Leadership · Insight · Knowledge

Welcome to the Institute of Internal Auditors New Zealand, the professional body for internal auditing

About UsJoin Us

What is internal audit?

Internal audit is a dynamic profession that provides independent assurance that an organisation's risk management, governance and internal control processes are operating effectively Essentially, Internal Auditors help organisations to succeed.

Read More

Membership benefits

Join our professional community and access a range of local and international benefits to expand your thinking, knowledge and networks.

Learn MoreJoin Now

Events & training

Connect with other internal audit, risk and assurance professionals and grow your knowledge and skills with a range of online and local events.

Find out more

Subscribe to newsletters

Subscribe to monthly IIA NZ Newsletters here

Subscribe

home | News & Media | All News

 

Maintaining Trust & Integrity

Establishing the right level of assurance and independent review


James Jong
IIA NZ Advocacy Committee Chair

Trust is essential for the conduct of most human interactions. Every time citizens access information, use services, respond to emails, buy things, and make payments etc., they implicitly trust it is accurate, legitimate, safe, and secure to do so. It is our default mindset.

New Zealanders trust that everyone will be diligent at work and honest in behaviour unless proven otherwise. We also think that organisational systems and process designed to deliver, monitor, and regulate our interactions won't fail us. But they invariably can; and sometimes do.

When things go wrong, trust and confidence are often disproportionately eroded; more so than if we did not expect better. It matters greatly to Aotearoa New Zealand simply because our national ethos would not accept anything less.

Four things to consider

Four things for governors and executive management to consider about trust.

Identify key trust areas

First, what are the activities that your organisation must get right first time, upon which trust and confidence of your customers, stakeholders and the wider public critically depend? These will be myriad and interrelated, and entail core services, hygiene factors, and a wide range of customer / public facing activities.

Collating an inventory of activities that could put trust and integrity at risk will inform your priorities. Anchoring these against your organisation's purpose and objectives will help keep them front of mind.

Know your vulnerabilities

Second, what are the vulnerabilities for each of these critical activities and how could their failure manifest in reputational consequences. We know management is responsible for managing risks and implementing controls, which is a medium-to-long term investment. But we also know they could be incentivised for short term performance. In the context of delivery in a fast-changing and increasingly connected interactions, the human tendency for optimism bias is a vulnerability not to be underestimated.

It is instructive to understand the cascading effects of failure, systemic or random, so that these risks can be prioritised for mitigation.

Calibrate assurance to risk tolerance

Third, the nature and extent of assurance should be calibrated to the risk tolerance of the entity and whether such failures are likely to be damaging.

For example, procurement probity is critical in the public service. Agency chief executives and governors will want assurances that organisational process and systems for disclosing conflicting interests are not left to chance or goodwill. In this instance, assurance attestations from line management may not be sufficient. Independent and periodic assurance from the Internal Auditor or an external probity reviewer could be warranted - particularly for high-stakes or high-value supply.

Assurance should be layered such that higher priority trust and integrity risks are safeguarded by multiple lines of defence.

How you respond can make all the difference

Fourth, recognising that it is nigh on impossible to control for every risk (and remain a viable business), how organisations respond when things go wrong can make all the difference. Affected customers and other stakeholders rightly expect an explanation of what happened, and reassurance that it won't happen again.

Often, a statement is provided by the part of the organisation responsible for the issue, which may be a proportionate response for minor issues. But for major or systemic issues, a higher degree of independent assurance is invariably required to avoid any appearance of disingenuity or lack of transparency. In such instances, it is helpful to have an assurance capability that is independent, and not mired with other management responsibilities.

Trust is hard earned and easily lost

Trust and integrity are hard earned, and easily lost. Unless we have had first-hand experience of reputational damage, our national psyche that "she'll be right" could cloud executive judgement. I hope this article encourages healthy scepticism and increases the appreciation of independent assurance to protect and strengthen confidence in your organisations.



MoST Content Management V3.0.8753