Integrated Assurance - Shine Brighter
Lee Glover explores how Internal Audit can align its efforts with other assurance providers to create a cohesive and comprehensive assurance framework
This is the second of a three-part series of articles looking at risk management, integrated assurance and the Chief Audit Executive's Annual Report.
In my previous article, Risk Management and Internal Audit, I likened Internal Audit to a lighthouse, with the Chief Audit Executive (CAE) acting as the Lighthouse Keeper, providing independent assurance to the Captain (the Board) on the Navigator and Crew's ability to manage risk and guide the organisation through the turbulent waters to its destination.
This follow-up article considers how Internal Audit can align its efforts with other assurance providers to create a cohesive and comprehensive assurance framework, upgrading the lighthouse bulb to shine brighter, whilst possibly using less electricity.
The CAE plays a pivotal role in ensuring that Internal Audit activities are aligned with the broader assurance landscape. According to the IIA standards, the CAE must consider the work of other assurance providers when forming their annual opinion. This requirement underscores the importance of a coordinated approach to assurance activities, ensuring that significant risks are covered without unnecessary duplication of effort.
The Institute of Internal Auditors (IIA) Global Internal Audit Standards (GIAS) state:
The chief audit executive must coordinate with internal and external providers of assurance services and consider relying upon their work. Coordination of services minimises duplication of efforts, highlights gaps in coverage of key risks, and enhances the overall value added by providers.
When the internal audit function relies on the work of other assurance service providers, the chief audit executive must document the basis for that reliance and is still responsible for the conclusions reached by the internal audit function.
Source: IIA GIAS 2024 9.5 Coordination and Reliance
Plotting the Assurance Landscape
The first article recognised that Internal Audit is sadly not an infinite resource and therefore should be suitably prioritised and directed; pointing out that the risk register is a key tool in the CAE's toolbox in identifying where Boards need assurance to inform the direction of resources.
However, once we've identified where the Board needs assurance, we can then move to consider how best to achieve this coverage.
The term 'integrated assurance' can mean many things to many people. Many of these differences arise from the positioning and role, at different levels across an organisation, of those providing the assurance we are attempting to 'integrate'.
Ultimately from the CAE's perspective the strength of reliance which can be placed upon any other assurance is going to be based upon their review and assessment.
Typically, roles such as Risk Management, Compliance, and Quality are likely to sit with members of the Crew, or at least rely heavily upon them, and therefore are not sufficiently independent of the Navigator.
The CAE will be focused upon seeking out other third line, independent assurance providers; these 'peers' are where we can possibly find other sources of illumination to bolster and support our overall view of the route ahead.
The CAE may choose to perform their own assurance mapping, or where risk management arrangements are sufficiently mature, be able to rely upon the organisation's Board Assurance Framework to identify potential sources. Regardless of how these sources of assurance are identified, the CAE must do their own due diligence, protect against Pirates and ensure the effectiveness and resilience of the lighthouse.
Enhancing and Protecting the Lighthouse
The CAE must consider how and whether Internal Audit should rely upon other assurance providers. Remember, it is the CAE's responsibility, as the Lighthouse Keeper, to keep the light shining: they remain responsible for the conclusions reached and opinions provided to the Board.
First, what sources of assurance have been identified, and how do they fit into the wider assurance picture? Are these covering key strategic risks, or areas of lesser concern which Internal Audit may not have the time or resources to consider in sufficient frequency or depth? Considering this pivotal point is important in framing the context of your considerations.
The CAE must be mindful of the independence of the assurance source; consider, for example, the background of the arrangement, who made the appointment, who manages the relationship, any declared conflicts of interest, the length of appointment, where the outputs are reported, and to what professional standards or regulations the provider works. Unless the provider is sufficiently independent, you are unlikely to be able to place much reliance upon their work.
Next, consider professional standing: what qualifications and experience does the assurance provider upon which you intend to place reliance have? Are they suitably qualified, do they maintain their registrations, and does their background instil confidence? Do your own due diligence. Of course, as CAE you may conclude that the provider is better equipped to provide this particular aspect of assurance than you, or your own team, in much the same manner as co-sourcing to plug gaps in the in-house knowledge, expertise or resources.
Another core consideration will be the depth of work underpinning the assurance. Consider, for example, reviewing the terms of reference: do they cover all aspects that you would consider important if reviewing the area directly, or do gaps exist? What is the scope of the underlying testing methodology? Does it cover both the design and the application of controls, or is it limited in either respect? As internal auditors we want to ensure that organisations are protected through both a good control framework and consistent application of that control framework. Was their opinion or scope of work limited in any significant way? Minor shortcomings in this area could possibly be addressed through partial reliance, filling in the gaps, and expanding upon the testing without having to do all the work. However, the very existence of such points may lead you to conclude that their work should not be relied upon.
How robust are the provider's quality assurance processes; are they regulated? Do they have their own processes externally verified? How have management responded to their findings? What has the organisation's feedback on their performance been?
In reviewing other sources of assurance and deciding upon whether or not to place reliance upon them, wherever possible I would champion meeting with the provider, discussing the outcome of their work and exploring whether they would be willing to share access to their working papers, in much the same way as you are likely to experience external audit reviewing the work of Internal Audit. However, remember one of the core reasons for this exercise is to avoid duplication of effort and improve value, therefore resist the urge to plough into the depth of files. The willingness and openness of providers will vary, and some will be eager, understandably, to protect their own intellectual property.
There are other opportunities which may exist. For example, the internal audit team may be able to collaborate jointly on audits with other 'experts' from across the business. In these cases the traditional due diligence checks may not work; however, through effective assignment planning, delivery, quality and reporting mechanisms, and with the work remaining 'owned' by the audit team, enhanced value may be leveraged from utilising the expert knowledge within the internal audit process. This is particularly true for any advisory work you may embark upon. Just be mindful of the potential for piracy.
Remember, if relying upon the work of any third parties in the formation of your own CAE reporting and opinions, then you should document the reasons for this reliance and recognise that you are responsible for the opinions you are providing.
Tides Flow Both Ways
As internal auditors we are traditionally more familiar with external audit placing reliance upon our work. Assuming your client agrees, offer to meet with the external auditor throughout the year, maintain a healthy professional dialogue, and provide access to your reports and working papers where it may assist them in their work, particularly in their planning stages.
Under the Financial Reporting Council (FRC) International Auditing & Assurance Standards Board (IAASB) International Standards on Auditing 610 and 315, any review will be used to inform their overall view of the control framework rather than resulting in any significant reduction in their own audit work. As we do when relying upon the work of others, the external auditor remains responsible for any conclusions they reach.
Voyage of Discovery
So, to wrap up: if used wisely, other sources of assurance should become a valuable addition to the CAE's arsenal, directly bolstering the output of the lighthouse, contributing to understanding of the route, checking the compass points true, acting as sonar to provide advance warning of previously unknown threats, or contributing as buoyage to provide comfort. By using them effectively, the CAE can cover more ground, discover new insights and better support our Captain, the Board.
By acting in this way, the CAE is compliant with professional standards, ensuring a well-rounded informed opinion, minimising duplication and maximising the return on an organisation's investment in assurance.
What are your experiences and views of collaboration and integration?
At Validera it is our mission to help our clients Improve, Comply and Optimise their operations, navigating storming waters, keeping their eyes on the horizon and their ultimate destination.
Lee Glover FCCA - Director, Validera