Talking About Internal Audit Assurance

Key Takeaways

• Backward-Looking Assurance Has Limits: Traditional internal audit practices often focus on past transactions, providing limited value for future decision-making.
• Forward-Looking Assurance Adds Real Value: Internal audit should shift toward assessing whether current and future controls will effectively manage today’s and tomorrow’s risks.
• Core Principles Were Watered Down: The removal of the “insightful, proactive, and future-focused” principle from the new Global Internal Audit Standards reflects a missed opportunity to emphasize future-oriented assurance.
• AI Should Support, Not Distract: While AI can help management detect past errors, auditors should avoid becoming overly focused on the past and instead deliver strategic insight.
• Focus on Strategic Risk, Not Just Operational Detail: Auditors should prioritize risks tied to enterprise objectives, not just those relevant to middle management or historical data validation.

Deep Dive

In this article, Norman Marks breaks down the difference between traditional, retrospective assurance and the kind of forward-looking insight that truly supports decision-making. Drawing on his decades of experience, he challenges internal auditors to shift their focus from the past to the future, and to deliver assurance that helps organizations navigate the risks and opportunities ahead.

The Real Value of Assurance Lies Ahead, Not Behind

There’s assurance, and then there’s assurance that adds real value. What on Earth do I mean?

When the CPA firm certifies that the financial statements are free from material error or omission, it is providing assurance on the past. Similarly, when internal audit tests a sample (even when it is as high as 100%) of the population of transactions, they are providing assurance on the past.

There’s value in that. But that value is limited.

What adds real value is assurance that is forward-looking. Unfortunately, this is a concept that didn’t make the transition from the Core Principles for Internal Audit to the Global Internal Audit Standards (GIAS). One of the Core Principles was, "is insightful, proactive, and future-focused".

Management and the board need assurance that their organization, systems, processes, and controls will help them achieve their objectives going forward. The value of assurance on what was done in the past is limited. It’s literally in the past. We need to focus and provide assurance on the management of the risks and opportunities of today and tomorrow.

Sometimes what happened in the past is an indicator, no more, of what is likely to happen in the future. But we are not living in a static world. Tomorrow’s world may not be the same as last year’s.

We need to know more. We need more assurance. We need assurance that the risks of today and tomorrow will be adequately addressed by the organization’s controls, etc. of today and tomorrow.

I am afraid that too many auditors are so addicted to the promise of AI that they will find themselves auditing the past and bayoneting the wounded. Let management use AI and advanced analytics to detect errors. Internal audit should focus on providing the assurance that management and the board need as they navigate, not the past, but the future.

How do we focus on the future? Focus on assessing the controls, etc. that will effectively address the risks of today and tomorrow. Of course, focus on the risks that matter to the achievement of enterprise objectives, not the risks that matter to middle management.

Audit the controls and provide assurance on the controls of today and tomorrow, not the validity of data in the past. You can have perfect data with no controls. Just think about whether the fact that your home has not been broken into proves that you closed and locked the doors and windows every time you went out.

My message today is that we don’t want to become the auditors of the past who looked for errors and mistakes: the audit Gestapo. No. We need to provide “insightful, proactive, and future-focused” assurance.

Do your audit opinions reflect assurance on the past or on the future?

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.