We recognise the continuous and deep connection to Country, of Aboriginal and Torres Strait Islander peoples as the first peoples of this nation. In this way we respectfully acknowledge the Traditional Custodians of this land, sea, the waters and sky. We pay tribute to the Elders past and present as we also respect the collective ancestry that has brought us all here today.
AUTHOR: JOSIE LOPEZ
With the increasing focus on environmental, social and governance (ESG) issues, mandatory climate disclosure reporting is being introduced around the world to provide information on an organisation’s progress towards their ESG goals. To demonstrate their commitment to acting on climate change in their own operations, the Commonwealth Government has introduced Climate Disclosure Reporting for Commonwealth entities and Commonwealth companies.
Like the introduction of Performance Statements into Commonwealth Government reporting, the introduction of Climate Disclosure Reporting will be applied in a phased approach to allow entities to develop their maturity over time. However, do not let this phased approach lull you into a false sense of security. For entities and Accountable Authorities to properly discharge their responsibilities under Climate Disclosure Reporting, entities must invest in the relevant resources and take the time to develop and implement the appropriate infrastructure to support this reporting.
What is expected of entities under climate disclosure reporting?
There will be two streams of disclosure requirements for Commonwealth entities and Commonwealth companies:
- Stream 1 – for Commonwealth companies equivalent in size or greater than ASX 300 and Commonwealth companies equivalent in size to large proprietary companies with material climate risks. Climate-related financial disclosures for this stream will be led by the Department of Treasury.
- Stream 2 – all other Commonwealth entities and Commonwealth companies. Climate-related disclosures for this stream will be led by the Department of Finance.
The Department of Finance expects to finalise the Commonwealth Climate Disclosure requirements for Stream 2 in mid-2024. Therefore, at the time this paper was written, only the requirements for the Pilot had been released. However, the Department of Finance notes that the requirements will align with climate disclosure standards set internationally by the International Sustainability Standards Board (ISSB), nationally by the Australian Accounting Standards Board (AASB), and be tailored for government and the regulatory and policy environments under which they operate (e.g. APS Net Zero by 2030).
The pillars of Climate Disclosure reporting within International Financial Reporting Standards Sustainability Standard S2 Climate-related Disclosures that will be featured within the Department of Finance’s disclosure requirements include:
It is noted that the pillar of ‘Strategy’ is not included in the Pilot for Departments of State; however, this pillar will be included in the required disclosures by the Department of Finance from 2024-25.
How do I prepare for Climate Disclosure Reporting?
Similar to the introduction of Performance Statements and the new Australian Accounting Standards for Revenue and Leases, entities that are not aware of their requirements and do not adequately prepare for climate disclosure reporting will get caught out in the first year of reporting.
For an entity, and therefore an Accountable Authority, to properly discharge their responsibilities under Climate Disclosure Reporting, an entity must take the time to ensure that they have the right resources and infrastructure in place. To report on the four pillars, this will include:
Although capacity building support is being provided to Commonwealth entities and Commonwealth companies to help them meet their climate disclosure obligations, entities need to ensure that they have dedicated resources with the capability and experience to be able to properly report on their climate disclosure requirements. In addition, employee engagement and staff-led initiatives will be important to achieving net zero grassroots climate action and broader sustainability. Depending on the size and nature of the entity, to ensure that there is the appropriate infrastructure, frameworks and level of executive involvement, this may require the establishment of a Chief Sustainability Officer, a Climate Sustainability and Assessment Team, a Risk Management Team and an Environmental Contact Officer Network (a volunteer-run network of staff committed to reducing the environmental footprint of the entity’s operations).
When do I have to report?
The following table details the tranche and initial year of reporting for all Commonwealth entities under Stream 2:
Will my sustainability report be audited?
The Department of Finance will be developing a verification and assurance regime in consultation with the Australian National Audit Office (ANAO) to be applied to Stream 2 entities. Like the initial Performance Statement reviews conducted by the ANAO, the focus of the regime will be on improving the quality of climate disclosures. We believe that over the years as the maturity of climate disclosure reporting increases within the Commonwealth, like the Performance Statements there may be a move to mandatory audits which will include the issue of an audit opinion in the form of positive assurance over compliance with the Commonwealth climate disclosure reporting requirements. With this in mind, entities should develop their climate disclosure reporting frameworks to ensure that there is rigor and robustness within processes to identify and capture applicable data, and ensure that the governance around this function supports the complete and accurate reporting of the climate disclosure requirements of the entity. This will also provide the Accountable Authority with comfort over what the entity is reporting as well as their progress in line with the Commonwealth Government’s commitment to Net Zero in Government operations.
