alex73824

Mapping out a robust Audit and Assurance Policy

Under UK government plans, the nation’s largest companies will soon be expected to publish a three-yearly Audit and Assurance Policy. What are the fundamental steps for getting this right?

In light of feedback to its recent consultation Restoring Trust in Audit and Corporate Governance, the Department for Business, Energy and Industrial Strategy is set to require businesses of a certain size to formally publish an Audit and Assurance Policy (AAP).

Forthcoming legislation is expected to classify companies with more than 750 staff, and an annual turnover of more than £750m, as Public Interest Entities (PIEs) – and require them to issue an AAP every three years. Those companies will also need to publish annual implementation reports on how their assurance procedures work in practice. What sort of watershed does that shift represent for relevant businesses?

“Companies must already consider and make extensive disclosures about their risks,” says Carolyn Clarke, CEO of risk and assurance specialists Brave Consultancy. “However, the AAP presents an opportunity to bring together, in a single place, a much more complete picture of where all the necessary assurance comes from – plus its underlying nature and the degree to which directors rely upon it.”

In that sense, she says, the AAP is a useful mechanism for providing a company’s external stakeholders with a window into how its directors and board are thinking about their risks – including the sorts of disclosures they’re making around them, and the relevant assurance they are seeking.

Mapping the way

According to Clarke, the most important step in the drafting stage will be to develop an ‘assurance map,’ setting out the organisation’s risk universe, and also encompassing any financial and non-financial disclosures the business is required to make.

That map, she notes, must then be assessed through the internal lens of the company’s three-line assurance model. “First line,” she explains, “is management oversight: executive supervision of the company’s daily activities. The board will rely a great deal on looking into the eyes of senior managers and asking how they feel about day-to-day risks. Second line includes compliance functions, such as health and safety, that managers have put in place to monitor specific types of risks. And the third line is an independent appraisal – usually performed through internal audit – of the design and operational effectiveness of controls around the company’s risk appetite.”

Large listed companies, Clarke points out, are already required to describe their risk universes in annual reports and accounts. The nature of the relevant risks may be internal, strategic, macroeconomic or environmental. “Some companies may focus on risks they want to minimise,” Clarke says, “such as health and safety incidents. Other types of risks can stem from organisational improvement – for example, the implementation of new IT systems, and especially wider change programmes, can present significant risks.”


