This paper provides insights on how combined assurance is a vital aspect when achieving the next level of GRC maturity.Download a White Paper
What is Combined Assurance?
With globalization continually on the rise, a natural outcome for organizations is complex supply chains and business units spread over multiple geographies, along with various players bringing in different measures of assurance. An overwhelming amount of information and disparate reports, along with a lack of a normalization and aggregation mechanism, only adds to this complexity.
The need of the hour is to transcend functional and geographical silos through combined assurance. This is achieved by providing an effective and efficient way to aggregate different assessment and rating systems and reporting formats from multiple, segregated functions.
Combined assurance allows organizations to set priorities for assurance activities harmonized across three parties which are:
- Management: to ensure assurance through a robust risk and control framework
- Internal Assurance Providers: to provide support to the management through risk management, internal control, and compliance functions
- External Assurance Providers: independent external assurance through independent and objective assurance of the overall adequacy and effectiveness of governance, risk management, and controls
Why Do We Need It?
Combined assurance is based on identified risks, and how assurance is achieved and reported to the board through the audit committee. The tangible benefits of combined assurance are not only limited to compliance, but also include:
- One taxonomy across all functions and governance bodies within the organization, providing a single source of truth
- Coordinated and relevant assurance efforts focusing on key risk exposures
- Comprehensive and prioritized tracking of remedial action on identified improvement opportunities/ weaknesses
- The collection and reporting of assurance information across silos
- A common view of issues, risks, and controls across the organization, and improved reporting to the board and committees
To sum up, combined assurance provides the senior management, the audit committee, and the supervisory committee with a comprehensive and holistic view of the effectiveness of governance, risk management, and controls in the organization. This enables organizations to make informed decisions through the analyses, aggregation, and reporting of information supplied by various assurance providers.
Combined Assurance and the Three Lines of Defense
Combined assurance is similar to the Three Lines of Defense model endorsed by the IIA, which considers business units and management control as the first line of defense in risk management, while the second line of defense includes the various risk control and compliance oversight functions established by the management. The third line of defense includes independent assurance, or internal audit. The organization’s wider governance framework requires each of these three “lines” to play a distinct role.
Although governing bodies, external regulators, and external auditors are not considered as lines of defense, their role is essential since they are considered as the primary stakeholders for all the three lines, and, in some cases, the fourth line of defense. The role of these parties is to ensure that the organization’s risk management and control process reflects the “Three Lines of Defense” model.
Current State: Awareness and Adoption of Combined Assurance
Although the benefits of a combined assurance model are many, current levels of awareness and adoption still leaves much to be desired. According to the CBOK 2015 Global Internal Audit Practitioner Survey, only 59% of the total respondents were aware of combined assurance, with the figure being as low as 46% in South Asia. The global average in terms of implementation of combined assurance stood at 40%, with a high of 50% in South Asia and Sub-Saharan Africa, and a low of 25% in North America1. About 35% of the respondents in South Asia, Africa, and the Middle East stated that while their organizations did not have a combined assurance approach in place, they plan to adopt it within the next 2 to 3 years.
One of the biggest challenges for organizations is the fact that governance requirements vary for each country, and there is no “one size fits all” approach to implement a combined assurance model. Additionally, the lack of an internationally adopted definition or guideline makes it difficult for organizations to follow a fixed set of instructions.
In most countries, it is mandatory for the management to release a statement on the effectiveness of their internal controls as part of their annual report. To create this statement, the internal audit team often provides reports on risk along with the effectiveness of controls in mitigating those risks. In order to streamline combined assurance reporting, the internal audit team should provide assurance on the effectiveness of the second line of defense as well.
To ensure effective coordination between combined assurance functions, organizations need to integrate processes through efficient planning and reporting. For example, aligning the risk-based audit planning process to the second line functions. Another important factor is the integration of audit with corporate support functions, where audits are performed jointly with these supporting functions. Improved coordination between functions can also be achieved by aligning activities with the lines of defense, and implementing closed loop workflows for continuous improvement.
