2 Introduction
16 Conclusion
www.auditboard.com 1
Introduction
As the independent and trusted advisor to the business, internal audit has long been the
de facto function tasked with providing assurance regarding the effectiveness of governance
and risk management activities. However, the underlying assumptions behind assurance have
recently become more specific. Last year, The Institute of Internal Auditors (IIA) updated its
guidance to stress that regular interaction between internal audit and management is critical to
internal audit’s ability to deliver optimal assurance. In its 2020 Three Lines Model Update, The
IIA writes:
“There is a need for collaboration and communication across both the first and second line roles of
management and internal audit to ensure there is no unnecessary duplication, overlap, or gaps.”
The idea that collaboration is critical to assurance is what lies at the heart of the combined
assurance movement. At its most basic level, combined assurance – also known as integrated
risk assurance – involves combining risk management efforts across the three lines (and their
external assurance providers) to enable an effective control environment and uniform risk
reporting to executives and the board.
Though most governance, risk, and compliance (GRC) leaders agree that combined assurance is
an efficient approach to risk management, many struggle to effectively embed the model in their
organizations. In this guide, we will discuss the benefits of a combined assurance approach, how
to measure your progress on your journey, and common challenges to its implementation. Then
we will discuss best practices for overcoming these challenges to create an optimal, thorough,
and balanced approach to risk management in your organization.
The Pitfalls of a Siloed Approach to Risk
“The main barriers to creating a comprehensive risk picture are neither technological nor financial but
rather organizational, particularly when it comes to risk assurance.”
– Deloitte, Integrated Risk Assurance Report, 2018.
Traditionally, the responsibility for managing risk falls under a wide umbrella of governance, risk,
and compliance providers, including internal audit, compliance, risk management, legal,
information security, and SOX. Despite intersecting responsibilities and a common goal of
supporting management in achieving organizational objectives and making risk-informed
decisions, these groups tend to work in silos largely independent of one another. A March 2021
AuditBoard poll of over 1,000 GRC professionals found nearly 60% of respondents have limited to
no visibility into the issues identified by other teams. Such limited visibility can result in gaps in
coverage, inefficiency, and control owners experiencing “assurance fatigue” as a result of being
repeatedly asked to provide the same information to different teams with duplicative requests.
Not only are GRC providers and their stakeholders plagued by inefficiency, but executive
management and the Board are also affected by inconsistent reporting on risks. The same
AuditBoard poll reveals almost 70% of respondents stated there was not consistent reporting on
risk and controls data across GRC functions to executive management.
This lack of consistency can send confusing and mixed messages to leadership regarding the
relevance and priority of the organization’s strategic risks. Not only is this frustrating for report
readers, but lack of cohesive reporting can also lead to an incomplete perspective on the
organization’s true risk profile, which can leave the business exposed to risks and prevent business
leaders from making risk-informed decisions.
Benefits of Advancing Combined Assurance
Combined assurance requires that various governance and risk management groups in an
organization meticulously coordinate their efforts and efficiently share their resources. When
successfully implemented, this model results in a more holistic, organized, and accurate view of
risk, as well as the following:
Starting Out: Creating Success to Create Momentum
The first step for assurance and advisory providers starting out is to assess their current
environment’s place on the Combined Assurance Maturity Curve.
The following are the four stages of maturity on the curve:
1. Basic Coordination. Internal audit takes inventory of all assurance units and begins
communicating with them. Activities:
a. Assurance provider inventory and meetings begin.
b. A consistent process for the basis of reliance is established.
c. Internal audit considers placing reliance on other assurance providers’ work.
2. Enhanced Coordination. Assurance providers have begun the initial knowledge sharing
process. Activities:
a. Issue and report sharing.
b. Sharing of risk-related data and information.
c. Schedule coordination and plan sharing.
4. Combined Assurance. There is clear and formal communication among GRC stakeholders
and one seamless model for assurance that has been rolled out to additional business units.
Activities:
a. A single enterprise-wide risk assessment.
b. Clear and formal communication with stakeholders.
c. Rollout of model to additional assurance functions.
Reaching a mature state is a substantial endeavor that takes time. A best practice when beginning
is to view combined assurance as an iterative process, with each incremental success creating new
momentum to propel your organization toward a mature state.
First Steps: 5 Common Combined Assurance Challenges
and Solutions
When beginning the journey to combined assurance, risk leaders often come across several
common challenges that impede their ability to reach a mature state of combined assurance. We
discuss some of these challenges below as well as their solutions.
“The chief audit executive should share information, coordinate activities, and consider relying upon
the work of other internal and external assurance and consulting service providers to ensure proper
coverage and minimize duplication of efforts.”
Internal audit is one of the few groups in the business with an in-depth understanding of
the organization's processes and controls, as well as a direct line to the Audit Committee.
