Aligning risk reporting with audit and assurance
10 August: More needs to be done to link audit and assurance with reported risks. ICAEW is undertaking a major project to find out how to do this practically.
There is much vital assurance activity that is currently underreported. The word ‘assurance’ is not readily understood, and some forms are very informal such as verbal or written representations provided by management to company directors and other third parties. More often than not, it is unconnected to reported principal risks.
ICAEW and other organisations have highlighted the need for more connectivity between risks, mitigations and assurance. In 2019, the Institute issued a thought leadership report on user-driven assurance as well as the practical guidance contained in The Buyers Guide to Assurance. Sir Donald Brydon, architect of the Brydon Report into the future of audit, went further, recommending a three-year rolling Audit and Assurance Policy that is publicly published and discussed with shareholders.
The COVID-19 pandemic has made clear the necessity for focussed attention on risk management and business resilience. Stakeholders, be they customers, suppliers, regulators, activists, investors, or company directors, are expressing increased interest in the risks that organisations take. Audit and assurance are critical to providing confidence that the right level of risk is being taken and that undesirable risks are being reduced to an acceptable level.
New research for practical principles
ICAEW has commissioned research to consider the Brydon recommendations and the potential value of a published Audit and Assurance Policy Report. The intention is to develop practical recommendations and principles that can be adopted by all organisations and bring about transparency in the reporting of assurance over how risks are mitigated.
The benefits might include transparency over how risks are being assured to inform the level of confidence stakeholders should have in relation to management’s risk responses.
It could result in systematic mapping of all structured audit and assurance activities to the reported principal risks, creating a more action-orientated view on risk management, or include the needs of a wider range of stakeholders in the reporting of audit and assurance activities, beyond the financial lens currently applied.
It could also provide visibility of the wider range of assurance available beyond the statutory audit opinion, increase clarity around the process of scenario analysis and testing applied in the consideration of operational resilience and viability analysis, and give greater accountability for all providers of assurance, both internal and external.
There will clearly be concerns over the adoption of these recommendations. The research project is designed to flush out these concerns and seek pragmatic and proportionate solutions to enable the benefits of enhanced reporting while avoiding unintended costs and consequences that yield little value.
In reporting on the findings, we will seek to provide a framework of principles – not a tick-box template or set of rules – that organisations might adopt in developing their policy and reporting.
We welcome all views and would encourage you to take part in this debate and contribute to this important opportunity to create real transparency.
We will release a questionnaire in mid-August. To register your interest to respond to the questionnaire please email firstname.lastname@example.org