
Table of Contents

Introduction (page 2)
The Pitfalls of a Siloed Approach to Risk (page 3)
Benefits of Advancing Combined Assurance (page 5)
Starting Out: Creating Success to Create Momentum (page 6)
The Combined Assurance Maturity Model (page 6)
5 Common Combined Assurance Challenges and Solutions (page 8)
Checklist for Advancing Combined Assurance (page 13)
Conclusion (page 16)

www.auditboard.com 1
Introduction

As the independent and trusted advisor to the business, internal audit has long been the
de-facto function tasked with providing assurance regarding the effectiveness of governance
and risk management activities. However, the underlying assumptions behind assurance have
recently become more specific. Last year The Institute of Internal Auditors (IIA) updated its
guidance to stress that regular interaction between internal audit and management is critical to
internal audit’s ability to deliver optimal assurance. In its 2020 Three Lines Model Update, The
IIA writes:

“There is a need for collaboration and communication across both the first and second line roles of
management and internal audit to ensure there is no unnecessary duplication, overlap, or gaps.”

The idea that collaboration is critical to assurance is what lies at the heart of the combined
assurance movement. At its most basic level, combined assurance – also known as integrated
risk assurance – involves combining risk management efforts across the three lines (and their
external assurance providers) to enable an effective control environment and uniform risk
reporting to executives and the board.

Though most governance, risk, and compliance (GRC) leaders agree that combined assurance is
an efficient approach to risk management, many struggle to effectively embed the model in their
organizations. In this guide, we will discuss the benefits of a combined assurance approach, how
to measure your progress on your journey, and common challenges to its implementation. Then
we will discuss best practices for overcoming these challenges to create an optimal, thorough,
and balanced approach to risk management in your organization.

The Pitfalls of a Siloed Approach to Risk

“The main barriers to creating a comprehensive risk picture are neither technological nor financial but
rather organizational, particularly when it comes to risk assurance.”
– Deloitte, Integrated Risk Assurance Report, 2018.

Traditionally, the responsibility for managing risk falls under a wide umbrella of governance, risk,
and compliance providers, including internal audit, compliance, risk management, legal,
information security, and SOX compliance. Despite intersecting responsibilities and a common goal of
supporting management in achieving organizational objectives and making risk-informed
decisions, these groups tend to work in silos largely independent of one another. A March 2021
AuditBoard poll of over 1,000 GRC professionals found that nearly 60% of respondents have limited to
no visibility into the issues identified by other teams. Such limited visibility can result in gaps in
coverage, inefficiency, and control owners experiencing "assurance fatigue" from being repeatedly
asked by different teams to provide the same information.

Source: AuditBoard Poll, March 2021

Not only are GRC providers and their stakeholders plagued by inefficiency, but executive
management and the Board are also affected by inconsistent reporting on risks. The same
AuditBoard poll reveals almost 70% of respondents stated there was not consistent reporting on
risk and controls data across GRC functions to executive management.

Source: AuditBoard Poll, March 2021

This lack of consistency can send confusing and mixed messages to leadership regarding the
relevance and priority of the organization’s strategic risks. Not only is this frustrating for report
readers, but lack of cohesive reporting can also lead to an incomplete perspective on the
organization’s true risk profile, which can leave the business exposed to risks and prevent business
leaders from making risk-informed decisions.

Benefits of Advancing Combined Assurance

Combined assurance requires that various governance and risk management groups in an
organization meticulously coordinate their efforts and efficiently share their resources. When
successfully implemented, this model results in a more holistic, organized, and accurate view of
risk, as well as the following benefits:

[Figure: Benefits of Advancing Combined Assurance]
Starting Out: Creating Success to Create Momentum

For assurance and advisory providers to orient themselves when starting out, the first step is to
assess where your current environment sits on the Combined Assurance Maturity Curve.

[Figure: Combined Assurance Maturity Curve]

The following are the four stages of maturity on the curve:

1. Basic Coordination. Internal audit takes inventory of all assurance units and begins
communicating with them. Activities:
a. Assurance provider inventory and meetings begin.
b. A consistent process for the basis of reliance is established.
c. Internal audit considers placing reliance on other assurance providers’ work.

2. Enhanced Coordination. Assurance providers have begun the initial knowledge sharing
process. Activities:
a. Issue and report sharing.
b. Sharing of risk-related data and information.
c. Schedule coordination and plan sharing.

3. Optimized Coordination. Assurance providers move beyond sharing to extensive
consolidation and integration of data, activities, and reporting. Activities:
a. Consolidated issue reporting and tracking.
b. Formal process for knowledge sharing established.
c. Formal coordination of schedules and planning across GRC functions.

4. Combined Assurance. There is clear and formal communication among GRC stakeholders
and one seamless model for assurance that has been rolled out to additional business units.
Activities:
a. A single enterprise-wide risk assessment.
b. Clear and formal communication with stakeholders.
c. Rollout of model to additional assurance functions.

Reaching a mature state is a substantial endeavor that takes time. A best practice when beginning
is to view combined assurance as an iterative process, with each incremental success creating new
momentum to propel your organization toward a mature state.

First Steps: 5 Common Combined Assurance Challenges
and Solutions

When beginning the journey to combined assurance, risk leaders often come across several
common challenges that impede their ability to reach a mature state of combined assurance. We
discuss some of these challenges below as well as their solutions.

Challenge 1: Lack of clear leadership.

Every business is organized differently depending on its size, industry, and years of operation.
Organizations with multiple risk management functions may struggle to identify and agree upon
the right team or individual to lead their combined assurance efforts. Without a leader who can
secure backing from the Audit Committee, the Board, and management, combined assurance efforts
may quickly lose steam in the business.

Solution: Internal Audit should take the lead.

In 2017, the Institute of Internal Auditors (IIA) introduced the Coordination and Reliance
standard, which directs internal auditors to initiate the coordination of assurance efforts with other risk parties.
IIA Standard 2050 states:

“The chief audit executive should share information, coordinate activities, and consider relying upon
the work of other internal and external assurance and consulting service providers to ensure proper
coverage and minimize duplication of efforts.”

Few groups in the business have as in-depth an understanding of the organization's processes and
controls as internal audit, and fewer still have a direct line to the Audit Committee.
Moreover, as the independent line of assurance in the business, internal audit is already
conditioned to working at the most granular level of detail before forming opinions on controls.
As a result, it is the natural function to lead this effort.

Challenge 2: Difficulty obtaining stakeholder buy-in.

A common misperception is that combined assurance requires reorganizing and changing the
basic roles of the three lines and their reporting structure. It is important to communicate to your
stakeholders that adopting a combined assurance model does not displace any function's existing
role; it is an effort to coordinate activities and share knowledge in order to add value to the organization.

Solution: Provide reassurance that independence does not imply isolation.


When meeting with other assurance stakeholders, communicate that advancing combined
assurance in your organization is for the greater good of the organization and all stakeholders
involved. Reference IIA Standard 2050, The IIA’s recently updated Three Lines Model, and
messaging from external assurance providers such as Deloitte and PwC. Emphasize that combined
assurance does not change the mission statement, reporting structure, or capabilities of each
individual function. Each business function remains distinct and continues to execute its unique
role as part of a fully integrated effort in reducing risk within the organization.

Challenge 3: Lack of visibility into gaps, despite strong assurance.


Organizations may lack a comprehensive understanding of the key risks facing their business,
despite extensive risk management work being performed by multiple functions. One way this
manifests is in conflicting issue reports; for example, an internal audit report on a particular
business unit comes back as satisfactory, while a health and safety report on the same business
unit may include several high-risk issues. Negative consequences of poor risk visibility include:
gaps in coverage, significant control failures, and unexpected risk events – despite significant time
and resources spent on assurance.

Solution: Create an assurance map.

Poor visibility and misaligned reporting are often the result of inconsistent risk categorization
and terminology across functions. Initiating a combined assurance effort presents an opportunity to take stock of
the gaps in your organization by creating an assurance map. An assurance map is a living document
that helps identify any gaps or overlaps in your business's risk management processes. To create
an assurance map:

1) Map assurance coverage against the key risks in your organization.
2) Identify and address the gaps and overlaps in your risk management processes.

Performing this exercise can quickly help you identify your key assurance stakeholders and their
coverage, and address gaps. This is an important tool to bring to combined assurance meetings to
give stakeholders comfort that A) risks are being managed and reported on, and B) regulatory and
legal obligations are being met.

[Figure: Sample Assurance Map]
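The two steps above, carried out on a small coverage register, as an added example that is not part of the original AuditBoard guide and is not the guide's sample map. It builds the map from a constructed list of coverage records (the risks, providers, Three Lines labels and conclusions are all invented for illustration), then reports the three things the text says the map should surface: key risks nobody reviews (gaps), risks several providers review (overlaps), and, matching the health-and-safety versus internal-audit case from Challenge 3, risks where providers reached conflicting conclusions. It also flags risks with coverage only from first or second line functions, since the page stresses independent assurance.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed labels for the Three Lines Model plus external providers (illustrative).
INDEPENDENT_LINES = {"3rd", "external"}


@dataclass(frozen=True)
class Coverage:
    """One assurance provider's coverage of one key risk (constructed schema)."""
    risk: str
    provider: str
    line: str         # "1st", "2nd", "3rd" or "external"
    conclusion: str   # "satisfactory" or "issues"


# Constructed sample data, not taken from any real organization or poll.
KEY_RISKS = [
    "Cyber attack",
    "Regulatory non-compliance",
    "Workplace safety",
    "Financial misstatement",
    "Third-party failure",
]

COVERAGE = [
    Coverage("Cyber attack", "Information Security", "2nd", "issues"),
    Coverage("Cyber attack", "Internal Audit", "3rd", "satisfactory"),
    Coverage("Regulatory non-compliance", "Compliance", "2nd", "satisfactory"),
    Coverage("Workplace safety", "Health & Safety", "2nd", "issues"),
    Coverage("Workplace safety", "Internal Audit", "3rd", "satisfactory"),
    Coverage("Financial misstatement", "SOX Compliance", "2nd", "satisfactory"),
    Coverage("Financial misstatement", "Internal Audit", "3rd", "satisfactory"),
    Coverage("Financial misstatement", "External Audit", "external", "satisfactory"),
]


def build_map(risks, coverage):
    """Group coverage records by key risk; every key risk gets an entry, even if empty."""
    amap = {risk: [] for risk in risks}
    for c in coverage:
        if c.risk not in amap:
            raise ValueError(f"coverage references a risk not in the register: {c.risk!r}")
        amap[c.risk].append(c)
    return amap


def gaps(amap):
    """Key risks with no assurance coverage at all."""
    return [risk for risk, cov in amap.items() if not cov]


def overlaps(amap):
    """Key risks reviewed by more than one provider, with the providers involved."""
    return {risk: sorted(c.provider for c in cov)
            for risk, cov in amap.items() if len(cov) > 1}


def without_independent_assurance(amap):
    """Covered risks that no third line or external provider has reviewed."""
    return [risk for risk, cov in amap.items()
            if cov and not any(c.line in INDEPENDENT_LINES for c in cov)]


def conflicts(amap):
    """Risks where providers reached different conclusions, e.g. 'satisfactory' vs 'issues'."""
    out = {}
    for risk, cov in amap.items():
        by_conclusion = defaultdict(list)
        for c in cov:
            by_conclusion[c.conclusion].append(c.provider)
        if len(by_conclusion) > 1:
            out[risk] = dict(by_conclusion)
    return out


def render(amap):
    """Plain-text assurance map: one row per risk, one column per provider (S/I/-)."""
    providers = sorted({c.provider for cov in amap.values() for c in cov})
    width = max(len(r) for r in amap)
    lines = [" " * width + " | " + " | ".join(providers)]
    for risk, cov in amap.items():
        marks = {c.provider: c.conclusion[0].upper() for c in cov}
        cells = [marks.get(p, "-").center(len(p)) for p in providers]
        lines.append(risk.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    amap = build_map(KEY_RISKS, COVERAGE)
    print(render(amap))
    print("Gaps:", gaps(amap))
    print("Overlaps:", overlaps(amap))
    print("No independent assurance:", without_independent_assurance(amap))
    print("Conflicting conclusions:", conflicts(amap))
```

On the constructed data the map shows one uncovered risk, three risks with overlapping reviews, one risk covered only by a second line function, and two risks where a second line function reported issues while internal audit reported satisfactory results; each of those is a discussion item for the combined assurance working group rather than a finding in itself.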

Challenge 4: Difficulty developing a common controls framework.
Designing a common controls framework for use across functions is the foundation for unified
issue reporting. However, mapping multiple requirements across different frameworks, while
integrating various risk ranking criteria and risk definitions into a single risk taxonomy, is arguably
the most complex hurdle in combined assurance.

Solution: Break down big goals into manageable goals.

This is an opportune moment for assurance stakeholders to step back and strategize at the highest
level. Organize your combined assurance goals into common buckets that can be easily
referenced, and from there prioritize how to tackle them based on majority opinion. See below for
an example:

[Figure: Example of Goals]

Visualizing your combined assurance goals in this way can help you establish connections between
goals, which can help stakeholders brainstorm solutions together that can efficiently address
multiple goals at once.

Challenge 5: Decentralized systems create inefficiency.

When attempting to unite siloed business functions under the goal of combined assurance for the
first time, a major hurdle is making sense of disparate risk and controls data exported from
multiple systems. A February 2021 AuditBoard poll of over 1,500 audit, risk, and compliance
professionals found that 56% of respondents stated their function managed its data in multiple
systems of record.

Source: AuditBoard Poll, February 2021

As a result, assurance stakeholders working in decentralized environments spend a significant
amount of their time reconciling version control issues and cleaning data. The same poll found
nearly 50% of respondents spend between 25% and 50% of their time on administrative tasks, while
15% spend over 50% of their time on administrative tasks.

Source: AuditBoard Poll, February 2021
Solution: Use technology to jumpstart combined assurance.

A combined assurance initiative can be seen as an opportunity to solve multiple problems by
working together. Use your combined assurance effort on two fronts: helping stakeholders
organize their records by migrating their risk data into a centralized system of record, and then
building the shared model on top of it. Not only will this alleviate decentralization issues for
individual GRC functions, but it also serves to streamline several major goals of combined assurance, including:

- Establishing a risk taxonomy.
- Establishing a risk ranking system.
- Creating a common controls framework.
- Mapping controls to strategic objectives.
- Mapping controls to requirements and risks.
- Centralizing issue data into a single issues register.
- Standardizing reporting.

Checklist for Advancing Combined Assurance

Once you have established a baseline for your organization's place on the combined assurance
maturity model, the following is a general guideline for advancing along the maturity scale to
combined assurance.

1. Prepare a formal business case in support of internal audit leading a combined assurance
initiative. Articulate why internal audit is best-suited to take on a leadership role in
implementing Combined Assurance. Reference:

❏ IIA Standard 2050.
❏ The Three Lines Model.
❏ Sample Assurance map.
2. Gain support and backing from the Audit Committee and Senior Management. Present
your business case and discuss the challenges of the siloed approach and the anticipated
benefits of Combined Assurance. Bring:

❏ A list of all known assurance providers.
❏ Sample Assurance map.
❏ Examples of various Assurance Reports.
❏ The Three Lines Model.

3. Take an inventory of assurance providers in your organization. Perform an inventory
exercise to identify all assurance providers. Identify them by:

❏ Reviewing the organization chart.
❏ Reviewing Board meeting agendas and Board minutes.
❏ Interviewing the Chief Risk Officer.

4. Hold initial meetings with each of the assurance stakeholders. Explain the concept of
Combined Assurance and tailor your message to each business function. Meeting
objectives include:

❏ Explain the concept of Combined Assurance.
❏ Emphasize that the goal is not to change reporting structures or mission
statements.
❏ Share objectives, scope, and timing of upcoming reviews and assessments.
❏ Document the key characteristics of each department in a profile or scorecard.

5. Determine and document a basis for reliance on the work of other assurance providers.
Document the basis of reliance based on where each provider falls in your method of
rating. Assess:

❏ Independence.
❏ Objectivity.
❏ Skills.
❏ Knowledge.
❏ Reporting.
❏ Methodology.
❏ Scope.

6. Formalize an assurance working group. Identify the project benefits for all parties and
establish regularly scheduled meetings (e.g. quarterly). Prepare a:

❏ Formal Combined Assurance charter defining the role of each function, the
common goal, and the expectation of the work, relationships, and activities.
❏ Formal Combined Assurance map.
❏ A single consolidated issues report to demonstrate the value to Senior
Management and to make the case for investment in technology.

7. Leverage technology to combine key activities and reports. Make the business case for a
technology platform that enables Combined Assurance, and bring references of what your
data looks like in a technology solution, such as sample reports including:

❏ Single Integrated Issues report.
❏ Consolidated Assurance report.
❏ Combined Schedule.

8. Combine assurance activities into one seamless process. A mature Combined Assurance
process includes formal support from the Audit Committee and Executive Management, as
well as:

❏ One enterprise-wide risk assessment.
❏ One consolidated schedule (consider jointly staffed engagements).
❏ One consolidated knowledge management program.
❏ Jointly developed and cross-functional data analytics.
❏ Joint training on common topics.
Conclusion

Reaching a state of mature combined assurance can give businesses a competitive advantage in a
volatile risk environment. The key to unlocking a solid governance program's true potential is to
break down the barriers between assurance stakeholders and unite their efforts under their
shared goals. By working toward those common goals, combined assurance providers can eliminate
redundant efforts and provide more useful and concise information for executive leadership to
make strategic, risk-informed decisions. In the process, GRC functions benefit from a greater
understanding of the organization's data, reduced assurance fatigue, and overall improved
efficiency. Ultimately, when GRC providers strengthen their relationships with one another, they
amplify their ability to protect overall organizational value while increasing their individual value
as trusted partners to one another and the entire organization.
About the Author

Anand Bhakta
Sr. Director of Risk Solutions,
AuditBoard

Anand Bhakta is the Sr. Director of Risk Solutions at AuditBoard. He has over fifteen years of risk
management, internal audit, and compliance experience. Anand has helped various multinational companies
set up and enhance their risk management and compliance programs. Anand is recognized for his ability to
develop and implement proactive and agile risk management programs. Additionally, he has helped clients
comply with Sarbanes-Oxley from both an advisory and an attestation perspective.

About AuditBoard

AuditBoard transforms how audit, risk, and compliance professionals manage today’s dynamic risk
landscape with a modern, connected platform that engages the front lines, surfaces the risks that matter,
and drives better strategic decision-making. More than 25% of the Fortune 500 leverage AuditBoard to
move their businesses forward with greater clarity and agility. AuditBoard is top-rated in audit management
and GRC software on G2, and was recently ranked as one of the 100 fastest-growing technology companies
in North America by Deloitte.

To learn more, visit: auditboard.com.
