< Home > < In-House Taining > Assurance

Assurance

Communication Skills for Assurance Providers

Optimising Assurance

Local Authority Audit Committee Workshop

Communication Skills for Assurance Providers

Energised by the need to provide broader assurance, many Internal Audit, Compliance, Health and Safety, Quality and Environmental audit functions find they need to perform a much more comprehensive spectrum of reviews than ever before – whilst still providing comfort and reassurance that the basics are being managed well. Practitioners have now to expand their role as facilitators and advisors at the same time demonstrating that they are adding measurable added value.

These responsibilities and challenges require a new set of skills, competencies and abilities. Strong communication and presentation skills are essential in this highly challenging environment, whether this is facilitating control self- assessment workshops or negotiating with management or communicating your ideas in writing. Ask yourself a few questions: -

• Do you communicate as effectively as you would like?
• Do your interpersonal skills motivate and drive the audit team?
• Do you feel that your presentations and discussions with management could benefit from some constructive criticism to improve their impact?

Attending this highly practical 2-day seminar will provide the opportunity to improve your interpersonal communication and presentational skills in order to make a substantial difference to the way you interact with colleagues and senior management.

The seminar features a series of case studies and exercises covering verbal, listening, written and other communication skills, culminating in a presentation to Senior Management. Using video and peer review, you will have the opportunity to learn from fellow auditors as well as benefiting from the wide experience of your seminar leader Phil Griffiths.

Course Outline

Day 1 - The Art Of Effective Communication

• ‘ The Bamboo Cane’ - a thought provoking exercise
  
• Assurance providers primary roles, objectives and challenges
• What are the keys to success?
• Expressing yourself effectively
• Do you have clients, auditees or customers?
• The need to manage the customer relationship
• Creating rapport with your customers – tips and techniques
• The 4 management styles – Activists, Reflectors, Theorists and Pragmatists - and the implications for auditors
• Personal drivers and success
  
• Exercise 2 – management styles - working in small groups delegates are asked to determine and compare individual management styles and personal drivers
  
• Language and impact
• Simple and Complex language
• The use of ‘powerwords’ in your communications
• How to get on the same wavelength as your customer
• Phone conversations – how to make the right impression
• The use of humour
• Business Communication techniques
• Facilitation – the key skills
• Communication in writing – the do’s and don’ts
  
• Exercise 3 – Getting your message over – dealing with colleagues
  
• What management expects
• Active listening
• Meetings and how to manage them – the 5 P’s
• Body language and how to interpret it
• How to tell if you are not getting the true picture
• The secret of effective presentations
  
• Exercise 4 – making a short presentation (with video)
  
• The Competency framework
• Persuasion and negotiation
  
• Exercise 5 –meeting with an Executive – role play
  
• Preparing for an assignment
• Objectives and risk
• Areas to cover
• Getting management input
• Explaining the approach to staff of the function being audited
• Treating your customers with respect
• Deciding who to interview
• Audit interviews
• Testing – how to determine how much is necessary
• Walk through tests
• Fieldwork Techniques (compliance, transactional, analytical review, sampling etc)
• How to decide the depth of testing required
• The clearance meeting
  
• Exercise 6 – the clearance meeting – role play

Day 2 - Communicating together and with Senior Management

• Marketing the function – who do you need to convince - tips and proven techniques
• Communicating as part of a team - the do’s and don’ts
• 4 Practical exercises with analysis and feedback – series of linked tasks requiring clear communication and understanding
  • Moonshot
  • The final straw
  • Building rapport
  • The puzzle
• 5 minute presentations on the experience (video and feedback)
• The skills inventory – issues to concentrate on

All the following skills will be incorporated today:

• Diplomacy
• Open -mindedness
• Communication Skills – written, verbal, auditory, facilitation and presentation
• Persuasiveness
• Negotiation ability
• Self motivation and self confidence
• Decision making ability
• Flexibility and ability to co-operate
• Time management
• Judgement
• Analytical skills
• Self control
• Practicality
• Results orientation

Interviewing skills

• How to carry out an effective audit interview – role play

The Presentation

• Delegates work in teams to prepare a 10 minute presentation to Top management (which they must all participate in)
• The presentation - video-taped
• Evaluation and feedback
• Learning points discussed
• Personal action plans
• Course Summary

Back to top

OPTIMISING ASSURANCE

An examination of the corporate governance challenges to the various assurance providers in an organisation and how these functions can use the opportunity to optimise value added.

