Assurance Providers: Avoiding Duplication of Efforts

Drawing lessons from high-profile bankruptcies of major groups in the recent past, companies have realised the need to manage all risks that may jeopardise their existence and development. Accordingly, a number of them have put in place the necessary structures that would enable them to identify such risks for effective management. The ultimate goal is to provide an assurance that Management has taken the necessary actions to mitigate the risks identified on the targets or strategies. It is within such a context that internal audit is given the responsibility to independently scrutinise risk management, control and governance.

Assurance connects assurance providers and third-party recipients around specific goals with known benchmarks. The credibility of assurance depends on competence, independence, objectivity and the specific target.

The function of an assurance provider is based on the objective consideration of the facts in order to independently give an opinion (assurance) on the adequacy of the governance and control structures regarding the risks identified. The function of consulting is quite similar to that of an assurance provider and involves advice on the activities of the client. The nature and scope of consulting are agreed in advance and the aim is to improve the organisation and activities in the areas examined.

There are three categories of assurance providers, classified according to the recipients of their reports: those who report to the Board, directly or indirectly through standing or ad hoc committees; those who report to other stakeholders; and those who report to the company (management, department etc.). It needs no emphasis that external assurance providers can improve the chances of effectively and completely covering all the major risks and controls.

The Board of Directors usually needs to take stock of the measures put in place to check the negative effect of risks, particularly major risks that can significantly impact the activities and the future of the company. The onus is therefore on the assurance provider to diagnose and ensure the adequacy of risk management, control and governance.

Assurance mapping is often required to determine the coverage provided by the three lines of defence (managers, risk management / compliance and internal audit). Such mapping is conducted by placing the three lines of defence horizontally and the risks whose coverage is being checked, generally major risks, vertically.

The provision of assurance is not reserved for internal audit alone. In fact, in a number of companies, external assurance providers have been assigned tasks with regard to IT risks, quality control of finished products, periodic financial statements and compliance with laws and standards of supervisory authorities.

Internal Audit plays an important role in providing Management and the Board with the assurance necessary for their respective functions. Consequently, it has to assess significant risks on which it expends efforts and other resources. Internal Audit may not be able to provide absolute assurance on every issue and has to seek inputs from other assurance providers.
