Assurance: independence of internal auditors and those providing assurance services

This article will answer the following questions:

• What are assurance services?
• Who can provide services that fall within the scope of assurance services?
• How to conduct an internal audit independently and objectively?

Assurance services are one of the main types of services provided by internal auditors. Providing them requires not only maintaining international and local quality standards, but also extensive experience in servicing a wide range of clients. Why? First of all, because assurance tasks can involve many entities, which means that they are provided in a variety of environments and organisations that are often completely different in terms of their purpose, size and structure. Importantly, laws, regulations and the needs of the organisations themselves are also diverse and depend on the country, industry or size of the entity. So, what should companies be guided by when choosing an internal auditor and what should they pay attention to when looking for the assurance services they need?

Professional auditing services are not just about auditing financial statements

As globalisation progresses and international supply chains develop, new regulations emerge and the role of internal auditors and statutory auditors well-versed in global standards of operation grows. It is no wonder that the role of assurance services has become particularly visible in the last few years and the need for professional, reliable assurance services for organisations has increased.

Types of assurance services

Using assurance services allows entities to obtain assurance that they meet specific regulatory requirements and that the internal control system they have developed and implemented is effective and appropriate to the identified risks, as well as to maintain the trust of stakeholders and the public.

Organisations are also increasingly reporting the need to obtain assurance regarding the processes carried out by (or at) their contractors. In order to be certain that the services they use are of an appropriately high standard, entities may require independent confirmation from business partners, e.g. in the form of a SOC report (ISAE 3402), in which the auditor confirms that the control processes related to a given area of outsourced services have been properly designed and implemented, and that they operate effectively.

The most important rules to remember when ordering audit and assurance services

If assurance services are to bring the greatest possible benefits to the organisation, they should be provided by independent, objective and competent staff. These conditions can be easily met by a properly selected audit firm, which will also guarantee that assurance activities will be carried out with high standards of quality, impartiality and professionalism, which will in turn translate into the effectiveness of achieving specific goals and increase trust among stakeholders.

Auditor independence

According to the definition given in the Code of Ethics of the Institute of Internal Auditors, independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner¹.

Independence is an essential factor in assurance services, crucial for the objective assessment of control processes or systems. Only the unquestionable independence of the auditor or statutory auditor providing assurance services allows us to consider the results of the work performed as reliable and credible.

Objectivity of assurance services providers

Objectivity, in turn, as defined by the Global Internal Audit Standards, requires auditors providing assurance services to be impartial and maintain the appropriate quality of the work performed².

In order to ensure that the internal auditor can maintain independence and objectivity, it is necessary to maintain an appropriate organisational structure, guarantee the person providing assurance services autonomy in the scope of the tasks performed and give them access to appropriate data, financial information, non-financial information and evidence. In doing so, it is necessary to prevent conflicts of interest from arising.

As defined in the Code of Ethics of the Institute of Internal Auditors, a conflict of interest occurs when an internal auditor experiences a conflict between their professional duties and their own personal interests or other commitments.

Such a situation may significantly hinder or disrupt the objective and impartial performance of the tasks entrusted to the auditor. The mere fact of identifying a conflict of interest therefore undermines the credibility of the auditor and trust in the assurance services provided by them³.

Importantly, internal auditors (and other assurance service providers) are not permitted to evaluate activities for which they were previously directly or indirectly responsible.

However, assurance services may continue to be provided for areas where the service provider previously provided advisory services – as long as independence and objectivity are maintained and demonstrated.

Confirming the quality of business processes helps in effective risk management

To obtain confirmations that require independent assurance services, organisations do not have to establish internal audit bodies within their structures. Both the Standards and the law allow for the use of external service providers such as audit firms to obtain assurance services.

An external provider may be entrusted with all internal audit activities or only part of the related services (cosourcing). Assurance services may also be provided continuously, cyclically or ad-hoc, if such a need is identified, e.g. in the case of company restructuring or planning changes in the organisation. This approach allows for flexible adjustment of both the scope and the schedule of work.

By choosing to work with experienced external assurance providers, an organisation gains access to independent specialists in the field of risk management and internal audit. These experts can be helpful not only in obtaining appropriate certifications – their knowledge in the field of assessing potential risks, controlling processes and implementing best practices in accordance with applicable standards can allow the organisation to better understand its weaknesses and strengths and focus more effectively on key business goals.

¹The Institute of Internal Auditors (2016), Definicja audytu wewnętrznego, Kodeks etyki oraz Międzynarodowe standardy praktyki zawodowej audytu wewnętrznego, p. 14.

²The Institute of Internal Auditors (2024), Globalne Standardy Audytu Wewnętrznego, p. 11.

³The Institute of Internal Auditors (2016), Definicja audytu wewnętrznego, Kodeks etyki oraz Międzynarodowe standardy praktyki zawodowej audytu wewnętrznego, p. 17.