Internal Audit: Providing Assurance not Insurance

Regular readers of this blog know my assertions about the value of internal audit. Our profession offers an indispensable service that is essential for businesses, governments, and non-profits to operate at the highest levels.

Further, as the challenges of the global marketplace demand higher efficiencies, insight, and vision to stay ahead of the competition, a good internal audit function can be uniquely positioned to offer a holistic and critical view of operations.

These growing demands create the need for increasingly complex and sophisticated strategies for improving efficiencies, defending against fraud and corruption, and managing risk. But one of the bedrock services of internal audit remains providing assurance.

Assurance is the confirmation that policies, practices and internal controls put in place for a myriad of operations either are working as intended or need adjusting. Assurance is the affirmation that management has adequately assessed risks and designed strategies for effective mitigation or that more attention is needed.

But it is important for internal audit’s stakeholders and others to clearly understand that assurance is not insurance. The dictionary definitions of the concepts offer a good starting point for this discussion:

Assurance – A positive declaration intended to give confidence.

Insurance – Something that provides protection against a possible eventuality.

Though subtle, the difference between the two concepts is clear and important. Assurance tells you you are on the right path. Insurance is a hedge against something going wrong. There is danger in conflating the two ideas, especially in the minds of stakeholders when it comes to what internal audit brings to the table.

A more conventional definition of the word insurance – an arrangement or policy that provides a guarantee of compensation for a specified loss or damage in return for payment of a premium – is even further afield from what an internal audit function is intended to do.

I have known many gifted and talented CAEs, inspectors general and heads of audit in my four decades in the profession, but I’m confident that not a single one was willing to insure an outcome or guarantee the success or failure of a particular strategy.

At a time when organizations are quick to look for scapegoats when things go wrong, it is important for stakeholders to have a clear understanding between assurance and insurance when it comes to internal audit.

With the growing number of costly and high-profile data security breaches, we often hear the question: “Where was internal audit?” Sometimes the question is a fair one, but often breakdowns that lead to security breaches are outside internal audit’s scope of work.

What’s more, even when internal audit is heavily involved in data security and, even when an organizations are well-positioned to protect against security breaches, sophisticated and persistent cyberattacks can succeed.

When this happens, the assurance/insurance distinction is vital.

Internal audit’s role in cybersecurity then is analogous to its other roles, for example battling fraud. Internal audit can offer insight into the policies and practices necessary to deter fraud and offer assurances on how those policies and practices are being carried out within the organization. However, the expectation is that internal audit function can help deter fraud, not prevent it.

I remain a strong proponent of internal audit taking on additional roles as it seeks its proper place that management table. But as the internal audit function does so, the assurance/insurance distinction must remain crystal clear in the minds of our stakeholders.

I’d like to hear from readers on how you make they make the distinction to your stakeholders.