Organisations risk creating a dysfunctional patchwork of risk and control functions unless they have an integrated approach to risk management and assurance with a clear definition of responsibilities and coordination by the governing body.
As FERMA benchmarking surveys confirm, ever increasing compliance requirements and business complexity have driven companies to establish risk management and assurance functions.
These assurance functions are in charge of measuring and reporting risks, identifying control gaps, tracking remediations and evaluating the effectiveness of control processes in specific areas.
It is, however, becoming more and more difficult for the governing bodies of organisations to get a clear opinion on the risk management function and avoid work and cost overloads. An accumulation of separate functions can lead to a patchwork organisation, to the risk of thinking in silos and poor integration of the various actors.
There might be redundancies between various functions; different teams from risk management, quality and internal audit may visit the same unit at the same time. There could also be blind spots: activities or units not assessed by anybody.
This is why the Institute of Internal Auditors (IIA) recommends that the governing body, whether it is the board or audit committee, should be responsible for monitoring the effectiveness of the company’s internal control, risk management and audit systems. The governing body must coordinate and align the organisation’s different assurance activities (internal and external) to optimise the level of governance, risk and control oversight.
This integrated assurance will satisfy the governing body that significant areas of risk have been adequately addressed and that suitable controls exist to mitigate and reduce those risks.
This concept is illustrated by the three lines of defence model:
- Organisations need clear accountability for risk management and internal control. The governing body is responsible for strategic risk oversight.
- The first line is responsible for assessing, controlling and mitigating risks together with maintaining effective internal controls.
- The second line of defence is responsible for implementing effective risk management practices and assisting the risk owners in reporting adequate risk-related information up and down the organisation.
- The third line of defence, through a risk-based approach, provides assurance on the effectiveness of governance, risk management and internal control in the organisation.
- The external assurance providers give assurance to the shareholders, the board and senior management. In regulated industries, they play a crucial role.
Guidance and standards
The IIA has issued guidance and standards to define the collaboration between internal audit and other assurance providers.
Standard 2050 says, “The chief audit executive should share information and coordinate activities with other assurance providers to ensure proper coverage and minimise duplication of efforts.”
Standard 2110 says, “The internal audit must evaluate the effectiveness and contribute to the improvement of risk management processes.”
The IIA has also published a practice guide “Reliance by internal audit on other assurance providers”, in which it describes the way the reliance may operate. These recommendations may be useful for risk managers to know when they collaborate with internal auditors in their organisation.
The extent of reliance to be placed on the other internal or external assurance providers depends on the following five principles:
1. Purpose: the assurance provider is clear in purpose and committed to providing assurance on the specific area, and its work is relevant to internal audit’s objectives and scope. For internal providers, the purpose should be established in a charter;
2. Independence and objectivity;
3. Competence;
4. Elements of practice: the assurance provider has established policies, programmes and procedures and follows them;
5. Communication of results and impactful remediations: the assurance provider communicates results and ensures management takes timely action.
In conclusion, assurance functions are more and more under the spotlight, and this is good news. It is crucial that despite their differences, assurance providers work together and the governing body defines clear responsibility and coordinates the work of each function towards an integrated approach. This is the key to effective risk management.
By Marie Hélène Laimay, ECIIA President