What Directors Should Ask About Assurance

This resource was prepared after the ‘Global Internal Audit Standards’ were published in 2024.

Assurance – A positive declaration intended to give confidence, designed to improve the quality of information and so aid informed decision-making.

Assurance Foundations

  1. Does the organisation have a defined assurance approach to identify all assurance elements, for example using a ‘3 Lines’ assurance model?
  2. Have the ‘3 Lines’ and external assurance activities been clearly defined specifically for the organisation, with clarity of their position in the organisation’s overarching governance framework? Is ownership of assurance responsibilities clearly defined throughout the organisation?
  3. Are assurance activities taken seriously, with sufficient support from the audit committee, chief executive officer and senior management?
  4. Are the overall assurance budget and resources adequate, is the total cost known to the organisation, does it represent value-for-money, and has benchmarking confirmed this?
  5. Do the various assurance activities across all lines have quality assurance and continuous improvement built in?

Integrated Assurance Planning

  1. Do the various assurance activities across all lines have risk-based plans to justify what they do, with a clear rationale for what is included and not included in the plans?
  2. Does the internal audit plan recognise the organisation’s holistic assurance arrangements and leverage the insights from an assurance map? Is there an assurance strategy developed from the assurance map that includes (a) an assurance plan for management to implement (b) an internal audit plan for internal audit to implement?
  3. Are assurance activities integrated to ensure duplication is minimised and effectiveness is achieved for the most reasonable cost?
  4. Are planned assurance activities 100% delivered in the year they are due, with any exceptions to planned assurance activities reported to the audit committee?

Assurance Performance

  1. Are there robust performance measures (KPIs) for the various assurance activities across all lines to prove effectiveness, and are they achieved?
  2. Are Line 2 assurance activities really doing their job to make sure Line 1 is doing what it is supposed to do, or do they rely on Line 1 self-reporting and pass this to management without validation?
  3. How do the assurance activities demonstrate competency of their resources?
  4. Is there a periodic independent review regime for the various assurance activities across all Lines that is reported to senior management and the audit committee?
  5. Is there an up-to-date assurance map that provides an overview of all assurance activities, and which illustrates through heat map style reporting whether there are gaps or duplicated efforts in the organisation’s holistic assurance arrangements?

Assurance Reporting

  1. Are periodic integrated assurance reports prepared for management and the audit committee?
  2. Does the audit committee have visibility of all assurance activities across all Lines, including reporting on their effectiveness?
  3. Do the various assurance activities across all Lines have annual reports, or a combined annual report, showing value added over the year, systemic issues identified, and trends to better position the organisation in the future? Does this include attestation from the assurance providers?
  4. What assurance is provided to management and the audit committee to demonstrate the organisation has effective controls over its significant risks?
  5. What assurance is provided to management and the audit committee in respect of fraud and corruption risks?
  6. Does management take responsive and timely action to implement remedial actions identified by assurance activities (including the assurance map) from the various Lines and external assurance activities?

The Big Question

Does the organisation clearly know how its assurance activities fit together, how much they cost, how effective they are, and whether there is a meaningful objective examination of evidence to provide an independent assessment of the organisation’s governance, risk management and control processes?