Should Internal Audit get involved?
Internal Audit should play a significant part in an entity’s preparedness for Climate Disclosure Reporting, and now is the perfect time for Internal Audit to get involved! Internal Audit should be making contact with the line areas responsible for Climate Disclosure Reporting and integrating into an assurance program over the four pillars of reporting. Real-time assurance as the entity progresses around the framework for Climate Disclosure Reporting, as well as assurance over results to be reported, will provide relevant governance committees and the Accountable Authority comfort in what the entity is reporting to both government and the public.
Conversely, line areas responsible for Climate Disclosure Reporting should be reaching out to Internal Audit to provide them assurance around the rigor and robustness of their processes for Climate Disclosure Reporting.
AUTHOR: JO CARROLL
In both the Public and Private sectors, it is important that individuals, programs and
organisations are held to account to deliver performance outcomes. Within the
private sector, profitability is the measure most often used, however we are seeing
an evolution with the increased focus and priority given to Environmental, Social
and Governance (ESG) reporting. Within Government the Annual Performance
Statements is the way in which performance is measured and reported,
implemented with the introduction of the Public Governance, Performance and
Accountability Act 2013 (PGPA Act) which established the system through which
accountability for public resources is to be governed.
In the public sector Annual Performance Statements is a regular audit topic on
Internal Audit Work Programs. As the Australian National Audit Office (ANAO)
continues to expand its external audit program, internal audit functions can help
their agencies to prepare for external audit, and address findings and
recommendations from the ANAO work program.
Audits of Annual Performance Statements started to find their way onto our work
programs around 2019 when the ANAO commenced its pilot program. These audits
were focussed on the accuracy of the data presented in the statements. As time
progresses, we are seeing more value being added by audits that assess the
measures themselves and flesh out grey areas beyond prescriptive rules. Providing
assurance that agencies have coverage of material or key activities, an appropriate
balance of efficiency, outcome and output measures and a rigorous approach to
measuring qualitative aspects of functions such as the provision of policy advice
can provide a richer and more complete performance story to the public.
Off the back of a number of years of these rolling audit programs and ANAO
insights, we are seeing Government agencies continuing to refine their measures,
moving towards quality over quantity to tell a more compelling performance story.
For example, the Department of Infrastructure, Transport, Regional Development,
Communications and the Arts (DITRDCA) has reduced their measures from 85 in the
2021-22 Corporate Plan to 45 in 2023-24 and the Department of Treasury
consolidated its key activities from five to three in 2023-24 to allow for a more
long-term strategic view on its performance. The processes supporting the
planning, selecting, monitoring, reporting and validating of measures are also useful
for Internal Audit to provide insight and their process expertise.
But what is the next iteration of these audits? As we move beyond accuracy and
grey areas within the process, how can we continue to drive better performance
outcomes?
Value can be added by Internal Audits with objectives to assess how the
performance measures and statements are being used to drive better performance.
This is harder to quantify and evaluate than when we assess the measures
themselves and the processes that support them. As internal auditors, we have an
obligation to bring value through our audits, identify performance improvements
and look for opportunities to continue to mature.
Critical to achieving performance outcomes is the concept of accountability and
who is accountable to drive performance of an organisation, function or capability.
Internal Audit can consider how individuals are held to account, and how they are
using this performance information to make decisions that lead to better performance
outcomes (or whether they are waiting for the end of the reporting period with a
rearward-facing view).
Accountability refers to the obligation or willingness of individuals to take
responsibility for their actions, decisions, and the outcomes resulting from them. It
involves acknowledging and accepting the consequences—both positive and
negative—of one’s actions and fulfilling commitments made to others. In a broader
sense, accountability is a fundamental aspect of ethical and responsible behaviour
in personal, professional, and organisational contexts. It implies a commitment to
transparency, integrity, and the understanding that actions have an impact on
individuals, teams, and the overall performance of an organisation. In an
accountability-driven environment, team members are free to share knowledge,
provide constructive criticism, and own their successes and failures without fear of
repercussion.
