

Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the internal auditor. Generally, three parties are participants in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter — the “process owner”, (2) the person or group making the assessment — the internal auditor, and (3) the person or group using the assessment — the user.

International Standards for the Professional Practice of Internal Auditing


General Non-IT Assurance Areas

A particular engagement may include procedures from one or more of the following assurance areas, in addition to related IT Risk Assurance procedures, utilizing Data Analytics to the extent feasible:

Financial Reporting and Controls

Assessment designed to determine the existence and effectiveness of financial accounting/reporting processes and related internal controls, in compliance with relevant University policies and applicable contractual or legal/regulatory requirements.


Assurance with respect to particular source(s) of compliance obligations, including regulations, sponsor or donor restrictions, etc.

General Operations / Business Process

Operational or performance audits to determine whether management is appropriately and effectively measuring, evaluating and reporting the effectiveness of the operation or functional area.

Follow-up Review

Semiannual review of all open planned management corrective/risk-mitigation actions arising from Medium and High risk Key Observations contained in issued UAO reports, based on target completion date.


Relative Levels of Assurance by Engagement Type

Different types of assurance engagements result in different levels of relative assurance, depending on the engagement objectives (including desired level of assurance) and available resources.

Risk Assessment

Assessment of relevant risks to an entity, operation, system, etc.  Typically does not involve direct testing of transactions, processes, etc.  Lowest level of assurance.


Assessment of relevant risks to an entity, operation, system, etc.  Moderate level of assurance, obtained through review of available evidence (e.g. transaction documentation), typically on a sample basis from an overall population.


An independent/objective assessment of available evidence through testing and other procedures (inspection, observation, inquiry, reperformance/recalculation) to render an opinion/conclusion regarding the subject matter under scrutiny. High level of assurance, achieved through more extensive procedures (testing, sampling, etc.).


A comprehensive examination of all available evidence to prove/disprove a hypothesis or dispel any doubt regarding a particular subject matter. Provides the highest level of assurance.