1. Introduction

More and more emphasis on governance, assurance and control is being espoused by recent regulation, standards and guidance, much of which is risk orientated.

How should the various assurance functions in a business rise to the challenge and how should the organisation manage such activities effectively and efficiently?

The Combined Code disclosure requirements looked at from a dispassionate viewpoint, could simply be regarded as a need for listed companies to sign off the disciplines and processes already in place. However, the resultant debate and its intensity would suggest that companies are far from happy to do so.
The fulcrum of this debate is Risk Management. Most businesses believe they understand and can manage their significant risks, but the ever-growing list of well-publicised failures and problems indicate that such issues are not always fully understood.

As a result of the governance reforms, risk management has grown in just a few years from being a useful tool to become the very pulse of the organisation, and the way in which management of a company is judged.

No wonder tensions have been created. It should be no surprise that many Boards of Directors are uncomfortable in being asked to certify that they have reviewed the significant risks within their business - shareholders, after all, will be quite entitled to ask ' if all the significant risks have been reviewed (and presumably appropriate actions taken to mitigate them) why wasn't the recent disaster anticipated?'

This is a level of responsibility and open accountability that few directors will be comfortable. It also, of course, provides potential tension between the Executive and Non-executive directors- due to the recognition that the Non-exec's role is now to monitor how well the organisation is managed.

It is clear, therefore, that the Board needs help, not just in reviewing the effectiveness of internal controls but also in providing assurance that all the significant risks have been reviewed. Furthermore assurance will also be required in ensuring that the risks are being fully managed and an embedded risk management process is in place.

This is a tall order. In many organisations this challenge is being passed to the Internal Audit function. The other assurance functions within the business are increasingly also being given responsibilities in this regard.

The challenge is not just for PLC's either. Public sector senior management is very aware that similar governance responsibility falls on their shoulders and are reacting accordingly. The NHS, as an example, is blazing a very clear trail toward best practice in this regard. Corporate Governance is also likely to become a pan-European 'hot potato' very shortly as pressure to integrate the different corporate governance codes across Europe intensifies.

So what does this all mean for the assurance providers?

2. Assurance at the crossroads

Having worked in Internal Audit for 20 years and had close involvement with the other assurance providers, I have seen the roles change from verification and low-level checking to ones which in many organisations have carved out reputations for driving change and business improvement. The assurance providers , however, probably face the greatest challenge (and potential rewards) in their history.

This provides a potential "shot in the arm" for the function, particularly as the provision does highlight the advantages of having an adequately resourced and professional I A function.

Nonetheless the "kill-rate" for in-house internal audit functions is increasing in the UK, following a significant trend in the US. The Big 5 firms of accountants and other specialists have, quite correctly, identified opportunities to provide high quality, competitively priced internal audit services on either an out-sourced or partnering basis.

I do not intend to discuss the arguments for and against outsourcing or partnering but suffice it to say the Big 5 would not be providing the service unless they regarded it as a function that was important and would add value.

Exactly the same arguments apply to other assurance providers, particularly Quality Assurance, Environmental Audit and Insurance.

The challenges are those provided by the Combined Code, and the business risk agenda in particular.

So is Business Risk a lifeline or noose for Assurance providers?

Whether in-house or externally provided, the focus of the assurance functions in the first decade of the 21st Century has to be risk.

Audit Committees and Boards need the assurance functions to help them evaluate the effectiveness and efficiency of their systems of business risk management.

