Total assurance picture

Does the committee have a “total assurance” picture?

The total assurance framework comprises all of the assurance activities that are provided or carried out throughout an entity. If an audit committee is aware of the total assurance picture, it is able to allocate the right level of resources to manage the entity’s risks. These activities are carried out by other assurance providers as well as through the internal auditor’s programme of work.

The diagram below shows the types of assurance activities that contribute towards a total assurance framework.


The audit committee does not have to deal with all the topics and parts of an assurance picture, but it should know that the organisation has assurance over all of these aspects.

We have been told that many entities have struggled to articulate their total assurance framework.

For some audit committees, the internal auditor will table their internal audit programme with no or limited reference to other assurance activities. Generally, the other main provider of assurance to the audit committee is the external auditor in relation to the financial statements.

When an entity is unable to articulate its total assurance framework, the audit committee can receive limited assurance about key risks and issues.

This means the entities will have limited success in identifying and recording their total assurance framework. This is because many business units procure assurance independently, and thus no one part of the organisation maintains an overview.

The internal audit function is a logical place to maintain this overview and report to the audit committee. No matter how this assurance is obtained and monitored, the framework is useful for checking that a complete picture is being acquired.

Also, identifying those who have provided assurance can give an organisation comfort that it is obtaining its assurance needs efficiently. 

For example, financial records are not always clear because assurance activity is often bundled into one general ledger code called “consultants and contractors” or charged directly to a project.

These practices make it difficult for audit committees to obtain the full picture of assurance activities and their full costs. This situation is exacerbated when an entity has no internal audit function. Therefore, obtaining that complete overview becomes difficult.