A culture of accountability can be very difficult to build. Within Government, there
is less reliance on profit as a means of measuring performance and there are often
less tangible measures of performance. Arguably accountability can still be difficult
in the private sector; holding individuals to account for driving performance
isn’t always easy while maintaining a positive and healthy work culture. Successful
performance goes beyond financial results and companies are starting to more
actively measure and monitor other aspects of performance through ESG reporting.
A culture of accountability in an organisation requires a number of conditions to be
present. Listed here are some criteria you can assess to form a view on the culture
of accountability that in turn supports performance outcomes:
Leadership Role Modelling
Leaders should consistently demonstrate and model accountability in their actions
and decisions. When employees see leaders taking responsibility for their actions,
it sets a positive example for the entire organisation.
Clear Expectations and Communication
Clearly communicated expectations for individual and team accountability. Ensure
that everyone understands their roles, responsibilities, and the impact of their work
on the overall success of the capability, function and organisation.
Regular monitoring of Performance Metrics and KPIs
Regularly track and communicate progress, holding teams accountable for meeting
these performance standards or for making decisions and adjustments when
performance is lacking.
Recognise and reward individuals and teams for their accountability and successful
outcomes. This can be through both formal recognition programs and informal
acknowledgment of a job well done.
Accountability Framework
An accountability framework that outlines the consequences for both meeting and
not meeting expectations that is transparent and consistently applied across the
organisation.
Training and Development
Training programs that focus on accountability, teamwork, and communication to
help employees develop the skills they need to take ownership of their work and
collaborate effectively across silos.
Cross-Functional Collaboration
Collaboration across different departments and teams is encouraged and
facilitated, fostering a culture where individuals understand the interconnectedness
of their work with others and the overall performance of the organisation.
Feedback Mechanisms
Regular feedback mechanisms, such as performance reviews and 360-degree
feedback, to provide individuals with insights into their personal performance in
relation to their accountabilities for the organisation’s performance. The link
between individual role and performance measure is clear and constructive
feedback is provided to foster a culture of continuous improvement.
Conflict Resolution Training
Training on conflict resolution to help teams address issues constructively. A
culture that addresses conflicts openly and seeks solutions promotes
accountability.
Continuous Improvement Culture
A culture of continuous improvement where mistakes are seen as opportunities to
learn and grow rather than as reasons for blame, and where employees are encouraged
and expected to share lessons learned from both successes and failures.
Employee Involvement
Involve accountable employees in decision-making processes and give them a
sense of ownership to take action to achieve the organisation’s goals. When
employees feel a connection to the organisation’s mission, they are more likely to
take accountability for their contributions.
With these elements present, performance reporting can be more than just a
tick-the-box exercise; it can drive performance outcomes that are achieved through the
performance reporting and its supporting processes.
When setting the objective for your next audit of Performance Statements, think of
performance measures beyond an exercise for corporate reporting or to prepare for
an ANAO audit – consider how you can build upon the maturation of measures and
processes to factor how performance measures can and should be used by the
organisation to reinforce accountability and support decision making to improve
performance outcomes.
AUTHORS: MARK HARRISON, LILI MILLAWITHANACHCHI, HIRUNDA KANAHARAARACHCHI, & KIRSTY MARTIN
In many organisations, Internal Audit functions are not respected, and the value of Internal Auditors is not understood or appreciated. Internal Audit can be an incredible asset to any organisation, and an effective strategy acts as a powerful tool to identify and demonstrate the value we bring. A strategy helps to:
- Foster continuous improvement of the function
- Support strategic alignment between the audit function and the broader organisation
- Enable adaptation to changing risk profiles
- Improve Internal Audit’s reputation and relationships to gain influence across organisations
To support a future-ready Internal Audit function, an effective strategy should cover the following key elements:
Integrate with risk
Supporting effective risk management is a fundamental component of the role of Internal Audit. As such, risk management needs to sit at the core of an Internal Audit Strategy. To be effective in drawing on intel on risk, Internal Audit needs to partner with the Risk Management function to form a mutually beneficial relationship. Both Internal Audit and Risk Management perform unique roles that allow for a broad view across the organisation.
While it can sometimes feel like Internal Audit and Risk functions are competing to be the trusted advisor in an organisation, sharing insights between these functions can add value in tailoring and targeting the activities they each perform.
Namely for Internal Audit, it provides rich intel on where to focus the Internal Audit Strategy. Tactically, sharing of information between the roles can support Internal Audit to identify where it needs to pivot activities to better target changing risk profiles.
