Assurance Services

2.1 Assurance Services

Assurance services are evaluations conducted by internal auditors to help organizations establish trust and confidence in their governance, risk management, and control processes. These services offer valuable insights for organizations to improve and maintain their operations, promoting stability and sustainability.

Purpose

The main goal is to strengthen the organization’s ability to create and maintain value by ensuring efficient operations, compliance with laws, effective risk management, and proper asset safeguarding.

Key Participants
  • Process owner: Responsible for the activity being assessed.

  • Internal auditor: Performs the assessment and provides the evaluation.

  • User: Uses the results of the assessment for decision-making.

Scope of Assurance Services

Assurance services cover:

  • Operational efficiency

  • Reliability of reporting

  • Compliance

  • Safeguarding assets

  • Ethical culture

The scope is determined by the internal auditors.

Evaluation

Internal auditors evaluate conditions against established criteria to decide whether to report significant issues and conclude on the effectiveness of processes.

Assurance Engagements

Unlike external audits focused on financial statements, internal audit assurance engagements cover a wide range of subjects. The extent of possible assurance engagements is indicated by the three organizational processes in the definition of assurance:

  • Governance:

    “[T]he combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”

  • Risk management:

    “[A] process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.”

  • Control processes:

    “[T]he policies, procedures, and activities designed and operated to manage risks to be within the level of an organization’s risk tolerance.”

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as follows:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance (not absolute assurance) regarding the achievement of objectives relating to operations, reporting, and compliance.

These objectives correspond to the principal types of assurance engagements:

  1. Operational

  2. Reporting

  3. Compliance

  • Operations objectives: Relate to the effectiveness and efficiency of operations, including operational and financial performance goals and safeguarding assets against loss.

  • Reporting objectives: Relate to internal and external financial and nonfinancial reporting, including the reliability, timeliness, and transparency of such reporting.

  • Compliance objectives: Relate to adherence to laws, regulations, contracts, policies, procedures, and other requirements.

An assurance engagement reviews internal control components in the COSO framework:

  • The control environment,

  • Risk assessment,

  • Control activities,

  • Information and communication, and

  • Monitoring.

Relationship with External Auditors

External auditors are responsible for the financial audit of the organization’s financial statements. Internal auditors focus on the effectiveness of internal controls over financial reporting, providing external auditors with confidence to place some reliance on internal controls and the work performed by the internal auditors.

Internal auditors may also review elements of the financial statements, internal reports such as monthly management reporting, internal scorecards, and key performance indicators (KPIs).

Three Types of Assurance Services
  • Compliance assurance: Reviews controls to ensure adherence to:

    1. Relevant laws and regulations,

    2. Contractual arrangements,

    3. Internal policies that support compliance, and

    4. Other organizational objectives.

    An example is auditing the process and sign-off of an annual requirement for employees to review and agree to the corporate code of ethics.

  • Operational assurance: Reviews a function or process to appraise the efficiency and effectiveness of operations and whether those functions achieve their objectives. The scope includes:

    1. Product quality,

    2. Customer service,

    3. Revenue maximization,

    4. Expense minimization,

    5. Fraud prevention,

    6. Asset safeguarding,

    7. Corporate social responsibility and citizenship,

    8. Streamlined workflows,

    9. Safety, and

    10. Staffing.

  • IT assurance: Reviews and tests:

    1. Computers,

    2. Technology infrastructure,

    3. IT governance,

    4. Mobile devices, and

    5. Cloud computing.

    The purpose is to assure the integrity of information. IT auditing is increasingly being integrated into all audits.

2.2 Risk and Control Self-Assessment

A control self-assessment (CSA) is a process that helps organizations evaluate their own risk management and control systems. It empowers employees to engage in monitoring and improving systems, leading to a more resilient and effective operational environment.

Purpose

CSA aims to improve internal controls and risk awareness by getting input from employees and managers directly involved in different processes. It recognizes that effective control is a shared responsibility.

Involvement

Employees at all levels participate in assessing risks and controls related to their specific functions.

Role of Internal Auditors

Internal auditors support and facilitate the CSA process by helping design and implement assessments, training staff, and verifying outcomes.

Methods

CSA can be conducted through workshops, surveys, or self-certification processes.

Benefits

Primary benefits include heightened awareness of risks, improved effectiveness of controls, and greater accountability among team members.

How Internal Auditors Use CSA

A CSA program assists management in fulfilling its responsibilities to establish and maintain risk management and control processes and evaluates the adequacy of that system.

Internal audit and the business units and functions collaborate to produce better information about the working status of control processes and the significance of any residual risks.

Internal audit’s investment in CSA programs may be significant:

  • Sponsor, design, implement, and own the process

  • Conduct the training

  • Supply the facilitators, scribes, and reporters

  • Coordinate the participation of management and work teams

As the level of involvement in the CSA program and individual workshop deliberations increases, the chief audit executive (CAE):

  • Monitors the objectivity of the internal audit staff,

  • Manages that objectivity (if necessary), and

  • Increases internal audit testing to ensure that bias or partiality does not affect the final judgments of the staff.

The internal audit function often finds that it may reduce the effort spent in gathering information about controls and eliminate some testing because a CSA program may:

  • Increase the coverage of assessments of control processes across the organization.

  • Improve the quality of corrective actions made by the process owners.

  • Focus the auditors’ work on reviewing high-risk processes and unusual situations.

Internal audit then:

  • Validates the assessments produced by the CSA process.

  • Synthesizes the information gathered from the components of the organization.

  • Expresses its overall judgment about the effectiveness of controls to senior management and the board.

Outcomes, Benefits, and Limitations

Business unit personnel must manage risks to improve the probabilities of achieving objectives.

Informal, soft controls are more easily identified and evaluated. Personnel are motivated to take ownership of the control processes in their units, and corrective actions taken by the work teams are often more effective and timely.

The entire objectives-risks-controls infrastructure of an organization is subject to greater monitoring and continuous improvement.

Internal auditors become involved in and knowledgeable about the self-assessment process by serving as facilitators, scribes, and reporters for the work teams and as trainers in risk and control concepts supporting the CSA program.

The internal audit function acquires more information about the control processes within the organization and can leverage that additional information in allocating its scarce resources.

Management’s responsibility for the risk management and control processes of the organization is reinforced, and managers are less tempted to delegate those activities to specialists.

The primary role of the internal audit function will continue to include validation of the evaluation process by the performance of tests and the expression of professional judgment about the adequacy and effectiveness of the risk management and control system.

The internal auditor may not effectively use the selected CSA approach(es), or the persons performing the self-assessment may not be skilled in risk management and control.

Responsibilities

Senior management should oversee the establishment, administration, and evaluation of the processes of risk management and control. Operating managers’ responsibilities include assessment of the risks and controls in their units.

Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes of the organization.

Three CSA Approaches

The three primary approaches of CSA programs are

  1. Workshop-facilitation,

  2. Survey (questionnaire),

  3. Self-certification.

Organizations often combine approaches.

The CSA process should be customized to fit the unique characteristics of each organization.

The variety of approaches used for CSA processes in organizations reflects the differences in industry, geography, structure, organizational culture, degree of employee empowerment, dominant management style, and the manner of formulating strategies and policies.

A CSA approach needs to be dynamic and change with the continual development of the organization.

Workshop-Facilitation Approach

CSA typically employs a workshop-facilitation approach to self-assessment that is structured, documented, and repetitive.

The process, or steps, for such an approach includes:

  • Front-end planning and preliminary audit work.

  • An in-person meeting, typically involving a facilitation seating arrangement (U-shaped table) and a meeting facilitator. A scribe also may be present to make an online transcription of the session, and electronic voting technology may be used to enable participant anonymity.

    The participants are process owners, i.e., management and staff who:

    • Are involved with the particular issues under examination,

    • Know them best, and

    • Are critical to the implementation of appropriate process controls.

  • A structured agenda used by the facilitator to lead the group through an examination of the process’s risks and controls. Frequently, the agenda is based on a well-defined framework or model so that participants can address all necessary issues. A model may focus on controls, risks, or a framework developed for that project.

  • Reporting and the development of action plans.

Four Possible Formats
  1. The objective-based format

    Focuses on the best way to accomplish a business objective. The workshop begins by identifying the controls currently in place to support the objective and then determines the residual risks remaining. The aim of the workshop is to decide whether the control procedures are working effectively and are resulting in residual risks within an acceptable level.

  2. The risk-based format

    Focuses on the risks to achieving an objective. The workshop begins by listing all possible barriers, obstacles, threats, and exposures that might prevent achieving an objective and then examines the control procedures to determine whether they are sufficient to manage the key risks. The workshop’s aim is to determine significant residual risks. This format takes the work team through the entire objective-risks-controls process.

  3. The control-based format

    Focuses on how well the controls in place are working. This format is different from the objective-based and risk-based formats because the facilitator identifies the key risks and controls before the beginning of the workshop. During the workshop, the work team assesses how well the controls mitigate risks and promote the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between how controls are working and how well management expects those controls to work.

  4. The process-based format

    Focuses on selected activities of a chain of processes. The processes are usually a series of related activities performed from a beginning point to an end, such as the steps in purchasing, product development, or revenue generation. This type of workshop usually covers the identification of the objectives of the whole process and the various intermediate steps. The workshop’s aim is to evaluate, update, validate, improve, and even streamline the whole process and its component activities. This workshop format may have a greater breadth of analysis than a control-based approach. It covers multiple objectives within the process and supports concurrent management efforts, such as reengineering, quality improvement, and continuous improvement initiatives.

Survey Approach

The survey form of CSA uses a questionnaire that tends to ask mostly simple “yes or no” or “have or have not” questions that are carefully written to be understood by the target recipients.

Surveys often are used if the desired respondents are too numerous or widely dispersed to participate in a workshop.

They are preferred if the culture in the organization may limit open, candid discussions in workshop settings or if management desires to minimize the time spent and costs incurred in gathering the information.

Self-Certification Approach

This form of self-assessment is based on a management-produced analysis of selected business processes, risk management activities, and control procedures. The analysis is often intended to reach an informed and timely judgment about specific characteristics of control procedures and is commonly prepared by a team in a staff or support role.

COSO Framework

All self-assessment programs assume that managers and members of the work teams understand risk and control concepts and use them in communications. They often use a control framework, such as the COSO (Committee of Sponsoring Organizations) internal control model.

In Summary

CSA includes self-assessment surveys and facilitated workshops. It is a useful and efficient approach for managers and internal auditors to collaborate in evaluating control procedures. In its purest form, CSA integrates business objectives and risks with control processes. CSA also is called control and risk self-assessment.

2.3 Audits of Third Parties and Contract Auditing

Internal auditors conduct audits of third parties and contracts to enhance risk management. These audits identify potential compliance issues, reputational risks, and operational inefficiencies related to external business relationships; verify that these partnerships provide more benefits than drawbacks; uncover missed revenue opportunities and cost-saving potential; and promote accountability by evaluating third-party performance.

External Business Relationships

Organizations have multiple external business relationships. Management’s responsibility is to ensure that the benefits of these relationships exceed their risks. Internal audit has a key role in assisting management and validating its efforts.

External business relationships (EBRs) may involve the following:

  • Service providers

  • Supply-side partners

  • Demand-side partners

  • Strategic alliances and joint ventures

  • Intellectual property (IP) partners

The benefits that EBR partners may provide include

  1. lower costs,

  2. better operational efficiency,

  3. special expertise,

  4. new technology,

  5. a known brand, and/or

  6. economies of scale.

The internal audit function helps management and the board identify, assess, and manage risks, including reputation and economic risks.

Significant EBR Risks
  • EBRs may not be identified and therefore may not be managed, assessed, or monitored.

  • EBRs may adversely affect the organization’s reputation by violating laws, committing fraud, or not complying with contracts.

  • EBRs may have inadequate insurance coverage.

  • Service levels or products may be unsatisfactory because of inadequate requirements detailed in the contract.

  • Conflicts of interest may occur when the work is affected by the EBRs’ contractual obligations to others.

  • Licensing of intellectual property may result in misuse, theft, or loss of revenue.

  • The organization may be overcharged for services.

  • An EBR partner may become insolvent.

  • The organization’s confidential information may be lost or at risk of being disclosed.

Auditing External Business Relationships

Before auditing an EBR, internal auditors need to understand critical elements of the relationship. This includes examining the initiation of the relationship and how it was defined and procured.

Additionally, internal auditors must identify the nature of how the EBR is managed and monitored.

The control environment, and in particular the independence and objectivity of management, is a key factor for the auditor’s consideration.

The internal auditor will also identify how an EBR may be terminated and whether the EBR grants a right to audit in the contract creating the relationship.

Internal audit procedures may include evaluating compliance with the contract to determine whether monetary and nonmonetary obligations are met.

Audit procedures may discover missed revenue or cost savings, improve reporting, or add value to the relationship through limiting fraud, increasing trust, fostering feedback, improving relationships and helping management improve internal and external controls.

The CAE decides whether to audit (1) each EBR separately, (2) only certain types of EBR, or (3) the total EBR process.

Cycle for an EBR Audit
  • Understanding the organization, its environment, its processes, and the nature of each EBR

  • Assessing risks and controls

  • Performing the audit

  • Reporting

  • Monitoring progress

Third-Party Audits

Engagements involving third parties may be necessary when vital controls affecting transactions exist outside the organization. One example is the outsourcing of the organization’s information processing function to an external service provider (ESP).

The added control risk can be mitigated by the issuance of control reports, such as System and Organization Controls (SOC) reports.

  • A service auditor of a service provider issues a SOC 1® report for a financial statements auditor of a client that uses the service provider.

  • A SOC 2® report is used by customers and business partners interested in the controls that a service provider (e.g., a cloud service) uses to provide services.

  • A SOC 3® report is a more generalized version of a SOC 2 report that is suitable for general use.

Reports must be reviewed for accuracy by the internal auditor. Moreover, the ESP’s external auditor should be evaluated for reliability and credibility to justify relying on the report.

Another typical third-party audit is the audit performed by a qualified registrar as part of the ISO 9000 certification process.

The internal auditors should coordinate their activities with those of the third-party auditor to share information and to prevent duplication of effort.

Contract Auditing

Internal auditors often perform engagements to monitor and evaluate significant construction contracts and operating contracts that involve the provision of goods or services.

The usual types of arrangements for such contracts are lump-sum (fixed-price), cost-plus, and unit-price. The auditor investigates whether the terms of the contract have been met by both parties.

Lump-Sum Contracts

Lump-sum contracts are used when the requirements are well-defined, uncertainties can be identified and costs estimated, and competition is adequate.

Cost-Plus Contracts

Cost-plus contracts are ways to cope with uncertainties about costs by setting a price equal to the cost plus a fixed amount or the cost plus a fixed percentage of cost. A problem is that the contractor may have little incentive for economy and efficiency, a reason for careful review by the internal auditors.

Unit-Price Contracts

Unit-price contracts often are used when a convenient measure of work is available, such as person-hours logged, acres of land cleared, cubic yards of earth moved, or square footage patrolled by a security service. The key issue is the accurate measurement of the work performed.

Engagement Timeline

To protect the organization, internal auditors should be involved throughout the contracting process, not merely in the performance phase. They should review the terms of the contract and the procedures for bidding, cost estimation and control, budgets and financial forecasts, the contractor’s information and control systems, the contractor’s financial position, funding and tax matters, and the progress of the project and costs incurred.

Source Code Escrow Clause

When reviewing a contract for the purchase of a business application system, the internal auditor should recommend that the contract contain a source code escrow clause.

It requires the application source code to be held in escrow by a trusted third party.

2.4 Quality Auditing

Quality auditing provides assurance that quality processes are operating to meet quality standards. Preventing defects is preferable to rejecting or reworking defective goods, hence the holistic approach.

Total quality management (TQM) encompasses all processes, from product design to materials acquisition and final inspection, and extends throughout the organization.

TQM can increase revenues and decrease costs significantly and cannot be easily duplicated by competitors.

Quality is best viewed from multiple perspectives, for example, attributes of the product, customer satisfaction, conformity with manufacturing specifications, and value.

TQM is the continuous pursuit of quality in every aspect of organizational activities through a philosophy of doing it right the first time, employee training and empowerment, promotion of teamwork, improvement of processes, and attention to satisfaction of internal and external customers.

This search for quality emphasizes the supplier’s relationship with the customer and identifies customer needs. It also recognizes that everyone in a process is at some time a customer or supplier of someone else, either within or outside the organization.

TQM begins with external customer requirements, identifies internal customer-supplier relationships and requirements, and establishes requirements for external suppliers.

Responsibility for quality resides with all staff within the organization and is not limited to personnel with explicit involvement in quality management.

The internal audit function performs procedures to provide assurance that the basic quality management objectives are reached: customer satisfaction, continuous improvement, and promotion of teamwork.

2.5 Security and Privacy Audits

Security Auditing

The internal audit function evaluates the adequacy and effectiveness of controls designed and implemented by management in all areas of security. Internal audit works closely with senior management and the board to assist in the performance of the governance function with respect to information security.

The CAE should be familiar with globally accepted control frameworks and consider those used by the organization. For each identified organizational objective, the CAE should develop and maintain a broad understanding of the control processes and their effectiveness.

The CAE may develop a risk and control matrix to document risks that may affect achievement of objectives, indicate the relative significance of risks, understand key controls in processes, and understand which controls have been reviewed for design adequacy and deemed to be operating as intended.
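The matrix described above can be kept as structured data rather than a spreadsheet, which lets the CAE query it for the things the text says it should show: each risk’s significance relative to its objective, which key controls cover it, and which controls have not yet been reviewed for design adequacy or tested as operating. The following is an added example, not code from the original page or from any framework; the 1–5 likelihood and impact scale, the “one effective key control lowers likelihood by one notch” residual rule, the high/medium/low thresholds, and the sample risks and controls are all constructed assumptions for illustration.

```python
"""Minimal risk and control matrix (RCM) with design/operating status tracking.

Added example; scoring rules and sample data are assumptions, not a standard."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    key: bool                               # key control for the process
    design_adequate: Optional[bool]         # None = design not yet reviewed
    operating_as_intended: Optional[bool]   # None = operation not yet tested


@dataclass(frozen=True)
class Risk:
    risk_id: str
    objective: str
    description: str
    likelihood: int                 # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                     # assumed scale: 1 (minor) .. 5 (severe)
    controls: Tuple[Control, ...]


def inherent_rating(risk: Risk) -> int:
    """Relative significance before considering controls."""
    return risk.likelihood * risk.impact


def is_effective(control: Control) -> bool:
    """A control only counts once its design was reviewed as adequate AND it was tested as operating."""
    return control.design_adequate is True and control.operating_as_intended is True


def residual_rating(risk: Risk) -> int:
    """Assumed rule: each effective key control lowers likelihood by one notch, never below 1."""
    reduction = sum(1 for c in risk.controls if c.key and is_effective(c))
    return max(1, risk.likelihood - reduction) * risk.impact


def significance(score: int) -> str:
    """Assumed banding of a 1..25 score."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def unreviewed_controls(matrix: List[Risk]) -> List[str]:
    """Controls the audit function has not finished reviewing (design or operation unknown)."""
    return [c.control_id for r in matrix for c in r.controls
            if c.design_adequate is None or c.operating_as_intended is None]


def high_residual_risks(matrix: List[Risk]) -> List[str]:
    """Risks whose evidenced controls still leave a high rating: candidates for added audit work."""
    return [r.risk_id for r in matrix if significance(residual_rating(r)) == "high"]


def summarize(matrix: List[Risk]) -> List[Tuple[str, str, int, int, str]]:
    """(risk id, objective, inherent, residual, band), most significant first."""
    ordered = sorted(matrix, key=residual_rating, reverse=True)
    return [(r.risk_id, r.objective, inherent_rating(r), residual_rating(r),
             significance(residual_rating(r))) for r in ordered]


# Constructed sample matrix: three objectives drawn from the themes on this page.
SAMPLE_MATRIX: List[Risk] = [
    Risk("R1", "Confidential customer data is not disclosed",
         "Unauthorized access to customer records", likelihood=4, impact=5, controls=(
             Control("C1", "Role-based access reviewed quarterly", True, True, True),
             Control("C2", "Multi-factor authentication for remote access", True, True, None),
         )),
    Risk("R2", "Outsourced processing meets contracted service levels",
         "Service provider control failures go undetected", likelihood=3, impact=4, controls=(
             Control("C3", "SOC 2 report obtained and reviewed annually", True, True, True),
         )),
    Risk("R3", "Employees acknowledge the code of ethics annually",
         "Staff do not complete the annual attestation", likelihood=2, impact=2, controls=(
             Control("C4", "HR reminder e-mails to non-responders", False, None, None),
         )),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_MATRIX):
        print(row)
    print("not yet reviewed:", unreviewed_controls(SAMPLE_MATRIX))
    print("still high residual:", high_residual_risks(SAMPLE_MATRIX))
```

Note that C2 does not reduce R1’s residual rating until it has actually been tested, which is exactly the distinction between “reviewed for design adequacy” and “deemed to be operating as intended” that the matrix is meant to make visible.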

The board must provide adequate governance and oversight and is ultimately accountable for identification of principal risks, implementation of controls, and management of privacy risk.

Privacy Auditing

Given the difficulty of the technical and legal issues, the internal audit function needs to ensure it has the knowledge and competence to assess the risks and controls of the privacy framework.

Personal information must be protected from unauthorized intrusion and misuse by those who have authorized access. Privacy is balanced with the need to allow appropriate and prompt availability of personal information to legitimate users.

Benefits of the security arrangements should exceed the costs.

Information reliability and integrity includes accuracy, completeness, and security.

The adequacy and effectiveness of controls to ensure information reliability and integrity is the responsibility of management.

The internal audit function provides assurance that management is appropriately discharging this responsibility.

Privacy

The definition of privacy can vary widely. It may simply be the protection of the collection, storage, processing, dissemination, and destruction of personal information. More fundamentally, it is a human right that those in power must protect.

The following are elements of privacy:

  • Personal privacy (physical and psychological)

  • Privacy of space (freedom from surveillance)

  • Privacy of communication (freedom from monitoring)

  • Privacy of information (collection, use, and disclosure of personal information by others)

The internal auditor may seek advice from legal counsel before beginning audit work if questions arise about access to personal information.

Ethical Requirements

Principle 5, Maintain Confidentiality, states that “internal auditors use and protect information appropriately.” They must respect the value and ownership of information by using it solely for professional purposes and safeguarding it against unauthorized access or disclosure, both within the organization and externally.

2.6 Performance Audits

Performance audits evaluate how effectively an organization measures and accomplishes its objectives. These audits are essential for ensuring the organization operates efficiently, stays on course to achieve its goals, and uses its resources effectively for sustainable success.

Internal auditors assess an organization’s ability to (1) measure its performance, (2) recognize deficiencies, (3) take corrective actions, and (4) achieve acceptable performance levels.

Effective management control requires (1) clear performance expectations, (2) measurement of actual performance against expectations, and (3) feedback if performance is unsatisfactory.

A performance audit may provide assurance about the organization’s progress in meeting key performance indicators (KPIs).

Performance audit engagements involve the review of (1) the organization, (2) the control environment, and (3) KPIs against established criteria. Methods include (1) balanced scorecards, (2) SWOT analysis, and (3) management control evaluation.

Balanced Scorecard

A balanced scorecard is a performance measurement tool that relates critical success factors determined in a strategic analysis with financial and nonfinancial measures.

Whether certain objectives are achieved at the expense of others also may be determined. For example, reduced spending on customer service may improve short-term financial results but cause a decline in customer satisfaction.

Management uses strategic analysis to identify relevant objectives for each perspective. Measures then are chosen to assess whether the objectives are achieved. If not, initiatives are undertaken to ensure that the targets for each measure are met.

  1. Financial measures are results provided to owners.

  2. Customer measures reflect customer needs and satisfaction.

  3. Internal measures of key processes drive the organization.

  4. Learning, growth, and innovation measures are the basis for future success (people and infrastructure).

SWOT Analysis

An organization uses SWOT analysis, which evaluates internal factors (strengths and weaknesses) and external factors (opportunities and threats), to identify critical success factors.