What is Combined Assurance?
With globalization continually on the rise, a natural outcome for organizations is complex supply chains and business units spread over multiple geographies, along with various players bringing in different measures of assurance. An overwhelming amount of information and disparate reports, along with a lack of a normalization and aggregation mechanism, only adds to this complexity.
The need of the hour is to transcend functional and geographical silos through combined assurance. This is achieved by providing an effective and efficient way to aggregate different assessment and rating systems and reporting formats from multiple, segregated functions.
Combined assurance allows organizations to set priorities for assurance activities harmonized across three parties which are:
Why Do We Need It?
Combined assurance is based on identified risks, and how assurance is achieved and reported to the board through the audit committee. The tangible benefits of combined assurance are not only limited to compliance, but also include:
To sum up, combined assurance provides the senior management, the audit committee, and the supervisory committee with a comprehensive and holistic view of the effectiveness of governance, risk management, and controls in the organization. This enables organizations to make informed decisions through the analyses, aggregation, and reporting of information supplied by various assurance providers.
Combined Assurance and the Three Lines of Defense
Combined assurance is similar to the Three Lines of Defense model endorsed by the IIA, which considers business units and management control as the first line of defense in risk management, while the second line of defense includes the various risk control and compliance oversight functions established by the management. The third line of defense includes independent assurance, or internal audit. The organization’s wider governance framework requires each of these three “lines” to play a distinct role.
Although governing bodies, external regulators, and external auditors are not considered as lines of defense, their role is essential since they are considered as the primary stakeholders for all the three lines, and, in some cases, the fourth line of defense. The role of these parties is to ensure that the organization’s risk management and control process reflects the “Three Lines of Defense” model.
Current State: Awareness and Adoption of Combined Assurance
Although the benefits of a combined assurance model are many, current levels of awareness and adoption still leaves much to be desired. According to the CBOK 2015 Global Internal Audit Practitioner Survey, only 59% of the total respondents were aware of combined assurance, with the figure being as low as 46% in South Asia. The global average in terms of implementation of combined assurance stood at 40%, with a high of 50% in South Asia and Sub-Saharan Africa, and a low of 25% in North America1. About 35% of the respondents in South Asia, Africa, and the Middle East stated that while their organizations did not have a combined assurance approach in place, they plan to adopt it within the next 2 to 3 years.
One of the biggest challenges for organizations is the fact that governance requirements vary for each country, and there is no “one size fits all” approach to implement a combined assurance model. Additionally, the lack of an internationally adopted definition or guideline makes it difficult for organizations to follow a fixed set of instructions.
In most countries, it is mandatory for the management to release a statement on the effectiveness of their internal controls as part of their annual report. To create this statement, the internal audit team often provides reports on risk along with the effectiveness of controls in mitigating those risks. In order to streamline combined assurance reporting, the internal audit team should provide assurance on the effectiveness of the second line of defense as well.
To ensure effective coordination between combined assurance functions, organizations need to integrate processes through efficient planning and reporting. For example, aligning the risk-based audit planning process to the second line functions. Another important factor is the integration of audit with corporate support functions, where audits are performed jointly with these supporting functions. Improved coordination between functions can also be achieved by aligning activities with the lines of defense, and implementing closed loop workflows for continuous improvement.
How to Implement a Combined Assurance Approach
One of the key challenges when implementing a combined assurance approach is aligning the different activities, scoring and rating methodologies, and definitions from multiple assurance providers. Implementing combined assurance is not something that can be achieved overnight; it is a journey – much like MetricStream’s proprietary GRC Journey® program.
One of the foremost needs is to make a business case for combined assurance to ensure full buy-in and support from senior management (Rittenberg, 2013)2. This has to be followed by the creation of a central register with an inventory of all the stakeholders who assist the management in providing assurance on risks and controls in the organization.
Once a central register has been created, it is important to map the risk universe to the relevant assurance providers to monitor these risks. A well-defined assurance plan further lays the foundation for implementing an effective combined assurance model that can be monitored, evaluated, and optimized for continuous improvement. This ensures that the right information is leveraged by the right stakeholder at the right time.
Leveraging Technology for Combined Assurance
Organizational growth leads to increasing complexity owing to the number of functions required to ensure that boards can handle the responsibilities for effective control, compliance, and risk management. It is important to maintain “one voice”, and not suffer from what many term as “assurance fatigue”. To help document, manage, aggregate, and report risks, compliances, internal controls, as well as audit findings centrally, organizations can apply an integrated approach through a centralized platform.
MetricStream helps organizations avoid assurance fatigue by providing senior management and audit and supervisory committees with an integrated and comprehensive view of the organization’s governance, risks, and controls through combined assurance. MetricStream’s industry-leading GRC solution, built on a unified GRC platform, enables organizations to align and harmonize assurance activities and the methodologies used across different functions. The solution extends across the organization to optimize control efficiencies, and provide a holistic view of key operational and compliance risks.
The three parties of the combined assurance model can leverage the solution in the following way:
MetricStream Value Proposition:
Most organizations today already have some form of the “three lines of defense model” or elements of combined assurance already in place. Usually, the first, second, and third line assurance providers are already involved in the business with their roles being fairly mature. However, more often than not, they are operating in silos. For example, most organizations already have a financial control framework in place, but it is not necessarily tied into the ERM process or expanded to cover other non-financial controls.
Reporting is another area of concern, which needs to be streamlined to ensure that the Executive Committee, the Audit Committee, the Risk Committee, and the Board are receiving the right assurance at the right time for informed decision-making.
Combined Assurance offers enterprises innumerable benefits, giving compliant organizations a competitive edge that their competitors will eventually have to follow. In short, combined assurance is not just good for the organization, but is a vital aspect when achieving the next level of GRC maturity.