Building a Better Auditor: The Case for Reasonable Assurance
Blog post by Seth Agyei Aboagye, ACIB, Mar 25, 2025

Internal audit plays a critical role in enhancing corporate governance, risk management and internal control effectiveness. However, a growing misconception among audit clients, including first-line risk owners and executive management, is that once an area has been audited, no control breakdown should occur. This misunderstanding is gradually shifting expectations from providing reasonable assurance to total assurance, a standard that is neither practical nor aligned with the principles of internal auditing.
Reasonable assurance, as practiced by internal auditors, means that audits are designed to assess the effectiveness of controls within a defined scope, using established methodologies and sampling techniques. It does not imply that every single transaction, control, or process is reviewed exhaustively. Instead, audits focus on high-risk areas, leveraging data analytics, control testing, and professional judgment to identify material risks and anomalies. The expectation that internal audit should uncover every possible failure ignores realities such as scope limitations, the use of sampling rather than full population testing, and the fact that many issues are expected to be identified by management itself rather than by the auditor.
Every audit is governed by agreed-upon terms of reference, outlining the specific areas covered, the methodology used, and potential limitations. Auditors work within this scope, ensuring efficient use of time and resources, while addressing key risks. Conducting a full review of every transaction is infeasible, so auditors rely on techniques that involve statistics, judgment, observation, interviews, sampling, and the like. The frequency and volume of samples depend on the nature of the process, the available data, and other factors. Even with the adoption of advanced AI or data analytics tools, total assurance remains out of reach: such tools test only the populations, conditions and thresholds the auditor instructs them to test, so the auditor's judgment about what to look for still bounds what they can find.
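To make the limits of sampling concrete, here is an added Python example (not part of the original post, and not an audit tool from the author's practice) that runs the standard attribute-sampling arithmetic on a constructed scenario: a population of 10,000 transactions of which 20 violate a control, 60 of which the auditor tests and finds clean. All figures are assumed for illustration. It computes the probability that such a sample contains none of the failures, the highest population exception rate a zero-finding sample can actually rule out at 95% confidence (the one-sided Clopper-Pearson bound), and the sample size a clean sample needs before it supports a claim that the rate is below 5%.

```python
"""Attribute sampling arithmetic for a constructed audit scenario.

Added illustration; population, failure count and sample size are assumed
figures, not data from any real audit.
"""
from math import comb, log, ceil


def miss_probability(population: int, exceptions: int, sample_size: int) -> float:
    """Probability that a random sample drawn without replacement contains
    none of the `exceptions` failing items (hypergeometric, computed as a
    running product of ratios to avoid huge binomial coefficients)."""
    if sample_size > population - exceptions:
        return 0.0  # sample is large enough that it must include a failure
    p = 1.0
    for i in range(sample_size):
        p *= (population - exceptions - i) / (population - i)
    return p


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_bound_exception_rate(sample_size: int, exceptions_found: int,
                               confidence: float = 0.95) -> float:
    """One-sided Clopper-Pearson upper bound on the population exception rate:
    the largest p for which observing <= exceptions_found in sample_size
    draws is still at least (1 - confidence) likely. Found by bisection."""
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if binomial_cdf(exceptions_found, sample_size, mid) > target:
            lo = mid  # p too small: the clean-ish sample is still too likely
        else:
            hi = mid
    return hi


def sample_size_for_clean_sample(tolerable_rate: float,
                                 confidence: float = 0.95) -> int:
    """Smallest n for which a zero-exception sample supports, at the given
    confidence, that the true exception rate is below tolerable_rate.
    Solves (1 - rate)^n <= 1 - confidence."""
    return ceil(log(1 - confidence) / log(1 - tolerable_rate))


def audit_scenario() -> dict:
    """Constructed scenario: 10,000 transactions, 20 non-compliant (0.2%),
    60 tested, zero exceptions found."""
    population, failing, tested = 10_000, 20, 60
    return {
        "p_sample_misses_every_failure": miss_probability(population, failing, tested),
        "max_rate_consistent_with_clean_sample": upper_bound_exception_rate(tested, 0),
        "sample_needed_to_bound_rate_at_5pct": sample_size_for_clean_sample(0.05),
    }


if __name__ == "__main__":
    for name, value in audit_scenario().items():
        print(f"{name}: {value:.4f}" if isinstance(value, float) else f"{name}: {value}")
```

In this constructed case a 60-item sample has roughly an 89% chance of containing none of the 20 failures, and a clean sample of 60 only supports saying, at 95% confidence, that the exception rate is below about 4.9%. Both numbers are reasonable assurance; neither is a statement that the control never failed.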
Despite the inherent limitations of internal auditing, auditors are often held accountable when control failures materialize. Many executives and risk owners do not review working papers or audit methodologies before questioning why an issue was not detected. They overlook key factors such as the timing of the audit, changes in the business environment that may have impacted controls after the audit, and operational risks that are inherently difficult to mitigate — external cyber threats, human error, system failures, and the like. This expectation gap places unreasonable pressure on internal auditors, compelling them to conduct cover-to-cover reviews beyond what is feasible, often at the expense of focusing on critical risk areas.
While internal audit provides an independent review of control effectiveness, it is not the sole custodian of risk management. First-line roles (business units) own the risk and are responsible for implementing and maintaining controls. Internal audit plays an advisory and monitoring role, checking that risks are identified, managed, and mitigated effectively. Risk mitigation also depends on external factors that may be beyond the organization's direct control. Cybersecurity risks continue to evolve despite investment in advanced security technologies. The critical question is not whether an organization can completely prevent cyber threats but how quickly it can detect, respond to, and recover from an attack. Similarly, macroeconomic risks, such as inflation, exchange rate fluctuations, and geopolitical events, cannot be eliminated but can be managed through proactive financial planning and scenario analysis.
Sustaining organizational success is a collective responsibility. First-line business units must ensure that controls are robust, effective, and continuously monitored. Second-line roles, comprising risk management and compliance teams, must provide oversight and guidance to reinforce a strong risk culture. The third line, internal audit, provides independent assurance — not as an absolute guarantee — but as an informed, risk-based evaluation of control effectiveness.
The misconception that internal audit provides total assurance rather than reasonable assurance must be corrected. Audit clients and management should recognize the practical limitations of audits and appreciate the role of sampling techniques, scope definition, and risk-based prioritization in the audit process. By fostering a culture where all stakeholders acknowledge their roles in risk management, organizations can create a more realistic, efficient, and effective assurance framework — one where internal audit is valued for enhancing governance, rather than being unfairly held accountable for every control breakdown.