The Whole Truth, and Nothing but the Truth!
All too often, Boards and management receive conflicting versions of the truth when it comes to assurance. This is partly because some assurance functions, such as risk management and compliance, are interwoven into the management structure and report directly to management, whereas internal audit, for instance, is considered an independent and objective assurance function reporting, functionally at least, to the Board and the Audit Committee of the Board. However, navigating through conflicting information and trying to make sense of it in the quest to find the real version of the truth is not always the best use of management’s and the Board’s time and resources.
There should be strong alignment between these assurance functions, with clear rules of engagement and a combined effort to ensure that management and the Board receive one version of the truth when it comes to risk assurance. This not only helps management and the Board get a clear understanding of the risks the business is facing and how well they are being managed, but also helps them utilise their time and resources more effectively and avoid duplication of effort across these assurance activities.
This does not imply that internal audit, for example, should abandon or dilute its independence and objectivity. It would also be expected to provide assurance on the adequacy and effectiveness of some of the other assurance functions, such as risk management and compliance. Nevertheless, there should be a good dialogue and agreement between these functions on the state of the business’ governance, risk, and control environment, an aligned opinion on what works and what does not, shared insights on (real)