The concept of Board Assurance Frameworks (BAFs) isn’t exactly new, but at the same time they are not exactly a routine established part of many organisations' governance arrangements. The process of establishing a BAF itself instigates many beneficial conversations internally and introduces or reinforces an improved appreciation of risk, control, appetite and monitoring. 

Probably the most common BAF model is based upon three lines of defence; while variants exist the fundamentals boil down to the same common themes with additional lines typically referring to the ‘tone at the top’ and elements of an organisation’s governance arrangements. 

The first line of defence is the internal control environment recognising the policies, procedures and processes put in place by management, the second is management’s own monitoring and risk assurance processes including those escalated up through the governance framework and the third is independent assurance, providing a position statement for internal audit within organisations. 

Why should we embrace BAF?

As internal auditors why should we embrace the BAF concept? If the organisation’s BAF is suitably robust this can be used as a good basis to effectively direct our activity, ensuring we remain agile and responsive to organisational needs. It also reinforces the need for our work to be reported in an effective and timely manner to make a positive contribution to the organisation’s risk agenda and governance statements. 

In the face of constrained audit resources it can help to ensure that those at our disposal are deployed and used effectively to maximise the benefit of our clients’ investment, whether in-house or out-sourced, focusing audit attention to ensure we add the value expected of us and fulfil our ‘consulting’ role as recognised by the IIA International Professional Practice Framework (IPPF) and provide a suitable breath of assurance to our clients as required by Standards 2110 Governance, 2120 Risk Management and 2130 Control. 

The BAF is a useful starting point in assisting the head of internal audit in fulfilling their responsibility to identify, review and consider the wider assurances received by the organisation and use these to inform their annual opinion: helping address Standard 2050 Coordination. 

I query how well sources of assurance are understood by organisations; the BAF provides a starting point to assess this. Audit committees rightly look to internal audit as a core source of assurance; however, we must also recognise and promote other assurance sources. In my experience unless the term ‘auditor’ is used then the outcome of other work may not always find its way to positively informing and assisting the audit committee in fulfilling its responsibilities. Maybe this is an unintended consequence of its given identity prompted by legislation, regulation and standards; maybe a wider identity such as Risk and Assurance Committee throws the doors more widely open. 

Simply illustrated the risk of data loss through deliberate targeted attacks is nowadays high up the risk agenda of many organisations in the digital age and rightly so; it is not a sector specific risk with well-publicised events including online dating, telecoms, social housing, councils, airlines, retailers and financial services. While management may be commissioning penetration testing the results even at the highest level aren’t necessarily communicated and does the audit committee know to ask about them? 

Third line of defence

Internal audit must play a crucial and effective role in the third line of defence; however, we should also recognise that we are not the only provider of independent assurance. Some commentators rightly challenge the resources and experience of an internal audit function to deliver the assurance needs of an organisation, prompting the need for a pool of specialisms and skills. I don’t believe we should aim, claim or strive to be a one-size fits all solution; if we do we will almost certainly at some point be criticised for our cost especially in times of austerity. Rather we should work with our clients to ensure the key risks that justify independent review are suitably understood and the best assurance provider and solution identified to achieve this. 

In order to place reliance on the BAF in directing the efforts of internal audit we need to first assure ourselves that robust arrangements are in place; if not then this is ideal territory for internal audit to fulfil its consulting role and assist in the development of effective arrangements. 

Second line of defence

A crucial element of the second line of defence is an organisation’s performance monitoring arrangements feeding management and governance processes. As an internal auditor it never fails to surprise me how disjointed performance reporting can be from the strategic objectives of the organisation and the key risks it is facing. Often this appears to have developed over the passage of time with management information or the corporate dashboard either being poorly defined or failing to keep pace with change, particularly in a world where both the internal and external environment change faster than ever. 

Performance reporting processes have been reported as being flawed by a 2015 ACCA/KPMG report entitled An eye on the facts; performance indicators, data capture processes, data management and performance reporting systems are fundamental elements of the second line and, based on personal experience, are areas where internal audit can provide significant value. 

Importantly, where positive assurance isn’t possible this should be an area where  strong internal auditors' skills firmly lend themselves to consulting and helping their clients improve in a fundamental area of their business. Input from internal audit should provide confidence in both financial and non-financial data to assist in tackling issues highlighted by the ACCA/KPMG report such as almost 40% of decisions being grounded not on information-based insight but ‘gut instinct’. 

From a selfish perspective the internal auditor should also have a personal interest in the quality of reported data; it should provide useful intelligence in respect of directing audit attention. 

The 2015 analysis of audit committee reporting published by accountancy firm BDO entitled A Gathering Storm highlighted deficiencies in the effectiveness of internal audit reporting. As internal auditors we can use the underlying basis of the BAF model to direct our efforts, focus assurance on key risks and business critical controls and effectively talk the same language as our clients, ensuring a clear ‘on target’ message regarding residual risk exposure and affording both senior management and importantly other key stakeholder groups such as audit committee a clear basis upon which to assess the acceptability or otherwise of residual risk exposure within the context of the organisation’s appetite - particularly important in respect of Standard 2060 and 2600 Communicating the Acceptance of Risks. 

A key tool

The BAF is a key tool for the audit committee in fulfilling its responsibility to ensure that the organisation is effectively managing its inherent risks within risk appetite: not simply those of a financial nature but across an organisation’s operational activity, most of which will ultimately have a financial consequence but which may originate from operating in its chosen product line, service line or market. 

We are regularly asked by our clients to ‘add value’ which if we perform our role with the engagement, freedom, professionalism and enthusiasm it deserves we should achieve either through the assurance we are providing to our clients, enabling them to sleep well at night, or through the improvements we identify to their internal control, governance and risk management frameworks, which if implemented help our clients’ reduce their residual risk exposure through informing the first and second lines; but we need to ensure this is visible and understood by our clients. 

I firmly believe a good BAF benefits our clients but also importantly allows internal audit to position itself correctly within the organisation, embed ourselves through talking the same language as our clients, focus attention and effectively work together towards the delivery of strategic goals within risk appetite. 

Is an effective BAF in place? Questions to consider

As internal auditors this is one of the, if not the, most important question we should be asking ourselves and challenging our clients about. Through considering this we can answer some underlying fundamentals:

  1. Does our client understand its risks and have suitable risk reduction plans in place?
  2. Does it communicate effectively with the Board and therefore focus attention on the right areas?
  3. Is there a good understanding by all parties of the existing sources of assurance?
  4. Are any gaps in assurance well understood?
  5. Is this resulting in well-informed, clear, annual governance statements? 

Lee Glover FCCA