Be agile
Traditional Internal Audit structures and processes slow its ability to adapt to emerging risks.
Becoming more agile means that Internal Auditors have their eyes open to changing risk profiles and pivot quickly to deliver more valuable and timely insights.
This can mean stepping away from a stable annual Internal Audit Program with fixed scopes determined at the start of the year. An agile delivery approach takes the pressure off Internal Audit functions to ‘crystal ball gaze’ to design relevant audit programs 12-18 months in advance. But this also means that linear performance measures of Internal Audit functions like timely delivery against a pre-determined audit program lose relevance. Success of the Internal Audit function needs to be measured with a focus on business outcomes and the alignment of the Internal Audit activity that contributed to it.
Moving to a more agile approach requires change management in setting the expectations of the Audit Committee, organisational leadership, and other stakeholders. Without understanding the true value of agile auditing, these stakeholders will default to traditional approaches. An Internal Audit Strategy that prioritises agile approaches can serve as a mechanism to aid change management by drawing attention to it and supporting conversations on what this will mean for each stakeholder group.
Capitalise on data
Data captured within organisations provides a rich source of information for Internal Auditors. This remains an area of untapped potential for many Internal Audit functions. Data literacy is a core capability of all Internal Auditors – specialist knowledge and expertise can help Internal Auditors to gain a seat at the table for discussions on new system functionality to influence decision making to ensure structured, reliable data is collected. Regardless of the maturity of the organisation and its Internal Audit function, there is value for an Internal Audit Strategy to prioritise the use of data and development of data capability within the function.
Data-heavy internal audits can also allow for innovative presentation – moving away from traditional reporting to dashboards of “real-time” data, allowing readers to interact with data visualisations to drill down into areas of interest.
This allows for more engaging and dynamic reporting, which increases the likelihood of it being read, understood, and actioned. In an increasingly fast-paced and resource constrained environment, an Internal Audit Strategy that fails to prioritise succinct, targeted reporting limits the value it can deliver.
Expand skillsets
Internal Audit functions need to expand on their skillsets to remain relevant and deliver innovative audits that add value. The Internal Audit profession needs creative auditors who are IT-savvy, flexible and agile, influential and with strong business acumen and communication and networking skills. This can mean taking risks on candidates who have these skills but lack technical audit skills and experience.
Target skills need to be prioritised and built into professional development plans and rewards and recognition mechanisms and supported by investment in training and recruitment.
This starts with demonstrating the value of Internal Audit within organisations to make a case for the investment. Building your future-proof Internal Audit team will not happen overnight but including capability uplift in your Internal Audit Strategy draws attention to the need and supports prioritisation of investment.
As with any change, we need to bring our stakeholders along on the journey. An effective Internal Audit Strategy provides a shared vision of the future and supports ongoing communication to enable progress towards a bolder and more valuable Internal Audit Function.
Author: Lili Millawithanachchi
As we get closer to 30 June, many Internal Audit functions have been casting their minds to developing their annual internal audit programs. Careful selection of audit topics can help to uncover areas of emerging risks for agencies and add the most value.
In this blog we outline audit topics that could resonate for your organisation’s audit program in unexpected areas. We have paired each of these topics with innovative approaches to delivery that can help to bring new insights and offer different ways of engaging with stakeholders.
1. Business Resilience
Why?
Business resilience remains a key area of risk for many organisations as they continue to examine aspects of operations affected by the pandemic, the economic slowdown, and change in government.
In particular, supply chain management risks brought to light during the pandemic, constrained labour markets, and hybrid working models are posing ongoing resilience challenges for organisations of all sizes.
How?
Agile auditing techniques can provide valuable insight and assurance over key areas that impact resilience. For example, a high-level audit of talent retention may be conducted to identify whether there are any significant gaps in the approach taken by the organisation. At the mid-point of the audit, the internal audit team may determine the need for a more in-depth review of one or more gaps identified. This way, audit effort is targeted to the areas of most significant exposure, which may not be known when planning the audit program.
2. Data Governance, Security, and User Access
Why?
Data governance, and more specifically, data security, has hit centre-stage for many organisations following several high-profile hacks in the past year. This has caused closer examination of things like data retention and user access, as well as the security culture of organisations.
How?
Behavioural audits of security risk management culture can provide insights into how effectively controls are operating in practice. An audit can be designed to identify attitudes to security management, particularly in positions of influence such as those in managerial or leadership roles. This can go beyond a “tick-and-flick” of whether an organisation is complying with requirements to providing insights on sticking points in improving security culture.
