Domain III: Assurance role of the Internal Auditor (IA)


The objective of this module is to better prepare the participant to pass the Certification in Risk Management Assurance Exam by discussing and analyzing the technical dimensions of this domain and by covering techniques to best manage multiple-choice questions.


Included are discussions of the skill requirements of a CRMA to:


A. Review the management of key risks


B. Evaluate the reporting of key risks


C. Provide assurance that risks are adequately evaluated


D. Provide assurance on risk management processes





Assurance role of the Internal Auditor (IA)

The 1999 IIA Standards state that each internal audit organization should define both assurance and consulting services in terms of what is appropriate for its own organization, and those definitions should be formal and published in the internal audit charter.

The IIA Standards clearly identify the opportunity for internal audit to increase its contribution to the success of an organization by using assurance to add value and improve an organization’s operation in a consulting

“Internal auditing is a …assurance activity designed to add value and improve an organization's operations. …”

Source: 1999 IIA Standards from

Internal audit helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.




The role of assurance is a natural extension of what internal auditors already accomplish. They must offer professional services to survive in an extremely competitive business environment. Both have “some independence” but are dependent on payment for services. Both operate on a project basis with a start and completion date (an audit is an example).


The review, evaluation, and management of key risks in a process is easier said than done. To be effective, this effort requires collaboration between and among process owners and risk and control specialists (internal auditors) at all levels. This means that process owners must understand and accept how to identify, measure, and prioritize key risks and then act on them accordingly. In addition, this effort requires an empathetic approach by the risk and control specialists to help the process owners gain an understanding of risk and control management. It is not only the risk and control specialists who are or should be identifying, measuring, and prioritizing key risks.



Continuous Monitoring


One of the roles that the internal auditor plays in the area of risk management is to help process owners continually improve their processes. Internal audit can meet process owners’ expectations by expanding its use of operational auditing and traditional auditing skills to apply internal audit knowledge about controls.


Process owners with an ever-increasing list of required tasks will welcome helpful suggestions as to how to improve their processes.




Operational Auditing


The Terminology Jungle

Although the expansion in the scope of internal auditing took place in a very short span of time, it manifested itself in a spurt of terms and expressions. People started talking of operational auditing in different words. Some of the more common expressions were:


· operational auditing
· comprehensive auditing
· value-for-money auditing
· management auditing
· operations auditing
· efficiency auditing
· effectiveness auditing
· preventive auditing
· system-oriented effectiveness auditing
· operational evaluation
· project auditing
· program auditing
· program evaluation




Source: John Tongren, “Exceeding Expectations for Internal Auditors”


There is a need for internal audit to monitor both business risk and IT risk. This eliminates the audit risk of “over auditing” and “under auditing” the same business process, redundant recommended control techniques, unreported risks in those areas that neither the IT auditor nor the auditor thought were their responsibility, and a significant waste of resources. The goal of Integrated Audit has been around since the 1970s. Integrated auditors are internal auditors who understand both business and IT risk. This understanding can be accomplished by a team of internal auditors.


The key question is “Who Does What?” Computer-based auditing will significantly improve internal audit’s abilities to provide continuous monitoring (auditing).


If it is a computer-based process, then internal audit needs to use computer-based auditing.


Where to Go From Here?


Assurance Role of the Internal Auditor (IA)

3.3  CSA is a process that will ensure:

1. that business objectives are met

2. that risk is addressed

3. that appropriate controls will be put in place

4. none of the above

Answer 4 is the correct answer. The word “ensure” is the giveaway in this question. CSA is a control tool that addresses risks and the achievement of objectives. However, it is virtually impossible to protect against all risks all of the time. Therefore, answer 4 is the best answer.