The Big Assurance Picture

Stuart Wooldridge, Partner in Internal Audit Services at PwC, spoke at the joint ACCA/IIA networking forum on 25 October 2011 on The Big Assurance Picture. This is an overview of his talk.

The two questions that all Heads of Audit ask are: what's on everybody's audit plan, and what's everybody doing with integrated assurance?

What is it?

A single organisation-wide view of risk and control derived from assurance activity undertaken across the lines of defence. It is an opinion to the receivers of assurance on the adequacy of the governance, risk and control environment.

Why do we want it?

Integrated Assurance has become a hot topic and is indeed the number one solution that organisations are looking to implement. Some of the drivers for this are:

Business drivers
- Increasing business complexity.
- Increasing regulatory intervention and oversight in all industry sectors, particularly in the financial services sector, where the role of the regulator has changed and is continuing to change. The need for a better view of the adequacy of governance, risk and control is a key issue for the regulator.
- Alongside that, we've seen the development of other assurance activities from non-internal-audit parts of our businesses:
  - Lines of defence
  - SOX management assertions
  - Increasing maturity of Enterprise Risk Management (ERM). A mature risk management function will have some degree of assurance over the adequacy of control. It isn't one that just collates information and reports on the application of a framework. A mature risk management framework is one that undertakes some checking that the controls it relies on in defining its net risk position are operating the way it expects them to. That can be self-assessment or any form of checking, but you would expect to see some sort of checking activity.
- Management awareness of audit intervention.
- The need for efficiency and cost saving.
- Reveal the gaps.

Governance drivers
- The need for an opinion on the adequacy of controls across the organisation. Audit Committees start the year by approving a plan of audit activity; at the end of the year they have a pile of audit reports and have to take that body of work and draw together its net impact to form their own opinion on the adequacy of the control and risk framework. They rarely have the opportunity to have somebody independent stand back from that pile of reports and help them draw together an opinion. With the increasing complexity of business and increasing regulatory intervention, Audit Committees need more help from audit functions to draw together and define that opinion.
- Conflicting messages from the Risk Management function and the Internal Audit function. For example, risk management functions produce green risk maps indicating that there are no problems and everything is within risk appetite, but then the audit function does an audit and finds that half of the controls in that business unit are not operating the way they are expected to, and some are not even designed to achieve the objective they were trying to achieve. That conflict drives a greater degree of uncertainty for the Audit Committee around what the true story is. Integrated assurance is trying to overcome this by helping the Audit Committee understand what each function is trying to provide in terms of assurance.
- Capital adequacy based regulation in Financial Services, such as Solvency II.

The last 10 years have seen a quantum change in the way that risk affects organisations. Risks have changed in terms of the contagion that they have across organisations. The best example of this at the moment is BP. BP had a very unfortunate and very significant operational failure on a platform, something that we have all seen in the news. When you stand back from BP now and look at the impact which that operational failure had: it led to regulatory scrutiny, it led to the US Government becoming significantly involved in the business of BP, and it ended up having liquidity and financial impacts on the organisation way above examples of the same sort of impact that have been seen in the past. If you compare the contagion of that initial risk and impact to BP against something like Exxon Valdez, which was 22 years ago and in many ways a similar sort of operational failure, the speed of contagion and the level of contagion of those two incidents were very different. We are now seeing risks spread far more rapidly across organisations and impact different types of risk categories. That is one of the key drivers for the increasing focus on risk management and for the stepping up of the whole activity of risk.

The balance of power has swung from the 3rd line of defence into the 2nd line of defence, so the challenge to internal auditors is to consider whether they have kept pace with what it is that organisations expect of them and expect from a 3rd line of defence. Internal Audit has not kept pace with the level of assurance across the organisation that Audit Committees desire, demand and expect, and this is why Audit Committees are looking to other sources of assurance from the organisation and calling for Integrated Assurance.

For organisations where compliance with the IIA standards is important, the IIA standards put assurance as the remit of Internal Audit, the 3rd line of defence. That is the key to who has responsibility for providing that opinion on the adequacy of the governance, risk and control environment to the Audit Committee and to the organisation and the Board. Integrated Assurance is Internal Audit's opportunity to reclaim the leadership on the provision of assurance in the corporate world. This may have slipped into the 2nd line of defence, but now is the time and this is the topic that allows us to take a little more leadership and a little bit more control of assurance for our organisations.

So what is the role of Internal Audit?

The role of Internal Audit is to deliver assurance to the Audit Committee to facilitate their evaluation of the adequacy of the Internal Control Framework. Commenting and opining on that Control Framework will involve providing some view on the control activities of the 1st line of defence (how management manage risk) and on the control monitoring and risk activities of the 2nd line of defence, including their checking activity where they do some. However, Internal Audit's key challenge comes back to taking the body of work that they undertake, and the body of work that is done by other assurance activities, and building that into a framework such that they can provide that overarching opinion on governance, risk and control.

Integrated Assurance: is it inevitable?

The journey to Integrated Assurance: Assurance Mapping or Combined Assurance is the starting point of the journey, but the challenge for internal audit is actually helping their organisations get to integrated assurance.

Assurance Mapping

What is it?
- A visual representation of the assurance provided across the organisation
- Covering all (or key) risks / processes
- Identifying all assurance providers
- Indicating the extent and effectiveness of assurance provided

A stock take of what assurance the organisation is getting, where it is located, and how good it is. Good assurance mapping does not just relate to business process and control activity; it also identifies where non-business-process-based assurance is being received, e.g. health & safety audits, quality control reviews, etc.

Why do it?

