The Big Assurance Picture

Transcription

1 The Big Assurance Picture Stuart Wooldridge, Partner in Internal Audit Services at PwC, spoke at the joint ACCA/IIA networking forum on 25 October 2011 on The Big Assurance Picture. This is an overview of his talk. The two questions that all Heads of Audit ask are what s on everybody s audit plan and what s everybody doing with integrated assurance. What is it? A single organisation wide view of risk and control derived from assurance activity undertaken across the lines of defence. It is an opinion to the receivers of assurance on the adequacy of the governance risk and control environment. Why do we want it? Integrated Assurance has become a hot topic and indeed is the number one solution that organisations are looking to implement. Some of the drivers for this are: Business Drivers Increasing business complexity Increasing regulatory intervention and oversight in all industry sectors particularly in the financial services sector where the role of the regulator has changed and is continuing to change The need for a better view of the adequacy of governance risk and control is a key issue for the regulator Alongside that we ve seen the development of other assurance activities from non-internal audit parts of our businesses: Lines of defence SOX management assertions Increasing maturity of Enterprise Risk Management (ERM) - a mature risk management function will have some degree of assurance over the adequacy of control. It isn t one that just collates information and reports on the application of a framework. A mature risk management framework is one that undertakes some checking that controls that it is relying on in defining its net risk position are operating the way they expect them to. That can be self assessment or any form of checking but you would expect to see some sort of checking activity Management awareness of audit intervention The need for efficiency and cost saving Reveal the gaps Governance Drivers The need for an opinion on the adequacy of controls across the organisation. Audit Committees start the year by approving a plan of audit

2 activity at the end of the year they have a pile of audit reports and have to take that body of work and draw together the net impact of all that body of work to form their own opinion on the adequacy of the control and risk framework. They rarely have the opportunity to have somebody independent stand back from that pile of reports and help them draw together an opinion. With the increasing complexity of business and increasing regulatory intervention, Audit Committees need more help from audit functions to draw together an opinion and define that opinion Conflicting messages from Risk Management function and Internal Audit function for example, risk management functions producing green risk maps indicating that there are no problems and everything is within risk appetite but then the audit function does an audit and finds that half of the controls in that business unit are not operating the way that they are expected to and some are not even designed to achieve the objective they were trying to achieve. That conflict drives a greater degree of uncertainty for the Audit Committee around what the true story is. Integrated assurance is trying to overcome this by helping the Audit Committee understand what each function is trying to provide in terms of assurance Capital Adequacy based regulation in Financial Services such as Insolvency II. The last 10 years has seen a quantum change in the way that risk affects organisations. Risks have changed in terms of the contagion that they have across organisations. The best example of this at the moment is BP. BP had a very unfortunate and very significant operational failure on a platform something that we have all seen in the news. When you stand back from BP now and look at the impact which that operational failure had it led to regulatory scrutiny, it led to the US Government becoming significantly involved in the business of BP, and it ended up having liquidity and financial impacts on the organisation way and above examples of the same sort of impact that has been seen in the past. If you compare the contagion of that initial risk and impact to BP against something like Exxon Valdez that was 22 years ago a similar sort of operational failure in many ways the speed of contagion and the level of contagion of those two incidents were very different. We are now seeing risks spread far more rapidly across organisations and impact different types of risk categories. That is one of the key drivers for the increasing focus on risk management and for the stepping up of the whole activity of risk. The balance of power has swung from the 3 rd line of defence into the 2 nd line of defence so the challenge to internal auditors is to consider whether they have kept pace with what it is that organisations expect of them and expect from a 3 rd line of defence. Internal Audit has not kept pace with the level of assurance across the organisation that Audit Committees desire, demand and expect - and this is

3 why Audit Committees are looking to other sources of assurance from the organisation and calling for Integrated Assurance. For organisations where compliance with the IIA standards is important, the IIA standards put assurance as the remit of Internal Audit the 3 rd line of defence. That is the key to who has responsibility for providing that opinion on the adequacy of the governance risk and control environment to the Audit Committee and to the organisation and the Board. Integrated Assurance is Internal Audit s opportunity to reclaim the leadership on the provision of assurance in the corporate world. This may have slipped into the 2 nd line of defence but now is the time and this is the topic that allows us to take a little more leadership and a little bit more control of assurance for our organisations. So what is the role of Internal Audit? The role of Internal Audit is to deliver assurance to the Audit Committee to facilitate their evaluation of the adequacy of the Internal Control Framework. Commenting and opining on that Control Framework will involve providing some view on the control activities of the 1 st line of defence how management manage risk and the control monitoring and risk activities of the 2 nd line of defence including their checking activity where they do some. However Internal Audit s key challenge comes back to taking the body of work that they undertake, and taking the body of work that is done by other assurance activities and building that into a framework such that they can provide that overarching opinion on governance risk and control. Integrated Assurance is it inevitable? The journey to Integrated Assurance: Assurance Mapping or Combined Assurance is the starting point of the journey but the challenge for internal audit is actually helping their organisations get to integrated assurance.

