Principles and approach


In external auditing, a clean audit opinion doesn’t mean a 100 per cent guarantee that the accounts will be correct.

Currently, there’s a lack of understanding of the role of audit - an expectation gap between what wider groups of stakeholders and managers/owners of companies think of auditors, and what the actual role, function, and limitations of audit are.

It’s important that external audits make clear the risks and limitations of the work done, so that stakeholders can engage in a debate about areas for greater focus.

Greater than financial control

Whilst financial controls are important, so are other areas like compliance and operational risk. Moreover, the statistics show that the greatest sources of value loss come from the mismanagement of strategic risks.

Assurance over other risk areas is therefore becoming increasingly important.

It’s important to have a complete picture of all of the key risks facing an organisation and care needs to be taken that this isn’t simply a list of key processes, nor the current set of ‘key risks’ (which may already be taking into account the effectiveness of certain mitigations).

Range of sources

Recognise the range of sources of assurance that may be available: external audit (EA), internal audit (IA), other assurance functions and also line management.

Recognise that policies alone don’t provide assurance - learn about how much assurance you’re getting (in terms of depth, breadth, frequency and independence).

Determine the risk appetite for certain risks, since this will impact the amount of assurance needed.

Assurance framework

The use of assurance frameworks and assurance mapping can help clarify whether there is sufficient assurance.

The Institute of Internal Audit's (IIA) three lines of defence model can be helpful in clarifying expected assurance roles.

Ensure that assurance frameworks and assurance mapping are used on an ongoing basis, not just as part of a one-off exercise.

Hints and tips

Multiple-choice questions