Best Practice Framework for Advancing Combined Assurance
Unlock the benefits of a coordinated approach to risk management with this framework for advancing combined assurance from audit technology & methodology expert Mike Gowell and AuditBoard’s Anand Bhakta — and download the 8-step PDF Checklist below!
While the concept of combined assurance first gained prominence with the publication of the King Report on Governance in South Africa in 2009, it is still being talked about as an aspirational concept. The benefits of combined assurance (namely the reduction of gaps and overlaps in coverage that naturally occur in a siloed approach to risk management) are readily apparent and significant — however, many organizations struggle to implement this concept.
The release of IIA Standard 2050 in 2017 required Internal Audit to take the first step in the journey towards combined assurance by stating that the CAE should “share information, coordinate activities, and consider relying on the work of other internal and external assurance and consulting providers to ensure proper coverage and minimize duplication of efforts.”
Although compliance with Standard 2050 provides a solid foundation on which to build a combined assurance framework, significant planning and effort is required to move beyond this foundational stage to unlock the significant benefits of combined assurance. Get started right by understanding key benefits and following 8 steps to build a successful combined assurance program in your organization.
Benefits of Advancing Combined Assurance in Your Organization
In an age where organizations have a robust variety of assurance providers, informed decision-making is difficult when risk data is siloed throughout the organization. Those that achieve maturity on the combined assurance model will be best positioned to manage risk in their organization by delivering benefits which include:
- A single cohesive executive management and board report with a common view of risks and issues across the organization.
- A reduction in overall assurance costs and control owner fatigue by minimizing redundancies and overlaps in risk coverage.
- Enhanced risk management activities by focusing relevant assurance efforts to the risks that matter most.
What Combined Assurance Is Not
An important caveat is that advancing combined assurance in your organization does not change the mission statement, reporting structure, or capabilities of each individual assurance provider. Each assurance function remains distinct and continues to execute its unique role as part of a fully integrated effort in reducing risk within the organization. In short, mature combined assurance bridges The IIA’s recently updated Three Lines Model, while maintaining the integrity of the functional units within each line of defense.
Best Practice Framework for Advancing Combined Assurance
The first step in advancing combined assurance is to evaluate your organization’s current level of maturity. Once you have established your position on the Combined Assurance Maturity Curve you can use the following steps to build a successful combined assurance program in your organization.
1. Prepare a formal business case in support of internal audit leading a combined assurance initiative.
Articulate why Internal Audit is best-suited to take on a leadership role in implementing combined assurance. Explain the anticipated benefits of combined assurance to the organization. Highlight current pitfalls of the existing siloed approach. Prepare a sample assurance map as a useful visual for communicating existing gaps and overlaps in the current approach. Highlight the anticipated benefits of combined assurance. Reference:
- IIA Standard 2050
- The Three Lines Model
- Sample Assurance map
2. Gain support and backing from the Audit Committee and Senior Management.
Present your business case from Step 1 to leadership and hold a discussion about the challenges of the siloed approach and the anticipated benefits of combined assurance. Before moving on to the next step, stakeholders must understand and support the combined assurance approach. Their buy-in is key to gaining the support of other assurance providers and creating a successful combined assurance program. Bring:
- A list of all known assurance providers.
- Sample Assurance map.
- Examples of various Assurance Reports.
- The Three Lines Model.
3. Take an inventory of assurance providers in your organization.
Before seeking support and buy-in from assurance providers, perform an inventory exercise to ensure you are targeting all of them. Assurance providers can be internal or external; in addition to the common assurance providers like IT Security, Risk Management, and Compliance, other providers may include Legal, Ethics and Integrity, Insurance, Investigations, Human Capital, or Quality. Identify assurance providers by:
- Reviewing the organization chart.
- Reviewing Board meeting agendas and Board minutes.
- Interviewing the Chief Risk Officer.
