Audit Committees 2012
BREAKOUT 2:
Getting the most from your assurance sources
Speaker: Bill Gill, Director, BG Audit and Consultancy
Chair: Kelsey Walker, Strategic Regulation Manager, Homes and Communities Agency, The Social Housing Regulator
BG AUDIT & CONSULTANCY
Session
Assurance – key message within HCA new regulatory framework
Maximising effectiveness and efficiency
Practical solutions on how to maximise outputs
Ensuring focus remains on key business objectives and risks
What has been going on in the outside world?
Government policy
New regulatory regime
Economic and consumer standards
New standard on value for money
Focus on financial governance
Risk based model
Limited resource to return to detailed regulation of the past
HCA stretched due to complexity of issues
Regulation
Boards assumed to be in control
Assurance needed on:
Key risks
Systems of internal control
Governance arrangements
Achievement of organisational objectives
Customer service
Staff satisfaction
Key regulatory questions
Appropriate strategic business plan?
Understand external operating environment and markets?
Financial plan supports delivery of strategic objectives?
Understand risks to delivery of objectives and get sufficient assurance.
Demonstrate value for money?
Track record of delivery?
Transparent and accountable and uses challenge to drive up performance?
Organisation effectively led and controlled?
Co-regulation
HCA need to provide assurance to external stakeholders and investors
Minimise regulatory interference by understanding what regulator needs in terms of assurance
Benefits accrue to the organisation
Board increase comfort levels
Customer scrutiny of consumer standards
HCA focus
Clearly on financial governance
Increasing complexity
Shotgun weddings not as straightforward any more
Boards do not want to get into this position
Quality, independent assurance provides a solution
Assurance
What is assurance?
Statement intended to inspire confidence
Freedom from doubt
What external agencies are looking for
Only ‘reasonable’ assurance/confidence
Assurance activity
Defined as:
“An activity providing objective and impartial information or an opinion relating to the adequacy and effectiveness of the processes and procedures in furtherance of the organisation’s objectives”
Assurance sources in the past
• External regulation
• Inspection regime
• External audit
• Internal audit
• Board oversight
• Service improvement
• Key performance indicators
Assurance sources in the future?
• Continuous auditing/control systems
• Information technology
• Smarter risk management (multi-variant sensitivity)
• Customer scrutiny reports
• External accreditations
• Outcome focused performance monitoring
Shift in resources
• Assurance wanted at lowest cost
• Lack of regulatory reporting
• Increasing complexity for Boards
• Need for customer focus at front-line
• How much assurance needed?
• Importance of co-ordination of effort
• Where is value obtained from?
Assurance provides
• Early warning system
• Ability to triangulate evidence
• Reality check
• Comfort to the regulator
• No total guarantee though
What does your Audit Committee do?
Standard practice
Reviewing out of date information
Look at documents in isolation
Fail to challenge consultants
Scopes of work, especially internal audit, not clearly understood or reviewed sufficiently
Focus on recommendations
Greater focus
Assurance co-ordination and reporting
Fraud investigation and reporting
Governance reviews
Value for Money remit
Closer involvement with information technology and people management
Greater role for Audit Committee within HCA regulatory framework
Performance and control
• Poor performance often sign of weak control or management issues
• Top performing organisations are self-aware about strengths and weaknesses
• Review performance of assurance providers
• Where is your assurance focused?
Times are changing
Regulation not providing level of assurance required
Need to provide assurance within business
External audit – more caveats less assurance
Internal audit – resources being reviewed
Resident scrutiny – key to assurance on consumer standards?
Continuous assurance
What are the issues
Real time assurance
Management information systems – are they adequate?
Performance management software – daily updates
Trigger points
Need to look at reporting detail/timescales
Focus on key risks/issues
Co-regulation
Boards responsible for meeting standards
Being transparent and accountable
Providers support customers to shape and scrutinise service delivery
Hold boards to account
Growth in influence of customers
Improving quality of scrutiny work undertaken
Real co-regulation
Do you utilise any customer scrutiny work within your annual assurance statement?
Are customer inspector/customer auditor reports reviewed when planning internal audits/service improvement reviews?
Are work plans shared and agreed at Audit Committee?
Does internal audit/service improvement work alongside scrutiny arrangements?
Are performance reports utilised by customers?
Risk Management
Strategic risks
Operational risks
Project risks
Managing dynamic risks?
What do you need?
Aware of environment
Well equipped
Experienced
Constantly monitoring situation
Scenario testing
Back up plan
Feel the fear and do it anyway!
