ICAEW.com works better with JavaScript enabled.
Exclusive

Integrated vs. coordinated assurance: Which is for me?

Author:

Published: 09 Apr 2024

Exclusive content
Access to our exclusive resources is for specific groups of students, users, subscribers and members.
As organisations strive to enhance their risk management and governance practices, the concepts of integrated and coordinated assurance have gained prominence.

There is a growing recognition of the need to establish a clear system of internal control, not least in the context of the refreshed UK Corporate Governance Code. This requirement is being discussed in a multitude of events and conferences at present. It requires organisations to be clear about their intentions for internal controls and risk management, and to carefully select the frameworks they wish to adopt.

Three lines to success

The Institute of Internal Auditors advocates for a Three Lines model. In this model the first line is responsible for performing the controls, the second line for monitoring effectiveness and the third line provides objective assurance that tests, challenges and provides assurance in respect of the board’s risk appetite and management system.

Both integrated and coordinated assurance aim to optimise monitoring and assurance activities and promote effective risk management. They are designed to enable the job of ensuring the organisation is managing risks within appetite to be performed efficiently while obtaining the appropriate level of coverage and scope. However, these approaches differ in their objectives and implementation strategies. In this article, we explore the key distinctions and discuss their respective benefits and challenges.

Integrating assurance seamlessly

Integrated assurance involves the seamless integration of various monitoring and assurance functions, including internal audit, compliance, risk management, and other assurance providers, into a unified framework. This approach seeks to consolidate assurance activities to provide a comprehensive and holistic view of organisational risks and controls. It is intended to eliminate silos and promote collaboration and alignment of objectives.

In an integrated assurance model, the company may adopt common methodologies, standards, and processes to ensure consistency and comparability of assurance activities. This can enable standardised risk assessments, control evaluations, and reporting formats. Within this model the sharing of resources, expertise, and best practices is encouraged. By leveraging synergies organisations can optimise the allocation of resources and enhance the quality and depth of assurance coverage.

The holistic perspective enables organisations to identify interdependencies, emerging risks, and systemic issues that may not be apparent when conducting isolated assurance activities. However, there can be concerns that this approach places reliance on functions that are not subject to the same quality assurance as the third line, governed by expectations set up the Internal Audit Standards and Code of Practice for Internal Audit. Directors are unlikely to have the same level of confidence in the outputs or insights. Second line activity is also more focussed on testing the operating effectiveness of controls as defined by organisational policies, meaning that critical defaults in their design are overlooked.

Coordinated, combined and aligned assurance

Coordinated assurance, on the other hand, focuses on combining and aligning assurance activities across different monitoring and assurance functions while maintaining their independent and distinct roles. Unlike integrated assurance, which seeks to merge assurance functions within a single framework, coordinated assurance aims to optimise collaboration and communication among the second and third line while preserving their autonomy. 

Coordinated assurance emphasises collaboration and communication among assurance and monitoring functions. This collaborative approach enables the sharing of information, insights, and resources to enhance the effectiveness of monitoring and assurance activities. Coordinated assurance maintains clear delineation of roles and responsibilities between second- and third-line functions to preserve their independence and objectivity. While collaboration is encouraged, each function retains autonomy in developing methodology, conducting assessments, making recommendations, and reporting findings.

Coordinated assurance requires a risk-based approach to prioritise assurance activities in the third line and allocate resources effectively. Second line functions will perform a variety of monitoring and assurance activities following their methodology and approach, including cyclical coverage and compliance testing. The alignment of third line assurance efforts with the organisation's risk profile and strategic priorities ensures the overall coordinated assurance picture focuses on areas of greatest concern while avoiding duplication of second line efforts. Harmonised assurance plans that reflect the collective priorities and objectives of the organisation can be developed ensuring that activities are complementary and aligned with the organisation's overall goals and objectives.

A coordinated assurance approach is more likely to be acceptable to regulators who want to see clear separation between lines of defence. They are keen to maintain the integrity and objectivity of internal audit in accordance with the Internal Audit Code of Practice. With this model, as with integrated assurance, internal audit will play an important role in assessing the quality and effectiveness of the activities performed by other functions and reporting this through to the Audit Committee and the Board.

Making thoughtful choices

Integrated and coordinated assurance represent two aligned yet distinct approaches to optimising monitoring and assurance activities and promoting effective risk management. When considering which approach to adopt, organisations may wish to consider:

Two complementary approaches

Integrated and coordinated assurance represent two complementary approaches. Integrated assurance can be significantly more efficient enabling directors to look through the third line to also rely on second line functions without repetition. However, there are risks associated with this, both in respect of stakeholder acceptability and the lack of professional status, qualifications and methodology in second line functions. Directors need to evaluate their culture, structure, resource availability, regulatory requirements, and risk management objectives when determining which approach best suits their needs. By adopting a strategic and tailored approach to assurance optimisation, organisations can enhance their ability to identify and mitigate risks, drive performance improvement, and safeguard stakeholder value.

 
Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250