4. Hold initial meetings with each of the assurance providers.
Leverage components of the business case to explain the concept of combined assurance to each group. Tailor your message to articulate the value of the benefits of this approach specific to the interests of each assurance provider. For instance: more exposure to the Board and management, enhanced training and education, shared technology and budget to roll out shared initiatives. Meeting objectives include:
- Explain the concept of combined assurance.
- Emphasize that the goal is not to change reporting structures or mission statements.
- Share objectives, scope, and timing of upcoming reviews and assessments.
- Document the key characteristics of each department in a profile or scorecard.
5. Determine and document a basis for reliance on the work of other assurance providers.
Assurance providers are not auditors and may lack an auditor’s level of skepticism when looking at a process. Therefore, internal audit must evaluate the quality of work and objectivity of results before placing reliance on their work. Reference IIA Standard 2050 and ISA Standard 620 for considerations and methodology for evaluating the scope of work for reliance. Document the basis of reliance based on where each provider falls in your method of rating. Assess:
- Independence
- Objectivity
- Skills
- Knowledge
- Reporting
- Methodology
- Scope
6. Formalize an assurance working group.
Establish a formal combined assurance working group that includes members representing each major assurance provider, and identify the project benefits for all parties. Establish a regularly scheduled meetings (e.g. quarterly) and formally sharing schedules, findings & reports, risk information, and significant risks and changes to risk profiles. Prepare a:
- Formal combined assurance charter defining the role of each function, the common goal, and the expectation of the work, relationships, and activities.
- Formal combined assurance map.
7. Leverage technology to combine key activities and reports.
To advance your combined assurance program to full maturity, technology is a key enabler. Approach the Board and Executive Management for a budget for software and training. Look for a platform that will bring together your organization’s risk data in a common taxonomy and risk definition through the implementation process. If possible, bring references of what your data looks like in a technology solution to show the value, such as sample reports or even manually prepared actual reports including:
- Single Integrated Issues report.
- Consolidated Assurance report.
- Combined Schedule.
8. Combine assurance activities into one seamless process.
Achieving the ultimate level of combined assurance maturity involves formal agreement on the combined assurance approach from the Audit Committee and Executive Management. Characteristics of a seamless process include:
- One enterprise-wide risk assessment.
- One consolidated schedule (consider jointly staffed engagements).
- One consolidated knowledge management program.
- Jointly developed and cross-functional data analytics.
- Joint training on common topics.
Once this level of maturity is achieved you can begin additional additional assurance providers into your combined assurance framework over time. In order to sustain stakeholder “buy-in” be sure to provide the audit committee and executive management with periodic progress updates.
For any organization that is serious about reaching combined assurance maturity, it is important to recognize this initiative is a multi-year journey, not a one-time project that may be completed in a few months. However, the benefits — a single view of risk across the organization, increased knowledge sharing across assurance groups, and enhanced visibility into the full scope of assurance — are significant and lasting. Not only is it Internal Audit’s responsibility to take the lead in combined assurance, but the function is uniquely fit to do so due to its independence and objectivity. Moreover, taking the lead in this initiative will ultimately enable Internal Audit’s ability to have a seat at the table.
Download a PDF Checklist version of this 8-step Framework for Advancing Combined Assurance below.
Fill out the form to get your free checklist-style Combined Assurance Framework.
Mike Gowell is considered a foremost expert on audit technology and methodology, and draws on 30+ years of audit industry experience to provide consulting services to enterprise organizations. Mike was the co-founder of TeamMate Audit Management Software and managed TeamMate global operations for 12 years at Wolters Kluwer. Prior to Wolters Kluwer, he spent 22 years at PwC, where he was an Auditor and Managing Director at the PwC Center for Technology and Innovation (CTI). Mike is a Senior Advisor to AuditBoard.
Anand Bhakta is Sr. Director of Risk Solutions at AuditBoard and a cofounder and Principal of SAS. He has over twenty years of audit and advisory experience. Anand spent 8 years at Ernst & Young prior to SAS, and has served as a trusted advisor for numerous internal audit and management executives. Connect with Anand on LinkedIn.