The demands on businesses to provide assurance to stakeholders that they are effectively managing their risks have grown significantly since the financial crisis in 2008, and the responsibilities of Boards of Directors in meeting these demands have been the focus of significant attention. On top of this, the challenges of rapid technological change have seen a dramatic increase in the scale of data collection and sharing, and a recognition that cyber security is one of the greatest threats to businesses around the world.
All of this means that businesses must respond to a plethora of legal and regulatory requirements, and demonstrate to stakeholders that they are meeting them.
The updated UK Corporate Governance Code issued in 2016, and the supporting guidance on risk management and internal control, confirm the responsibility of Boards to determine business objectives, identify risks and implement systems of control to mitigate these risks.
Historically, internal audit has been the prime focus for delivering reports concerning the effectiveness of internal controls. External audit would rely to some extent on these reports when considering how they might impact upon the preparation and subsequent audit of the financial statements, but external audit is primarily concerned with the integrity of financial reporting.
In support of achieving business objectives, many businesses have also developed risk management processes designed to identify risks, with the aim of ensuring adequate controls are in place to mitigate these risks. These processes are often free-standing, perhaps reporting to a risk committee or the Audit Committee. Some businesses have adopted control risk self-assessment techniques as part of their process, where individuals are identified as risk managers for an area of the business and are accountable for effectively managing that risk.
But as businesses have become more complex and the assurance requirements of Boards and their stakeholders more extensive, additional assurance is often required. Consider some of the following possible assurance sources:
International standards and independent accreditation
As IT techniques and processes have advanced, external stakeholders may require assurance that the business is managing the technology effectively so that they can be confident that there will be no business disruption or that key information exchanges remain confidential. The adoption of the international standard for information security management systems (ISO 27001), an externally assured annual accreditation, provides such assurance.
Similar externally assured accreditations to international standards can be commissioned for business continuity, quality management and environmental management, among others. These standards can facilitate the required discipline for ensuring the business meets the requirements of the new General Data Protection Regulations (GDPR), which will come into force on 25th May 2018.
In November 2016, the UK government launched a new National Cyber Security Strategy designed to bolster the UK’s cyber security. It sets out action to protect the UK economy and to encourage industry to improve its own prevention measures. The government-supported Cyber Essentials scheme is an important element of the Strategy, and its assurance framework provides for two levels of certification award that give clients comfort that basic cyber security controls have been implemented. Firstly, Cyber Essentials certification is based on a self-assessment questionnaire, verified by an independent Certification Body which evaluates whether the required standard has been adopted. Cyber Essentials Plus provides additional assurance by independently testing that the measures are in place.
Controls assurance reports
The International Auditing and Assurance Standards Board (IAASB) sets international standards for assurance engagements, and its International Standard on Assurance Engagements (ISAE 3402) is often adopted when service organisations require an external assurance report on their internal controls. A wide range of businesses adopt this standard for reports on their controls, including those providing services in IT, investment management, private equity, hedge funds, property management and pensions administration.
Controls assurance reports may also take the form of one of the three types of Service Organisation Control (SOC) reports (SOC 1 – financial reporting, SOC 2 – technology, or SOC 3 – summary reports), or reports based upon the Technical Release AAF 01/06 issued by the Institute of Chartered Accountants England & Wales.