There is a growing recognition of the need to establish a clear system of internal control, not least in the context of the refreshed UK Corporate Governance Code. This requirement is being discussed in a multitude of events and conferences at present. It requires organisations to be clear about their intentions for internal controls and risk management, and to carefully select the frameworks they wish to adopt.
Three lines to success
The Institute of Internal Auditors advocates for a Three Lines model. In this model the first line is responsible for performing the controls, the second line for monitoring effectiveness, and the third line for objective assurance: it tests, challenges and provides assurance in respect of the board’s risk appetite and management system.
Both integrated and coordinated assurance aim to optimise monitoring and assurance activities and promote effective risk management. They are designed to enable the job of ensuring the organisation is managing risks within appetite to be performed efficiently while obtaining the appropriate level of coverage and scope. However, these approaches differ in their objectives and implementation strategies. In this article, we explore the key distinctions and discuss their respective benefits and challenges.
Integrating assurance seamlessly
Integrated assurance involves the seamless integration of various monitoring and assurance functions, including internal audit, compliance, risk management, and other assurance providers, into a unified framework. This approach seeks to consolidate assurance activities to provide a comprehensive and holistic view of organisational risks and controls. It is intended to eliminate silos and promote collaboration and alignment of objectives.
In an integrated assurance model, the company may adopt common methodologies, standards, and processes to ensure consistency and comparability of assurance activities. This can enable standardised risk assessments, control evaluations, and reporting formats. Within this model the sharing of resources, expertise, and best practices is encouraged. By leveraging synergies organisations can optimise the allocation of resources and enhance the quality and depth of assurance coverage.
The holistic perspective enables organisations to identify interdependencies, emerging risks, and systemic issues that may not be apparent when conducting isolated assurance activities. However, there can be concerns that this approach places reliance on functions that are not subject to the same quality assurance as the third line, which is governed by expectations set out in the Internal Audit Standards and Code of Practice for Internal Audit. Directors are unlikely to have the same level of confidence in the outputs or insights. Second line activity is also more focussed on testing the operating effectiveness of controls as defined by organisational policies, meaning that critical defects in their design are overlooked.
Coordinated, combined and aligned assurance
Coordinated assurance, on the other hand, focuses on combining and aligning assurance activities across different monitoring and assurance functions while maintaining their independent and distinct roles. Unlike integrated assurance, which seeks to merge assurance functions within a single framework, coordinated assurance aims to optimise collaboration and communication among the second and third line while preserving their autonomy.
Coordinated assurance emphasises collaboration and communication among assurance and monitoring functions. This collaborative approach enables the sharing of information, insights, and resources to enhance the effectiveness of monitoring and assurance activities. Coordinated assurance maintains clear delineation of roles and responsibilities between second- and third-line functions to preserve their independence and objectivity. While collaboration is encouraged, each function retains autonomy in developing methodology, conducting assessments, making recommendations, and reporting findings.
Coordinated assurance requires a risk-based approach to prioritise assurance activities in the third line and allocate resources effectively. Second line functions will perform a variety of monitoring and assurance activities following their methodology and approach, including cyclical coverage and compliance testing. The alignment of third line assurance efforts with the organisation's risk profile and strategic priorities ensures the overall coordinated assurance picture focuses on areas of greatest concern while avoiding duplication of second line efforts. Harmonised assurance plans that reflect the collective priorities and objectives of the organisation can be developed, ensuring that activities are complementary and aligned with the organisation's overall goals and objectives.
A coordinated assurance approach is more likely to be acceptable to regulators who want to see clear separation between lines of defence. They are keen to maintain the integrity and objectivity of internal audit in accordance with the Internal Audit Code of Practice. With this model, as with integrated assurance, internal audit will play an important role in assessing the quality and effectiveness of the activities performed by other functions and reporting this through to the Audit Committee and the Board.
Making thoughtful choices
Integrated and coordinated assurance represent two aligned yet distinct approaches to optimising monitoring and assurance activities and promoting effective risk management. When considering which approach to adopt, organisations may wish to consider:
- Organisational culture and structure: organisations with a centralised governance structure and a strong culture of collaboration may be better suited to an integrated assurance approach. Those with a decentralised structure and a preference for maintaining independence among functions may opt for coordinated assurance.
- Resource availability and capabilities: the availability of resources, expertise, and technology infrastructure may influence the feasibility of implementing integrated or coordinated assurance. Integrated assurance requires investment in integrating systems, processes, and methodologies, while coordinated assurance may be more agile and feasible in resource-constrained environments.
- Regulatory and stakeholder expectations: some regulatory frameworks prescribe specific requirements for the independence and objectivity of second- and third-line functions, limiting the extent to which integration can be achieved. This is the case in the UK for most financial services companies. Similarly, wider stakeholders may have varying preferences for the level of integration or coordination of assurance activities based on their risk tolerance and governance expectations.
- Risk management objectives: organisations should assess their risk appetite, tolerance for complexity, and desired level of assurance coverage to determine the most suitable approach for optimising assurance activities.
Two complementary approaches
Integrated and coordinated assurance represent two complementary approaches. Integrated assurance can be significantly more efficient, enabling directors to look through the third line to also rely on second line functions without repetition. However, there are risks associated with this, both in respect of stakeholder acceptability and the lack of professional status, qualifications and methodology in second line functions. Directors need to evaluate their culture, structure, resource availability, regulatory requirements, and risk management objectives when determining which approach best suits their needs. By adopting a strategic and tailored approach to assurance optimisation, organisations can enhance their ability to identify and mitigate risks, drive performance improvement, and safeguard stakeholder value.