Internal Audit to Internal Assurance
Welcome to the Tongren & Associates Seminar Series. This seminar is
Transition: Internal Audit to Internal Assurance. Please make sure your speakers
are on or you are using a headset so you can hear the narration. The text of the
narration is available in an accompanying Word document.
I’ve been involved in Internal Audit for many years both as a practicing internal
auditor and a consultant, and have taught graduate level courses on
management and accounting and information technology. My teaching provided
continual exposure to new developments in my fields of expertise, and every day
there seemed to be significant changes occurring which demonstrated that many
of the business practices we considered “tried and true” had actually been
replaced by better alternatives and rather than “tried and true” had become more
like ‘tired and past due!” As I developed my consulting practice I began to realize
just how out of touch some auditors were with what was going on in the world,
especially with changes that were taking place in management theory and
Perhaps since I began my business career in manufacturing management rather
than as a financial auditor I brought a perspective to internal audit that was a bit
different – well actually very different than internal audit functions that were
John D Tongren
Page 1
Internal Audit to Internal Assurance
modeled after public accounting firms. Rather than looking at things as a
financial auditor, I looked at them from a business perspective. I have long been
an advocate for asking the “What can go wrong?” question during my audits, and
had developed an approach where the actual audit plan was not defined until
after meeting with the audit client. From discussions with many internal auditors
at conferences and seminars I learned some felt this approach was almost
disgraceful! They thought that Internal Auditors should do audits as they had
been done the year before – and that was that. Anything else would be heresy!
As I thought about starting my own consulting practice I began thinking about
Internal Audit from a Business Process Reengineering perspective. If we never
had Internal Audit before, if we were asked to design Internal Audit today, what
would it look like? What objectives would it have? How would it accomplish its
objectives? The first thing I realized was that most internal auditors thought their
primary objective was to focus on internal control. Some thought their objective
was to report on the status of internal control within the organization – and they
did that by testing to see if internal control problems existed. Other Internal
Auditors thought their objective was not only to report on current status but also
to improve internal control – and they did that by understanding processes well
enough to evaluate whether internal controls were in place where they should be
and that they worked. And a few internal auditors were going beyond internal
John D Tongren
Page 2
Internal Audit to Internal Assurance
control issues to work on management and operational and quality issues. Most
internal auditors thought a secondary objective was to ensure the organization
was in compliance with laws and regulations and policies and procedures by
performing compliance audits.
The most interesting thing to me was that almost all internal auditors thought they
should reach their objectives by performing audits. It didn’t matter whether the
objective was to evaluate control status, to improve control, or to improve
operations – the only way to accomplish the objective was to do an audit. After
all, internal auditors were auditors and by definition auditors did audits.
The objective of my research was to develop a more effective model for internal
audit resources. Operational Audit had been accepted as a viable activity for
internal audit so the objective had already grown beyond a basic financial internal
control orientation.
Some internal auditors had begun thinking about using risk
assessment not only to develop annual audit plans but also to drive individual
audits, as in risk based auditing. Yet something was still missing. The most
obvious question to me became – “If you want to improve a process why don’t
you get the most qualified people you can and focus directly on improving the
process? And if you don’t have qualified people why not educate them so they
are qualified? Why should Internal Auditors be the only ‘control experts’ in the
organization”? And answering those questions is what prompted my
John D Tongren
Page 3
Internal Audit to Internal Assurance
development of the CoActive Management Model, the CoActive Control
Principles, and CoActive Auditing. And CoActive thinking laid the foundation for
Internal Assurance.
Internal Audit has changed over the years, with the last redefinition of Internal
Audit by the Institute of Internal Auditors being the most drastic and significant.
“Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.”
Very interesting – the new definition says nothing about auditing financial
statements, nothing about doing compliance audits, and nothing about even
doing audits! Instead it focuses on assurance and consulting activities that will
add value to the organization. And rather than a financial orientation, the new
definition focuses on risk management, control, and governance processes. The
new definition of internal audit provides the foundation for internal auditors to
reinvent themselves and their profession – and begin a deliberate transition to
Internal Assurance.
John D Tongren
Page 4
Internal Audit to Internal Assurance
“Why do we do Internal Audits?”
That was my lead off question for a seminar I developed for a company that
desperately needed to reenergize its internal audit department. The Director of
Internal Audit had called me and explained that they were “in a rut” and he didn’t
know how to get them out. He felt his auditors were just going through the
motions – they were doing audits but didn’t seem interested in what they were
doing. The audit findings had become very predictable, and the Director felt his
auditors were probably missing some important things. He wanted a session that
would wake up his staff, challenge them to dig deeper and reach higher, and
become a truly progressive internal audit department. So my opening question
was designed to get them thinking.
Well, it didn’t seem that they were very interested in thinking as the room turned
very quiet after my question. But, after a pause that seemed like ten minutes or
so, one of the senior staff members spoke up. I’ll never forget the exchange that
followed. He said:
John D Tongren
Page 5

Transition: Internal Audit to Internal Assurance