Is Assurance Obsolete?

Bruce McCuaig

The literature today contains strong hints that the internal auditing profession is in trouble. One of the best sources of information is the annual State of the Internal Audit Profession survey produced by PwC.

The 2016 report by PwC continues the trend of alarming statistics. I have absolutely no doubt that the survey results accurately reflect the state of the profession. It’s a trend that has been ongoing for years. Many software analysts, audit practitioners, and others have come to the same conclusion.

As alarming as the statistics below appear, I believe the results point the way forward for internal auditors. Here is my interpretation.

Good news: Customers don’t want assurance

Auditors are expected to add value. Here is what the Institute of Internal Auditors says is the mission of internal audit: “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” No one could argue with that goal.

Clearly, customers surveyed here do not like what they are getting from internal auditors. My contention is that most of what they get is this thing called “assurance.” Assurance comes from traditional “audits” done in traditional ways using traditional tools. There is no real way to quantify the value of assurance. It’s also impossible to tell for sure whether assurance is false or reliable.

As a software provider, we make available to internal auditors advanced tools that could be used to dramatically improve the quantity and quality of assurance services.

My conclusion is that customers of internal audit score them so low on value added and leadership not because they aren’t getting assurance, but because they already either have all they need or they don’t believe it.

Digitization has dramatically increased transparency for business managers. They have more access to and confidence in the information they need to run their business than ever before.

But applying advanced technology to perform at the speed of light the assurance activities that produce failing grades won’t make customers happier.

I am convinced that the role of internal audit in providing assurance is now largely obsolete and adds little value. As the PwC research suggests, customers consider assurance activities non-value adding. I don’t believe they’re saying they want better or faster assurance. I believe they no longer need much of it.

Audits have become commodities

The vast majority of the time an internal auditor provides an opinion on internal control, they consider that to be an “audit” and consider the opinion to provide assurance. Just as an aside, it’s interesting that the International Professional Practices Framework (IPPF) doesn’t define what an “audit” is. In fact, as you can see in the word search of the IPPF below, in all cases the word “audit” is an adjective and not a noun.

Call me picky if you wish, but if auditors are measured on the number of audits they do, the cost per audit, the time spent to do an audit, and yet an “audit” is not defined in the standards, isn’t some clarification required? If audits have become adjectives and not outcomes we have a problem. The IPPF makes a clear distinction. Most practitioners do not.

Better news: Business wants trusted advisers, advice, and insight

I believe business leaders score internal audit poorly as trusted advisers and problem solvers not because they don’t want these services, but because they don’t get enough of them.

The IPPF recognizes consulting engagements as a separate and completely appropriate type of audit engagement. I believe the problem is that internal auditors are not proactive in providing these services. They wait to be asked.

Consulting engagements should produce advice and insight. Unlike assurance, the potential for adding value in providing these services is where advanced technology is necessary.

Speaking to our internal customers today, many are no longer interested in traditional planning and documentation capabilities. What they are looking for is advanced analytics, visualization, and HANA-based tools. They are going beyond assurance and learning to provide insight and advice. That’s what customers want, and that’s why I find hope and optimism in the PwC report.

Learn more and join the conversation at GRC Insider 2017. Register now and save.


Bruce McCuaig

About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.