New Assurance Challenges Facing Chief Audit Executives

by Simon D'Arcy

Executive Summary

  • Internal audit’s raison d’être is to provide assurance on the effectiveness of the management and control of significant risks.

  • Assurance can only ever be reasonable but not absolute—continuing corporate failure due to inadequate risk management and control challenges the value of such reasonable assurance.

  • Chief audit executives can use objective criteria to demonstrate the integrity of their reasonable assurance propositions.

  • Objective criteria include completeness, frequency, future orientation, explicitness, objectivity, and subject matter knowledge.

  • A key challenge for CAEs is that of a shift of mindset away from just doing audits, to auditing actually providing assurance of demonstrable integrity.


Looking back over the last 15 to 20 years, it does seem that at one time the biggest challenge facing the profession of internal auditing was whether the unique scope and contribution of internal audit was clearly defined, understood, or indeed actually needed. Much of the thought leadership around internal auditing in recent years has focused on this challenge. Two publications by PricewaterhouseCoopers in 2007,[1] and a heads of internal audit summit “The Future of Internal Auditing Starts Here” in May 2008[2] jointly facilitated by the Institute of Internal Auditors and Deloitte, have all concluded that internal audit’s primary role is clearly to provide assurance on the effectiveness of risk management. In fact, in many organizations internal audit already clearly does this, as demonstrated in Protiviti’s June 2007 publication Internal Auditing Around the World.[3] It is clear—and has been since Turnbull (1999),[4] if not before—that boards have a duty to get themselves assured on the effectiveness of their systems of internal control. There is no doubt that chief audit executives see that their raison d’être is to provide such assurance, and many will claim, with some justification, that they have provided and will continue to provide this assurance. Therefore, on the face of it, CAEs have responded to their most fundamental challenge.

The Problem with Assurance

If Turnbull (1999) marks the turning point in corporate governance, it has nevertheless not marked a turning point in the steady stream of corporate failures and disasters, which are often due to ineffective risk management and control. The role of internal audit in these scenarios has been, if not quite exonerated, then at least found not liable, by virtue of one of the basic precepts of internal audit assurance—that it can only ever be reasonable and not absolute.

However, with the market turmoil of 2007 and 2008, the steady stream of failures has become a torrent of biblical proportions—initially, at the time of writing (September 2008), sweeping away the foundations of some major global financial institutions and likely to spread to other sectors as systemic market and recessionary risks crystallize. Accompanying the unfolding disasters is a damning commentary from governments and media on the hopelessly inadequate risk assessment and management capability of those corporates. The spotlight has been on the managers of risk and the attitude of senior executives to the assessment and management of risk. However, it will not be long before the spotlight moves toward the assurers of the effectiveness of risk management, and whether those assurers were in any way culpable. Rightly or wrongly, many will assume that reasonable assurance from internal audit should have identified and reported on the inadequacies of the risk management process, or at least been capable of doing so.

There is now a new challenge facing CAEs—that they are able to demonstrate that their assurance propositions have integrity and can withstand scrutiny against some key criteria. Internal audit assurance involves judgment, and there is an inherent imperfection in a process that relies on judgment. However, there is a difference between an omission or oversight based on accepted fallibility, and one where the scope of assurance was too narrow, where assurance conclusions lacked clarity, or were delivered too infrequently, or where work undertaken lacked sufficient knowledge or objectivity. Assurance delivered on the basis of a flawed proposition is indeed unreasonable assurance.

Therefore, in rising to meet that challenge, CAEs have been aspiring to create assurance propositions that are:

  • Complete: They cover all significant risks.

  • Frequent: They provide assurance with sufficient frequency.

  • Explicit: They give assurance outcomes that are clear and unambiguous.

  • Future-oriented: They offer assurance that controls will continue to be effective in the future, not just that they have been effective in the past.

  • Objective: They provide objective assurance based on sound knowledge.


Further reading




  • Turnbull, N. “Internal control: Guidance for directors on the Combined Code.” The Institute of Chartered Accountants in England and Wales, September 1999.
