Reaching for Nirvana
In this article, we look at the benefits of integrated assurance.
As organisations become more complex, the demand for lateral communication mushrooms. Stuart Wooldridge, partner, KPMG, considers some of the collaborative road blocks and how organisations are overcoming them.
“Integrated assurance is what companies regard as nirvana - it's where they want to get to and it's something that larger organisations have a better chance of achieving.” This was the view of KPMG Partner, Stuart Wooldridge, addressing delegates to ACCA UK’s 2019 Internal Audit conference.
“’Assurance is the interesting word here,” he said. “What is assurance and who provides it?”
Stuart suggested agreeing on the IFAC definition: that assurance can only be provided when where there are three parties: the auditor, the body receiving the assurance and the body being audited. Further, it has to have an opinion and must be based on criteria that everyone understands.
He asked his audience to consider whether the individual compliance, risk and internal audit functions provide assurance and suggested that the answer in all cases was “possibly”.
It is also important to consider what integrated assurance is not. “It is not a conceptual framework, reporting approach, technology solution or additional bureaucratic layer. And it does not eliminate the need for existing assurance functions.”
What is clear, Stuart said, is that assurance presents a challenge which cannot be met without buy-in from all key risk control and compliance functions. Among the problems and hindrances associated with the provision of integrated assurance, the greatest, in his view, is the politics that operate across lines of defence. “If, for instance, the governance function isn’t pushing for it, it won’t happen.”
Acknowledging truth in the view that integrated assurance has high costs at the start and then tails off, he pointed out that, over time, there is an opportunity for it to help the organisations understand and manage cost more.
One of the challenges that control functions face is that they are constrained by budget. The cost-saving opportunity created by integrated assurance, Stuart said, is that it allows control functions to reallocate cost and expand what they do and the assurance they can provide in other areas.
The avoidance of duplication is another key benefit. So many different bodies are providing oversight and assurance that a spaghetti effect is being created with organisations ending up with multiple reports, often unaligned and saying different things. “It’s madness,” Stuart said. “So try and push integrated assurance’s ability to create one way of reporting, evaluating and communicating the importance of an issue. If integrated assurance led to the production of one reporting tool that would a good start.”
Fundamentally, integrated assurance is about is taking the “spaghetti” away and establishing first line of defence control groups. “Businesses are saying: ‘We’re audited umpteen times throughout the year and we’ve had enough of the inconsistencies – let’s get ourselves in order,’” Stuart said. “So they create their own control functions. Big banks have had them for years and insurance companies are not far behind.”
Improved risk management is arguably the most important advantage of integrated assurance. “It is a useful tool to help internal audit with its planning but the body that gets most benefit from is the audit committee,” Stuart said. “This is because it helps them get a much better view of whose doing what and where they doing it It helps them understand where there might be gaps and point the control functions at those gaps. That’s where integrated assurance really gives value. Rationalising information to drive better business is what are we seeing.”
After highly turbulent times, a relatively benign risk environment has been in place for some time. This relative stability has meant that organisations are starting to wonder if they are needing so many controls or whether they can be rationalised to create greater efficiency.
“That doesn’t happen when you have a volatile risk environment,” Stuart pointed out. “Integrated assurance gives that broader view and encourages organisations to think more about what the feedback from the assurance functions tells them. If the outlook is green, it could provoke the question: “Are we taking enough risk?”
A long journey
So how do organisations achieve integrated assurance? To start the process, someone in the organisation needs to recognise the synergies between difference functions and the benefits that rationalisation of their activities can bring.
“If you’ve got alignment of objectives between leaders in the lines of defence, you’ve got the chance of achieving integrated assurance but you’re on the start of a long journey,” Stuart said.
“You have to have a shared assurance vision and strategy. You’ve got to be able to talk about who owns risk, who monitors it and who provides assurance. If you can do that you’ve got an assurance model. You also need freedom from budget constraints and coordination of reporting, which means you need to get out of politics.
“If you’re going to do this well, you’ve got to have a common language and methodology,” Stuart stressed. “Ask yourselves: ‘What are our definitions and toolkits and how do we communicate around what we’ve done?’”
Above all, Stuart concluded, there needs to be a shared definition of assurance. “How often do I see that exist? Never. But that’s where we need to start.”
Jill Wyatt is a business journalist