3. Performance Reporting
Why?
Agencies need to be prepared for the increasing level of scrutiny over performance information that will come with the Australian National Audit Office’s (ANAO’s) expansion of their annual performance statement audit program.
How?
A series of snapshot audits through pivotal points in the performance reporting lifecycle can identify weak points and seek to address them early in 2023-24. Innovative reporting such as rapid snapshots and dashboards can be used to monitor and report on performance throughout the lifecycle. This would be useful for organisations seeking to ready themselves for an upcoming ANAO audit.
4. Indigenous Action Plans
Why?
Indigenous action plans are becoming an increasing area of focus for organisations as Australians consider the Indigenous Voice to Parliament.
How?
If progress against the Indigenous action plan is a known weakness, a facilitative audit may be undertaken in which organisations are supported in addressing known gaps with guidance and advice to management, rather than simply leaving a number of recommendations. A facilitative audit involving Indigenous leaders or experts in the field can be a way of supporting organisations in identifying ways to improve Indigenous action plans.
5. Coordinated Assurance
Why?
A more coordinated approach to assurance activity improves efficiency in a cost-constrained environment. Assurance mapping, assurance strategies, and whole-of-organisation assurance frameworks can be leveraged by management and leaders to prioritise assurance activity in areas of greatest need, reduce duplication of effort, and improve decision making.
How?
Internal Audit plays a pivotal role in assurance provision and is well placed to lead a more coordinated enterprise approach to assurance due to their technical expertise and visibility across the organisation. This may mean setting aside resourcing for coordinating assurance and sharing expertise to support other areas in implementing improved assurance approaches.
This can, for example, lead to supporting a second-line assurance function to develop self-assessments for evaluation of the effectiveness of a management framework.
Author: Kirsty Martin
What is assurance & why is it important?
Assurance in general is not well understood and is often misunderstood because it can be defined in many different ways.
We like to define assurance as the flow of information that provides a level of confidence that objectives will be achieved within an acceptable level of risk. It is designed to provide confidence to leaders and decision makers that obligations are being met and risks are being managed effectively.
Assurance is critical to good governance. It answers the question “how do you know?”.
How do you know that outcomes are being achieved? How do you know that decisions are being made based on accurate information? How do you know that projects are on track? How do you know that risks are being managed? The answers to these questions are crucial for leaders to make informed decisions to support the ongoing management of an organisation.
Organisations often don’t understand the value of assurance until something goes wrong. Then they wonder “how could we possibly have missed this?!”. Then they invest in assurance to reduce the risk of being blindsided like that again. Let’s share a story so you can learn from the mistakes of others (and not wait for something to go wrong in your own organisation) to understand the value of assurance.
Case study: What happens when you don’t have assurance
A previous client represents a great case study in the importance of assurance.
Like most organisations, they often had to procure various goods and services. They had a great procurement policy with clear rules and delegations in line with legislative and regulatory requirements, supported by templates and a specialist procurement team. They had a tiered, risk-based approach in which lower value procurements used a simplified purchase order form with lower-level delegation for approval, and procurements over a certain threshold went through a more rigorous process with more senior approval required. The procurement team even did a monthly review of purchase orders to ensure the correct forms were used, they were signed off at the right level, and they matched the corresponding invoices.
So how had they missed that almost $50,000 had been spent through a purchase order that went through the low value (<$5,000) purchase order process?
When conducting an internal audit, one of the procurements in our sample involved hiring some equipment. The equipment was originally hired for one day to confirm that it was appropriate for the job and because they thought they might be able to get through the whole job in one day. The staff member in charge of procuring the equipment got a quote for one day (approx. $4,500) and filled out the low value purchase order form as the quote was for <$5,000.
Once they started using the equipment, it became clear that, due to recent and predicted rain adding difficulty to the work, they would need the equipment for around 10 business days. As they had already gotten the purchase order approved for one day, they assumed the same purchase order would be relevant for each day that the equipment was required.
The procurement team had checked the purchase order as part of their monthly review and seen the initial invoice for the first day which matched the purchase order and so ticked it off as compliant with the procurement policy. They hadn’t seen the other invoice for the rest of the work, as they had already found a matching invoice, therefore completing their review.
Finance also hadn’t noticed an issue, as they were told the purchase order was approved for each day and so released funds accordingly.