How to Implement a Combined Assurance Approach
One of the key challenges when implementing a combined assurance approach is aligning the different activities, scoring and rating methodologies, and definitions from multiple assurance providers. Implementing combined assurance is not something that can be achieved overnight; it is a journey – much like MetricStream’s proprietary GRC Journey® program.
One of the foremost needs is to make a business case for combined assurance to ensure full buy-in and support from senior management (Rittenberg, 2013)2. This has to be followed by the creation of a central register with an inventory of all the stakeholders who assist the management in providing assurance on risks and controls in the organization.
Once a central register has been created, it is important to map the risk universe to the relevant assurance providers to monitor these risks. A well-defined assurance plan further lays the foundation for implementing an effective combined assurance model that can be monitored, evaluated, and optimized for continuous improvement. This ensures that the right information is leveraged by the right stakeholder at the right time.
Leveraging Technology for Combined Assurance
Organizational growth leads to increasing complexity owing to the number of functions required to ensure that boards can handle the responsibilities for effective control, compliance, and risk management. It is important to maintain “one voice”, and not suffer from what many term as “assurance fatigue”. To help document, manage, aggregate, and report risks, compliances, internal controls, as well as audit findings centrally, organizations can apply an integrated approach through a centralized platform.
MetricStream helps organizations avoid assurance fatigue by providing senior management and audit and supervisory committees with an integrated and comprehensive view of the organization’s governance, risks, and controls through combined assurance. MetricStream’s industry-leading GRC solution, built on a unified GRC platform, enables organizations to align and harmonize assurance activities and the methodologies used across different functions. The solution extends across the organization to optimize control efficiencies, and provide a holistic view of key operational and compliance risks.
The three parties of the combined assurance model can leverage the solution in the following way:
- Management: The MetricStream solution comprising the Enterprise Risk Management and Compliance Management apps ensure that a robust risk and control framework is in place so that all risks, threats, and compliance deviations are identified and remedied in a timely manner.
- Internal assurance providers: MetricStream apps support the management in efficiently performing multiple functions, such as internal control, risk management, and compliance, which are in line with the three lines of defense (through the Compliance Management, Enterprise Risk Management, and Internal Audit Management apps).
- External assurance providers: The MetricStream solution facilitates independent and objective assurance of the overall effectiveness of risk management, governance, and internal control within the organization as established by the first and second lines of defense. Additionally, the audit committee is supported by the MetricStream Internal Audit Management App.
MetricStream Value Proposition:
- Facilitates a systematic and streamlined approach aligned with corporate objectives and strategy
- Produces valuable and relevant data based on collaboration to transcend silos and enable better decision making
- Enables the identification of priorities to reduce fatigue
- Features a common set of libraries for risks, controls, processes, policies, organizations, and regulations to help ensure consistency, while minimizing duplication of effort
- Provides a unified view of the enterprise risks and compliance programs to get a thorough understanding of the risks and processes
- Coordinates key GRC activities and information sharing across business units and functions
- Improves overall process efficiency through clearly articulated risk and control taxonomy, metrics, and monitoring
- Tracks and reports issues centrally across GRC process, and enhances cross-functional collaboration on issue investigation
- Provides a comprehensive and in-depth view of processes and data through multiple reports, dashboards, and analytics
- Implements a mature GRC process through the MetricStream GRC Journey program
Most organizations today already have some form of the “three lines of defense model” or elements of combined assurance already in place. Usually, the first, second, and third line assurance providers are already involved in the business with their roles being fairly mature. However, more often than not, they are operating in silos. For example, most organizations already have a financial control framework in place, but it is not necessarily tied into the ERM process or expanded to cover other non-financial controls.
Reporting is another area of concern, which needs to be streamlined to ensure that the Executive Committee, the Audit Committee, the Risk Committee, and the Board are receiving the right assurance at the right time for informed decision-making.
Combined Assurance offers enterprises innumerable benefits, giving compliant organizations a competitive edge that their competitors will eventually have to follow. In short, combined assurance is not just good for the organization, but is a vital aspect when achieving the next level of GRC maturity.