Escolar Documentos
Profissional Documentos
Cultura Documentos
Becoming a Relevant
Partner through
Combined Assurance
2 TeamMate Global Audit Solutions | www.TeamMateSolutions.com
1
Combined Assurance: One Language, One Voice, One View
TeamMate Global Audit Solutions | www.TeamMateSolutions.com 3
Reliance
While the idea of relying on the work done by other departments is very attractive, auditors have
a hard time accepting the possibility of trusting poor quality work, and we typically raise our
concerns related to maintaining independence. Thankfully, the IIA has also provided guidance on
the topic of reliance. In this Practice Guide2, the IIA explains the need to assess the other internal
assurance providers objectivity and competence. We can think of this evaluation in much the
same way we would think of a peer review as part of the Quality Assurance and Improvement
Program (QAIP).
Competence Objectivity
To ascertain the internal assurance providers Similarly, the CAE should also decide whether
competence, CAEs need to understand the the group is able to objectively perform the
individuals who make up the other team in audit work. Considering these groups are
much the same way we understand our internal generally not independent like an internal
audit team. audit department, we need to consider the
following:
The qualities we must assess include:
Who does the assurance provider report to in
Education the organization?
Professional experience Will the work performed be influenced by
Professional certification management?
Policies and procedures Are there factors that would prohibit the
Supervision provider from performing the audit?
Documentation standards
Documentation review For our part in internal audit, we always
Performance evaluations reserve the right to not use the work
performed by our partners, and we can retest
or perform our own audit of the area if needed.
In this way, our own independence is not
impaired. In the end, internal audit does not
report to any of the other assurance teams.
2
Reliance by Internal Audit on Other Assurance Providers, The IIA 2011
TeamMate Global Audit Solutions | www.TeamMateSolutions.com 5
Holistic Reporting
We can also gain efficiency when reporting Risk Reporting
results to senior management and the board. In line with our respective audit processes,
At the beginning of the year, both the CAE and we should provide more risk information to
the heads of other teams, like the Director the audit committee. One way to highlight the
of EHS, submit summaries of their respective current state of our organizational risk profile
planned audit activities, staffing plan, and is with a risk coverage map. One of the best
budget to senior management and the board. examples of a risk coverage map in a combined
By combining these presentations, we can help assurance setting Ive found comes from a
our stakeholders better understand the scope PwC report titled Implementing a combined
of the work and planned audit coverage. assurance approach in the era of King III3 (see
figure 2). In this report, the authors present the
The same holds true for interim and year end major risk topics for an organization along with
results reporting. By co-presenting the results the groups within the Three Lines of Defense4
of multiple assurance providers at once, we can who are providing assurance services related
help management focus their efforts and set to each risk.
priorities for the organization. Of course, we
must be careful not to overwhelm the board From an internal audit perspective, the risk
with endless information. Always present coverage map shows exactly which group has
summary information, ideally with visuals, responsibility for risk management and to what
and provide any details as an appendix to the extent the coverage extends. In the example
summary. Remember that senior management below, you can see that Internal Audit has
has a very limited amount of time to dedicate minimal coverage on environmental risk, but
to your data, so be succinct and provide your this may be appropriate since there is an EHS
reports well in advance of any meetings. team and special projects that include heavier
coverage on this area of risk.
3
Implementing a combined assurance approach in the era of King III, 2010 PricewaterhouseCoopers.
