Developing a combined assurance framework for municipalities

Posted on July 20, 2022


Only 41 of South Africa’s 257 municipalities have a clean bill of financial health, according to the local government 2020/21 Audit Report by Auditor-General South Africa. This is 14 more than in the 2019/20 Audit Report. In the Western Cape input of the latest Audit Report, the Auditor-General South Africa states that “all municipalities should ultimately strive to attain levels where control environments and robust risk-assessment processes are institutionalised - with clean audits as a by-product.

This highlights a need for improved risk management focused on achieving more effective combined assurance at municipalities. This article begins by highlighting the roles of each of the so-called five lines of assurance combined assurance spheres at municipalities, to form the basis of a municipal combined assurance framework. Combined assurance integrates and aligns assurance processes in an entity to maximise risk oversight and optimise overall assurance when reporting to the risk and audit committees. Identifying risks to service delivery (while considering the municipality’s risk appetite) helps to focus the activities of the municipal manager on managing service delivery risks; combined assurance presents the council with assurances on the status of municipal services and service delivery. The focus on risks requires that a critical precondition for combined assurance is present in the form of a culture of effective risk management throughout the municipality. Risk management, when practiced throughout an entity, is also called integrated risk management (IRM). To improve risk management and combined assurance in municipalities, it is important to first identify the roles and responsibilities of each of the five lines of assurance.

Five lines of assurance

The first line of assurance is the front-line operational managers who are directly linked to service delivery channels. In municipalities, operational management engages directly with the provision of basic services to the communities, such as water and electricity as well as solid waste disposal and general municipal infrastructure. Operational managers are thus the service delivery owners who plan, execute, monitor and evaluate the processes of the production of services, which includes managing the risks and using controls to ensure the service delivery objectives are not threatened. The operational manager is accountable to the municipal manager, to whom s/he reports on the status of the service delivery process. Operational managers manage the risks that can directly impact the services they are responsible for: the importance of their reporting channel thus provides the first level of assurance. The second line of assurance supports operational management’s efforts to render services by bringing specialist expertise and monitoring to help the municipality achieve its overall objectives.

The second line of assurance includes interaction with specialised services of finance, procurement, human resources, occupational health and safety, information technology, compliance and risk management. For example, the risk management unit is responsible for assisting the municipality to embed risk management as an operational mindset in all staff, and thus leverage its benefits to enhance performance and by regularly conducting risk assessments they are able to identify emerging risks. This second line reports the results of their monitoring activity to the municipal manager and the portfolio committees. However, the risk management unit also reports to the risk management committee.

This second level of reporting is the second line of assurance that the service delivery goals are on track, or the channel through which risk areas that threaten the service delivery goals are highlighted. The third line of assurance is an internal audit function that provides an independent, objective assurance that the first and second lines are executing their functions effectively. Internal audit is an assurance provider and not a management function, and is thus functionally different from the other two lines of assurance. Internal audit provides independent assurance on the effectiveness of governance, risk management and controls. Internal audit assurance helps the municipal manager and portfolio committees to understand the residual risks potentially impacting service delivery, the fourth line of assurance is the external assurance providers. In local government the auditor general is used to provide assurance on whether the spending of public funds and resources were used for the intended purposes with regard to economy, efficiency and effectiveness. The fifth line of assurance is the audit committee, which is the committee of the council. The Audit Committee is an independent committee responsible for oversight of the municipality’s control, governance and risk management. This committee provides regular feedback to the council on the adequacy and effectiveness of risk management in the municipality and recommends any form of improvement.

Understanding the steps in developing a combined assurance framework can help to move from understanding the individual roles of the lines of assurance to achieving an optimised overview of assurance: this is achieved using the following three steps. The first step is to optimise the implementation of enterprise risk management; the second is responsibility allocation, and the process ends with assurance mapping.

Integrated risk management (IRM)

Risks cannot be effectively managed in isolation or individually: an inclusive, integrated approach that is embedded throughout the organisation should be used. The objectives of IRM are to identify the risks which may hinder the achievement of objectives and to identify potential mitigating factors. The first step to achieving an IRM system is to develop the governance framework on which risk assessment is based. The second step is to determine overall organisational and individual business units’ objectives. The third step is the risk identification and analysis that determines the likelihood and impact of such risks.

The development of strategies to reduce or avoid the risks, and to maximise opportunities, is the fourth step. The fifth and final step is the monthly reporting system comprising the analysis by the IRM department, and their continuous monitoring of the process. The Benefits of IRM are seen in more effective decision making, an increased likelihood of achieving the entity’s objectives, better management of residual risk and more effective organisational processes. Better risk management effectively supports assurance efforts that focus on high-risk areas. However, it is important to clearly allocate the responsibilities of risk management and assurance. Responsibility allocation the governing body (municipal council) is important for developing the overall approach to the organisation’s risk management by ensuring that proper structures and processes are in place for effective governance.

This article was first published in the Municipal Edge magazine. The article is based on research done by Ntombizamatolo Lugongolo for her MPhil Internal Auditing degree at the Department of Auditing in the Faculty of Economic and Management Sciences at the University of Pretoria under the supervision of Dr Blanche Steyn.

- Author Ntombizamatolo Lugongolo and Dr Blanche Steyn

Copyright © University of Pretoria 2024. All rights reserved.

FAQ's Email Us Virtual Campus Share Cookie Preferences