Combined assurance has been a topic of conversation in audit for the last few years. Now with the pending updates to the Three Lines of Defense model, the topic is even more critical. As we look ahead to the proposed update, audit and risk management will need to work even more closely together.
Based on IIA Standard 2050, the CAE should connect with internal groups to ensure “proper coverage and minimize duplication of efforts.” At Wolters Kluwer, we see a trend with CAEs assuming responsibility for internal audit, internal control, and risk management. Since taking responsibility beyond audit could compromise the CAE's independence, these functions should ideally be separated, but separation does not preclude coordination.
During audit plan development, auditors should understand the scope and objectives of the work being performed by the other teams. The assessments completed and work planned by other assurance teams, such as internal control and risk management, should be relied upon for coordinated audit coverage.
When CAEs approach the concept of coordination, the first step is generally sharing information with other departments that focus on risks and controls in a similar fashion to internal audit. Typically, this involves internal control teams (for example, SOX departments) and Enterprise Risk Management (ERM) functions.
Once the work is completed, coordination comes back into the conversation when it is time to report. Issues can be aggregated and categorized using the same terminologies. This creates comprehensive reporting to give to the audit committee.
While this sounds pretty simple on paper, we fully recognize the level of effort it takes to do this well. Through research and interviews, we have found that most groups will go through various stages of maturity for coordination. The underlying theme to this growth curve is the use of technology to standardize elements like terminologies, risk libraries, and reporting capabilities.
The Three Lines of Defense update will be released soon, so it’s the perfect time to revisit your relationships with other assurance providers. When you read through the exposure document linked above, pay special attention to sections C2 and D2. These areas will help you prepare for conversations with the other assurance providers. During those conversations, discuss the use of consolidated tools for risk management, controls monitoring, and audit. By bringing everyone into one platform, like TeamMate+ of course, you will move your organization up the coordination maturity curve.