Integrated assurance - too late to integrate?
Why a more externally oriented focus is required to ensure that our profession keeps track with the pace at which industries are developing.
It seems that the financial services sector is steadily recovering from the crisis and being discharged from intensive care by governments. One of the other positive developments of this journey to recovery is the discussion about the role and the responsibility of the internal audit function.
In some countries the regulator provided more specific guidance, especially within the financial services industry, and the IIA in one way or another also initiated a good discussion with impact beyond the FS industry.
For example, the Federal Reserve in the US launched new guidance in 2013 that auditors should do more continuous risk assessments and have a wide range of business experts in their teams through rotational programs.
The IIA in the UK launched new guidance in 2013 especially for the financial services industry requiring that IA should change the role to:
- ‘Challenging’: from the passive role to a more assertive ‘here is my assessment, now it is time for you to act’
- being all-encompassing in IA’s risk assessment and assurance coverage including strategy and the full range of risks having an impact on the organisation
- IA being present at both the board AC and the board risk committee and any other committees
- IA’s reporting should include an assessment of the effectiveness of the governance, risk and control framework of the organisation, and themes and trends and their impact on the organisation’s risk profile
- ensuring the positioning and attendance of the chief audit executive at executive committee level and associated meetings.
These new developments have also initiated discussion in many companies, in and outside the financial services industry, about the primary role and focus of IA.
Setting the scene – IA in historical perspective
If we take a more historical perspective we can say that it was maybe only at most 20-30 years ago that the mandate and scope of many IA functions moved away from merely financial towards operational types of audit. In many companies we see a very positive trend that IA has followed a rapid growth journey in maturing from ‘childhood’ to being a robust and respected ‘adult’ within the company.
In many companies we have seen more or less a similar journey of how the IA function ‘grew up’ by originating with a focus of identifying gaps in the financial control area and helping to, or advising management to, implement a sound financial control framework to address weaknesses and gaps.
Through this ‘educational role’ IA helped the business to develop sound financial control frameworks within the business. IA quite often also played a role in helping the business to build and mature other controls and assurance activities and we have seen that many companies adopted the three lines of defence approach. In these three lines of defence, the business has implemented controls execution and business assurance/review activities in the first and second lines.
In many companies this has now come to a stage where management asks challenging questions about whether there is ‘too much compliance’, and if we still need ‘checkers to check the checkers’ etc. It is not part of the scope of this discussion note to challenge those comments in the light of the fact that it was just a couple of years ago that the crisis started in the financial services industry as well as in other industries due to the lack of strong governance (read controls and checks and balances). But what is part of the scope of this article is the movement in many companies to explore if and where they can reduce the so-called compliance burden by integrating those ‘compliance/assurance activities’.
The discussion I would like to embark on in our profession is whether IA should invest a lot of time and effort in supporting management's quest to find ‘lean’ opportunities to reduce the cost of control and assurance; or whether we should focus on other priorities supporting management in preventing other failures. Hence the question arises whether IA should challenge the business on the topic of integrated assurance, by assessing firstly if it is ‘too late to integrate’.
The pitfall of too much focus on integrated assurance
If we look at integrated assurance from a cost saving or efficiency perspective on one side, or from the perspective of providing better or more effective assurance on the other, there is always the risk/pitfall that we focus too much on the topic from the current state perspective. This so-called ‘As-Is’ perspective might identify overlap in control and/or assurance activities or even opportunities to get rid of redundant controls. It also might lead to an even better or more focused scoping of IA. But what it will probably never lead to is a real ‘future’ perspective orientation and asking ourselves questions like:
- how will or should controls operations and testing look in five or ten years from now?
- will we still use fully fledged control frameworks (quite often documented in huge spreadsheets or off the shelf tooling designed in the same way as traditional spreadsheet frameworks) and most often manually tested in a monthly or quarterly cycle pattern?
- will internal audit still audit the control effectiveness or the effectiveness of the first and second line activities on a rotational cycle based approach?
- do we focus too much on control effectiveness and efficiency (second line of defence reviews) or should we focus more on quality of governance and risk management (risk intelligence of the business)?
Of course many companies are exploring the automation potential of their control and assurance activities to try to move to a sort of continuous control monitoring in conjunction with substantive testing through data analytics.
However, not many companies have really looked ahead to what the future should or will look like. If we consider how rapidly digital technology is changing entire business models and enterprises, and even wiping out complete industry players (‘Blockbuster effect’, Alibaba, Airbnb etc.), we as the IA profession should also be aware of these influences on the business control and assurance activities and hence the way we should adapt our audit approach.
Are we as the IA profession ready to advise management how the lines of defence model including our own activities will have to change as a consequence of exponential changes in the business caused for instance by new digital technology? Or in short is IA ready for the new digital disruption and ready to prevent a ‘Blockbuster’ event in our audit model?