4 Assurance Mapping What is it? A visual representation of the assurance provided across the organisation Covering all (or key) risks / processes Identifying all assurance providers Indicating the extent and effectiveness of assurance provided A stock take of what assurance the organisation is getting, where it is located, and how good it is. Good assurance mapping does not just relate to business process and control activity it also identifies where non-business processbased assurance is also being received. eg. Health & safety audits, quality control reviews, etc Why do it? Provides an overview to the Audit Committee, assurance providers and operational management of: The assurance activity that is being undertaken across the organisation (quantum not quality) Gaps in that assurance (risks and controls not covered) that need to be either filled or accepted Overlaps in assurance; where efficiency gains can be made The map can also be used to adjust the Internal Audit programme to review, where appropriate, assurance providers rather than controls the start of the journey towards Integrated Assurance. Example Assurance Map Continuum: Over-arching requirements Balance conflicting needs for detail and simplicity / sustainability Document the collation process to facilitate review and re-performance Perform a thorough assessment first time to ensure efficiency

5 Example Assurance Map Integrated Assurance What is it? A single organisation wide view of risk and control derived from assurance activity undertaken across the lines of defence. But there are some key questions. Which Stakeholder body is the assurance for? Different stakeholder bodies have different definitions of what assurance is. Management s definition of what assurance is will differ from the definition that the Audit Committee holds and a project board would have a different definition from both of them. A Head of Internal Audit driving integrated assurance will therefore need to work with each Stakeholder body to define what assurance means to them and how much confidence they want from that assurance. One of the biggest challenges for internal audit methodology is the way in which they manage the level of confidence they provide around their outputs. If you are going to do integrated assurance properly, firstly you need a definition of what assurance is and secondly, you need to be able to manage your assurance activities around a level of confidence that you need to satisfy the Stakeholder body that you are reporting to. That will be important in terms of the way in which you evaluate assurance activities from other lines of defence. Understanding the sources of Assurance Most people are familiar with the three lines of defence model: Ist line management control and reporting 2 nd line functional oversight/governance 3 rd line independent review/oversight

6 1 st & 2 nd line are management action whilst the 3 rd line is independent monitoring. There are different levels of assurance resulting from the different lines of defence. The assurance scale is from low assurance at the 1 st line (self assessment, sporadic) to high assurance at the 3 rd (high degree of independence, timely systematic and regular, technical expertise). 1 st line features of assurance activity: Tends to be quality based (how good are things) or more likely performance based (how are we doing against budget). When we are looking at activity that supports integrated assurance, 1 st line of defence assurance activity is rarely evidence based and is rarely risk and control specific. Using activity out of the 1 st line of defence is therefore a challenge. 2 nd line features of assurance activity: There are similar challenges with using activity out of the 2 nd line of defence. Activity is quite often metric or performance based and frequently focused on regulatory rules rather than Shareholder value protection business process controls. And it is compliance with policy based did you do what you were tolds to do? Judgements on controls are often supported by self-assessment processes. 3 rd line features of assurance activity: Activity is independent, evidence based and confidence comes from sample based activity. What is assurance? The first activity in moving towards integrated assurance is to get your organisation to agree upon a definition of assurance. Some definitions include: Objective examination of evidence for the purpose of providing an independent assessment on risk management, control, and governance processes for the organisation. Source: Institute of Internal Auditors Confidence, based on sufficient evidence, that objectives are being achieved, risks are being identified and appropriately managed and that internal controls are in place and operating effectively. Source: Institute of Internal Auditors For assurance to be provided there needs to be a subject matter and criteria against which the subject matter can be evaluated or measured to provide an opinion. Source: ISAE 3000 This last definition tends to work the best for many organisations.

7 The Integrated Assurance Framework Blending Assurance Activity When you are trying to blend assurance activities - which is what you ll get to when you have evaluated your assurance activities - the first step is confidence. Define the nature and level of assurance required if you cannot define that from the activity then it is hard to define the level of confidence that you need from it. Try and define what type of activity it is supporting is it testing operating effectiveness or is it looking at the design of controls. Then you need to test the way in which the activity is undertaken - assess the activity against the Assurance Framework - and contemplate the nature of gaps and other sources of assurance. If you are able to use that sort of evaluation technique on a piece of assurance activity, then upon completion you should have a good view of where you are getting your compliance assurance from, where you are getting your control assurance from and where you are getting your risk management assurance from. Who manages the delivery of integrated assurance? The IIA has defined this for us - the natural home for assurance is the 3 rd Line of defence. But the question for me is - is Integrated Assurance the answer to the delivery of an audit opinion? My view would be that it is an extremely good step towards it it doesn t necessarily take away the challenge of providing an overall opinion but our Audit Committees think that this is part of the journey. So integrated assurance is probably part of the answer for internal

8 audit functions providing an overall opinion on the adequacy of governance risk and control. What does the future hold around assurance? PwC did some work 12 months ago looking at Key Control Indicators (KCI). We worked with some insurance companies looking at how they could use performance-based transaction information to demonstrate the operation of a control. The output of that work was quite interesting in terms of allowing an organisation to use the performance data that it has around transactions going through systems to help evidence the operation of control. When I think about what the future might look like and what world class integrated assurance might look like, I think there is a challenge for us that a lot of it needs to be automated in one way or another and I expect that we are going to see organisations looking for ways to identify features of transactions that enable them to demonstrate that controls have operated. So 1 st and 2 nd line of defence assurance activity will potentially be automated. In summary, the future around assurance could see: The identification of Key Control Indicators (KCI) across all business risks Ongoing monitoring of KCIs automated data collection and threshold based reporting A greater focus on the adequacy of risk management and risk identification Dynamic risk monitoring how are risks and risk drivers moving. Recap The further development of Integrated Assurance is inevitable. It is inevitable because our Audit Committees are struggling to put together their opinions on the adequacy of the control environment and they are looking towards integrated assurance to help them do that. This is Internal Audit s opportunity to take back the lead on who provides assurance in our organisations, to rebalance the provision of assurance across the 3 lines of defence, and to use integrated assurance frameworks as a toolkit to help us help our Audit Committees understand the output from the body of work that we generate.