Building organisational resilience through audit and assurance

Why is building organisational resilience important for your business? What role do audit and assurance play?

Businesses globally are on a path of continuous change, amid extreme political, environmental and catastrophic events. At the same time, the pace of digital transformation continues to increase at record speeds, with more change expected in the next 10 years than we have ever seen in history. Building an organisation which is sustainable, and can flourish long-term, is crucial for all governing bodies and management from a business resilience and continuity perspective.

In the past, organisations have generally aimed for continuity; however, resilience is a growing area of focus worldwide. “Business continuity” – often compared to a rubber band which snaps back to where it was before it was stretched – focuses on returning operations to “normal”. “Business resilience” seeks to strengthen and continually improve operations.

Simply put, building organisational resilience will help your business prosper. Good governance and effective risk management, incorporating audit and assurance activities which are forward-looking, flexible and consultative, can help organisations remain competitive, meet stakeholder expectations, and thrive long-term regardless of most circumstances. Organisations with a focus on resilience often emerge renewed and strengthened amid disruption.

Does your organisation take a continuity or resilience approach? And, if the focus is continuity, do you have the capabilities required to shift this focus?

Have you heard of the Three Lines Model?

Three Lines Model for building organisational resilience

The Three Lines Model (previously known as the ‘Three Lines of Defence’) is a way of explaining the relationship between the elements of an organisation’s assurance environment. It also provides a guide to how responsibilities are divided and interact to provide an organisation with a robust governance, control and risk management framework.

At a recent presentation by Synectic’s Audit & Assurance specialists*, 89% of attendees had not heard of the Three Lines Model. Yet the model is appropriate for any organisation – corporate, not-for-profit and public – regardless of size or complexity. Audit and assurance make a significant contribution to the achievement of organisational objectives and value creation for shareholders and stakeholders. Therefore, it is important to consider this combined assurance model.

How the model can help you build organisational resilience

1. Daily risk management, operations and development

The First Line owns and manages risk. It has a real-time focus and is concerned with the management of risks and controls.

The First Line involves managers and staff who are responsible for identifying and managing risk, reviewing operational arrangements to ensure “checks and balances” are working effectively, and ensuring desired products and services are being delivered. For this purpose, the First Line:

  • Leads and directs actions
  • Assesses risk
  • Establishes and maintains internal controls
  • Completes compliance activities
  • Reports on planned, actual and expected outcomes of activities

Line 1 requires an understanding of the organisation, its objectives, the environment in which it operates, and the risks it faces. In addition, those responsible should, collectively, have the necessary knowledge, skills, information and authority to operate the relevant policies and procedures of risk control. Through management, they are accountable to the governing body. 

2. Expertise, monitoring and reporting

The Second Line monitors risk. It incorporates functions which oversee or specialise in compliance or risk management. Chiefly, it is concerned with risk oversight and review of Line 1 activities.

This function owns the risk management frameworks and encompasses the work of specialist areas including:

  • Technical and regulatory compliance
  • Risk management
  • Security
  • Safety
  • Quality

It provides policies, tools, techniques and support to enable risk and compliance to be managed in the First Line. It also conducts monitoring to confirm the effectiveness of arrangements and to identify improvements.

For this purpose, Line 2:

  • Supports, monitors and challenges Line 1
  • Ensures risk management occurs
  • Undertakes stress-testing
  • Helps ensure consistency of definitions and measurement of risk
  • Provides analysis and reports on the adequacy and effectiveness of risk management and internal control

Through management, Line 2 roles are also accountable to the governing body.

3. Internal audit (independent assurance)

The Third Line assures the strategic management of risk. Sitting outside Lines 1 and 2, Line 3 provides independent assurance. Its main role is to evaluate the adequacy and effectiveness of the first two Lines.

Internal Audit specialists generally conduct this function. Internal Auditors are uniquely positioned to not only provide objective assurance, but to recommend and encourage continuous improvements. To that end, it is critical this function is independent from management.

Through systematic processes, deep understanding and expertise, Internal Auditors:

  • Provide objective assurance and advice
  • Review internal control design and evaluate effectiveness
  • Provide benchmarks, insights and confidence to support continual improvement

Internal audit is tasked by and reports to those charged with governance through the audit committee and/or senior management. However, it is important to note that if an assurance activity is commissioned by management, it would be seen as Line 1 or Line 2 assurance; to sit within Line 3, independent internal audit activities should be directed and controlled by the Audit Committee.

4. External audit / regulators (external assurance)

Although it sits outside the Three Lines, external assurance plays a vital role in the organisation’s governance and risk management approach. Therefore, it is often called the Fourth Line.

External assurance:

  • Ensures satisfaction of legislative and regulatory expectations, which serve to protect the interests of shareholders and stakeholders
  • Satisfies requests by management and the governing body to complement internal sources of assurance

Regulators often set governance and risk management requirements and may also conduct their own independent controls reviews.

External Auditors consider governance and risk management where this is relevant to the organisation’s accounting processes and financial information.

How do audit and assurance help build organisational resilience?

Without internal and external audit and assurance, the governance process is incomplete.

People often confuse internal audit and external audit. However, there are significant differences.