So, the cost ballooned to almost $50,000, which required a much more thorough procurement process, including a requirement to get at least 3 quotes to ensure value for money and a more senior level of sign-off, without anyone realising anything had gone wrong. The issue would eventually have been picked up when the finance and procurement teams did their more detailed annual reviews, but this would not prevent the issue, and it would mean other similar issues could continue to happen for months before being addressed.
Through our internal audit (just one of many ways to provide assurance), we identified the issue, diagnosed the control gap, and helped the client to improve the process and controls to prevent that particular issue from occurring again. Had the client had more thorough internal assurance processes (supported by an assurance framework), they may have discovered the issue much earlier.
What is an Assurance Framework and why is it important?
An assurance framework brings assurance to life in a way that is tailored to your organisation’s specific needs. Depending on the maturity of the business, and/or the resources available to develop and manage the framework, it could take the form of a simple document or series of documents, or an interactive intranet site, or it could be built into business systems, or any combination of those. As long as it documents the organisation’s approach to assurance, it can take whichever form fits best. The intent of an Assurance Framework is usually to provide information and guidance without being too prescriptive, providing flexibility for different business areas to apply assurance in the way that best suits their needs.
Having a defined framework for assurance in your organisation is important to provide clear and consistent expectations, structure, and guidance to support the implementation of assurance to enable more effective decision making. The increased formality and planning around assurance that comes with a framework also helps to improve assurance outcomes by enabling a comprehensive view of assurance across the organisation, encouraging a coordinated approach to ensure effective targeting of assurance based on risk level.
Although there is no one-size-fits-all assurance framework, a good assurance framework should include:
- Definition of assurance and policy statement outlining the expectations around assurance for the organisation.
- Clear roles, responsibilities, and lines of communication (The ‘Three Lines Model’ for governance and risk management from the Institute of Internal Auditors can provide a useful frame for this.)
- Resources, capabilities, and guidance needed to deliver effective assurance.
The best Assurance Frameworks also include:
- Practical guidance to make the framework a relevant reference point (and not just another policy collecting dust on the shelf). Short and sharp ‘quick reference guide’ style content can be really useful for staff when implementing the framework. Helpful topics include how to identify if you need assurance, the different forms of assurance and how to choose the most appropriate form for different circumstances, case studies of how to successfully apply the assurance framework in your organisation etc.
- An explanation of how assurance information will be used to benefit the organisation. This could include some form of assurance mapping or other process by which assurance gaps can be analysed to better target assurance and/or feed into planning for the internal audit program.
Better Practice Assurance
Now that we have a better understanding of assurance and assurance frameworks, we can start to explore what “good” assurance looks like. Assurance needs to be planned in order to be conducted effectively and efficiently. This ensures the right assurance is provided at the right time. To assist with assurance planning, we recommend building the following “assurance lifecycle” into your assurance framework.
Assurance lifecycle
At a high level, the phases of the assurance lifecycle are:
Phase 1: Identifying Assurance Needs
Organisations are complex. At any one time, there are likely many different services, programs, projects, business initiatives etc. being delivered. The purpose of this phase is to assess which of these activities are likely to benefit most from assurance. Some key criteria to consider in identifying areas of greatest assurance need include:
- Is the activity higher risk (e.g., large financial impact, public/media interest, political sensitivity, large impact on objectives, high consequence of failure etc.)?
- Is it a defined area of focus for the leaders of the organisation?
- Are there known issues or weaknesses in this area?
- Is this a new activity or has it recently undergone a change?
Phase 2: Understand Existing Assurance
Once areas of assurance need are identified, existing assurance arrangements and controls need to be understood to identify ‘gaps’, ensure there are no overlaps, and recognise where existing assurance can be leveraged. Key questions to ask in this phase include:
- What controls (if any) are in place that are relevant to the identified areas of assurance need? Have these been tested recently?
- What assurance activities (if any) have been conducted in that area in the past 12 months? Do they provide a satisfactory level of confidence?
- What assurance activities (if any) are planned for the next 12 months? Do they provide a satisfactory level of confidence?
- Have any similar projects/programs/functions got any relevant recent or planned assurance activities? Is there an opportunity to cooperate on or leverage these activities?
Phase 3: Prioritise Through Risk
Although there may be many areas identified that would benefit from assurance, it is generally not cost or time-effective to provide assurance over all of them. So, once assurance requirements have been identified, they must be prioritised to ensure resources are allocated to the assurance activities that will be of greatest value to the organisation. A risk assessment using the organisation’s risk matrix will assist prioritisation.
