Author: Kirsty Martin
What is assurance & why is it important?
Assurance in general is not well understood and is often misunderstood because it can be defined in many different ways.
We like to define assurance as the flow of information that provides a level of confidence that objectives will be achieved within an acceptable level of risk. It is designed to provide confidence to leaders and decision makers that obligations are being met and risks are being managed effectively.
Assurance is critical to good governance. It answers the question “how do you know?”.
How do you know that outcomes are being achieved? How do you know that decisions are being made based on accurate information? How do you know that projects are on track? How do you know that risks are being managed? The answers to these questions are crucial for leaders to make informed decisions to support the ongoing management of an organisation.
Organisations often don’t understand the value of assurance until something goes wrong. Then they wonder “how could we possibly have missed this?!”. Then they invest in assurance to reduce the risk of being blindsided like that again. Let’s share a story so you can learn from the mistakes of others (and not wait for something to go wrong in your own organisation) to understand the value of assurance.
Case study: What happens when you don’t have assurance
A previous client represents a great case study in the importance of assurance.
Like most organisations, they often had to procure various goods and services. They had a great procurement policy with clear rules and delegations in line with legislative and regulatory requirements, supported by templates and a specialist procurement team. They had a tiered, risk-based approach in which lower value procurements used a simplified purchase order form with lower-level delegation for approval, and procurements over a certain threshold went through a more rigorous process with more senior approval required. The procurement team even did a monthly review of purchase orders to ensure the correct forms were used, they were signed off at the right level, and they matched the corresponding invoices.
So how had they missed that almost $50,000 had been spent through a purchase order that went through the low value (<$5,000) purchase order process?
When conducting an internal audit, one of the procurements in our sample involved hiring some equipment. The equipment was originally hired for one day to confirm that it was appropriate for the job and because they thought they might be able to get through the whole job in one day. The staff member in charge of procuring the equipment got a quote for one day (approx. $4,500) and filled out the low value purchase order form as the quote was for <$5,000.
Once they started using the equipment, it became clear that, with recent and predicted rain adding difficulty to the work, they would need the equipment for around 10 business days. As they had already gotten the purchase order approved for one day, they assumed the same purchase order would be relevant for each day that the equipment was required.
The procurement team had checked the purchase order as part of their monthly review and seen the initial invoice for the first day which matched the purchase order and so ticked it off as compliant with the procurement policy. They hadn’t seen the other invoice for the rest of the work, as they had already found a matching invoice, therefore completing their review.
Finance also hadn’t noticed an issue, as they were told the purchase order was approved for each day and so released funds accordingly.
So, the cost ballooned to almost $50,000 without anyone realising anything had gone wrong. A procurement of that value required a much more thorough process, including a requirement to get at least 3 quotes to ensure value for money and a more senior level of sign-off. The issue would eventually have been picked up when the finance and procurement teams did their more detailed annual reviews, but this would not prevent the issue, and it would mean other similar issues could continue to happen for months before being addressed.
Through our internal audit (just one of many ways to provide assurance), we identified the issue, diagnosed the control gap, and helped the client to improve the process and controls to prevent that particular issue from occurring again. Had the client had more thorough internal assurance processes (supported by an assurance framework), they may have discovered the issue much earlier.
What is an Assurance Framework and why is it important?
An assurance framework brings assurance to life in a way that is tailored to your organisation’s specific needs. Depending on the maturity of the business, and/or the resources available to develop and manage the framework, it could take the form of a simple document or series of documents, or an interactive intranet site, or it could be built into business systems, or any combination of those. As long as it documents the organisation’s approach to assurance, it can take whichever form fits best. The intent of an Assurance Framework is usually to provide information and guidance without being too prescriptive, providing flexibility for different business areas to apply assurance in the way that best suits their needs.
Having a defined framework for assurance in your organisation is important to provide clear and consistent expectations, structure, and guidance to support the implementation of assurance to enable more effective decision making. The increased formality and planning around assurance that comes with a framework also helps to improve assurance outcomes by enabling a comprehensive view of assurance across the organisation, encouraging a coordinated approach to ensure effective targeting of assurance based on risk level.
Although there is no one-size-fits-all assurance framework, a good assurance framework should include:
- Definition of assurance and policy statement outlining the expectations around assurance for the organisation.
- Clear roles, responsibilities, and lines of communication (The ‘Three Lines Model’ for governance and risk management from the Institute of Internal Auditors can provide a useful frame for this.)
- Resources, capabilities, and guidance needed to deliver effective assurance.
The best Assurance Frameworks also include:
- Practical guidance to make the framework a relevant reference point (and not just another policy collecting dust on the shelf). Short and sharp ‘quick reference guide’ style content can be really useful for staff when implementing the framework. Helpful topics include how to identify if you need assurance, the different forms of assurance and how to choose the most appropriate form for different circumstances, case studies of how to successfully apply the assurance framework in your organisation etc.