Risk Register

| Risk No | Category | Risk | Brief Description | Inherent Impact | Inherent Likelihood | Inherent Score (I x L) | Existing Controls | Control Owner | Residual Impact | Residual Likelihood | Residual Score (I x L) | Key Actions Required | Responsibility | Deadline |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Governance | Lack of strategic direction | This may arise from a weak Executive or a weak Board and will lead to poor governance. This also can result from divisions within the Board. | 5 | 4 | 20 | Board training programme. Guidance on new regulatory framework. | Communications & Governance Manager | 4 | 3 | 12 | Board appraisal process. | Communications & Governance Manager | 01-Aug-10 |
| 2 | Governance | Fail to change the culture | Insufficient culture change will prevent NCH achieving its objectives and making the necessary step changes in performance and value for money | 5 | 4 | 20 | Corporate training. Appraisal and performance management system. | Director of Corporate Services | 4 | 3 | 12 | Complete cultural change programme. Implement a performance driven management system. | Director of Corporate Services | 01-Mar-11 |
| 3 | Governance | Lower political priority | Changes in national and local politics may reduce the importance given to housing. This may also have implications for the dowry. | 4 | 3 | 12 | Lobbying of local politicians. Community Cymru raising profile of social housing. | Chief Executive | 4 | 3 | 12 | Raised profile for social housing in South Wales | Chief Executive | 01/06/2011 |
| 4 | Governance | Reputation suffers | Poor decisions by the Board or the Executive result in the reputation of the organisation being affected. Also a breakdown in the relationship with the Council could affect reputation. | 4 | 4 | 16 | Regular meetings with the Council to keep them informed of progress. | Chief Executive | 3 | 3 | 9 | Better liaison with local Councillors | Chief Executive | 01/09/2011 |
Problem with registers
Often managed by a single person
Appear static
Input often only from senior staff
Regular (irregular) review
Escalations often outside the process
Limited linkage to ‘golden thread’
Can lead to ‘point in time’ risk management
Risk reporting
Often not formalised
Usually quarterly reviews of register by executives and Audit Committee
No formal reporting of progress in implementing controls
Not tied into other operational reporting
Often does not do anything to help embed risk into the business
Improved risk management
Multi-variant analysis – use software to assist
More discussion of ‘emerging risks’
Board members using time to scenario plan
Need to ask ‘what if and why’ rather than ‘when, how and what’
Horizon scanning vital
Board members can offer more value by looking at risks not already in the risk register
Solution: Continual risk management
Involvement from all levels within an organisation
Linkages to objectives at each level of the business
Regular reporting
Escalations built into the process
Embedded into the culture
A ‘living’ process
Performance management systems
Proliferation in recent years
Many incorporate risk management modules
Enables organisations to maintain their ‘golden thread’ through a host of strategies and plans
Visual link to the objectives established by the Board
Advantages
Allows all parts of the business to collaborate
Enables visualisation of risks, improves transparency and visibility
Enables pro-active management of risks and controls on an on-going basis
Assists with bringing a consistent approach to assessment
Raises risk awareness throughout an organisation
Risk management – a way of life
Where do you get your assurance from?
• Management reports
• External accreditations
• HCA
• Customer scrutiny
• Benchmarking
• External audit
• Board review
• Other regulators
• Performance management
Assurance maps
‘Three lines of defence’ mapping for key strategic risks
Assurance co-ordination mapping across business
Extrapolation of risk register with objectives, risks and controls
Three lines of defence
First line: business operations – risk and control in the business (Risk control)
Second line: risk management and compliance functions (Risk management)
Third line: internal audit and other independent assurance providers (Risk assurance)
Ensure appropriate mix of coverage
Assurance co-ordination
Areas of the business, linked to strategic objectives
Mapped against sources of assurance
Consider quantity and quality of assurance
Cost of each form of assurance can also be considered
Provides picture of assurance gaps and also time and cost of gaining assurance
Putting a value on assurance
Have you evaluated how else the association could obtain the assurance provided by internal audit?
Have you identified the level of assurance that the Board are satisfied with and hence the level that internal audit needs to provide?
Is the organisation maximising the assurance from other sources?
Internal audit
• Audit scopes ambiguous
• Fail to cover what they say they do
• Too many control failures occur in areas that internal audit have reviewed
• Quality rarely really assessed
Future of assurance
• Audit Committees in control
• Objective rather than subjective decision making
• Intelligent controls required rather than layers of management
• Close influence on where assurance time should be spent
• Report back on where actually spent
Quotes
“Yes, risk taking is inherently failure-prone. Otherwise, it would be called sure-thing taking.”
Jim McMahon
“Take calculated risks. That is quite different from being rash.”
General George S Patton
Conclusion
Audit Committees define the level of assurance they want
Internal audit main source but customer scrutiny useful addition
Important to get value from assurance
Match skills and cost to level of risk and complexity
Self awareness is the new scrutiny – look before you leap!
Any comments/questions?