  • External audit focuses on the accuracy of the organisation’s annual report and financial statements.
  • Internal audit is a review of systems and operations based on the strategic needs of the organisation.

Key benefits of Internal Audit

A narrowly focused, ‘defensive’ approach to risk management merely stops bad things from happening, while Internal Audit delivers the broader outcomes of resilience, value creation and organisational success.

✔ Independent

Free from bias, a trusted adviser and strategic partner – Internal Audit should be the Board’s best friend, providing foresight into potential assurance gaps and opportunities for continual improvement.

✔ Valuable tool to those charged with governance and management

Internal Audit is the “eyes and ears” of the governing body as it responds directly to the concerns and objectives of those charged with governance. Risk is the “canary in the coalmine”, while Internal Audit is the “crickets”.

✔ Risk-based and highly adaptable

Internal Audit can have a wide-reaching brief. While it can provide a “snapshot” of compliance at a given point in time, it is uniquely placed to span beyond traditional compliance and finance areas, to evaluate the performance of all areas of an organisation. Significantly, a risk-based approach to Internal Audit focuses these efforts on high-risk areas.

✔ Integral to ensure good governance, oversight and risk management

Internal Audit provides an objective view that major risks an organisation faces are managed appropriately and the risk management and internal control framework is operating effectively and strategically.

✔ Help meet your organisation’s objectives

Serving the organisation as a whole, Internal Auditors can consider anything which might be important to your organisation’s lasting success. By supporting and promoting continuous improvement and innovation, the function can help your organisation build resilience by assuring the upside of organisational strengths and opportunities that must be sustained to achieve its goals and objectives.

✔ Reduce complexity and cost

Internal Auditors can ask questions that uncover waste and inefficiencies, such as: why are we doing this; are we duplicating efforts; how does this contribute to our success? They can also provide benchmarking against recognised industry standards and best-practice to facilitate better processes.

Key benefits of External Audit

An External Audit is essentially the expression of an independent opinion regarding the veracity of your financial statements. But – far from the dreaded “looking over your shoulder” function – a well-run external audit can provide peace of mind and form part of the organisation’s continuous improvement.

Indeed, during our recent presentation¹, 46% of attendees told us the best thing about their external audit was receiving suggestions on ways to improve things.

✔ The organisation

An External Audit will provide greater confidence in your financial reports. The objective exploration of the major activities reflected in your financial statements also presents a unique opportunity to identify improvements in internal processes.

✔ Shareholders

An External Audit will introduce an additional level of rigour and accountability around financial reporting for your shareholders – who are not directly involved in all aspects of company activities. This then supports shareholder decision-making by ensuring the reliability of financial results.

✔ External Stakeholders

Providing audited financial statements when required by external stakeholders – such as financial institutions or prospective customers and suppliers – indicates a greater level of professionalism and sophistication and reduces their risk assessment. The resulting increase in confidence can lead to better trading terms or borrowing rates being made available.

✔ Management

An External Audit offers management a regular, structured assessment of governance, risk management and internal controls. Outcomes can include detection of operational inefficiencies, mitigation of potential fraud risks, and regular health checks of IT systems and cybersecurity.

What you can do now to help build organisational resilience

To remain relevant in the current environment, organisations need to ensure they are prepared to adapt – to go beyond business continuity and focus on building resilience. The financial and related risk is too great to do otherwise. By contrast, organisations with a focus on resilience often come out of tough times even stronger than before.

While addressing organisational resilience is a challenge, it is necessary to meet stakeholder expectations and gain a sharper understanding of organisational changes and priorities in a world of change and disruption.

Audit and assurance specialists can help you ensure organisational resilience is a continuous effort by:

  • Embedding resilience into audit objectives
  • Providing a unique view of strategic risks and taking a broad, long-term view to addressing issues at a strategic level
  • Championing and being involved in process transformation, systems implementations and change initiatives
  • Serving in an advisory capacity, including establishing and facilitating reporting on metrics

Contact one of our audit & assurance specialists today. We can help you assess how resilient your organisation currently is, support and promote continuous improvement, and help your organisation achieve its goals and objectives.

1 Association of School Business Administrators (ASBA) Tasmanian State Conference 2022, ‘Hope, Resilience & Change – Leading for the Future’. Synectic presenters: Ben Coull (Director) and Claire Smith (Senior Consultant)

About the authors

Ben Coull

Ben Coull is a director of Synectic and leads our audit and assurance team. With over 25 years’ experience in audit, financial reporting and corporate advisory services, he has a passion for excellence in client services and the benefits which come from a high-quality audit. Ben believes in pragmatic, relevant advice which helps clients to improve their operations, governance and internal controls. Ben has extensive corporate advisory experience and has been responsible for the delivery of a range of audit services to substantial entities in the public and not-for-profit sectors.

Claire Smith
Senior Consultant

Claire Smith is a senior executive and accountant with almost 20 years’ experience across the private and public sectors. She is an Associate Member of the Institute of Internal Auditors, an Internal Quality Auditor, and an independent member of the Department of Treasury and Finance Audit & Risk Management Committee. Claire is passionate about business performance and has an extensive background in risk management, strategy and business development, workforce development, and digital transformation.

Contact Claire or Ben today to discuss how Synectic can support you to build resilience in your organisation.