We should not think that this is only the case in certain industries like media and telecom or fast moving consumer goods, and that our audit activities will be affected only in those rapidly changing industries. Even in highly capital-intensive industries like power and utilities or oil and gas the business is more and more controlled by high tech systems and software. Smart grids, smart meters and applying drilling analytics are just a couple of examples to illustrate this. The very traditional business model of the global taxi business was highly disrupted by a simple app invented by Uber.
Imagine how drones, Google Glass, or iPads used in field work could change the way the business executes oversight and controls, collects evidence and follows manuals and procedures, with sophisticated knowledge management systems using push down techniques to bring these to the business wherever they are and exactly when they need them. In this perspective we should challenge ourselves as a profession and also in our role as auditors. And we should not forget that we should challenge the first and second line functions on how they want that same business to execute and document controls in the future.
In this context we should ask ourselves questions like:
- how will it affect our resource strategy or model; do we need a completely different mix of resources and skillsets in our IA team?
- how will it affect our methodology of executing the audits, documenting evidence etc.?
- how much time should be spent on independent risk assessment and discussing with key stakeholders in the business key changes, versus executing audits?
- how will it affect our board and audit committee interactions and reporting?
- should we move to more real time reporting?
Based on our experience we know that change management is the most difficult part of these efforts. Therefore it would make sense if we recognise that it will take time to make the abovementioned changes in our IA delivery model. However, in the current environment ‘time’ is one of the factors which is the next disruptive element ...
Some considerations on challenges for our IA
Most IA organisations have managed to establish a good brand within the company they serve, and are recognised as strong independent assurance providers, supporting the business board and AC in addressing high risk areas, delivering added value etc.
But IA functions face the same risks as large companies that could not adjust their governance, risk and compliance environment quickly enough to the continuous flow of changes in the business and external landscape.
Besides the challenge of following the pace of the business, another challenge is finding the best operational model to ensure that your audit scoping and planning as well as execution is geared to the new world of continuous change and a more volatile risk environment. Where risks are volatile not only from a size or likelihood perspective but also from a timing perspective, the ‘speed of risk’ (risk velocity) is a new dimension which deserves a permanent ‘seat’ in the design of risk heat-maps.
Many audit departments already have a rolling forward approach in planning audits. In addition most often they also have a solution to adapt and include new risks or ad hoc audit demand from management in the audit plan. The question, however, is whether this is agile enough to move from a relatively ‘static’ approach to a more ‘dynamic’ audit approach.
Applying an audit continuum approach where you can select from a large variety of ways to execute the audit could bring a more dynamic approach. The agile approach will certainly also demand much more flexible resource models including a constant, broad, flexible pool of guest auditors, as well as short and longer term business rotators.
Co-source models with other providers to deliver subject matter expertise is another option to make the delivery model agile. The co-source providers should not necessarily come from the ‘traditional arena’ (the big four or similar firms). In the light of being close to the business, it makes a lot of sense to expand the co-source relationship to companies like strategy firms, digital technology firms etc.
Being more agile could also require that traditional reporting schemes need to change. Quarterly audit committee meetings, where IA presents outcomes of audits over the past 3-6 months covering an audit period of dates even further in the past, will not give timely enough input for management to make necessary improvements and changes in a rapidly and constantly changing environment. Add to that the time it takes to start improvement projects on the recommendations going forward and it will not be sufficient to continue the traditional way of reporting.
All the previous considerations could be captured under the umbrella of one central question - do we have an IA strategy?
Most IA functions have a sound methodology and a well organised annual audit planning approach, but the question I would like to pose in this article is whether we spend enough time on developing a good IA strategy and whether we pay sufficient focus and attention in this strategy to topics such as:
- how to become more agile (follow the pace of change in the business and become more dynamic)
- how and where to innovate (continuous auditing etc.)
- how to change our communication and reporting approach (marketing our brand and do more knowledge sharing versus plain reporting of findings and recommendations).
While it is clear that integrated assurance is still an important topic and could bring additional benefits in terms of efficiencies and more focused controls and assurance, I emphasise that a more externally oriented focus is required to ensure that our profession keeps track with the enormous pace at which most industries are developing themselves, and that we make sure that we are ready for the new future. A new future that will be driven more and more by technology and almost constantly facing disruptive events.
If our stakeholders in those businesses (read auditees) have to follow this pace and make sure that they stay in control of their strategy, it is surely the same for us as IA professionals.
Otherwise we might face another challenge that business will legitimately pose comments on the execution of our audit approach like: ‘you do not understand the business’, or ‘you are putting too much compliance around my processes’ etc.
It is now time to come up with our own future proof strategy (as our stakeholders in the business do in their standard planning and control cycles) and engage with our stakeholders (boards and audit committees) early in the process to send them the right signals etc.
Strategise, innovate and accelerate is very common language if you read companies' vision and mission statements. Why shouldn’t this be our language and bring more substance to our profession than only adopting new analytical tools in our existing methodology and ways of working?
Siebe Postuma CIA – Partner, Deloitte Risk Advisory