I talked in an earlier blog about the benefits and drawbacks of having a ‘standardized approach’. Here is another example from assurance mapping where ‘standard’ terms can cause problems. Consider the standard assurance ratings as follows:
- Low assurance confidence – where management are self-assessing their own work
- Medium assurance confidence – where the second line of defense (compliance and risk functions etc.) is checking what is being done
- High assurance confidence – where there is independent checking of (say) more than 50% or 75% of key controls
These seem so sensible and reassuring – let’s use these criteria to produce an assurance map! The importance of independent checking by Internal Audit will become clear!
The problem with this sort of standardized assessment is that it implicitly downplays assurance from the first and second lines of defense and favours audit work, in a way that can cause significant issues when management are told about their low levels of assurance. Let’s consider the question more closely: how confident should we be in each type of assurance?
1) Management
Of course there is always a risk of self-deception when managers assess their own activities, but if the criteria management should apply are clearly spelled out, and the manager concerned is experienced and unafraid to be honest, we can take a lot from their assessment. This is all the more so when management are reporting upwards that they have issues and concerns that need to be addressed. Thus it is a dangerous oversimplification to say that all management assurance is of low quality.
2) Risk and compliance functions
Of course ‘second line’ functions are an important source of assurance, but before we get too confident in what they do, consider:
- What is the coverage of the second line of defense in terms of the risk areas/locations/processes they look at? (It is not unusual to find that resource constraints are limiting what they look at);
- Even if risk and compliance are looking at an area, are they overseeing what is being done with a detached, objective frame of mind? After all, how often do you hear second line functions saying they “don’t want to be policemen”?
- Finally, even if a second line function is able to identify issues and suggest remediation, how confident are they that the remediation has actually been implemented? (All too often compliance functions do not have the same rigorous follow-up process as internal audit.)
Thus, on the question of how much assurance second line functions provide, the correct answer is much more complex than a simple ‘medium’ level. ‘Medium’ may arguably be the average degree of confidence across a range of functions, but – in my experience – some second line functions provide a great deal of assurance and some very little.
3) Independent assurance functions (in the third and fourth lines of defense)
Clearly there are lots of reasons to believe that assurances from internal audit and other external assurance bodies are going to be robust. That said:
- What is the audit function’s level of understanding of the risk and the required controls? Increasingly, risks have an important technical component – can we be sure that third line functions have the technical capability to properly understand the risk being considered? Here we can see that whilst management might not have audit skills, management may have considerable experience working in the field that enables them to judge rather well how effectively a risk is being managed.
- Is testing 50% to 75% of the key controls really going to deliver a high level of assurance? Where the risk appetite is very risk-averse, testing of 80%, 90% or even 100% of key controls (if only on a sample basis) may be needed before we can feel properly assured about the management of the risk.
- Even if competent audit staff have assessed a high proportion of key controls and found them to be working earlier in the year, how can we be sure that the risk is being effectively managed right now? Some risks are very fast-moving and dynamic, and an assessment made two months ago may no longer hold true if the nature of the risk has changed or key processes and people have moved on.
In summary, audit professionals need to be mindful that assessment frameworks which elevate the role of audit assurance and downplay the role of other providers, without giving adequate consideration to the specific facts and circumstances of each provider of assurance, should be taken with a very large pinch of salt.
Of course, as an audit profession we want to build on what other colleagues are doing, and we want to keep things simple. But we need to be mindful of the danger of sticking to comfortable, standard ways of thinking – however common they may be – when they are in fact a substitute for careful and rigorous thought about the real issues we need to pay attention to.