Designing an Effective EOFY Assurance Program for a Commonwealth Entity

For Finance Teams, the last half of the financial year brings a flurry of activity. First, there is FBT season, with the FBT year closing on 31 March. Then, just three months later, it is end-of-financial-year (EOFY). During this period, the workload is unrelenting. The focus is on completing the next group of tasks and keeping moving so you can meet your deadlines.

In this blog, I want to take a look at what it takes to design an effective assurance program for EOFY. We will not focus on financial statement assurance – most entities have well-established practices in this regard and the financial statement audit process provides a valuable feedback loop on those practices. I want to consider the broader assurance opportunity.

Before we go any further, let’s remind ourselves about what assurance is. There are many technical definitions but let’s go for a simple plain-English version: Assurance provides confidence to those who are expecting a particular outcome. Simply put, assurance is a mechanism to let us know if we are on track. If something is important, it is therefore also important that we know if it is going well, or not. That is the role of assurance.

For some organisations, assurance is the missing piece in their governance. One clue that this is the case is where there is not a documented assurance framework and policy. Without assurance, our ability to form a view about everything from the operation of controls right through to our performance against our strategic objectives is constrained. In other words, assurance is an important component of good governance.

First, let’s think about some principles that might guide us in designing an effective assurance program. I want to propose four.

  1. Clear objectives: This is the “Why”. Why are we undertaking the assurance program? The assurance program should have clear and measurable objectives. This includes identifying the scope, objectives, and expected outcomes of the assurance activities.
  2. Value: The assurance program must add value to the organisation. This means that the outcomes of the assurance process should be both useful and usable for stakeholders.
  3. Risk-based: The assurance program should be designed to focus on the things that are most important to the organisation and/or present the most risk to the organisation. This means identifying the organisation’s priorities and its most critical risks, and focusing assurance efforts on those areas.
  4. Ongoing and continuous improvement: The assurance program should be designed to continually improve. This means evaluating the effectiveness of the assurance activities and making adjustments as needed to ensure that they are meeting the organisation’s needs.

EOFY assurance for Commonwealth entities

The end of the financial year provides an opportunity for Commonwealth entities to not only report on their financial performance for the preceding year, and prepare corporate performance information for the annual report, but to consider their performance more holistically. The Public Governance, Performance and Accountability Act 2013 (PGPA Act) details specific duties for accountable authorities and officials. Given the specific nature of these duties – and the fact that they are in legislation – it would seem prudent that accountable authorities and audit committees ensure appropriate assurance mechanisms are in place so that they can be satisfied that the duties are being met.

The end of the financial year is a convenient and relevant time to gain assurance around these duties to provide a more comprehensive view of entity performance and governance for accountable authorities, other senior leadership, and the audit committee. Here are some of the things we are seeing Commonwealth entities do at end of financial year:

  • Verify that the risk management framework and policy are up to date, and that risk is being managed appropriately across the organisation
  • Review the entity control framework and seek assurance that controls are registered, assigned ownership, appropriately designed, and operating correctly
  • Seek management assurance certification from senior staff against specific governance, risk and compliance (GRC) issues in their area of responsibility
  • Undertake targeted assurance against specific government policy, such as procurement (e.g. procurement of advisory services), fraud control, risk management etc.
  • Seek confirmation from all staff members that they have no conflicts of interest, or if they do, that a declaration of interest has been made
  • Update conflicts of interest declarations for all key boards and committees

Processes such as these not only provide valuable assurance information to accountable authorities and audit committees, but also signal to staff members the importance of these matters in the context of the organisation.

Some final observations:

  1. As a critical element of good governance, an assurance framework and policy is a necessary foundation for delivering an efficient and effective assurance program within an organisation.
  2. Assurance must be intentional. Assurance should not be an afterthought. It is important that organisations have an assurance plan that clearly documents the “why, what, who, and when”.
  3. Assurance must be targeted. Assurance is potentially an endless enterprise. Assurance should be targeted based on risk and those matters that are important to the organisation.
  4. Assurance must be ongoing. Assurance should not be something we only think about at the end of the financial year. An ongoing stream of assurance data provides a valuable source of insight to decision-makers and information to those responsible for oversight.

This article was written by Zane Edwards, Global Director of GRC at LighthouseGRC. Zane is a chartered accountant and has 20 years’ experience in Government and Private sector GRC management. Not only is he passionate about the digital transformation of governance, but he is also a skilled and influential communicator with extensive national and international experience in a variety of channels, including conferences, radio, television, and video.