This should ensure that the functions have a high profile, particularly if the business risk focus is communicated widely within the organisation (which it should be). NB for those functions, which have not specifically marketed themselves by means of a brochure, web pages, intranet pages, newsletters etc. - this is an ideal opportunity to do so.

The high profile created and the necessity to give a considered opinion to the Board and the Audit Committee on the significant business risks and how effective they are being managed, could also have negative connotations.

If the assurance providers have reported to the effect that the business risk management processes are effective and major problems or surprises subsequently occur, this could significantly impact on their credibility.

There is also a further dimension. In may organisations, one of the assurance functions have been asked to lead the Business Risk Management programme or elements thereof. I.e. establishing and leading workshops, collating the results etc.

Under these circumstances it could be argued that their independence has been compromised. Who then will review the effectiveness of the process?

The key, I believe, is to co-ordinate the activities closely with the other assurance functions and, of course, management, to establish a clear agenda and the role and responsibilities of each function. This is further discussed in the conclusion (Section 6).

In this way, Corporate Governance and Business Risk in particular should be the vehicle for the assurance departments to develop a more influential and significant role than has been possible before. But for many departments this will involve an enormous amount of work and a change in culture.

What needs to be done?

To be able to rise to the significant challenges faced, the biggest issue cited was to enhance the skills within the function,

The IIA having also recognised this fact commissioned a very significant research project which culminated in the Competency Framework for Internal Auditing published in 1999.

The authors, William Birkett, Mona Barbera, Barry Leithhead, Marian Lower and Peter Roebuck are all highly experienced professionals and the resultant framework offers an extensive and highly relevant template for developing internal auditors.

3. Monitoring and reporting of significant risks.

Control Self Assurance provides a vehicle for management to establish a through and properly managed business risk programme, and also the means for "self-audit".
It will however be the assurance functions (and primarily internal audit) that will review the effectiveness of the programme and to monitor the very risks and report to Senior Management.
The Business Risk programme will identify the key risks faced by the organisation and their relative significance, normally plotted on a Boston box matrix (as below)
The internal audit function should ensure that the risks at the top right of the matrix (those in boxes 7-9 at least) are directly translated into the basis of their programme. My experience is that these risks should form the basis of at least 60% of the total audit programme.

In this way IA are being seen by the business as proactive and focussed - it is much easier to "sell" the benefits of an audit if the topic is recognised as critical to the success of the organisation.

Other assurance functions should also be fully aware of the matrix and plan their activities accordingly.

3.1 Perceived versus actual controls

Management will have given their evaluation of the effectiveness of the actions, procedures and systems in place to mitigate the significant risks identified during the risk workshops, and, probably again, in control self assessment questionnaires. Internal audit and other assurance functions will then, as part of their on-going audits, need to assess the accuracy of these perceptions and, of course, the effectiveness of the controls in place.

Reporting on the results of the audits (notably the accuracy of the perceived mitigation and ,of course, needs to be handled sensitively. This is discussed further in the paragraph on audit reporting.

Another important task often given to assurance providers in relation to the Business Risk programme is to review the actions achieved against those planned - to ensure that exposures are treated effectively and in the required timescale.

3.2 The need for multi-level reporting

Direct involvement of the Internal audit and other assurance functions in the business risk and corporate governance arenas provides the opportunity to enhance the profile and recognition of the functions, but only if the reporting process is managed effectively.

The Assurance functions have the opportunity to report on a number of levels - each one requiring a different approach.

To functional management

Reports to functional management on the perceived versus actual controls to mitigate key risks should focus on the opportunity to enhance control rather than a "you said …….. we found" approach. Specific benefits and business opportunities should be highlighted wherever possible. Actions must be agreed to tackle additional exposures before Board reporting.

To the Board

A quarterly summary of the results of the audits should be presented giving a picture of the overall accuracy of management's evaluations (in my experience, this having been generally sound) and an exception based schedule of the impact on risk exposures - especially further or more significant exposures identified - together with the actions agreed to tackle them.

A quarterly progress report on the action plans to address the risk exposures identified in the business risk programme should also be presented.

