Audit and assurance: building trust through better information

Improving engagement through better information is what underpins Restoring Trust in Audit and Corporate Governance, says Carolyn Clarke.

She is a member of ICAEW’s Internal Audit Panel, on the Council of the Chartered Institute of Internal Auditors, a member of the steering group that developed the Institute of Internal Audit’s Code of Practice for Internal Auditors, Chair of Care International UK, has 19 years in practice under her belt with PwC, and is an independent consultant advising on audit, risk and control. In this capacity she worked with ICAEW’s Audit and Assurance Faculty on the recently-published faculty report ‘Developing a Meaningful Audit and Assurance Policy’, although the views she expresses in this article are her own. 

“The audit and assurance policy provides a vehicle for better corporate information,” she says. “To my mind, it should be seen as the glue that holds the rest of the consultation together for internal preparers of information.” 

“The document talks about building trust through enhanced information that, firstly, meets the needs of shareholders and investors, secondly goes beyond that to meet the needs of groups like employees, creditors, suppliers and wider society,” she says. “In contemplating that additional information – be it alternative performance measures, key performance indicators, or the increased requirements for supply chain practices in the resilience statement – the consultation document says that companies should then, in the audit and assurance policy, explain how they show confidence that this information is appropriate, accurate, balanced and protects stakeholders.”

She points out that, while the consultation document talks specifically about the requirements of the policy, it also contains references to it throughout, implying, she suggests, that the audit and assurance policy could become key to companies’ evaluation of the information they are putting out going forward. 

“Importantly, this information will include the things that a company says about its risks,” she adds. “Companies are already required to disclose their principal risks, their appetite for risk and the way in which they mitigate those risks, but what they don't do at the moment is join the dots between that disclosure, disclosures in terms of financial and non-financial metrics, the way in which companies talk about their systems of internal control, and the nature of their external audit and internal audit functions.”

She explains that the role of the audit and assurance policy is to create a coherent picture that enables companies to understand their risk profiles, which risks they will take to meet their strategic outcomes, why they take those risks, what are the parameters in which risk is taken, which risks they will not take, how risks are mitigated, and so on. All this “confidence-creation” is then delivered to stakeholders through the lens of the Board, which is usually represented by the Audit Committee, headed by the Chair.

“A lot of that information is already out there, but it's very hard to follow,” says Clarke, adding that when ICAEW’s Audit and Assurance Faculty consulted about how an audit and assurance policy methodology could work there was feedback that, even internally, it is often unclear how all this information comes together.

“In a smaller and less complex company environment, where you have a limited number of business streams and products, in a limited number of environments or countries, creating a two-dimensional map of how you achieve that audit and assurance policy is not too difficult,” she says. “But when you look at large and multinational companies, it is a really difficult thing to do.”

She says the message to all companies is: get on top of understanding your business environment, create those assurance maps that tell you who provides you with comfort that your risks are being managed in the way you think they are, be confident that the disclosures and the information that you're putting out are accurate and fair, and understand how all this fits together.

“We’ve talked about lines of defence for a long time. Most companies do adopt some form of lines of defence model, and some discuss the fourth line as being external audit or independent audit, while others take a slightly different framework approach, but very few really understand how all of that really operates,” she says.

Although Audit Committee Chairs are accountable for the policy and signing off the annual report and accounts, Heads of Internal Audit have a key role to play regarding the audit and assurance policy, as the eyes and ears, and trusted advisor, of the Audit Committee Chair.

 “The Chair of the Audit Committee will be accountable for the policy and will sign it off in the annual report and accounts. Therefore, the Head of Internal Audit should understand the complete picture and should adapt their third-line audit activity to reflect what's happening in the first and second line as a consequence of working alongside other independent providers,” she says.

But internal audit is not a mandated function – some organisations have no such function while others outsource it entirely – and for those companies without it, this could present challenges to having an effective audit and assurance policy. “But you have to have a properly resourced, objective audit and assurance function to pull this together, and it has to go beyond the finance function to cover all principal risks,” she says. What is more, at present, there is no single software application that can offer a solution to this information-gathering and assuring need. “Developing tools – that will enable this assurance mapping exercise to become much more tangible – has really accelerated,” she says. “The question is: when will they be cost-effective and affordable beyond the biggest companies – who are building their own tools anyway.”

The ideas expressed in this article are not necessarily the views of ICAEW.

ICAEW wants to ensure members have their say on the upcoming consultation around restoring trust in audit and corporate governance. To do so, please share your thoughts via this feedback form. We cannot guarantee all responses will be incorporated in ICAEW's final submission but they will all be read and considered. 

Have your say - audit and corporate governance reform: ICAEW is running two webinars to give members the opportunity to have their say on the proposals, its impact, and the direction of travel. Times and links are below:

• 8:00-9:00 - Monday 26 May 2021
• 16:00 - 17:00 Tuesday 27 May 2021