own confidence in their own activities, without relying on auditors.

The internal audit function can serve clients other than the audit committee, and purposes other than assurance—with a lot of ifs, buts, and independence rules. But the audit function only exists to provide independent assurance to external stakeholders, through the audit committee. Don’t be confused by the industrial noise about ‘adding value’, consulting, ‘managing risk’, or providing strategic advice.

Those extras have elements of legitimacy, but they are just that—extras.

Assurance is the primary output of an audit. That is obvious in the case of an external audit on a company financial statement. The report is the attestation, which gives assurance on the statement. The attestation is brief, but it does all the work.

Assurance statements are often hard to find in internal audit reports, but they should not be. They should be the most prominent part of the text. The Clear Lines feel that both auditors and their clients should spend a lot more time on those assurance statements. Managers should also be encouraged to understand audit assurance and its limitations.

The value and success of an audit should be understood first by whether it achieved its assurance purpose for stakeholder representatives. That is the cake. The rest is icing.

Next thought

I said that auditors, clients, and management should spend more time on assurance. To help that happen, everyone could spend less time arguing about recommendations, or even about ‘findings’. That saving of time looks more realistic when we all understand that assurance is primary, and that recommendations, and even findings, are secondary.

1. By ‘stakeholders’ we mean the groups who are not the enterprise, but whose interests are affected by it. For a profit-making enterprise, primary ‘stakeholders’ include owners or investors. For a non-profit, donors and volunteers are ‘stakeholders’, and for a government agency, think of taxpayers, voters, and agency clients. There are other stakeholders in each case. Employees and regulators are also usually counted as stakeholders.

2. Items 4 through 6 in this list might seem a little adventurous for audit assurance. There is an ideological message. Items 1 through 6 represent a fair ambit claim for internal audit, drawing on the broad risk and audit views of the Clear Lines, which substantially align with those of Norman Marks, among other authorities. If you are surprised by the last few list items, the central argument comes down to these two points:

  1. Risk management is about achieving sufficient confidence in activity outcomes, despite the inevitability of uncertainty.
  2. Audits, particularly internal audits, are about demonstrating an objective basis for that confidence.

The broad view of risk management aligns with the ISO 31000 definition of ‘risk’ as the effect of uncertainty on objectives (with a customary Clear Lines emphasis). Assurances about risk might go to the risk committee rather than the audit committee, if they are separate.