The three lines of defense model clearly distinguishes internal auditors' roles from those of other internal assurance teams, such as compliance, risk management, and other second-line functions. If the model is not implemented effectively, the various assurance teams may operate in silos. This would inevitably lead to discrepancies in messaging to the board, disjointed risk assessments, gaps in assurance coverage, and increased assurance fatigue. To support the three lines of defense model and avoid silos, assurance teams can work closely together by adopting an integrated assurance approach. Integrated assurance is a proven method for closing gaps and eliminating redundant efforts in an organization’s governance, risk, and control activities. This article provides three action items you can take to kickstart your integrated assurance program immediately, with particular attention placed on readiness within the internal audit team.
Kickstart your integrated assurance program
Step 1: Develop a unified vision
Gaining consensus includes more than socializing the idea of integrated processes. The audit team must be prepared with a strong argument laying out the end goal for integrated assurance. The audit committee, risk management, and compliance team leaders may push back if they fail to see the vision or feel like internal audit is overstepping. To prepare, audit leaders should identify the stakeholders in the final model and understand how the respective functions will work toward a common goal. For example, the end goal could include integrating the efforts of internal audit, risk management, compliance, and IT security so that each team coordinates its assurance activities to avoid duplication and maximize coverage. Through this coordination, the different teams avoid overlap and instead focus on the highest priority risks to the organization.
Step 2: Focus on operational alignment
When implementing integrated assurance, the teams should focus on operationalizing their actions around a single objective. The first step is to align the various teams’ risk assessment methodologies. To the extent possible, this should include adopting a unified terminology around risks and controls and a uniform approach to risk assessments so that scoring and outcomes are consistent. This will also provide an opportunity for meaningful conversations around any risk variances and why some groups perceive risks differently. For example, the risk management team may use a set risk framework with five common risks scored on a ten-point scale, while internal audit assesses detailed process risks using a five-point scale. Both approaches are valid, but the teams should use a common approach to present a unified view of risks. In this way, each team can agree on which risks are the highest priority, and the organization can more appropriately and efficiently plan its efforts to mitigate the risks that could significantly impact the organization. While the terms and method are the same, each assurance discipline still has a unique perspective on risk that its assessment and subsequent control activities will reflect.
Step 3: Consolidate the results for reporting
Senior leadership throughout an organization depends on regular communication from assurance teams, but the information it receives from the different teams can be fragmented and conflicting if the assurance teams are not aligned. When the teams work toward a consistent goal, the message to leaders is more direct, focused, and valuable. To prepare for this, the assurance teams should agree on the timing, format, and content of their communications and set clear expectations for each other to avoid confusion, delay, and mistakes in front of the leadership team. For example, internal audit may meet with the audit committee each quarter and present slides with updates. In contrast, risk management meets monthly with the board to discuss key risk indicators (KRIs) and the risk response when specific metrics exceed a threshold. In integrated assurance, the two groups could look to align their messaging to focus on the total risk environment and how the audit plan and KRI monitoring fit together to address the highest priority risks.
Leverage assurance enabling technology
Using a technology solution like TeamMate+ can help jumpstart your integrated assurance journey. By coordinating their activities with other assurance providers, documenting the organization’s risks and controls using a single, agreed-upon approach, and communicating more clearly across assurance activities, internal audit functions can play a critical leadership role in:
- Identifying gaps in assurance coverage
- Reducing assurance fatigue across the organization
- Improving the quality of risk management
Assessing and mitigating critical risks is a team effort, and there is no reason to delay kickstarting your integrated assurance program.