Is integrated assurance a good thing or not? Is it a pipe dream or is it the way forward? Speakers at this year’s ACCA Internal Audit Conference shared their thoughts.
The topic of integrated assurance continues to interest internal auditors from all backgrounds, but according to Graeme Clarke, director – governance, risk and internal control, Mazars LLP, raising the subject with clients within the public sector often elicits the response: ‘Integrated what?’
‘Building assurance frameworks started in the NHS many years ago, but largely failed to ripple out to other public sector organisations,’ he said. ‘This was despite the 2012 HM Treasury guidance on the subject, which simply never seemed to land.’
Graeme took his audience through a journey of key markers in the history of assurance in the public and not-for-profit sectors before arriving at the present day – a time, he said, when storm clouds were gathering.
‘We have yet to see evidence of internal audit working in practice,’ he said. ‘Risk frameworks exist but whether they are truly embedded is altogether another question. However, having them in place is a halfway marker – it’s just the assurance that’s missing now.’
When boards and their directors are asked whether they have thought about integrated assurance, Graeme said that it is clear that the whole idea has passed them by. But when the process and what it can achieve is explained, he believed that winning some ‘buy-in’ is possible.
‘There is no doubt that some pain will be involved in getting started but the green shoots are there,’ he concluded. ‘The foundations are in place with the increasing adoption and sophistication of frameworks and with awareness of risk becoming heightened. So…start talking, build on existing assurance links and give key stakeholders some training on the basics. To begin with, focus on key risks/processes because if you try to do more than that you will be setting yourself up to fail. Above all, keep it simple. It’s a journey.’
Selling in integration Integrated assurance may currently defy a universal definition, but Vicky Kubitscheck, chief risk officer and compliance director, Police Mutual Group, pointed out that there are six familiar ‘labels’ – GRC, ERM, total assurance, combined assurance, coordinated assurance and integrated reporting – which all involve some form of integration.
‘However, they all have slightly different aims, features and users,’ she said, 'but they share some common characteristics and aim to create a much more joined up picture, although some are more risk-based than others.’
The financial crisis had exposed weaknesses in the quality of assurance and offered a strong case for rethinking boardroom assurance. ‘Firms are recovering from the crisis but market conditions are still tough,’ Vicky said. ‘Organisations are not just having to reinvent themselves in the face of challenges such as technology and cybercrime but the whole environment has changed with the degree and depth of regulation.’
The selling point of an integrated assurance framework is that its structured approach can give an organisation a holistic picture of the principal risks and help it determine the residual exposure of risks it is facing. It joins up risk management and assurance across all lines of defence; aligning and optimising the organisation’s assurance in line with the board’s risk appetite and promoting accountability and shared risk intelligence.
The four key components of the framework are:
specifying methodology, policies and procedure
defining ownership, roles and responsibilities
integrated assurance mapping (which identifies gaps and overlaps in the contribution of risk assurance across all lines of defence but is not an end in itself)
integrated assurance reporting
all of which require communication and sharing of intelligence.
Vicky has also identified three levels of application. The first is to inform risk assurance planning, the second is to enhance risk assurance and the third is for those organisations looking to harness shared and collective intelligence to gain a holistic risk and assurance picture and improve the effectiveness of risk management.
Among the key implementation challenges are not having a universally defined framework, which makes it difficult to sell the concept or get buy-in, the maturity of risk management, and turf wars which hamper coordination and collaboration.
In summary, Vicky said that an integrated assurance framework is about rethinking assurance in order to promote a much more sustainable business. ‘It’s about promoting accountability so that we can work across boundaries to gain synergetic benefits and inspire confidence in our stakeholders,’ she concluded.
Too late to integrate? Siebe Postuma, senior partner, Risk Advisory, Deloitte, was keen to stress the importance of applying an external perspective on why it is so difficult to integrate assurance and implement it in an organisation. ‘As assurance providers, it is important to have the widest possible lens,’ he said.
Over the last years, he said, most assurance providers have been putting their efforts into trying to be relevant and provide added value. However, in this ‘new world of big data, disruptions and digital tsunamis’ it is much more important to focus on real time. ‘Instead, we should be asking: are we timely enough, are we agile enough, or do we spend too much time integrating all those assurance functions?’ Siebe said.
There are many examples pointing to a ‘struggle’ in large companies to bring assurance integration alive despite their having mature assurance frameworks, control frameworks, anti-bribery activities, effective codes of conduct and mature internal audit functions.
‘For me one of the most frustrating things is that everyone is looking at risk management and internal audit and asking what we’ve done wrong,’ Siebe said. ‘Nobody is asking the question: where was the business? Why was the business not providing enough budget to do proper assurance or to build that integrated assurance that we really need?’
One of the factors behind compliance failures is that technology is changing businesses disruptively and exponentially. The world’s largest taxi company owns no vehicles, the world’s largest accommodation provider owns no real estate and the world’s most popular media owner owns no content.
‘Technology is changing the nature and volatility (speed) of risk and we should follow that with the same speed in adapting our ways of “doing controls and integrating assurance”,’ Siebe insisted. ‘In this “new world” doing controls or doing compliance every month or every quarter is far too late - real time control and continuous control monitoring is the new mantra.’
Future risk The wider lens Siebe advocated needs to be used to anticipate future risk and respond with greater agility. Techniques like 24/7 risk sensing and monitoring and even predicting risk events are at the frontline of changing companies’ internal governance risk and control environments. Deloitte forecasts that the future risks presented by cyber attacks, climate change, geopolitical risks, terrorism and business disruption will lead organisations to adopt new and broader risk transfer instruments, such as insurance and more sophisticated supplier contracts, to protect themselves. They will also be proactively managing the accelerated and amplified reputational risks that the new hyper-connected world presents, it anticipates.
‘We also believe that the big names will deploy persuasive controls as a part of their products, services and business models to monitor and manage risks in real time,’ Siebe said.
He questioned whether internal audit is ready for the new digital disruption. ‘Are we ready to advise management on how the three lines of defence model will have to change as a consequence?’ he asked. ‘There is no time to lose. We have to become more agile and decide how and where to innovate as an IA function. In five to ten years data scientists will be running internal audit.’
The internal audit role has to move from passive to more assertive, predictive, proactive and insightful, he insisted, adding new skills, tools and techniques to improve focus and effectiveness. It needs to evolve rapidly to offer deeper and broader insights by expanding the scope of its work and including assurance on market-moving information.
Automating labour-intensive processes in order to focus resources and expertise on high impact areas will also need to be part of the future. And for example changing the way we align with the stakeholders in the company (board, audit committee and auditees) and this should include new ways of communication, marketing the brand and value of IA in the company and the art of storytelling your key messages to those stakeholders.
‘It is time to come up with our own future-proof GRC and IA strategy and engage with our business stakeholders early in the process to send them the right signals,’ Siebe concluded. ‘It’s too late to integrate. And the new word is “innovate”’.