Corporate Compliance Insights

6 Aligned Assurance Strategies for Audit Departments

Audit executives struggle to coordinate assurance work across organizations

by Thomas Teravainen and James Bourke
February 26, 2024
in Internal Audit
Often, when multiple assurance functions exist across organizations, their audits may seem fragmented or even contradictory. Thomas Teravainen and James Bourke of Gartner’s audit research team share methods for aligning assurance strategies.

In response to growing organizational complexity and a rapidly changing risk landscape, assurance has grown quickly, with the number of distinct assurance functions (e.g., risk, privacy, information security and quality) nearly doubling in most organizations. Each function often uses different rationales and language in providing assurance, and yet they often interview the same managers and report to the same executive committees and the board.

Having multiple, uncoordinated assurance teams can lead to multiple views of the truth for the board and senior management, duplication and gaps in assurance coverage, and assurance fatigue. An uncoordinated approach also heightens the risk of noncompliance, and it can make leadership unnecessarily risk-averse and delay decision-making. As a result, many organizations are looking to implement aligned assurance initiatives.

But in doing so, they often experience ownership and coordination challenges and struggle to lay the necessary foundation for these initiatives to be successful. Chief audit executives (CAEs), too, are feeling the pressure of these challenges. According to Gartner research, only 37% of CAEs are confident in their ability to reduce corrections and repetitions of other assurance functions’ work and only 46% are confident in their ability to better align their reporting to the audit committee with other assurance functions.

Given the scale and difficulty of achieving fully aligned assurance, CAEs often struggle to know where to start. Moreover, attempting to build a comprehensive aligned assurance program can be a lengthy process that can be easily eclipsed by urgent priorities. To make progress, CAEs should identify targeted opportunities for aligned assurance in specific areas or projects and build from there, instead of attempting to achieve top-to-bottom alignment.

1. Conduct assurance mapping to improve cross-functional visibility

Identifying opportunities where assurance functions can coordinate their work starts with CAEs understanding what activities are performed by each assurance provider and when. To identify these opportunities and obtain a comprehensive view of the risk landscape, leading organizations leverage assurance maps to share their plans and identify potential assurance partners for key risks and assurance activities.

Sharing information on ongoing and planned assurance activities using one shared map for all assurance functions will help reduce the procedural burden on management and prevent assurance fatigue. This shared information allows audit to adjust risk assessment models and determine the depth of coverage and level of assurance needed for each risk depending on changes in organizational and business priorities.

Assurance maps also help identify areas of residual risk left over after accounting for all assurance activities and the maturity levels of assurance in different functional and risk areas. Having this information available helps streamline the process of updating the map for future activities and determine the depth of coverage required. Assurance mapping does not need to encompass all risks to the organization to be useful, so it is best to make a start on it rather than be put off by the difficulty of achieving a perfect map.

2. Streamline communication by creating a common risk language, risk-rating scales and metrics

To effectively integrate risk management processes and arrive at a consistent view of risk, assurance functions need to develop a common risk language and risk-rating scales. Assurance functions that use their own unique risk language, risk-rating scales and methodologies create confusion around key risks, risk tolerance, mitigation performance and actions required. This can complicate assurance findings and decision-making.

Unfortunately, Gartner found that fewer than half of audit committee members (46%) report that their risk and assurance functions use the same scales when presenting on risks. Establishing a common risk language is key to facilitating meaningful coordination.

3. Collaborate on risk assessment and audit planning

Standard risk assessments involve audit or another assurance function conducting activities (such as surveys, interviews and workshops) to evaluate organizational risks and determine the priorities for plan coverage. When conducted alone, risk assessments are more likely to contain gaps and inaccuracies and/or fail to account for the work of other assurance functions in determining the level of residual risk.

Coordinating risk assessments remains a priority for CAEs, and joint risk assessments allow them to prioritize coverage based on a holistic view of the impact of all assurance functions’ work in mitigating risks.

4. Solicit input from other assurance functions on engagement scoping

A key efficiency gain from aligned assurance work is the ability to adapt the scope of audit engagements to account for the level of risk coverage and mitigation provided by other assurance functions. By doing so, audit can better “right size” the scope of its engagements and target key risks to meet the organization’s needs. Coordinating engagement scoping with other assurance functions also allows audit to ensure engagements have been updated for any changes in risk early enough in the audit engagement process. Audit can collaborate with other assurance functions in scoping audit engagements by incorporating specific risk information that would not be available if they were acting alone.

5. Deepen assurance coverage by performing joint audits

Joint auditing enables multiple assurance teams to pool resources when planning and conducting joint site visits and interviews. Joint audits decrease the likelihood of duplications in work that may occur when multiple assurance functions review and report on similar risks or controls and increase visibility into potential assurance gaps.

In joint audit scenarios, CAEs can effectively coordinate responsibilities across all assurance functions, which reduces the likelihood of the assurance fatigue that occurs when multiple assurance functions interview business partners separately. Joint audits also provide access to other assurance functions’ specialized knowledge, enhancing the depth of assurance.

6. Provide a holistic view of risk across the organization by delivering joint reports

Like joint audits, collaboration between assurance functions through joint reporting helps prevent multiple assurance functions from providing different views on the same risks to the audit committee and board. Assurance functions typically work independently of each other and report separately to the board on the state of the risk and control environment. This can provide the board with information that is both incomplete and in different formats, limiting the board’s ability to make effective decisions.

In fact, 20% of audit committee members agree that getting different information from multiple assurance functions is confusing, and about half of them want to see more thematic views of risk across the organization. With coordinated risk reporting, assurance providers give the board an integrated, comprehensive view of all risks, enabling better decision-making.

CAEs do not need to approach these six activities sequentially but should instead view them as a menu of options and choose the ones that fit best for their organization’s capabilities and context.


Thomas Teravainen and James Bourke

Thomas Teravainen is a research specialist on Gartner’s audit research team.
James Bourke is a senior principal on Gartner’s audit research team. Before that, he held several roles at Washington International School.


Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

© 2025 Corporate Compliance Insights
