Audit’s Increasingly Critical Role in GRC

The Need for Aligned Assurance

Today’s changing risk landscape has put increased pressure on assurance functions to simplify their requirements and to provide the board, senior management and other key stakeholders with a complete risk and assurance picture. To do so requires coordinating on the risk universe, risk terminology and ratings. Malcolm Murray and Rafael Go discuss how, in light of this mandate to the board and companywide remit, internal audit is best placed to kick-start and champion these aligned assurance efforts.

with co-author Rafael Go

In recent years, both the size and scope of the risk landscape has changed dramatically. These changes are driven by the reality that organizations are becoming larger, more complex and more geographically dispersed. Add that to the number of third parties (now including fourth and fifth parties) rapidly proliferating and the increase in digitization efforts that are requiring more robust protection from cyberattacks and data breaches. And, along with all of this, companies are under increased competitive pressure from more digitized competitors.

Despite an increased focus on these new challenges, assurance functions are faced with stagnant resources, having to provide more comprehensive assurance with less. Most organizations’ assurance functions tend to work independently, which adversely affects operations and strategy by lengthening decision-making, slowing down corporate clock speed and increasing the procedural burden. According to research from CEB, now Gartner, 43 percent of compliance executives report that internal partners sometimes avoid the compliance process and 77 percent of business leaders have indicated becoming more risk averse. This leads to a 48 percent reduction in potential top-line growth from foregone corporate opportunities and new projects.

Having separate groups report independently to the board and senior management also means they get an incomplete or, at worst, contradictory picture of the risk landscape. In order to provide comprehensive risk guidance to the business, assurance functions must increase their efforts at aligning their work.

Enter Aligned Assurance

Aligned assurance brings about formalized collaboration and coordination between assurance functions to share risk information, assign risk coverage and synchronize assessment and reporting efforts. In doing so, assurance functions can provide the organization with a clear view of the current risk environment, offer better assurance, minimize redundancies and identify and mitigate new risks. Providing a unified voice to the board also allows assurance functions to increase executive accountability.

In order to successfully implement aligned assurance, participants need to take the following steps:

• Identify and align the needs of assurance partners. Fostering discussion and open communication among all relevant assurance functions is crucial to the success of aligned assurance. This can be done in the form of an aligned assurance project groups or steering committees. To be effective, these discussions need to have input from all participants to address their concerns and generate buy-in. The group also needs to assess the organization’s current control environment and the strengths and weaknesses of each function in order to find optimal areas for collaboration and allocate resources effectively.
• Jointly establish a framework. Bringing together team members from different assurance functions yields diverse insights that are central to the success of the project. To ensure productive communication and coordination, stakeholders must build formal structures into the process, including a common risk language and/or register and an assurance map.
• Execute aligned assurance activities. Synchronizing activities among assurance providers combines their expertise and resources and eases the compliance burden on the business. Successful organizations coordinate their assessments and audits to happen simultaneously or they conduct them together. In doing this, stakeholders gain a broader view of the risk and control environment and it becomes easier to provide a clear and unified view of the organization’s risks to senior management and the board.
• Review and assess the aligned assurance model. Constant maintenance and regular check-ups ensure the longevity of machines. The same principle applies to the aligned assurance model. Continually discussing the program with stakeholders can highlight inefficiencies that can be addressed, thereby improving the process. Furthermore, by actively engaging with the business and increasing awareness of aligned assurance, the model becomes embedded in the company culture, enabling more effective cooperation among stakeholders in the future.

What Audit Should Know About Aligned Assurance

In a recent CEB, now Gartner, survey of 130+ audit departments globally, 76 percent cite aligning assurance efforts as an important or critically important priority for 2018. However, only 41 percent currently have an aligned assurance model. The remaining 59 percent of audit departments must take the lead in this area, as audit is the best-suited function to initiate or push it forward.

As the only function with a direct mandate to the board, audit is the most equipped to lead cross-functional efforts on aligning assurance. Further, with its companywide remit and unparalleled knowledge of the entire control environment, audit is best placed to spot gaps and redundancies in assurance efforts. Audit also stands to gain significantly from these efforts, as a successful aligned assurance model can lead to audit not having to do full-scale audits in areas covered by the second line.

Conclusion

Given today’s frenetic pace of change and new threats in the risk landscape, it is imperative that assurance functions increase their collaboration to keep organizations on top of these complex risks. Aligned assurance provides assurance functions a valuable framework to guide their efforts at coordination in order to manage their resources more effectively and provide more comprehensive assurance to the business, and audit should take the lead at making it a reality.