Principles and approach


Identify and map the other sources of assurance to the board, including:

internal to the organisation:

  • risk (second line);
  • compliance;
  • Sarbanes-Oxley Act (SOX);
  • health and safety; 
  • quality; and
  • line management (first line).

external to the organisation:

  • external audit; and
  • regulators and HMRC.

Assurance work help

Identify and obtain information which would help you in your assurance work, including:

  • risk appetite and key risk indicators (KRIs);
  • risk registers, incidents and losses reported;
  • committee packs and first line management committee reports including KPIs;
  • second line inspection/compliance reports;
  • SOX reports and documentation;
  • quality certification ie British standards;
  • SAS 70 reports (now SSAE 16 in the US and ISAE 3402 internationally);
  • external audit management letter;
  • regulatory reports and HMRC reports; and
  • independent consultants’ reports.

Sharing information

Share information with other assurance areas, subject to confidentiality controls, including:

audit plan; audit reports; issues raised and accepted; issue resolution progress.

Assess whether you can place reliance on other assurance work in your audits:

  • Assess their controls and test them, including any inspection/compliance checking
  • Assess how well their controls have managed the risk (substantive testing)
  • Reassess what additional audit work you need to do to provide assurance.

Integrated assurance reporting

Consider driving the emerging area of integrated assurance reporting, including:

  • grid of assurance from different sources. This could be using ‘traffic light’ reporting, with one axis being risk category and the other assurance provider;
  • provide an explanation of why assurance differs when needed; and
  • use reporting as an opportunity to explain the different attributes of the assurance provided. Aspects you could cover include the robustness of assurance provided, business areas covered, risk scope, timing/frequency of checks, depth of testing, etc.  Remember, internal audit assurance is the most robust.