Moving forward with combined assurance

IMFO Audit & Risk Indaba
28 October 2011
frank.muller@za.pwc.com

www.pwc.com


Discussion topics

1. The source of the combined assurance concept

2. Objectives and tangible benefits

3. The challenges

4. The models to consider

5. A five step practical approach

6. Where to from here



1. The Source - King III introduces combined assurance as a recommended governance practice

“3.5. The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities”

“7.3.1. Internal audit should form an integral part of the combined assurance model as internal assurance provider.”

Figure: Combined assurance model (diagram not reproduced)


2. The objectives

1. A combined assurance model aims to optimise the assurance coverage obtained from management, internal assurance providers and external assurance providers on the (key) risk areas affecting the company.

2. The combined assurance provided by internal and external assurance providers and management should be sufficient to satisfy the audit committee that significant risk areas within the organisation have been adequately addressed and suitable controls exist to mitigate and reduce these risks.

What are we often faced with?

• Risks not being covered/ covered too much

• Audit fatigue

• Limited assurance budget (especially for internal audit?)



2. Combined assurance offers tangible benefits that extend beyond compliance

• Coordinated and relevant assurance efforts focusing on key risks

• Comprehensive and prioritised tracking of remedial actions

• Minimised business/operational disruptions

• Improved reporting to the board and committees, including reducing the repetition of reports

• Possible reduced assurance costs or expansion in scope

• The use of combined assurance to support the audit committee and board in making their control assessment statements in the integrated report (IFC’s and systems of internal control)



3. The challenges and critical success factors

1. Executive sponsor

2. Combined Assurance champion – the driver

3. Relevant and accurate risk information – ERM Maturity

4. Agreeing on a framework, methodology, risk language, enabling technology

5. Evaluating the quality of assurance provided and to whom

6. Deciding on the desired level of assurance from which assurance provider (link to risk appetite and tolerance)

7. Communication and training throughout the organisation

8. Clear understanding of the plan, its objectives, processes, and outputs




4. Market Models – What we see…

Figure (panel titles only, diagram not reproduced): New market challenge; IFC’s and overall controls; Who drives the combined assurance initiative



5. Combined assurance is one of the biggest challenges in adopting King III

A practical five-step approach to implementing effective combined assurance

1. Establish the business case

2. Assess the actual assurance provided – Reality check

3. Detailed mapping of risks to assurance providers

4. Design Combined Assurance blueprint

5. Make Combined Assurance a reality



1. Gain high-level understanding of the current Assurance Profile

Assurance is provided by 3 Lines of Defence:

• Line#1 - Management oversight e.g. performance measurement, risk management, control self-assessment.

• Line#2 - Enterprise risk management, legal, compliance, health and safety, quality assurance.

• Line#3 - Internal audit, external audit and other credible assurance providers.

Management oversight (the first line) is factored into combined assurance where no second or third line of defence assurance is considered appropriate in the combined assurance model.

The business case is established by obtaining an overview of the current assurance profile.

Example Assurance Profile

The profile is a matrix (cell shading not reproduced here) of processes against the three lines of defence assurance providers:

First line of defence - Management: control self-assessment, management review, special project

Second line of defence – Risk and legal based assurance: ERM, SOX compliance

Third line of defence – Independent assurance: external audit, internal audit, special project

Processes (rows):

Strategic

• Funding

• Sustainability

• Growth

Operational

• Treasury

• Products and services

• Finance

Legend: Extensive assurance / Moderate assurance / Inadequate assurance / Not applicable


2. The assurance reality check

Identify the assurance providers

• Internal and external audit

• Risk management

• Compliance

• Information security

• Human capital

• SOX compliance

• ISO

• Insurance

Assessment of the assurance providers

• Skill and experience levels

• Whether the scope and frequency of the work address the risks

• Acceptable approach/methodology

• Conflict of interest

• Quality reviews


2. The assurance reality check

Example of ranking of assurance

Rating and description/characteristics guidance:

Extensive assurance

• Scope of work covers the entire process area

• Period of the work performed covers more than half the year

• Positive opinion or certification is provided

• Accredited assurance provider

Moderate assurance

• Scope of work covers part of the business process

• Work performed covers less than 6 months of the period under review

• Limited assurance statement provided

Limited assurance

• Scope of work covers a very specific part of the business process

• Work performed is for a period of less than 3 months or is at a point in time

• No certification or assurance statement provided (e.g. factual findings with recommendations)


2. The assurance reality check

Assess quality of assurance:

• Interviews with the recipients of the assurance

• Identify the assurance sponsors for forward consultation

Assessment of current state of assurance reporting:

• Assurance may not reach appropriate forum

• Some forums do not receive any assurance

• Certain governance committees are overburdened

• Certain agenda items are debated in multiple forums

INTERNAL AUDIT CAN DO THIS!

Figure: Example – current state of assurance reporting (diagram not reproduced)


3. Detailed mapping of risks to assurance providers

Establish the universe for Combined Assurance:

• A consistent risk assessment approach should exist – ERM Maturity Profile

• Use strategic and key business unit risk profiles (start with the top 20 inherent risks?)

• Map the different lines of defence to the detailed risks and controls

• Determine the desired level of assurance

• Identify the gaps and the “excess assurance”

• Use risk management software to allow analysis and reporting

INTERNAL AUDIT CAN LEAD THIS PROCESS!

Example Risk Map

The map is a matrix (cell shading not reproduced here) of example IT risks and their associated controls against the three lines of defence assurance providers:

First line of defence - Management: control self-assessment, management review, special project

Second line of defence – Risk and legal based assurance: ERM, SOX compliance

Third line of defence – Independent assurance: external audit, internal audit, special project

Operational - Network

Example IT risk: Network perimeter security breach

Associated controls:

• Secure firewall configuration

• Secure remote access design

• Security monitoring service contracted with supplier

Example IT risk: Network downtime

Associated controls:

• Service level agreement with supplier

• Disaster recovery plan

Legend: Currently providing assurance / Should provide assurance / Quality of assurance acceptable / Quality of assurance unacceptable

Annotation on one provider cell: “Scope excludes detailed configuration”
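The step-3 analysis (map the lines of defence to risks and controls, set the desired level of assurance, then list the gaps and the "excess assurance") and the example risk map can be expressed as a small script. The following is an added example and is not code from the deck or from PwC. It uses the deck's rating scale (extensive / moderate / limited) as an ordered enum and a constructed data set modelled on the 'Operational - Network' rows; which provider covers which control, at what level, the provider-to-line assignments and the quality flags are all assumptions made for illustration.

```python
# Added example: gap / excess analysis over a combined assurance risk map.
# Data, provider-to-line assignments and quality flags are assumptions.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ratings from the deck's ranking table, ordered so they can be compared."""
    NONE = 0        # no assurance at all
    LIMITED = 1
    MODERATE = 2
    EXTENSIVE = 3


# Assumed assignment of assurance providers to the three lines of defence.
LINE_OF_DEFENCE = {
    "Control self assessment": 1, "Management review": 1,
    "ERM": 2, "SOX compliance": 2,
    "External audit": 3, "Internal audit": 3,
}


@dataclass
class Assurance:
    provider: str
    level: Level
    quality_ok: bool = True   # outcome of the reality check on this provider's work


@dataclass
class Control:
    name: str
    desired: Level                     # level the audit committee wants on this control
    provided: list[Assurance] = field(default_factory=list)

    def effective_level(self) -> Level:
        """Highest rating from a provider whose quality passed the reality check."""
        return max((a.level for a in self.provided if a.quality_ok), default=Level.NONE)


# Constructed data modelled on the slide's 'Operational - Network' rows.
RISK_MAP: dict[str, list[Control]] = {
    "Network perimeter security breach": [
        Control("Secure firewall configuration", Level.EXTENSIVE, [
            Assurance("Control self assessment", Level.MODERATE),
            # assumed: external audit scope excludes detailed configuration
            Assurance("External audit", Level.MODERATE, quality_ok=False),
            Assurance("Internal audit", Level.LIMITED)]),
        Control("Secure remote access design", Level.MODERATE, [
            Assurance("Internal audit", Level.MODERATE)]),
        Control("Security monitoring service contracted with supplier", Level.MODERATE, [
            Assurance("Management review", Level.LIMITED)]),
    ],
    "Network downtime": [
        Control("Service level agreement with supplier", Level.MODERATE, [
            Assurance("Management review", Level.MODERATE),
            Assurance("ERM", Level.MODERATE),
            Assurance("Internal audit", Level.EXTENSIVE)]),
        Control("Disaster recovery plan", Level.EXTENSIVE, [
            Assurance("Internal audit", Level.EXTENSIVE)]),
    ],
}


def all_controls(risk_map: dict[str, list[Control]]) -> list[Control]:
    return [c for controls in risk_map.values() for c in controls]


def find_gaps(controls: list[Control]) -> dict[str, tuple[Level, Level]]:
    """Controls whose acceptable-quality assurance is below the desired level: name -> (have, want)."""
    return {c.name: (c.effective_level(), c.desired)
            for c in controls if c.effective_level() < c.desired}


def find_excess(controls: list[Control]) -> dict[str, list[str]]:
    """Controls where two or more acceptable providers each already meet the desired level
    (candidates for reduced scope or reliance on one provider, to cut audit fatigue)."""
    excess = {}
    for c in controls:
        meeting = [a.provider for a in c.provided if a.quality_ok and a.level >= c.desired]
        if len(meeting) >= 2:
            excess[c.name] = meeting
    return excess


def quality_failures(controls: list[Control]) -> dict[str, list[str]]:
    """Providers whose work on a control was rated unacceptable in the reality check."""
    return {c.name: [a.provider for a in c.provided if not a.quality_ok]
            for c in controls if any(not a.quality_ok for a in c.provided)}


def lines_covering(control: Control) -> list[int]:
    """Lines of defence giving acceptable-quality assurance on the control."""
    return sorted({LINE_OF_DEFENCE[a.provider] for a in control.provided if a.quality_ok})


if __name__ == "__main__":
    cs = all_controls(RISK_MAP)
    print("Gaps:", find_gaps(cs))
    print("Excess:", find_excess(cs))
    print("Quality failures:", quality_failures(cs))
```

Run as a script it prints the gap, excess and quality-failure lists. `effective_level` deliberately ignores providers that failed the reality check, so an external audit whose scope excludes the detailed configuration does not close the firewall gap on paper, and the service level agreement shows up as excess because three providers already meet the desired level.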


4. Design Combined Assurance blueprint

Convince all stakeholders of the future approach:

• Agree the common risk universe

• What assurance is to be provided and to whom

• Agree on methodology to assess assurance providers

Combined Assurance blueprint:

• Risk based assurance coverage

• Analysis by assurance provider

• Management / governance committee responsible

• Frequency and extent of assurance required


5. Make Combined Assurance a reality

• Executive sponsor and Audit Committee support

• Combined assurance champion driving day-to-day activities

◦ Needs to be driven actively

◦ Consistent reporting structure and feedback

◦ Regular assessment of quality of delivery

• Combined Assurance Forum

◦ Initial planning

◦ 3 to 6 monthly assessment


6. What do I do when I leave here?

• Find your executive sponsor

• Assess the level of maturity of your ERM process

• Determine who is best placed to drive this initiative

• Liaise with the Audit Committee chair

◦ What are their expectations?

◦ Reporting requirements

GET STARTED!

That’s the theory – the rest is up to you!

www.pwc.com/za

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Inc, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2011 PricewaterhouseCoopers (“PwC”), a South African firm. PwC is part of the PricewaterhouseCoopers International Limited (“PwCIL”) network that consists of separate and independent legal entities that do not act as agents of PwCIL or any other member firm, nor is PwCIL or the separate firms responsible or liable for the acts or omissions of each other in any way. No portion of this document may be reproduced by any process without the written permission of PwC.