- An explanation of how assurance information will be used to benefit the organisation. This could include some form of assurance mapping or other process by which assurance gaps can be analysed to better target assurance and/or feed into planning for the internal audit program.
Better Practice Assurance
Now that we have a better understanding of assurance and assurance frameworks, we can start to explore what “good” assurance looks like. Assurance needs to be planned in order to be conducted effectively and efficiently. This ensures the right assurance is provided at the right time. To assist with assurance planning, we recommend building the following “assurance lifecycle” into your assurance framework.
At a high level, the phases of the assurance lifecycle are:
Phase 1: Identifying Assurance Needs
Organisations are complex. At any one time, there are likely many different services, programs, projects, business initiatives etc. being delivered. The purpose of this phase is to assess which of these activities are likely to benefit most from assurance. Some key criteria to consider in identifying areas of greatest assurance need include:
- Is the activity higher risk (e.g., large financial impact, public/media interest, political sensitivity, large impact on objectives, high consequence of failure etc.)?
- Is it a defined area of focus for the leaders of the organisation?
- Are there known issues or weaknesses in this area?
- Is this a new activity or has it recently undergone a change?
Phase 2: Understand Existing Assurance
Once areas of assurance need are identified, existing assurance arrangements and controls need to be understood to identify ‘gaps’, ensure there are no overlaps, and recognise where existing assurance can be leveraged. Key questions to ask in this phase include:
- What controls (if any) are in place that are relevant to the identified areas of assurance need?
  - Have these been tested recently?
- What assurance activities (if any) have been conducted in that area in the past 12 months?
  - Do they provide a satisfactory level of confidence?
- What assurance activities (if any) are planned for the next 12 months?
  - Do they provide a satisfactory level of confidence?
- Have any similar projects/programs/functions got any relevant recent or planned assurance activities?
  - Is there an opportunity to cooperate on or leverage these activities?
Phase 3: Prioritise Through Risk
Although there may be many areas identified that would benefit from assurance, it is generally not cost or time-effective to provide assurance over all of them. So, once assurance requirements have been identified, they must be prioritised to ensure resources are allocated to the assurance activities that will be of greatest value to the organisation. A risk assessment using the organisation’s risk matrix will assist prioritisation.
Phase 4: Undertake Assurance
The prioritised assurance requirements are then considered against different assurance approaches to identify the appropriate form/s of assurance and the associated methodology to ensure the ‘right’ assurance is undertaken to achieve the desired level of assurance confidence. Once these decisions have been made, it’s time to start conducting your assurance!
Phase 5: Reporting and Monitoring
For assurance to add value, the outcomes need to be captured and shared. Different types of assurance will require varying degrees of formality in reporting, ranging from simple checklists or dashboards, through to detailed formal reports. Reporting should follow a format that best facilitates communication of the assurance information with relevant stakeholders to support timely decision making.
Phase 6: Implementing Recommendations and Continuous Improvement
The true benefit of assurance comes from taking the findings, identifying improvement opportunities, and implementing them as soon as possible to continuously improve the organisation. A continuous improvement approach is crucial for organisations to stay relevant and successful in our ever-changing social, economic, political, and technological environment. It is important to allocate clear responsibilities and time frames for implementing recommendations so that assurance value is not lost.
Key challenges in implementing assurance
- There is a cost associated with assurance. Depending on the types of assurance, it requires time and effort from staff, and/or fees for external providers. Assurance costs need to be factored into business planning.
- It can be a challenge getting broad buy-in from staff. People will need to be convinced of the value of assurance and understand why they are being asked to do it. If this isn’t effectively communicated, they will see it as just another tick box exercise that is perceived to waste their time. They will either make excuses to not do it (we have other much more important priorities!), or they will do it poorly with bare minimum effort to tick the box.
- Assurance requires certain skills and capabilities. There are many different forms of assurance, each requiring certain knowledge or skills. These can range from more general skills like critical thinking, attention to detail, and research, through to specific skills or knowledge such as data analysis, business analysis, financial analysis, risk management and internal audit expertise, knowledge of specific standards or better practice guidelines etc. Assurance needs to be factored into resourcing and staffing planning to ensure people with the right skills are available.
- Assurance relies on access to useable and useful information/data. It may require some work to set up collection mechanisms to extract the necessary data, particularly where assurance requirements weren’t considered at the time of designing processes and/or systems.
An assurance framework helps to address some of these challenges by setting the foundations for a shared organisational understanding of assurance, including roles, expectations, resources and capabilities. However, a framework alone will not solve everything. To effectively implement an assurance framework (like any business change) will require a coordinated change management and communications plan to bring staff along for the journey.
To help tailor an Assurance Framework to meet your needs and add value, and/or assist in the change management and communications to roll it out across the organisation, you may want to enlist an external provider. Sententia Consulting has highly experienced assurance specialists who have designed and implemented Assurance Frameworks and are available to assist your organisation. Reach out today to find out how we can help.