To the Audit Committee

The Audit Committee report (at least 3 times a year) should focus on achievement: -
* What actions have been implemented;
* the benefits achieved (monetarily if possible);
* the extent to which the risks have been reduced (using the Boston box matrix is a very good idea);
* What competitive opportunities have been identified/exploited;
* the % accuracy of perceived versus actual mitigation;
* the percentage coverage of the most significant risks achieved by Internal audit.

3.3 The need to coordinate reporting activities

Each assurance function within the organisation will have its normal reporting hierarchy - normally via the Executive with responsibility for the activity.

It is important to ensure that the messages received by the Board, the Audit Committee and Risk Management Committee are consistent and accurate.

To do so requires coordination. This can be achieved in a number of ways.
One way is for a nominated function ( e.g. Risk Management or Internal Audit) to receive reports from the other assurance functions on their activities, and for the Head of this function to extract the risk implications for onward reporting.

Another method is to have each function prepare a monthly or quarterly report, specifically relating to risks covered and the key findings. These reports can then be put together into a pack (with a summary) for onward transmission to the Board etc
This method has the advantage of enhancing ownership.

A third approach is to circulate individual reports widely between the assurance functions and ask the heads of the departments to compare and contrast the findings with their own - enabling reports for their Executives to be more balanced.

I favour a fully coordinated approach with one function taking responsibility for extracting the key issues (with accompanying reports from each assurance function)

4. Conclusions

The governance and business risk challenges posed by the combined Code provide considerable opportunities for the assurance functions in a business to demonstrate their important contributions. A much more coordinated approach is, however, necessary if this is to be truly successful.
The following is a suggested model or paradigm:-

Ever increasing shareholder expectations and the need to achieve demanding growth, profit, safety, environmental and other regulatory targets pushes organisations into taking bigger and greater risks.

To survive in this environment , an effective risk management and control framework is essential. As a result independent , positive assurance that such frameworks are effective and efficient is vital.

Professionally focussed assurance activities provide organisations with this assurance.

Risk and opportunity go hand in hand and assurance functions, if properly coordinated, can also provide organisations with advice and guidance on the relationship and balance between risk and control.- enabling you to make the right decisions.

©Business Risk Management 2004

LOCAL AUTHORITY AUDIT COMMITTEE WORKSHOP

The key role of Audit Committees in Local Government

• CIPFA guidance
• Role within Corporate Governance
• Audit Committee Charter
• Structure and Independence
• Chairmanship and other roles
• The need to be independent of Executive and Scrutiny functions
• Reporting lines
• Meetings and suggested agendas
• Core roles

Roles and responsibilities

• Corporate Governance
  • Pressures on Local authorities
  • Corporate Governance requirements
  • Members responsibilities
  • The challenges faced

• Internal Audit
  • The need for independent assurance
  • CIPFA guidance
  • The unique relationship between IA and the audit committee
  • Ensuring direct access to the Chief Executive
  • How to evaluate the Internal Audit function
  • Reviewing and assessing the IA work plan
  • Internal Audit Quarterly reports to Audit Committee
  • Reviewing management’s response to recommendations
  • Approving internal audit strategy and plans
  • Relationship with External Audit
  • Separate meetings with Head of Internal Audit

• External Audit
  • Receiving external audit reports
  • Questions to ask
  • How to evaluate the work completed
  • Assessing the External Audit opinion
  • Monitoring actions taken in response to issues raised

• Assessment of Risk Management effectiveness
  • Local Authority developments
  • CIPFA/ SOLACE guidelines
  • Risk standards
  • CPA
  • The need to integrate risk with Corporate planning
  • Identification of risk owners
  • Development of action plans
  • Measuring success
  • Reports for members
  • Linking risks with priority setting
  • Ensuring anti-fraud arrangements are adequate

• Financial and Assurance Statements
  • Statement of Internal Control
  • Financial statements
  • The questions to ask
  • CPA reports

Copyright Business Risk Management Ltd 2006

Back to top