Proactive Auditing or Embedded Assurance

When I saw that Protiviti had published an article with the title “What Is Embedded Assurance — and How Can It Benefit Enterprise Projects?”, I was intrigued.

What exactly is “embedded assurance”?

I expected something along the lines of the new-fangled concept of ‘combined assurance’, which is really not new at all! In 2009, the IIA issued Practice Advisory 2050-2, Assurance Maps (available only to members). It was an excellent piece of work then and remains useful today.

Or it could have been related to continuous assurance/auditing. But it’s not.

In fact, the concepts behind “embedded assurance” are very old! Just Google ‘pre-implementation reviews’ to find multiple articles on the topic. I was doing these when the authors were in diapers!

That doesn’t mean that the Protiviti piece is without merit (only that the only thing new is the name they give it).

I strongly encourage every audit department to perform proactive auditing, getting involved in major (or even minor) projects when justified by the level of risk to the enterprise.

Vary the level of work, again based on the level of risk.

For example, a pre-implementation review might include one or more of the following:

  • A review of the cost justification/capital expenditure request
  • A review of the requirements documentation
  • A review of the project approach, such as whether adopting an agile methodology is optimal. One of the issues I have seen is that the incremental changes identified over the project’s life move it away from the original intent and from the reason the expenditure was approved.
  • A review of the project plan and its management
  • A review of the design to ensure it will address the requirements
  • A review of the design to ensure it will have the necessary internal controls and security
  • A review of the test plans
  • Independent testing or reperformance
  • Building in additional data monitoring and alerts
  • A post-implementation review

You should also make sure you have the right team for your pre-implementation review.

At Tosco Marketing Company, which had more than 6,000 convenience stores as well as gas stations, management had a massive IT systems project. They would replace all the systems in the stores, connect them with a new central stores management system, run everything on new hardware, and implement a new access control system.

My team included two IT audit managers with application auditing expertise, another IT auditor with highly technical skills (including experience with the new access control system), and an operational auditing manager.

I needed all of these to make sure we covered the waterfront. This was not an IT project; it was a major business project.

By the way, this concept should apply to the proactive auditing of any major project, not just technology ones. For example, get involved in major new construction projects.

What do you think?

How active are you in proactive auditing?

  1. Chris Foster
    May 22, 2022 at 6:24 AM

    Hi Norman

    Could you recommend any internal audit resources for auditors based in the UK?

    Many thanks
    Chris
