Is your assurance integrated?

Integrated assurance is the solution

Internal audit is unique in its independence but there are other sources of assurance across the organisation. Integrated assurance is the framework which enables an organisation to maximise the coverage of assurance in a coherent and coordinated manner by avoiding duplication or gaps across control functions.

Integrated assurance is the solution to a familiar problem.


What problem does it solve?

Assurance activities are often uncoordinated, which can lead to frustration and confusion for governance bodies including the board and audit committee. Examples include receiving different types of reports from risk, internal audit and compliance that sometimes present conflicting conclusions; business leaders feeling control fatigue as they need to fill in various questionnaires from control functions; and difficulty finding the right internal contacts to help with externally driven assurance requests from regulators.

Assurance on regular business activities and project management comes from the first line (management, the risk owners), the second line (risk specialists) and the third line (internal audit, which provides an independent, objective opinion). This is also known as the Three Lines model.

Symptoms of the problem include:

  • There is typically no centralised management of first line assurance efforts including the hiring of external consultants to provide diagnostics on specific technical issues (such as for cyber-security)
  • Not all assurance reports are co-ordinated and escalated to the appropriate governing body for decision making and prioritisation of actions. In addition, reports from 1st, 2nd, 3rd line and external sources often go to different governing bodies
  • Assurance reports escalated to different governing bodies without coordination
  • Actions (if any) from first and second line reports are often not tracked or reported
  • Potentially conflicting views from different assurance sources are not systematically reconciled and acted upon
  • It can be challenging to understand if enough (or too much) assurance is provided on certain topics if assurance providers do not coordinate their efforts
  • Lack of coordination between internal audit and other assurance providers often results in real or perceived additional operational cost and bureaucracy for management
  • The lack of a common methodology (including a clear language), common tools (such as a GRC system) and procedures may prevent internal audit from relying on other providers’ work

The problem is intensifying

Governance leaders and assurance providers alike put up with the problems outlined because it can be challenging to resolve them. However, the need for integrated assurance has increased significantly following the proposal for an Audit and Assurance Policy (AAP) in the 2021 BEIS White Paper: “Restoring Trust in Audit and Corporate Governance.” It will be challenging to produce an AAP without integrating assurance.

Members can check out our guidance on facilitating the AAP and internal audit’s role.


The solution in three steps

A chief audit executive has the authority and skills to lead and coordinate the framework and the delivery of integrated assurance to the governance bodies of the organisation.

In fact, IPPF Standard 2050 – Coordination and Reliance, states: “The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of efforts.”

These three steps help a CAE get the framework started:

Step 1: Create awareness, engage with stakeholders, explain benefits, and create governance

  • Discuss the new requirement for an Audit and Assurance Policy Statement (BEIS recommendation) with the audit committee. Articulate the benefits and challenges of the new approach
  • Obtain buy-in from the audit committee and senior management
  • Determine which assurance providers will be part of the integrated assurance framework
  • Develop an integrated assurance charter with clear responsibilities and accountabilities
  • Create a governance process for integrated assurance

Step 2: Develop tools, common language and mechanism for tracking and reporting

  • Establish a procedure to assess the maturity and independence of assurance providers and for them to notify internal audit of all assurance activity
  • Lead a task force with representatives of risk, compliance and the business to develop a standardised process, risk and control terminology, and an approach to assessment and reporting for all assurance providers
  • Use existing committees and fora to promote the integrated assurance message
  • Design a template for ease of reporting to the audit committee (assurance maps, dashboards)

Step 3: Start reporting in consistent format and automate the process where possible

  • Focus on key risks initially for easy wins
  • Engage an external party or internal stakeholder to develop automated tools to analyse and aggregate controls and risk data from existing systems and create assurance maps (explore the use of free tools if the budget is unavailable to invest in GRC software)
  • Develop a central data repository for all assurance data
  • Begin the journey from static to dynamic (real time) reporting and monitoring

CAEs will have to remain realistic about the timetable for each of these steps before they bring in tangible results. Implementation will require coordinating with many internal and potentially external stakeholders. For example, in a large, complex organisation, step one alone could take twelve months, because parties have to be identified and convinced of the need for such an effort.


The future is bright

The implementation of a robust integrated assurance framework has many advantages, mainly:

  • Better consistency of message to the governing body through a common language and coordinated reporting
  • Elimination of the gaps in coverage of risk and controls
  • Lower costs of control monitoring and diminished “drag” on the first line
  • Improvement in the image and brand of internal audit and other assurance functions

Is this something you need to do?

Why delay? Add it to your quality and improvement programme today and start talking to the audit committee.


Further reading

HM Treasury have a useful Assurance Frameworks guide

Members can also access:

  • Coordination of assurance services
  • Assurance mapping to support the audit committee
  • Coordinating Risk Management and Assurance

Content reviewed: 25 February 2022