There is a great need to change the way we approach the assessment of internal controls, which includes how we consider, find solutions to and report on limitations and weaknesses in internal controls. The following need to be in place:
- Collaboration between management and assurance providers
- An acceptance of the value of the audit process whether it’s internal audit or external audit
- Teamwork to the extent that it promotes good governance taking independence into account
- A consistent understanding and acceptance of the roles of each party in the various lines of defence
- Regular and focused interaction throughout the year, and
- Balanced reporting
If we don’t have most if not all of the above in place, then the audit process will not do justice to reporting accurately and in a manner that will contribute to building sound controls or aid in continuous improvement within the control environment. It rather becomes a routine event that is procedural in nature. I will cover some of these aspects below.
Starting with the end in mind, assurance providers submit an audit completion report with known limitations and weaknesses to those charged with governance after having discussed these with management. The format of these reports is fairly consistent and has not changed significantly over the years. The reports include an ‘observation’, ‘root cause’, ‘effect’, ‘recommendation’ and ‘management comment’ section. This format of reporting forces the reader to read the sections in isolation from each other. The reader is then required to reach a collective conclusion on the overall finding whilst trying to interpret how the context of each section influences the view of the matter that has been raised. This format makes it difficult to reach an overall opinion or to influence any recommendations. Often the reader may stop at the observation section, only for management to defend themselves or to alert the reader to their comment.
I believe the format of this reporting must be changed to present an easier summary of the matters at hand and to reflect a balanced view without abdicating any responsibility or accountability on the part of management. This approach would promote greater collaboration and help to prevent an ‘us’ and ‘them’ situation between management and the assurance providers.
Leading on from the above, ‘combined assurance’ is a great principle, but it can only be successful if sufficient effort is directed towards this by all parties that contribute to the model. It cannot be something that is prepared by one party and circulated to other parties to provide input and commentary. Combined assurance should be facilitated through a workshop to discuss and agree on a model, the principles, responsibilities and timeframes. At the outset, there should be a meeting of minds on the purpose, functionality and fit-for-purpose nature of the model. A committee should be formed incorporating assurance providers and key management who will meet regularly to manage and monitor the model subsequent to the workshop.
As this model plays a key part in promoting an effective and efficient control environment, those charged with governance should be involved in providing input in setting up such a committee and determining its roles with the ultimate goal of achieving an effective combined assurance model.
This approach will also promote greater transparency and timeous notification of matters by management, who would have the comfort in alerting assurance providers and those charged with governance of issues without fear of what this could mean for them. Ultimately, this will all lead to greater collaboration, better understanding of key risks as well as facilitation of practical recommendations to control shortcomings. This approach will result in a report to management and those charged with governance in a format that is balanced and recommendations that are practical and feasible for the organisation, so that those charged with governance can better understand reportable matters in order to provide the required guidance over recommendations and the appropriate oversight.
Danny Naidoo CA(SA), Partner at Mazars and an independent Audit Committee member