Many companies still do not have an effective model to provide overall assurance regarding corporate strategic risks. Unlike in the past, this function can no longer be left just to the internal audit and external teams to give assurance and provide boards with sufficient peace of mind.
“This observation is rather concerning, given that combined assurance is one of the requirements of the King III Code and Report on Governance Principles,” says Oupa Mbokodo, senior manager at Grant Thornton Business Risk Services in Johannesburg.
Combined assurance is the process of helping organisations to understand overall levels of assurance and where they would need to improve or address these levels to manage organisational risk.
Mbokodo explains that this function is assigned to audit and risk committees who ensure that assurance is provided. While the King III Report on Governance Principles still puts the responsibility for assurance with audit and risk committees, it asks for a more holistic approach to providing assurance.
“The problem with how things were done in the past is that risk assessment and assurance happen in silos. The different subcommittees then don’t have a view of how the risks – including external factors – ultimately impact on the organisation,” he says.
He believes a more logical approach would be to start with the organisation’s senior executives identifying what the ten greatest strategic risks are and then ascertaining who the correct people are to give assurance about those.
“Once one knows what the company’s strategy is, it is much easier to identify the risks aligned to that strategy. These are basically the things that keep senior management and the board awake at night.”
According to Mbokodo, organisations find the implementation of combined assurance challenging.
“We have developed a method for our clients of identifying all company risks at the different levels and putting them in one dashboard. We have found that this is a good way of always being aware of what the risks are, where there is assurance, at what level it is and whether it is adequate.
“The benefit is that we can start at a small level with just the ten or twenty high risks, because it can seem a bit daunting at first. From there you can begin to focus at deeper levels within the organisation,” he says.
The combined assurance approach results in gaps or instances of over-assurance being identified and addressed accordingly. Many people have asked whether a combined assurance approach would result in a reduced external audit fee. While this method of assurance might come with increased costs of providing assurance or advisory fees, Mbokodo warns that this should not be the issue and that the focus should rather be on overall level of assurance at a strategic level.
“This is not just about complying with the Code – it ultimately makes business sense,” he concludes.