It provides an overview to the Audit Committee, assurance providers and operational management of:
- The assurance activity that is being undertaken across the organisation (quantum, not quality)
- Gaps in that assurance (risks and controls not covered) that need to be either filled or accepted
- Overlaps in assurance, where efficiency gains can be made

The map can also be used to adjust the Internal Audit programme to review, where appropriate, assurance providers rather than controls: the start of the journey towards Integrated Assurance.

Example Assurance Map

Continuum: over-arching requirements
- Balance conflicting needs for detail and simplicity / sustainability
- Document the collation process to facilitate review and re-performance
- Perform a thorough assessment first time to ensure efficiency

Example Assurance Map

Integrated Assurance

What is it?

A single organisation-wide view of risk and control derived from assurance activity undertaken across the lines of defence. But there are some key questions.

Which Stakeholder body is the assurance for? Different stakeholder bodies have different definitions of what assurance is. Management's definition of what assurance is will differ from the definition that the Audit Committee holds, and a project board would have a different definition from both of them. A Head of Internal Audit driving integrated assurance will therefore need to work with each Stakeholder body to define what assurance means to them and how much confidence they want from that assurance.

One of the biggest challenges for internal audit methodology is the way in which they manage the level of confidence they provide around their outputs. If you are going to do integrated assurance properly, firstly you need a definition of what assurance is and secondly, you need to be able to manage your assurance activities around the level of confidence that you need to satisfy the Stakeholder body that you are reporting to. That will be important in terms of the way in which you evaluate assurance activities from other lines of defence.

Understanding the sources of Assurance

Most people are familiar with the three lines of defence model:
- 1st line: management control and reporting
- 2nd line: functional oversight/governance
- 3rd line: independent review/oversight

The 1st and 2nd lines are management action, whilst the 3rd line is independent monitoring. There are different levels of assurance resulting from the different lines of defence. The assurance scale runs from low assurance at the 1st line (self-assessment, sporadic) to high assurance at the 3rd (high degree of independence; timely, systematic and regular; technical expertise).

1st line features of assurance activity: tends to be quality based (how good are things) or, more likely, performance based (how are we doing against budget). When we are looking at activity that supports integrated assurance, 1st line of defence assurance activity is rarely evidence based and is rarely risk and control specific. Using activity out of the 1st line of defence is therefore a challenge.

2nd line features of assurance activity: there are similar challenges with using activity out of the 2nd line of defence. Activity is quite often metric or performance based and frequently focused on regulatory rules rather than on the business process controls that protect shareholder value. And it is compliance-with-policy based: did you do what you were told to do? Judgements on controls are often supported by self-assessment processes.

3rd line features of assurance activity: activity is independent and evidence based, and confidence comes from sample based activity.

What is assurance?

The first activity in moving towards integrated assurance is to get your organisation to agree upon a definition of assurance. Some definitions include:
- Objective examination of evidence for the purpose of providing an independent assessment on risk management, control, and governance processes for the organisation. (Source: Institute of Internal Auditors)
- Confidence, based on sufficient evidence, that objectives are being achieved, risks are being identified and appropriately managed and that internal controls are in place and operating effectively. (Source: Institute of Internal Auditors)
- For assurance to be provided there needs to be a subject matter and criteria against which the subject matter can be evaluated or measured to provide an opinion. (Source: ISAE 3000)

This last definition tends to work the best for many organisations.

The Integrated Assurance Framework

Blending Assurance Activity

When you are trying to blend assurance activities (which is what you'll get to when you have evaluated your assurance activities), the first step is confidence. Define the nature and level of assurance required; if you cannot define that from the activity, then it is hard to define the level of confidence that you need from it. Try to define what type of activity it is supporting: is it testing operating effectiveness, or is it looking at the design of controls? Then you need to test the way in which the activity is undertaken (assess the activity against the Assurance Framework) and contemplate the nature of gaps and other sources of assurance. If you are able to use that sort of evaluation technique on a piece of assurance activity, then upon completion you should have a good view of where you are getting your compliance assurance from, where you are getting your control assurance from and where you are getting your risk management assurance from.

Who manages the delivery of integrated assurance?

The IIA has defined this for us: the natural home for assurance is the 3rd line of defence. But the question for me is: is Integrated Assurance the answer to the delivery of an audit opinion? My view would be that it is an extremely good step towards it; it doesn't necessarily take away the challenge of providing an overall opinion, but our Audit Committees think that this is part of the journey. So integrated assurance is probably part of the answer for internal audit functions providing an overall opinion on the adequacy of governance, risk and control.

What does the future hold around assurance?

PwC did some work 12 months ago looking at Key Control Indicators (KCI). We worked with some insurance companies looking at how they could use performance-based transaction information to demonstrate the operation of a control. The output of that work was quite interesting in terms of allowing an organisation to use the performance data that it has around transactions going through systems to help evidence the operation of control. When I think about what the future might look like and what world class integrated assurance might look like, I think there is a challenge for us that a lot of it needs to be automated in one way or another, and I expect that we are going to see organisations looking for ways to identify features of transactions that enable them to demonstrate that controls have operated. So 1st and 2nd line of defence assurance activity will potentially be automated.

In summary, the future around assurance could see:
- The identification of Key Control Indicators (KCI) across all business risks
- Ongoing monitoring of KCIs: automated data collection and threshold based reporting
- A greater focus on the adequacy of risk management and risk identification
- Dynamic risk monitoring: how are risks and risk drivers moving?

Recap

The further development of Integrated Assurance is inevitable. It is inevitable because our Audit Committees are struggling to put together their opinions on the adequacy of the control environment, and they are looking towards integrated assurance to help them do that. This is Internal Audit's opportunity to take back the lead on who provides assurance in our organisations, to rebalance the provision of assurance across the 3 lines of defence, and to use integrated assurance frameworks as a toolkit to help us help our Audit Committees understand the output from the body of work that we generate.