Internal audit is unique in its independence but there are other sources of assurance across the organisation. Integrated assurance is the framework which enables an organisation to maximise the coverage of assurance in a coherent and coordinated manner by avoiding duplication or gaps across control functions.
Integrated assurance is the solution to a familiar problem.
Assurance activities are often uncoordinated, which can lead to frustration and confusion for governance bodies including the board and audit committee. Examples include receiving different types of reports from risk, internal audit and compliance that sometimes present conflicting conclusions; business leaders feeling control fatigue as they need to fill in various questionnaires from control functions; and difficulty finding the right internal contacts to help with externally driven assurance requests from regulators.
Assurance on regular business activities and project management comes from the first line (management, the risk owners), the second line (risk specialists) and the third line (internal audit, which provides an independent, objective opinion). This is also known as the Three Lines model.
Symptoms of the problem include:
Governance leaders and assurance providers alike put up with the problems outlined because it can be challenging to resolve them. However, the need for integrated assurance has increased significantly following the proposal for an Audit and Assurance Policy (AAP) in the 2021 BEIS White Paper: “Restoring Trust in Audit and Corporate Governance.” It will be challenging to produce an AAP without integrating assurance.
Members can check out our guidance on facilitating the AAP and internal audit’s role.
A chief audit executive has the authority and skills to lead and coordinate the framework and the delivery of integrated assurance to the governance bodies of the organisation.
In fact, IPPF Standard 2050 – Coordination and Reliance, states: “The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of efforts.”
These three steps help a CAE get the framework started:
Step 1: Create awareness, engage with stakeholders, explain benefits, and create governance
Step 2: Develop tools, common language and mechanism for tracking and reporting
Step 3: Start reporting in consistent format and automate the process where possible
CAEs will have to remain realistic about the timetable for each of these steps before they bring in tangible results. Implementation will require coordinating with many internal and potentially external stakeholders. For example, in a large, complex organisation, achieving step one alone could take twelve months to identify and convince parties of the need for such an effort.
The implementation of a robust integrated assurance framework has many advantages, mainly:
Is this something you need to do?
Why delay? Add it to your quality and improvement programme today and start talking to the audit committee.
HM Treasury have a useful Assurance Frameworks guide.
Members can also access:
Coordination of assurance services
Coordinating Risk Management and Assurance