4
IIA Position Paper The Three Lines of Defense in Effective Risk Management and Control (2013)
6 TeamMate Global Audit Solutions | www.TeamMateSolutions.com
Consulting engineers
Management review
Risk management
ISO certification
Health & safety
Special project
Special project
External audit
Internal audit
assessment
Compliance
Control self
SOX
Strategic
Cash/finance
and treasury
Funding
Sustainability
Growth/
mergers &
acquisitions
Alliances
Operational
Financial
IT
Treasury
Human
resources
Supply chain
management
Quality
Environment
Customers
Products &
Services
Figure 2
TeamMate Global Audit Solutions | www.TeamMateSolutions.com 7
In the end, the risk coverage map serves as Audit Results Reporting
both a responsibility chart as well as a way to At the end of an audit, our work product
demonstrate to management which risks are is the audit report. For management, all
getting the most attention by all aspects of they generally see produced by the audit
the organization. If we use a risk assessment department will be the engagement letter
that includes a comprehensive view of risks and the audit report. Rightly so, we spend
identified by all assurance providers in our inordinate amounts of time perfecting our
organization, and a combined assurance report templates, formatting the report, and
risk map to show coverage, we will present agonizing over the wording of each finding
management with a more complete, and more we present. We are so focused on delivering a
understandable picture of our organizational flawless audit report that we may forget that
risk profile. other assurance providers are also providing
management with their reports and lists of
issues. One way to reduce assurance fatigue
through combined assurance is to coordinate
our reporting standards. If all of the assurance
groups can decide on both a common format
and common taxonomy regarding audit
findings, management will be able to more
easily absorb the information we are all
presenting.
8 TeamMate Global Audit Solutions | www.TeamMateSolutions.com
Technologys Role
Internal auditors have traditionally led the In many organizations, the monitoring and
charge in risk assessment, control monitoring, testing processes used by management in
and testing techniques. We have surpassed the first line are overly dependent on manual
others in adopting new technology designed review with limited or no use of technology.
to improve our testing effectiveness and When we audit these areas, we can very quickly
efficiency. As a relevant partner, we should test controls and find management is not
share our tools with other assurance functions getting the timely information they need for
in our organization. We are in a fantastic proper oversight due to a lack of technology.
position to act as a business partner to those Control monitoring functions may be more
in our organization who share responsibility advanced in their assessment and monitoring
for managing risk. Based on the Three Lines activities, but their technology or software
of Defense Model we can organize most risk solutions may not integrate with those internal
management processes into three groups: audit is using for similar tasks.
Management Oversight, Control Monitoring (e.g.
SOX, Quality Control, EHS, etc.), and Internal When we look at all of the technology
Audit (see Figure 3). available across the spectrum of assessment,
monitoring, and testing of processes, risks,
and controls, there are several opportunities
to increase the effectiveness of organizational
risk management while increasing the
efficiency of internal audits role through the
use of software solutions and tools. Many of
these tools are already in place in most audit
departments.
5
IIA Special Report - Developing an Effective Internal Audit Technology Strategy (2012)
TeamMate Global Audit Solutions | www.TeamMateSolutions.com 11
Data
Analytics Management
Internal
Audit
Risk
Assessment
Controls
Monitoring
Controls
Management
Figure 4
Conclusion
As we all strive to provide our organizational management with useful and concise information
for their decision making process, combining efforts between internal audit and other assurance
groups will lead to improvement. We will better understand our audit coverage, and we will
gain efficiencies in our audit planning and reporting activities. Ultimately, by strengthening
the relationship between these similar functions, we will improve our ability to protect overall
organizational value while increasing our value as a relevant partner to the broader assurance
function as well as to the entire organization.
Contact information:
UNITED STATES & LATIN AMERICA
The Towers at Westshore
1410 N. Westshore Boulevard
Suite 400
Tampa, FL 33607
United States
1 888 830 5559
CANADA
Suite 300, 90 Sheppard Ave. E. Please visit
Toronto, Ontario M2N 6X1
Canada
1 800 461 5308, ext. 6853
TeamMateSolutions.com
EUROPE, MIDDLE EAST, AFRICA
25 Canada Square
41st Floor for more information.
London, E14 5LQ
United Kingdom
+44 20 3197 6566
ASIA PACIFIC
15/F, W Square
312-324 Hennessey Road
Wan Chai
Hong Kong
+ 852 2610 7080
Copyright 2017 Wolters Kluwer Financial Services, Inc. All rights reserved. 10198