
Assurance Services
As per the International Professional Practices Framework (IPPF) standards, an Assurance Engagement is an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organisation. Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding the entity, operation, function, processes, system, or other subject matters. Assurance engagements typically are the means by which internal audit seeks to achieve its objectives to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.
Compliance is defined as adherence to policies, plans, procedures, laws, regulations, contracts, and other requirements. Compliance assurance is the review of controls intended to ensure organisation adherence to relevant laws and regulations, contractual arrangements, internal policies that support compliance, and other organisational objectives. This type of assurance requires the evaluation of risk exposures and the effectiveness of controls. The risks relate to the organisation’s governance, operations, and information systems regarding compliance with laws, regulations, policies, procedures, and contracts. The objective of a compliance assurance is to assure adequate controls over an important internal process while promoting and contributing to good corporate governance.
Compliance assurance assists organisations in preventing unintended employee violations, detecting illegal acts, and discouraging intentional employee violations. It also helps in proving insurance claims, determining director and officer liability, creating or enhancing corporate identity, and deciding the appropriateness of punitive damages. For example, a compliance internal audit can be conducted to test the compliance of a company with the AML Framework. In this respect, the role of an internal audit is to provide independent assurance that a company’s AML control framework is operating effectively and to provide an independent opinion thereon. The approach involves an assessment of the AML control framework, which includes the business risk assessment process. An internal audit gives the company the opportunity to address any weaknesses in AML risks before they are detected by the applicable authorities. It would also propose recommendations on how management can address identified weaknesses or pursue potential enhancements of processes.
Controls internal audits provide assurance about the control environment, risk assessment, control activities, information and communication, and monitoring. The internal assessment of internal controls is carried out through internal audit testing and as such is a management control to ensure the conformity of internal controls to pre-determined standards. Facilitating efficient operations implies improvement, and properly applied internal control processes add value to an organisation by considering outcomes against original plans and then proposing ways in which they might be addressed.
For example, a controls internal audit can be conducted to measure the internal controls of a company towards adherence to the Environmental, Social and Governance (ESG) Framework and its guidelines. ESG is a collaborative spectrum that requires active participation in ESG initiatives to contribute to the long-term sustainability and success of the organisation. It is expected that organisations implement robust policies, processes, and internal controls that result in consistent information that ensures ESG reporting and disclosures are reliable, transparent, consistent, and accurate. In this respect, the role of internal audit is to provide independent and objective assurance that a company not only encompasses the ESG Framework and its guidelines but also reflects the ESG efforts transparently.
Financial assurance addresses questions of the accounting and reporting of financial transactions, including commitments, authorizations, and the receipt and disbursement of funds. The purpose is to verify that there are sufficient controls over cash and cash-like assets and that there are adequate process controls over the acquisition and use of resources. Common financial assurance engagements are value for money (VFM) and contract internal audits.
VFM provides an independent, evidence-based examination of whether economy, efficiency, and effectiveness were achieved in the use of procurement. VFM internal audits aim to obtain the maximum benefit with the resources available.
Contract auditing involves an engagement to monitor and evaluate significant construction contracts and operating contracts that involve the provision of goods or services. The usual types of arrangements for such contracts are lump-sum (fixed-price), cost-plus, and unit-price. GRC Internal Auditors investigate whether the terms of the contract have been met by both parties.
Follow-up internal audits are conducted approximately six to one year after an internal audit report has been issued. They are designed to evaluate the corrective action that has been taken on the internal audit issues reported in the original internal audit report. The purpose of a follow-up internal audit is to revisit a past internal audit’s recommendations and management’s action plan to determine if corrective actions were taken and are working, or if situations have changed to warrant different actions.
The terms information technology and information systems internal audit are used interchangeably. An IT/IS assurance is the review and testing of IT to assure the integrity of information, and it focuses technology reviews on controls, hardware, software, security, documentation, and back-up/recovery of systems. The goal is likely to be to assess general IT accuracy and processing capabilities. IT/IS assurance addresses the internal control environment of automated information processing systems and how people use those systems. An IT/IS internal audit typically evaluates system input, output, processing controls, backup and recovery plans, system security, and computer facility reviews. IT/IS internal auditing projects can focus on existing systems as well as systems in the development stage.
An operational assurance is the review of a function or process to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives. Operational internal audits provide assurance on the systematic process of evaluating an organisation’s effectiveness, productivity, and cost efficiency of operations of the business. The scope includes areas such as product quality, customer service, revenue maximization, expense minimization, fraud prevention, asset safeguarding, corporate social responsibility (CSR), streamlined workflows, safety, and staffing.
A security internal audit provides assurance about the security controls. GRC Internal Auditors evaluate the adequacy and effectiveness of controls designed and implemented by management in all areas of security. The most common use of the term ‘Security’ in an organisational setting is in connection with information technology (IT); however, an organisation must take a more comprehensive view of security. One example is the protection of employees and visitors from workplace violence. Thus, security is an appropriate governance and risk management issue even in the absence of IT.