Phase 4: Undertake Assurance
The prioritised assurance requirements are then considered against different assurance approaches to identify the appropriate form/s of assurance and the associated methodology to ensure the ‘right’ assurance is undertaken to achieve the desired level of assurance confidence. Once these decisions have been made, it’s time to start conducting your assurance!
Phase 5: Reporting and Monitoring
For assurance to add value, the outcomes need to be captured and shared. Different types of assurance will require varying degrees of formality in reporting, ranging from simple checklists or dashboards, through to detailed formal reports. Reporting should follow a format that best facilitates communication of the assurance information with relevant stakeholders to support timely decision making.
Phase 6: Implementing Recommendations and Continuous Improvement
The true benefit of assurance comes from taking the findings, identifying improvement opportunities, and implementing them as soon as possible to continuously improve the organisation. A continuous improvement approach is crucial for organisations to stay relevant and successful in our ever-changing social, economic, political, and technological environment. It is important to allocate clear responsibilities and time frames for implementing recommendations so that assurance value is not lost.
Key challenges in implementing assurance
- There is a cost associated with assurance. Depending on the types of assurance, it requires time and effort from staff, and/or fees for external providers. Assurance costs need to be factored into business planning.
- It can be a challenge getting broad buy-in from staff. People will need to be convinced of the value of assurance and understand why they are being asked to do it. If this isn’t effectively communicated, they will see it as just another tick box exercise that is perceived to waste their time. They will either make excuses to not do it (we have other much more important priorities!), or they will do it poorly with bare minimum effort to tick the box.
- Assurance requires certain skills and capabilities. There are many different forms of assurance, each requiring certain knowledge or skills. These can range from more general skills like critical thinking, attention to detail, and research, through to specific skills or knowledge such as data analysis, business analysis, financial analysis, risk management and internal audit expertise, knowledge of specific standards or better practice guidelines etc. Assurance needs to be factored into resourcing and staffing planning to ensure people with the right skills are available.
- Assurance relies on access to useable and useful information/data. It may require some work to set up collection mechanisms to extract the necessary data, particularly where assurance requirements weren’t considered at the time of designing processes and/or systems.
An assurance framework helps to address some of these challenges by setting the foundations for a shared organisational understanding of assurance, including roles, expectations, resources and capabilities. However, a framework alone will not solve everything. To effectively implement an assurance framework (like any business change) will require a coordinated change management and communications plan to bring staff along for the journey.
To help tailor an Assurance Framework to meet your needs and add value, and/or assist in the change management and communications to roll it out across the organisation, you may want to enlist an external provider. Sententia Consulting has highly experienced assurance specialists who have designed and implemented Assurance Frameworks and are available to assist your organisation. Reach out today to find out how we can help.
Author: Mark Harrison
Over the last year the COVID-19 pandemic has spread across the world at an unparalleled pace, bringing a level of disruption and devastation that will shape a generation and define the global social and economic landscape for at least the next decade. Although impacts have varied from country to country, the world has collectively experienced a profound change and a new era of ‘never normal’ is predicted, characterised by unpredictability and fast changing shifts in cultural norms, societal values, and behaviours. So, what lessons can we take away from what we have experienced so far and what role can internal audit play?
Impact
The impacts of COVID-19 have been varied and far reaching, with repercussions for health, social, economic, and business outcomes.
Health
There have been an extraordinary number of infections and deaths from COVID-19; however, the pandemic has also contributed to other health impacts. For example, fear of exposure to COVID-19 or lack of accessibility to medical professionals has led some to miss out on treatment for other conditions, and mental health has deteriorated as a result of worsening economic conditions and social isolation.
Social
The pandemic has caused significant social changes both through formal rules and restrictions in place, and informal changes due to social pressure or health concerns. There has been an increase in social isolation (especially for people with disability and the elderly), unemployment, and homelessness, as well as profound changes to work and schooling as many places moved to remote environments, in some cases exacerbating existing inequalities and placing increasing strain on families and communities trying to adjust to these new ways of existing together.
Economic
Through border closures, government-imposed lockdowns, health risks and fear of infection, social pressure to stay home, job losses, need for public investment etc., the virus has also contributed to significant economic changes that have shaped the last 12 months and will continue in some form for at least the next few years.