Moreover, as the independent line of assurance in the business, internal audit is already
conditioned to operating at the most granular level of detail before forming opinions on controls.
As a result, it is the natural function to lead this effort.
Solution: Create an assurance map.
Poor visibility and misaligned reporting are often the result of differing modes of risk categorization
and terminology. Initiating a combined assurance effort presents an opportunity to take stock of
the gaps in your organization by creating an assurance map. An assurance map is a living document
that helps identify any gaps or overlaps in your business’s risk management processes. To create
an assurance map:
Performing this exercise can quickly help you identify your key assurance stakeholders and their
coverage, and address gaps. This is an important tool to bring to combined assurance meetings to
give stakeholders comfort that A) risks are being managed and reported on, and B) regulatory and
legal obligations are being met.
Challenge 4: Difficulty developing a common controls framework.
Designing a common controls framework for use across functions is the foundation for unified
issue reporting. However, mapping multiple requirements across different frameworks, while
integrating various risk ranking criteria and risk definitions into a single risk taxonomy, is arguably
the most complex hurdle in combined assurance.
Example of Goals
Visualizing your combined assurance goals in this way can help you establish connections between
goals, which can help stakeholders brainstorm solutions together that can efficiently address
multiple goals at once.
Source: AuditBoard Poll, February 2021
Solution: Use technology to jumpstart combined assurance.
A combined assurance initiative can be seen as an opportunity to solve multiple problems by
working together. Use your combined assurance effort as a dual front for helping stakeholders
organize their records by migrating their risk data into a centralized system of record. Not only will
this help to alleviate decentralization issues for individual GRC functions, but it also serves to
streamline several major goals of combined assurance, including:
1. Prepare a formal business case in support of internal audit leading a combined assurance
initiative. Articulate why internal audit is best-suited to take on a leadership role in
implementing Combined Assurance. Reference:
2. Gain support and backing from the Audit Committee and Senior Management. Present
your business case and discuss the challenges of the siloed approach and the anticipated
benefits of Combined Assurance. Bring:
4. Hold initial meetings with each of the assurance stakeholders. Explain the concept of
Combined Assurance and tailor your message to each business function. Meeting
objectives include:
5. Determine and document a basis for reliance on the work of other assurance providers.
Document the basis of reliance based on where each provider falls in your method of
rating. Assess:
❏ Independence.
❏ Objectivity.
❏ Skills.
❏ Knowledge.
❏ Reporting.
❏ Methodology.
❏ Scope.
6. Formalize an assurance working group. Identify the project benefits for all parties and
establish regularly scheduled meetings (e.g. quarterly). Prepare a:
❏ Formal Combined Assurance charter defining the role of each function, the
common goal, and the expectation of the work, relationships, and activities.
❏ Formal Combined Assurance map.
❏ Single consolidated issues report to demonstrate the value to Senior
Management and to make the case for investment in technology.
7. Leverage technology to combine key activities and reports. Make the business case for a
technology platform that enables Combined Assurance, and bring examples of what your
data looks like in a technology solution, such as sample reports including:
8. Combine assurance activities into one seamless process. A mature Combined Assurance
process includes formal support from the Audit Committee and Executive Management, as
well as:
Conclusion
Reaching a state of mature combined assurance can give businesses a competitive advantage in a
volatile risk environment. The key to unlocking a solid governance program’s true potential is
breaking down the barriers between assurance stakeholders and uniting their efforts under their
shared goals. By working toward their common goals, combined assurance providers can eliminate
redundant efforts and provide more useful and concise information for executive leadership to
make strategic, risk-informed decisions. In the process, GRC functions benefit from greater
understanding of the organization’s data, reduced assurance fatigue, and overall improved
efficiency. Ultimately, when GRC providers strengthen their relationships with one another, they
amplify their ability to protect overall organizational value while increasing their individual value
as trusted partners to one another and the entire organization.
About the Author
Anand Bhakta
Sr. Director of Risk Solutions,
AuditBoard
Anand Bhakta is the Sr. Director of Risk Solutions at AuditBoard. He has over fifteen years of risk
management, internal audit, and compliance experience. Anand has helped various multinational companies
set up and enhance their risk management and compliance programs. Anand is recognized for his ability to
develop and implement proactive and agile risk management programs. Additionally, he has assisted clients
in complying with Sarbanes-Oxley from both an advisory and attestation perspective.
About AuditBoard
AuditBoard transforms how audit, risk, and compliance professionals manage today’s dynamic risk
landscape with a modern, connected platform that engages the front lines, surfaces the risks that matter,
and drives better strategic decision-making. More than 25% of the Fortune 500 leverage AuditBoard to
move their businesses forward with greater clarity and agility. AuditBoard is top-rated in audit management
and GRC software on G2, and was recently ranked as one of the 100 fastest-growing technology companies
in North America by Deloitte.