George Williams, Director of BDO Risk Advisory Services
The responsibilities of risk management within listed companies are enormous. When you consider that almost all retirement annuities and pension funds are invested in companies via the stock market, you realise that just about every one of us is a stakeholder in a listed company.
By extension, each one of us has our pension funds tied up in the success or failure of various listed companies. Our financial security hinges on how well these companies manage risk, how effectively boards exercise their oversight responsibilities and how the company’s systems of internal control are verified by effective assurance methods.
An effective way for companies to mitigate risk is Combined Assurance. Combined Assurance can enhance a company’s profitability and reassure the board that the controls meant to manage risk are adequate and effective, meaning that they are designed and working properly.
What often causes companies to fail is the “casino effect”. Like a gambler, when a company loses money, the board begins to panic and throws excess money at the problem. This increases the risk. This is human nature. Combined Assurance seeks to minimise the casino effect. It ensures “many assurance eyes” look at a company’s risks and problems. Ultimately, a combined assurance report might tell the board, “This is how best to control your risks,” or else, “You can’t manage these costs. You need to get out of this business.”
Companies have objectives — for instance to be profitable. Then there are risks, which can hinder their ability to attain those objectives. Perhaps their biggest risk is that their costs are excessive. In order to mitigate this risk, the company needs to institute systems of internal control. They might introduce an approvals process so that no large costs can be incurred without board approval.
That is all well and good, but the success or failure of the company — and all its stakeholders — will rest on how effective its risk management process is. These controls are best evaluated through combined assurance, which gives stakeholders a holistic picture of the effectiveness of all the controls in place.
The reason assurance functions are combined is that external auditors, internal auditors, company management and occupational health and safety professionals all give a certain level of assurance, but all follow different rules — International Financial Reporting Standards (IFRS), the codes of professional practice of the Institute of Internal Auditors, etc. Combined Assurance is a mechanism to get all the assurance professionals together to develop a plan to provide the necessary combined assurance to the board.
Combined Assurance became mandatory in South Africa in 2010, but its adoption has been slow.
A study by Forte and Barac in the Southern African Journal of Accountability and Auditing Research found that companies were in varying stages of preparedness to implement Combined Assurance and there was still a need to clarify the responsibilities of Combined Assurance’s key role players (board, audit committee, internal and external assurance providers).
“Oversight responsibilities of boards have increased significantly,” the report states, “especially in the areas of risk oversight and obtaining assurance that significant risks are managed and mitigated to acceptable levels.”
A lot of work remains to be done, and with different suppliers providing this assurance, there’s sometimes a large cost burden for companies. With Combined Assurance, companies get all their controls looked at, at a reasonable cost.
This is all an attempt to deal with the “agency problem” in companies, where executives, owners and shareholders don’t necessarily share the same vision. You can have a situation where managers steal from the company, or make decisions that aren’t in the long-term interests of the entity.
One reason for the slow rate of adoption may be that each profession tends to work in a silo. But initial reluctance melts away once teams start sitting down and working together. Combined Assurance is worthwhile for the company, which is why it has been made mandatory. Companies want to achieve their profitability objective. They want the assurance that their controls are adequate and effective to mitigate their risks to an acceptable level. They want to know there’s a combined effort between role players to review these controls. In some cases, the external audit fees have reduced.
Besides being a legal requirement, Combined Assurance brings financial benefits to companies and in a practical sense helps to mitigate risks and ensure ongoing success and viability of companies. It is essential that boards engage risk advisory professionals, who can help them develop a proper combined assurance process.