Future of Control | Integrated Assurance: Assurance Heath Check & Digitization

Cementing and reshaping the three lines of defense for risk management

As one of the themes of our “Future of Control” vision, Integrated Assurance continues to be a focus for organizations — we see growing challenges for the traditional three lines of defense model, such as unclear responsibilities for risk identification and control, poor synergy between the three lines of defense, increased burden due to potential repeated or inefficient work, and lack of definite business value as a driver. 

Deloitte China has extensively studied these challenges, and has a dedicated team of experts to focus on research into a theoretical framework as well as technological development and practice. Through this we have now developed a mature methodology to help our clients achieve visibility of key risks, coordination between departments and functions, and continuous monitoring, which improves risk management and governance while assisting clients in creating value and boosting operational performance in an environment with constantly changing risks.

1. Integrated Assurance service framework

Based on many year of practice, Deloitte developed a business-driven model for Integrated Assurance Service:

1st layer: Start with the business drivers of value

Decision makers receive massive amounts of information every day, but are unable to quickly identify which is the most important and valuable. To address major risks, our Integrated Assurance service pays greater attention to enterprise value and business drivers. This is inseparable from the enterprises’ business strategy, operating performance, and external business environment, which need to be clearly defined and comprehended to ensure the Integrated Assurance service creates value for enterprises.

2nd layer: Understand the underlying principal risks

Integrated Assurance identifies and assesses the most significant risks and value-enhancing business drivers, i.e., factors most likely to negatively or positively affect business outcomes, by leveraging technologies such as process mining, AI, big data analysis, and blockchain. This analysis determines the required levels of assurance based on the organization’s risk appetite and the expectations of its stakeholders — customers, partners, regulators, shareholders, and employees.

3rd layer: Planning and executing the risk assurance cycle

This model of risk assurance organizes reporting around risk themes: groupings of similar or related risks that can most affect the drivers of value. Those drivers also dictate the assurance priorities that need to align with business strategy and operations. The risk themes will then guide decisions about assurance planning and execution so that resources are optimally allocated and reporting and monitoring are integrated.

2. Integrated Assurance solutions

This model of risk assurance organizes reporting around risk themes: groupings of similar or related risks that can most affect the drivers of value. Those drivers also dictate the assurance priorities that need to align with business strategy and operations. The risk themes will then guide decisions about assurance planning and execution so that resources are optimally allocated and reporting and monitoring are integrated.

Case 1: Assurance Health Check

Assurance Health Check changes how an organization improves its processes by running transaction-level analysis to identify errors and the relevant root causes, and then developing a workable solution. Process analysis visualizes process execution while simultaneously optimizing processes, patching security, and strengthening controls, directly unveiling the system-based processes to let you see what’s inside and take fact-based actions.

Assurance Health Check uses Deloitte’s proprietary intelligent process tool for deep mining of the transaction data. Users can directly apply the tool to their existing financial or reporting systems, identifying actual end-to-end processes to help enterprises prioritize assurance activity and change requests based on factual data, thus achieving more intelligent insights.

Assurance Health Check delivers great value, including:

1. Assurance targeting: With clearer, more panoramic views of all critical risks to the organization and of efforts to address them, by reducing “assurance fatigue” in business units and functions and, potentially, ensuring that each assurance provider is focused on the right areas and risks in the organization.
2. Advise: With actionable insights and advice on ways to manage these risks, build resilience and create value, by improving the understanding of risks that impact business strategy, operational performance, and the business environment.
3. Perception of the future: Identify and analyze emerging problems and risks by using risk perception technology and other cutting-edge technologies, enhancing risk prediction ability and understanding of the problems that may affect business planning and decision-making.

Case 2: Assurance Digitalization

Assurance Digitization is a flexible multi-technology approach to facilitate integrated control testing automation and create opportunities for continuous control monitoring. This service enables automated sample selection or full-sample testing, more robust audit and assurance, as well as insight into business operations. Continuous monitoring can be used by assurance providers across the three lines of defense and provides more focus on digital risk.

Deloitte automates control testing spanning from data extraction, verification, to working paper generation by leveraging predefined or custom scripts as well as Robotic Process Automation and AI technology. Deloitte independently developed the automation technology and can provide it to the clients’ technical team for integration, scheduling, and application to manage control testing.

Overall the value of Assurance Digitization, is that it makes the work of assurance providers more efficient and effective. It also provide a common platform through which assurance providers can co-ordinate their testing activity, minimizing duplication.

In short, our Integrated Assurance service integrates enterprises’ operations and risk management activities, and applies the most advanced technologies and Deloitte’s independently developed tools to help management formulate more insightful reporting and cement the three lines of defense to improve overall risk management.