Business
The combination of these varied health, social, and economic impacts is having a profound effect on strategy, customers, workforce, operations, finance and technology for businesses and organisations around the world, requiring fast-paced and repeated adaptation.
Lessons learned
Observing successful and less successful adaptations to the pandemic, some general lessons emerge:
- Move at the customer’s pace
- Have a globalised mindset
- Identify the right platform, data, and technology
- Build an augmented workforce strategy
- Think about the future in a different way
However, in addition to these general lessons, it is important for organisations to understand and evaluate their own pandemic response to identify important lessons that relate to their own unique circumstances. This is where internal audit can help.
Role for Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. With this skill set, internal auditors are well placed to conduct a post-crisis review focusing on an organisation’s pandemic response which can be a highly valuable exercise to assist the organisation to better adapt to future impacts whether pandemic related or not.
A post-crisis review would typically go through the following steps:
- Documentation of the response – Typically the documentation of key decisions and response features is poor – as the focus is more on survival and less on accountability and transparency. Documentation is important as it may be relied upon in future inquiries or legal matters.
- Technical investigation of the cause – An investigation of cause will be of greatest value if impact on the organisation is disproportionately higher than for similar or related organisations. A “root cause analysis” is an effective approach to use here.
- Quantification/explanation of impact – While most business leaders will be well across the impacts of the pandemic, there will be instances where leadership is so deep in the tactical response that they cannot see the longer-term and strategic impact. Although not a “typical” internal audit output, internal audit can add value in these circumstances through a research or issues paper to prompt discussion, or facilitation of an executive workshop.
- Assessment of the effectiveness of the response – This is a “typical” structured lessons learned project, which assesses the actions taken against a normative model. Assessments should be cognisant of the circumstances in which actions were made in order to be sympathetic and realistic.
- Enhance organisational resilience – Organisational resilience is “the ability of an organisation to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.” An engagement that brings learnings from the broader analysis of impacts on business, as well as the experiences facing the organisation, and takes both a historical perspective and a forward-looking perspective will have the greatest potential impact on organisational resilience.
Key challenges and better practice
For a lessons learned activity such as a post-crisis review to be effective, an organisation should consider the following factors:
- Does the organisation have a learning environment? Without that it is difficult to gain traction.
- There must be accountability for acting on the lessons and lessons must be genuinely embedded. (Many of the lessons of previous pandemics have been forgotten).
- Data collection needs to be structured.
- For maximum impact, aim for a combination of top-down and bottom-up.
- Ensure the project has leadership sponsorship.
- Bring in expertise as required to ensure capability and credibility.
- Be clear on the value you are proposing to add.
- Be practical – theoretical constructs will not be seen as helpful.
- Be sympathetic and balanced.
- Focus as much on positioning the organisation for the future, as commenting on the past.
- In conduct and reporting, be conscious of the operating environment.
- Every single lesson does not need to be acted upon – focus on a few most valuable lessons for action.
A normative model of better practice crisis response
The following key principles can be used to guide a post-crisis review of an organisation’s performance in response to the pandemic (or any other crisis).
- Strong, active organisation leadership with the right capacity, capability, engagement, and focus.
- Clear governance arrangements which take effect early and are applied consistently.
- Clarity of roles and expectations for direction from, and information to, the Board.
- Timely and robust documentation of key decisions and actions taken to ensure transparency and accountability.
- Relevant (principles-based) planning (preparedness, operational response, risk) in place and understood to guide the organisational response.
- Redundancy in key roles in case of infection or requirement for a break.
- Timely implementation of non-medical risk mitigation strategies to reduce infection and maintain business continuity.
- Supply chains are reinforced to support reliable access to necessary equipment and materials through the pandemic.
- Nimble and adaptive leadership approach with continuous sensing and response.
- Reliable access to relevant and timely environmental and operational information and data to support decision making.
- Create capable capacity that leads key disciplines essential to the response.
- Creative and collaborative yet disciplined (and risk-aware) problem solving – quickly.
- Internal and external communication that is clear, disciplined, frank, consistent, timely and empathetic – educate, ameliorate fears, engender trust and enable people to remain connected.
- Relevant policy changes are made and published on a timely basis (privacy, hygiene, leave, amongst others).
Depending on resourcing and capability, a post-crisis review could be conducted internally or through engagement with an external provider. Sententia Consulting has capability and experience in this area and would be happy to assist your organisation. Contact us to find out how we can help you today.