Integrated assurance – can internal audit really place reliance on others?
Effective collaboration across all key stakeholders is vital to the success of integrated assurance but raises many practical considerations.
Integrated assurance is complicated. The lack of a universally agreed definition of what it is, alongside different views on its applications at various organisational levels, leads Lisa Nowell, Global Director, quality assurance and professional practices, Barclays internal audit, to pose the question: ‘If we don’t know what it is or how to do it, why do we in internal audit even bother?’
‘Implementation of integrated assurance is made difficult by different interpretations of its applications,’ she told attendees at ACCA’s annual internal audit conference in London. ‘For some, it is about working with second line defence, while others think it’s all about having more relationship meetings to discuss what’s going on. Still others believe it is about placing reliance on other people in the business so that audit doesn’t have to do as much work in that area and can focus on the highest risk.
‘There are also different terms used to describe the activity, including coordinated assurance, combined assurance and governance risks and controls. All these different definitions are confusing for the profession. However, I think the common characteristic is the coordination between the assurance functions, including internal and external audit.’
The financial crisis revealed that boards did not challenge their executives properly, did not understand the key risks within an organisation and therefore couldn’t understand the level of assurance that they needed in order to discharge their responsibilities.
‘This wasn’t – and isn’t – just true of the financial industry,’ Lisa pointed out. ‘Other industries share similar problems, such as the food industry with its horse meat scandal and the slave labour in Bangladesh’s clothing industry, so I think it makes it really clear that we do need to try and progress integrated assurance at least at some level.’
An integrated view of risk
While everyone thinks they know what assurance is, Lisa said it is important to question whether this is true. She didn’t think it was. ‘I don’t believe organisations know the level of assurance they are getting for the amount of money they’re investing and I also don’t think people understand how best to get an integrated view of risks,’ she said.
From Barclays’ perspective, some of the key characteristics of integrated assurance are that it promotes risk management and assurance as an integrated process across functional boundaries. ‘It means we talk to each other,’ Lisa explained. ‘We talk across the boundaries, so it’s not just “them and us”. By combining forces we provide a holistic view of what risk we think is still left in the business and what needs to be addressed.’
More widely, integrated assurance does ‘try to believe in one version of the truth’, she added. ‘It helps organisations move towards a more common language and that’s important because you have to try to talk in a similar language. If you don’t, you will be endlessly debating the nuances of various points with other parts of the business. In Barclays it took four years to get to a common language just in risk perspective.
‘The baseline for integrated assurance has to be a methodical process which identifies key risks and business activities and maps the level of assurance, understands what the board’s risk appetite and tolerance is and determines how you’re going to meet that.’
In 2012 Barclays set up a programme designed to create common definitions of its risks and how it rated its control environment, as well as a way to define the company’s culture. The work on these led to an assurance map, which Lisa was keen to emphasise was not the same as co-ordinated assurance. ‘This map is just determining that assurance should take place and planning where to go next,’ she said. ‘It has taken nine months in one area of Barclays to do that, but it has created much better relationships within the business.’
The assurance ‘maturity model’, which Lisa then outlined, begins with communication and coordination, which at its most basic level might just be different parts of the business sending each other their plans. Increasing ‘maturity’ of the model would lead to coordinating planned work, which Barclays has started to do, and integrated reporting to the audit committee and board, which the company aspires to.
A coordinated assurance plan would be starting to join up the three lines of defence to report to senior management and the board, creating a fully co-ordinated assurance plan and achieving controls testing efficiency through streamlining and automation. The aspiration in banking, Lisa said, is to automate as much of assurance as possible.
Practical considerations
To successfully realise this model, which Lisa emphasised was not a ‘one size fits all’ solution, a number of practical implications and problems need to be addressed.
‘There needs to be a mandate from the top otherwise you end up having fuzziness in the middle, which is not going to buy into the programme of reform,’ she said. ‘If you don’t get that, it’s going to make your job an awful lot harder.’
There also needs to be trust in the process. As Lisa pointed out, for the first time people now can go to jail if things go wrong. ‘That’s a big risk,’ she said. ‘Why should people place reliance on people they have no control over? Why would a head of risk or head of assurance place reliance on the first line of the business when they could go to jail if it all goes wrong? I really do think there is more communication required with regulators as to whether you can really place reliance on somebody else in the banking industry when there is a personal risk of going to jail.’
Lack of a single methodology also poses a barrier to integrated assurance in Lisa’s view. ‘Internal audit has its own methodology but I wouldn’t want risk management compliance or the business setting up their own audit teams,’ she said. ‘The assurance that risk management provides is different in terms of the level and view of risk and what you’re looking for is different views of the same risk from different angles. To move on, there needs to be a focus on finding a consistent methodology.’
Different levels of skills and experience across a firm are also key. In a company such as Barclays, which has a staff of 140,000, this is relatively easy. A smaller organisation might have 40 staff or fewer, so the question of where the required skills to achieve integrated assurance can be found has to be asked, alongside whether it is even really necessary.
Lisa concluded by suggesting that at the current time management places much higher reliance and importance on the work of internal audit compared to the other assurance providers. ‘That isn’t easy in terms of demands on our time,’ she observed. ‘And working towards integrated assurance is very time-consuming.’