Internal auditors should strive to be the protectors of what is right, good, effective, and efficient in our organizations. We are not the only ones. Most employees, including those in management, work to do the right thing, taking whatever steps necessary to ensure those things that are supposed to happen actually do happen. Organizations typically strive to install activities, if not entire functions, that are designed to ensure exactly that.
Internal auditors understand that providing this type of assurance to our companies is core to what we do. In fact, it is a critical component of the support we provide to those most responsible for effective governance and oversight in our organizations, including the audit committees to whom we should be most accountable.
However, it is difficult for internal audit to effectively provide assurance and insight without full consideration of the other functions that are also doing so.
At my organization, Great Plains Energy Inc., making sure we can integrate the assurance activities has become important to not only the ongoing effectiveness of the internal audit function, but also to improving the collective governance, risk, and compliance activities of the company as a whole. There are many ways to improve integration in organizations; I’ve highlighted a few of these methods based on my organization’s experience.
Ensure a common understanding of assurance. There is technical jargon thrown around in the internal audit profession that, when we speak it to each other, leads to pats on the back and nods of affirmation. Many of these terms, however, are rendered powerless when they fall on management’s ears. Assurance is one of those terms. Add “integrated” to that and you may completely lose management’s attention. Therefore, auditors cannot assume that the concept of assurance we see as fundamental is consistently understood by oversight providers.
The glossary of the International Standards for the Professional Practice of Internal Auditing defines assurance as “an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.” Companies spend a lot of time, money, and other resources putting “things” internal auditors may label internal controls in place to make sure objectives are met and strategies come to fruition. Most simply, assurance is no more than taking action to make sure these “things” work as intended.
Identify the assurance activities in the organization. Internal audit must identify the activities that occur throughout the organization before it can begin integrating them. In January 2013, The IIA published a position paper, The Three Lines of Defense in Effective Risk Management and Control. The paper lays out an excellent framework to help internal audit functions consider and define the correlation between three key types of assurance activities in an organization:
- The first line of defense — operational management or the functions that own and manage risk. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals.
- The second line of defense — examples may include risk management and compliance functions. These functions are separate from first-line functions and validate the effective execution of first-line activities.
- The third line of defense — internal audit. Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization.
In the electric utility industry, safety is the first priority. Our company uses several first-line activities to help ensure our employees are safe, including regular employee training and daily pre-job “tailgate” meetings that line crews hold before beginning work on a job. It is common in our industry to have separate second-line functions that conduct safety audits to ensure first-line activities such as these are carried out. The internal audit function plays an important third-line role in providing assurance that all of these activities are designed and operating effectively.
Ensure a common understanding of integration. The next element of terminology auditors must deal with is integration. Making the meaning of integration clear to management and the board will not only allow internal audit to better support the objectives of the organization, but it also can move an internal audit function into that elusive “value-add” territory.
Because the real benefit of identifying and integrating assurance functions exists at the level of the key governing personnel or bodies of the organization, including senior management and the board, finding a simple way to demonstrate the relationship among the functions is critical. In our organization, we use a mapping approach to present the existing assurance activities as they connect with key risks or objectives of the company. IIA Practice Advisory 2050-2, Assurance Maps, notes: “An assurance mapping exercise involves mapping assurance coverage against the key risks in an organization. This process allows an organization to identify and address any gaps in the risk management process and gives stakeholders comfort that risks are being managed and reported on, and that regulatory and legal obligations are being met.”
We have used mapping as an output or deliverable resulting from continued coordination between internal audit, enterprise risk management, and compliance. All three functions collectively coordinate annual risk assessment activities with key company leadership, identifying the key objectives of the organization, threats to achieving those objectives, and the key activities in place to mitigate identified threats. That last piece is essential to identifying the assurance activities.
The internal audit function uses this and other information to begin the mapping exercise, noting where there are pronounced first- or second-line assurance activities in place to mitigate risks or meet objectives (both as defined by the business owners themselves). From this mapping, internal audit aligns its own work, noting for the governing parties precisely where (and why) its resources will provide coverage, rely on existing coverage, or not provide coverage.
At the end of the day, internal audit functions must move beyond thinking they are the only function in the organization that can provide assurance. For our company, spending the time to identify and give credit for the quality assurance activities embedded throughout the company has worked wonders in simplifying the collective view and understanding of assurance, risk mitigation, and governance.