The trials and tribulations of integrated assurance
What can we learn from Transport for London’s efforts to revitalise its integrated assurance development programme?
Lack of understanding about what integrated assurance is meant to achieve and who should be involved in making it a reality was commonly acknowledged by speakers at this year’s ACCA Internal Audit Conference, ‘Assurance through the looking glass’.
Roy Millard, senior audit manager, commercial and HSE&T, internal audit, Transport for London (TfL) was no exception. Even if delegates could define the concept of integrated assurance, he suggested that conversations with other professionals would quickly reveal there is little commonality in their understanding of either what it is or who provides it.
Roy identified many other barriers to making integrated assurance work, including a lack of commitment from the top, the strength of focus on different areas of assurance, and the disputed value of the chosen methods of delivering assurance. A reluctance to abandon or challenge customary practices is often a further challenge, as are organisational structures – reporting lines in particular.
‘In TfL, internal audit reports into the audit committee, safety reports into the London Underground managing director and the product assurance function reports into the finance director,’ Roy explained. ‘How do you get those people working together? Are they losing some control over assurance if they become integrated? There is, almost inevitably, some resistance to that.’
A question of ownership So who owns the task of getting people to work together better to integrate assurance? Roy was clear on this. ‘My view is that it’s internal audit because ultimately all assurance should flow to the audit committee,’ he said. ‘Unfortunately, internal audit doesn’t necessarily have the loudest voice or the most influence in this area, so everything comes back to tone at the top.’
The need to make integrated assurance work, he argued, is becoming increasingly important in the light of organisational complexity, joint sponsorship of major projects and the development of long and complex supply chains. A notably less tolerant view of failure from both local and central government is a further incentive.
The opportunities and benefits of success include closing gaps and creating greater efficiency, drawing out root causes of systemic issues and, importantly, amplifying the impact and improving the credibility of assurance. Creating a coordinated picture of assurance output can also provide collective knowledge about the culture of an organisation, which can then be fed back to the board, as well as helping them learn lessons from both project or business successes and failures.
‘I don't think any assurance provider is in a particularly good position to do that,’ Roy said. ‘But bringing together knowledge from various sources creates a much stronger ability to gather corporate knowledge, as well as a framework for propagating it out to the rest of the organisation.’
The expectations of stakeholders – both providers and receivers – is an important consideration when deciding how an integrated assurance framework can be defined within an organisation. When do they need assurance and what are the relationships that already exist between those stakeholders?
Roy also stressed the importance of understanding the governance hierarchy. How many levels are there? What are the inter-relationships between the different governance panels and organisations and how well do they work together?
Six key principles However an assurance framework is set up, it needs to adhere to the six principles of integrated assurance spelt out in the 2014 APM Guide to Integrated Assurance:
planning and coordination
impact, follow up and escalation.
‘If you follow these principles, you will be better able to successfully integrate a framework,’ Roy told his audience. ‘Applying them can be a way of improving some areas of assurance by bringing them up to common standards, building on what’s already there and avoiding duplication.’
For Crossrail, the new high frequency, high capacity railway for London and the south east, this had proved vital. When the project was just getting off the ground, the then chief executive identified the amount of assurance that would be done as representing one of the biggest risks to its success.
‘It became clear that there would be so many people wanting to interfere, working out how much money was being spent and what was being delivered, and so many different political and financial interests that an integrated approach to assurance was essential,’ Roy explained.
Equal weight should be given to each of the principles with someone clearly owning the task of integration. In TfL, an integrated assessment framework sets the policy for the organisation, which is overseen by the assurance delivery group and chaired by the general council, which is in turn accountable to TfL’s executive committee.
Roy highlighted the need for people’s roles and responsibilities to have an assurance element to them, suggesting that any project manager’s job description, for example, should include the need to fulfill an assurance role.
Recapping on the barriers to successful integrated assurance, Roy listed the top contenders as lack of corporate will, self-interest, culture and associated lack of trust, and inadequate risk management.
The strength of the audit committee, whose belief in the importance of achieving integration could serve as a useful lever in conversations across the organisation, numbered among the key factors in achieving success. Others include creating a strong link between risk and assurance, building in a culture of risk and assurance ownership, linking assurance and approvals, embedding assurance within activity plans and having well-defined assurance processes.
The way forward ‘Assurance mapping is one of the most powerful tools available in moving the integration agenda forward,’ Roy said. ‘However, this is fiendishly difficult to do in a large organisation. TfL put its first maps together three years ago but there is clearly a long way to go before we realise the benefits of this technique.’
Nevertheless, assurance mapping plays an important role in TfL’s current efforts to revitalise its integrated assurance development programme. There is also a focus on ensuring that all auditors, wherever they are in the organisation, follow common processes, a common competence framework and common templates. Complementary work streams are concentrating on self-assurance, trying to discover ways that assurance maps can help generate assurance itself, rather than all being review based, and on corporate learning.
Supporting this work is the introduction of an assurance database where all assurance plans and assurance outputs are stored and accessible to everyone in the organisation.