View from the top: Integrating assurance – finding a risk-based pragmatic balance

Internal audit functions, and the organisations that employ us, will face significant challenges over the coming months. Are we as leaders doing enough to influence thinking and ensure that our voice is heard in the public arena, with government and regulators, and within our organisations? I believe we could and should be doing more!

We need to ask how we are responding as heads of internal audit to government-level events such as the ongoing BEIS consultation on restoring public trust. The Chartered IIA has responded as a body; however, it is our role to drive the profile and awareness of controls, risks and assurance. This is equally important within our organisations as well as externally to shape future regulation and legislation.

On the other side, what are we doing within our organisations to respond to new demands and concerns? Are we being proactive and doing things that will enable us to promote and develop our businesses? Are the things we do currently proportionate and adding value? At all times, we must remember that our primary purpose is to strengthen the control environment because that is what helps our organisations to meet their objectives.

With these aims in mind, we decided to adopt early some of the principles included in the 2021 BEIS consultation. We have been transforming our control environment and approach to integrated assurance at SSE and I hope our experiences will be interesting and useful to others across the profession.

I joined SSE in January 2021 with responsibility for the group audit and risk functions. Shortly afterwards, I was asked to respond to the BEIS consultation on behalf of the business. We saw opportunities, so presented to the board our findings and ideas of elements we could adopt early, in order to get ahead of any forthcoming requirements. We believed it would put us in a strong position in the future.

Part of this response involved building up the capabilities of the third line, but we knew we had to go further and look across all three lines and the wider control environment. We collaborated with other functions – we engaged with finance to establish a project to strengthen internal controls over financial reporting, considered distributable reserves and dividend policy and explored our readiness to support a resilience statement. We engaged with our legal team to explore our approach to anti-corruption and financial crime, which might support a fraud statement. We also identified external assurance as a fourth line and the way this fits into our overall control framework.

We began with support from an external firm to benchmark across the industry and try to learn from history. This gave us the unique insight we needed to define a controls strategy that articulates our vision, but also specifies critical controls against three pillars: overall control environment critical controls; principal risk-mitigating controls; and resilience controls linked to climate change physical risks, regulatory compliance, operational continuity and cyber risks.

This enabled us to define our controls operating model and what this means to stakeholders, from the board to business units. We identified the responsibilities of each one – including my own as director of group risk and audit – and how these related back to the operational model and the four lines of defence (we identified the fourth line as our external stakeholders).

Then we looked at how we could coordinate this to ensure we focused on the right controls. We wanted to examine the way we understand the assurance coverage we get from the four lines and paint an overall picture of who covers what, and how different sources feed into each other and link back to the overarching risk model. We are still embedding this across the four lines to coordinate assurance programmes vertically within the second and third lines.

The “how” questions came next: how do we create minimum standards, how do we understand the level of assurance each area provides, and how do we decide what is needed and whether it is adequate (how does it relate to our risk appetite)? We are currently bringing the group functions into line with our integrated assurance methodology and reporting regularly to the audit committee on our progress.

Although BEIS has said it does not intend to introduce a US-style Sarbanes-Oxley Act, it has indicated that directors will have to be able to explain the basis on which they sign off annually on the effectiveness of internal controls. We believe that we now have the vision and plans to implement a robust methodology that engages all the business units and corporate functions, aligns with our control strategy and enables us to provide integrated assurance that we can have confidence in. We believe (as we said in our response to BEIS in 2021) that boards and directors should decide our risk appetite and approach to assurance, which this integrated assurance is intended to support.

Furthermore, we hope this will make us more efficient by eliminating assurance duplication and will create value synergies in terms of enhanced insight. We can demonstrate our direct relevance to the business and can aggregate findings from across the business and group to keep the board fully informed.

We’ve been evolving our approach over the past 18 months, and, in parallel, have also considered our use of technology and data analytics alongside embedding a people-based strategy around talent development and innovative resourcing. We believe that, in the long run, this will enable us to provide better outcomes for stakeholders in terms of assurance as well as developing our skills and experience. It has also raised awareness and educated the business about controls, risk and assurance.

The statutory drivers of this programme have always been secondary – the primary purpose was to find better ways to strengthen SSE’s control environment and leverage the position that internal audit has within SSE. We still have a huge way to go, but we now have a clear view and vision of the future. 

This article was published in March 2023.