When I saw that Protiviti had published an article with the title What Is Embedded Assurance — and How Can It Benefit Enterprise Projects?, I was intrigued.
What exactly is “embedded assurance”?
I expected something along the lines of the new-fangled concept of ‘combined assurance’, which is really not new at all! In 2009, the IIA issued Practice Advisory 2050-2, Assurance Maps (available only to members). It was an excellent piece of work then and remains useful today.
Or it could have been related to continuous assurance/auditing. But it’s not.
In fact, the concepts behind “embedded assurance” are very old! Just Google ‘pre-implementation reviews’ to find multiple articles on the topic. I was doing these when the authors were in diapers!
That doesn’t mean that the Protiviti piece is without merit (only that the only thing new is the name they give it).
I strongly encourage every audit department to perform proactive auditing, getting involved in major (or even minor) projects when justified by the level of risk to the enterprise.
Vary the level of work, again based on the level of risk.
For example, a pre-implementation review might include one or more of the following:
- A review of the cost justification/capital expenditure request
- A review of the requirements…