coordination of assurance services original_v1 2

Upload: felix-ong

Post on 18-Aug-2015


Page 1: Coordination of assurance services original_v1 2

Coordination of assurance services

There is growing interest in the coordination of assurance. This guide looks at the risks, benefits and issues of having multiple assurance providers. We also examine some of the complexities and concerns surrounding the coordination of assurance, and take a look at the opportunities and challenges facing internal auditors that arise from coordinated assurance.

Contents

Assurance - in the round
Who provides assurance?
Grouping sources of assurance within a framework
What are the issues and risks?
What are the benefits?
Why does it fail?
Can it work?
Coordinated assurance or coordination between assurance providers?
Coordination - what needs to be done and by whom?
Considering the reliability of assurance providers
Internal audit and coordination
Conclusion

Assurance - in the round

Some organisations are beginning to look more closely at their assurance needs and are asking questions like:

Who needs assurance, both inside and outside the organisation?
What do we require assurance on?
Who provides assurance?
How does assurance fit together?
Where are the gaps and overlaps?
Can assurance costs be controlled?

As the last question suggests, the thought given to assurance is partly being driven by the need to manage costs during difficult economic conditions, but the growing interest also comes from the pressure upon organisations to improve the effectiveness of their governance in the wake of the financial crisis.

This is far more complicated than simply recognising who is providing assurance and keeping the cost down. Fundamentally, it is about marshalling assurance provision so that the people governing the organisation and stakeholders know that objectives are being achieved through the management of risk.

This is explicitly addressed in the Code of Governance Principles for South Africa, effective 1 July 2010, known as King 3, whereby a combined assurance model is advocated to provide a coordinated approach to all assurance activity.


The need for stronger governance and effective assurance is also recognised in the 2009 Walker Review of Corporate Governance in UK Banks and Other Financial Institutions and the new UK Corporate Governance Code. Both of these have strengthened the role of non-executives and the involvement of stakeholders to improve governance by giving them new roles and responsibilities to monitor risks. The emergence of risk committees is part of the growing demand for a complete picture of risks and assurances.

Auditing guidance and standards such as AAF 01/06, SAS 70 and ISAE 3402 requiring service organisations to have a mechanism for providing independent assurance to their user organisations are also bringing assurance providers together.

Internal auditors within service organisations are working with independent assurers such as reporting accountants to identify control objectives and assess the effectiveness of the controls that manage risks.

Read the case study: RPMI Pension Administrators

Coordination of assurance is also occurring in the public sector. For example the 2006 Audit Commission document 'Taking it on trust' encourages hospital trusts to 'review and increase the assurances they receive from sources other than internal audit, including clinical audit' to ensure that their full portfolio of risk is covered.

More recently, the 2010 HM Treasury Strategic Improvement Plan for Internal Audit Consultation states that a prerequisite for a high performing internal audit service is that 'stakeholders must understand all major risks and their related assurance needs, and actively support an integrated assurance process to increase focus, reduce duplication and eliminate unnecessary cost over assurance.'

The challenge facing all organisations is to understand and organise assurance services. This begins with a shared understanding of assurance needs and knowledge of who provides assurance.

Assurance services can then be organised in a cost effective way, with clarity on how and when assurance will be provided. Above all, the process should ensure there is comprehensive assurance on the things that matter, namely that the risk management process supports and enables the delivery of objectives.

Who provides assurance?

While this question sounds simple enough, finding out who provides assurance, on what, and whether it is reported to the board appears to be something of a challenge.

Obtaining a full picture of internal and external providers of assurance can be time consuming and complex and this often means that no one assumes overall responsibility for this task.


Our survey among heads of internal audit revealed that half of the participants felt that the people responsible for governance in their organisation, such as the board of directors or governors, did not have a complete picture of assurance.

The survey indicates that on average an organisation has six different types of assurance provider, but also suggests that there could be as many as 14 or more, especially where the organisation faces regulatory and compliance requirements.

Many organisations have several sources of assurance, both internal and external, as shown by the table below.

Who provides assurance that risks are being managed and controlled in your organisation?

Percentage of survey respondents who say this occurs in their organisation:

Internal audit 90%
Management - self assessments 71%
External audit 63%
Management - KPI and performance 60%
Risk management function 55%
Health and safety auditors 45%
Compliance function 37%
Quality auditors 36%
Regulatory bodies 29%
Information security auditors 26%
External inspection agencies 19%
Environmental auditors 16%
Counter fraud team 11%
Government agencies 10%
Corporate social responsibility auditors 6%
Complaints team 5%
Funding and investments auditors 3%

Grouping sources of assurance within a framework

Grouping the different sources of assurance within a single model can provide the basis for a better understanding and organisation of assurance, while creating a platform for coordination.

The 'three lines of defence' model provides a simple framework for understanding the role of internal audit in the overall risk management and internal control process of an organisation: first line operational management controls, second line monitoring controls and third line independent assurance.

Under the first line of defence, operational management has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.

The second line of defence consists of activities covered by several components of internal governance (compliance, risk management, quality, IT and other control departments).  This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk-related information up and down the organisation.

Internal audit forms the organisation's third line of defence.  An independent internal audit function will, through a risk-based approach to its work, provide assurance to the organisation's board of directors and senior management.  This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defence.  It encompasses all elements of an institution's risk management framework (from risk identification, risk assessment and response, to communication of risk-related information) and all categories of organisational objectives: strategic, operational, reporting and compliance.

The framework requires organisations to have a simple but comprehensive understanding and agreement of their principal objectives and risks in order to formulate and coordinate assurance needs. The entire assurance framework contains the following elements:

Principal objectives
Principal risks
Key controls
Assurance on key controls
Board reports - providing positive assurances while identifying gaps in control and assurance
Board action plans - to improve control, delivery of objectives and gain assurance

Read the Siemens case study on implementing control risk assessment  

With the increasing occurrences of cyber attacks, IT risk management is getting more important across the three lines of defence.


Read the Company ABC case study on implementing an IT control risk assessment

What are the issues and risks?

Having a long and diverse list of assurance providers may not necessarily be a problem. They may be quite necessary. At the same time it is easy to understand how duplication occurs between assurance providers and how board members, senior management and frontline staff can develop a feeling of audit 'overload'.

In addition, the extent of this assurance does not guarantee the avoidance of assurance gaps, and is likely to lead to confusion if mixed or contradictory opinions are given.

As the organisation changes and the regulatory and risk environments become more complex, there is also a risk that the three lines of defence become disjointed with regard to what it is they are defending and from what threats.

The result is that they become ineffective - no longer providing a proper defence - or that they become inefficient.

There may be a role for internal audit to provide periodic updates to the board on who provides assurance within the three lines of defence and their main focus so that the board can consider the overall balance and effectiveness of the assurance framework. This may include internal audit expressing an opinion on the reliability of the assurance provided. 

What are the benefits?

Conversely, the benefits of a coordinated approach are simple to appreciate:

Assurance based on a comprehensive and shared view of risk enables the board to identify its assurance needs effectively.

Matching the board's assurance needs to the sources of assurance avoids gaps and overlaps.

The board has a reduced workload, enabling it to focus on key risks, controls and assurance.

Strong first and second lines of defence can make the task of internal audit easier, enabling more directed attention to important exposures or areas not well covered.

Where internal audit is required to express an opinion on the whole of management's framework of governance, risk management and control, it may be able to place reliance on a well structured management assurance regime.

The avoidance of gaps and overlaps enables cost effective delivery of assurance. Motivation, development and sense of purpose among assurance providers are more readily facilitated.

Why does it fail?

Looking at the big picture it is essential that the people charged with governance of the organisation have a clear understanding of what they require assurance on and know who is providing what assurance.

Recognising this responsibility and the compelling nature of the benefits of coordinated assurance why does it seem so hard to deliver? The table below shows the main factors provided by heads of internal audit that make the coordination of assurance difficult to achieve: 

Response, with percent of survey respondents:

Different terminology and methods of assurance providers 40%
Risk management framework is not sufficiently developed 39%
No one has taken ownership 34%
Self interest of the different assurance providers 27%
Lack of board and senior management sponsorship and commitment 26%
Competency and skills of assurance providers 21%
Other 6%

Other reasons included the timing of reviews and reluctance among some assurance providers to share information. It is interesting to note that many heads of internal audit (nearly 39%) feel their organisation's risk management framework is not sufficiently developed to enable coordination even though the majority of those organisations maintain risk registers or risk maps that identify assurance providers within them. 

Can it work?

If risk management is immature and ineffective, time may be better spent by internal audit on helping the organisation improve its risk management arrangements so that there is a better understanding of the requisite assurance needs.

Attempts to coordinate assurance without a clear risk focus will be like 'putting the cart before the horse' and may prove costly and confusing. Internal audit can help the organisation to improve its approach to risk management through its consulting role.


Assuming risk management is reasonably well developed the board and senior management can consider their assurance requirements and agree, if appropriate, upon the principle of coordination.

A commitment to coordination at the highest level is needed to provide the impetus for a coordinated approach. 

Coordinated assurance or coordination between assurance providers?

What exactly is meant by a coordinated approach? It is important for the board to clarify and agree what assurance they need and what they mean by coordination.

Coordination can be achieved by simply making sure that assurance providers work together to avoid getting in each others way and eliminate gaps and duplication.

However, the board may prefer to take this to a higher level whereby the coordination of assurance is specifically designed to support them, usually through the audit committee, in making an annual statement on the effectiveness of internal control based upon the work of all the sources of assurance.

Our survey informed us that few organisations fully coordinate the plans of their assurance providers. Only 8% of heads of internal audit said that their organisation has a combined assurance plan showing all assurance providers which is agreed with the board.

For most organisations, coordination means the board agreeing internal and external audit plans, while some audit committees (22%) also agree the work of other assurance providers.

Coordination - what needs to be done and by whom?

Some form of structure and leadership will be needed to enable coordinated assurance and/or the coordination of assurance providers to work, even where there are relatively few assurance providers. This could be a steering committee or working group depending on the degree of formality required.

Regardless of the actual structure, clear objectives and an understanding of what coordination means in practice should be documented and agreed with the board offering a statement on who is involved, what is needed and how it will work and be monitored. This should be consistent with the board's interpretation of coordination.

The committee or group will require a leader who has an understanding of what the board wants in terms of assurance and an understanding of the purpose and contribution of the individual assurance mechanisms.


It should be remembered that there are different assurance mechanisms that operate for different purposes, providing assurance to different recipients. An assurance framework, or map, is best produced and owned by the business and can be produced to support audit committee deliberations.

Our Practice Advisory 2050-2 Assurance Maps provides a good starting point for planning and organising assurance priorities, especially where coordination is concerned. It recommends an assurance mapping exercise that 'involves mapping assurance coverage against the key risks in the organisation'. PA 2050-2 provides an example of what an assurance map may look like, as shown below, but other approaches tailored to the organisation's needs are equally valid:

Significant risk category
Management role responsible for the risk (risk owner)
Inherent risk rating
Residual risk rating
External audit coverage
Internal audit coverage
Other assurance provider coverage

To begin with the assurance map will identify gaps and duplication that need to be discussed and resolved. The discussion can help to delineate the boundaries of each assurance provider and in doing so could form the basis of a combined or coordinated assurance plan.

This provides opportunity for the board to determine that adequate and reliable assurance is planned and being delivered and to challenge potentially excessive or inadequate coverage.

Potential overlaps can be an advantage rather than a cause for argument as they identify scope for providers to work together, assuming everyone sticks by the coordination principle.
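The gap and duplication analysis that the assurance map is meant to support can be made mechanical once the map is held as structured data. The following is an added example, not code from the original guide or from PA 2050-2: it models rows with the columns listed above, flags risks with no assurance coverage (gaps), risks covered by more than one provider (overlaps), low residual risks that still attract several providers (candidates for the 'excessive coverage' challenge), and counts how many risks each provider is expected to cover, which is the input to the overload discussion. The rows, owners, ratings and provider names are constructed sample data.

```python
"""Gap, overlap and load analysis over a PA 2050-2 style assurance map.

Added illustration; the rows below are constructed sample data, not survey data.
"""
from collections import Counter
from dataclasses import dataclass, field

# Ordering used to rank the inherent/residual ratings on the map.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class MapRow:
    """One assurance-map row: a significant risk and who provides coverage."""
    risk: str
    owner: str           # management role responsible (risk owner)
    inherent: str        # inherent risk rating: low / medium / high
    residual: str        # residual risk rating: low / medium / high
    external_audit: bool = False
    internal_audit: bool = False
    other: set = field(default_factory=set)  # other assurance providers

    def providers(self):
        """All providers that cover this risk, by name."""
        names = set(self.other)
        if self.external_audit:
            names.add("external audit")
        if self.internal_audit:
            names.add("internal audit")
        return names


def analyse(rows):
    """Return gaps, overlaps and possibly excessive coverage.

    Rows are considered highest residual rating first, so the board sees the
    most important uncovered risks at the top of each list.
    """
    gaps, overlaps, excessive = [], [], []
    for row in sorted(rows, key=lambda r: -RATING[r.residual]):
        names = row.providers()
        if not names:
            gaps.append(row.risk)                      # nobody assures this risk
        elif len(names) > 1:
            overlaps.append((row.risk, sorted(names)))  # scope for joint working
            if RATING[row.residual] == RATING["low"]:
                excessive.append(row.risk)             # several providers, low residual risk
    return {"gaps": gaps, "overlaps": overlaps, "excessive": excessive}


def provider_load(rows):
    """Number of risks each provider is expected to cover (overload check)."""
    load = Counter()
    for row in rows:
        load.update(row.providers())
    return dict(load)


# Constructed sample map (hypothetical risks, owners and ratings).
SAMPLE_ROWS = [
    MapRow("Data breach of customer records", "CIO", "high", "high",
           internal_audit=True, other={"information security auditors"}),
    MapRow("Regulatory reporting deadlines", "Compliance officer", "high", "high"),
    MapRow("Supplier payment fraud", "Finance director", "high", "medium",
           external_audit=True, internal_audit=True, other={"counter fraud team"}),
    MapRow("Health and safety at sites", "Operations director", "medium", "medium",
           other={"health and safety auditors"}),
    MapRow("Staff expense claims", "Finance director", "low", "low",
           external_audit=True, internal_audit=True),
]

if __name__ == "__main__":
    result = analyse(SAMPLE_ROWS)
    print("Gaps (no assurance):", result["gaps"])
    print("Overlaps:", result["overlaps"])
    print("Possibly excessive coverage:", result["excessive"])
    print("Provider load:", provider_load(SAMPLE_ROWS))
```

On the sample map this reports one gap (the high residual regulatory reporting risk, which no provider covers), three overlaps, and one low residual risk that two providers both review, which is the kind of item the board would challenge rather than simply accept.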

Like any other plan the nature, scope, extent of assurance work required, resources and timing must be formally agreed with the board and senior management following a period of consultation.

Plans for joint working also offer an opportunity for staff to build working relationships and develop learning. 

Read the case study: Cambridgeshire County Council 

Plans should also include the work of external assurance providers to avoid overload in specific areas. External providers of assurance should be encouraged to specify their terms of reference and timetable.

Nevertheless, the plan may need a degree of flexibility to accommodate a wide range of people and potential changes as the year progresses. 

Considering the reliability of assurance providers


Where organisations have a wide range of internal and external assurance providers it is important for the board to mandate or endorse the precise approach and the nature of the assurance that is being provided in order to understand how this fits into the assurance map.

As we have seen in our survey the approaches, terminology and the expression of opinions tend to vary between individuals and groups, so it is important that the leader of the coordination steering committee or working group understands the way the different assurance providers work and what they look at.

This will help to begin the determination of whether or not the assurance can be relied upon and whether additional assurance is needed to satisfy the requirements of the board.

The next step would be to include initial pieces of work in the assurance plan to review the reliability of selected assurance providers. The terms of reference might include:

Professional certification, licensing by or membership of a professional body
Competency, comprising skills, knowledge, qualifications, experience and development
Performance, covering areas such as frequency of reviews, timeliness of reporting, delivery of objectives, and levels of staff retention
Levels of independence and objectivity
Focus and timing of reviews, which should be risk based and undertaken with adequate frequency
Different techniques, such as the scope of reviews, depth of audit information gathered, inclusion of recommendations and action plans, and whether the output includes an opinion.

Internal audit and coordination

The Institute's International Standards support the idea of effective coordination among assurance providers. Performance Standard 2050 - Coordination, states: 'The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimise duplication of efforts'.

Internal auditors can promote and encourage coordination in a number of different ways:

Internal audit can encourage the board to fully define the nature and levels of assurance that it requires. Where this exists it may be a case of reviewing and updating at appropriate intervals. Where it does not internal audit can help to explain the nature and value of the three lines of defence model.

Internal audit should encourage management to take the lead and ownership for the coordination of its assurance work in the first two lines of defence.

Internal audit can explain and promote the benefits of assurance mapping, which can be used as a basis for coordination.


Internal audit should work with management, building on the existing assurance activity to demonstrate how it will provide the most effective assurance coverage to support the needs of the board and audit committee.

Assurance plans should also illustrate what external audit coverage is planned.

Because of internal audit's knowledge and expertise in relation to assurance, it may be encouraged to take the lead on co-ordination activities or to head up the co-ordinating group.

Internal audit should provide encouragement, support and advice to drive forward such work, but seek to avoid taking control of the planning and directing of management's own assurance arrangements.

Similarly, internal audit should preserve its right to conduct its own assurance activity freely and independently in order to meet its obligations.

Internal audit may seek to place reliance on, or use, the work of others where it is competently and objectively carried out. This could particularly assist in deriving broad assurance coverage in seeking to express an opinion on the whole framework of governance, risk management and control.  Further guidance on this can be found within Practice Advisory PA2050-3 Relying on the work of other assurance providers and the Practice Guide - Reliance by internal audit on other assurance providers.

This should be reflected in planned internal audit coverage. Conversely, where internal audit sees a need to provide coverage to an area already subject to other assurance arrangements, the reasons need to be understood by the co-ordinating group.

In purely practical terms internal auditors may need to develop a working relationship with a diverse range of experts to cover the broad complexity of risks facing the organisation and the assurance expectations of its stakeholders. This is only likely to increase as legal and regulatory obligations increase.

A good example of this exists in the NHS where the compliance function is relied upon to perform clinical audit, while internal audit is expected to review the compliance function periodically, including operational adherence to the compliance framework and applicable legislation.

Part of the challenge will therefore be in explaining to other assurance providers that internal audit wants to be part of a coherent, holistic assurance framework, but that because we are internal audit we have to review you as well as coordinate with you.

For an example of how a high street bank uses the three lines of defence model to create a coordinated assurance plan read the case study: high street bank.

To see how internal audit assess the reliability of the assurance providers in the first and second lines of defence, read the case study: Siemens.

For a practical example on how a company uses the three lines of defence model to create a coordinated IT assurance approach, read the case study: Company ABC


Where internal audit concludes that confidence in the reliability of the work undertaken is high, it may only be necessary to consider whether the work adequately covers the organisation's risk profile. Where the work is less reliable, further and more detailed assurance by internal audit will be needed.

A rolling programme of assuring the assurers by internal audit needs to be agreed with the board or through the coordination steering committee/working group, i.e. how often it should happen and when ad-hoc reviews should take place, such as on a change in the risk profile, changes in key staff, or following a major problem/incident.

The chart below sums up the extent to which heads of internal audit say they review the reliability of other assurance providers within an organisation. 


The private sector makes up 80% of the 'yes - this is built into our annual plan' responses, with the majority falling within the financial services and insurance sector.

Where internal audit carries out a review of assurance providers, either as part of its annual plan or upon request, 70% of those surveyed use a defined structure or a set of criteria.

A total of 50% apply some form of grading at the end of the evaluation. 


Conclusion

The people who are responsible for the governance of their organisation want to know whether the organisation is being managed well and is successful in what it does. In many cases they have to give a report to their stakeholders on the identification, evaluation and management of risks.

The overall increase in pressure upon organisations to improve the effectiveness of governance is also making some boards look at the nature, extent and cost of assurance and strive for a single, consolidated view of the health and well being of the organisation i.e. coordinated assurance.

Coordinated assurance is not an easy thing to deliver. Boards and their audit committees must have a clear view of their objectives and identify and respond to risks before they can piece together their assurance needs. Our survey shows that some organisations appear to struggle with the implementation of an effective risk management process.

The situation is often complicated by a myriad of assurance providers that can be difficult to piece together to form an effective framework. In some cases risk management processes will need to be improved before an assurance framework can be put in place, and internal auditors can support their organisation in these endeavours.

Organisations also need to have a shared understanding of what coordination means and a framework with strong leadership to pull the various resources and plans together creating a cohesive programme of work around a risk based approach. Fortunately, as with any jigsaw puzzle, it is possible to arrange all the pieces to see the overall picture.

Internal audit is the only part of the organisation with the competence and remit to evaluate the effectiveness and efficiency of the assurance provision arrangements. As such, it should encourage management to take the lead and ownership for the coordination of its assurance work in the first two lines of defence.

Internal audit should also work with management, building on the existing assurance activity to demonstrate how it will provide the most effective assurance coverage to support the needs of the board and audit committee.

At the same time coordination does not diminish internal audit's responsibility to express an opinion on the effectiveness of governance, risk management and control.

Internal audit may rely upon the work of other assurance providers to form this opinion but must assess their work on a periodic basis.

Internal audit must therefore be free to review and comment on the effectiveness and reliability that can be placed upon other assurance providers.

This message should be made clear with any steering group or working committee. 


Further reading

Practice advisories

2050-1 Coordination
2050-2 Assurance maps
2050-3 Relying on the work of other assurance providers

Practice guide

Formulating and Expressing Internal Audit Opinions
Reliance by Internal Audit on Other Assurance Providers