Definition of Combined Assurance
Combined assurance — where internal audit aligns with other assurance providers to deliver consistent messaging, a comprehensive view of risks, and more effective oversight — has a surprising amount in common with parenting best practices in today’s complex world. Learn how to make a case for the benefits of a combined assurance model when raising a child and in enterprise risk management!
As organizations grow more complex and geographically dispersed, the challenge of coordinating assurance activities has grown as well. Combined assurance offers a solution for internal audit and other assurance providers to streamline their processes and strengthen independent reporting to the board and senior management. The concept of combined assurance has existed for a decade, yet adoption beyond a basic level is not yet widespread. One potential reason for this delayed adoption is that the processes, goals, and benefits may not be properly understood by all parties.
There are remarkable similarities between combined assurance and one of the most common human activities: parenting. In our increasingly complex world, it takes coordination among caregivers to raise a child, keep them from harm, and help them reach their full potential. To aid auditors in speaking about combined assurance, this article breaks down five key benefits of a combined assurance model by comparing it to parenting best practices. I hope it will help you make a case for implementing combined assurance in your organization — or explain the role of audit and other assurance providers to friends and family.
What Does Combined Assurance Mean for Internal Audit?
Despite working toward a common goal, the business functions — such as audit, compliance, legal, and risk — responsible for providing assurance in an organization are often siloed. Combined assurance works to harmonize assurance providers’ activities to provide consistent messaging, a holistic view of risks, and more effective oversight. When these assurance providers are aligned and sharing information, it can decrease the risk of harm as well as inefficiencies, duplicated efforts, wasted resources, and unnecessary complications. This will result in the executive committee, audit committee, and board receiving a comprehensive view of the organization’s risk management efforts.
The term “combined assurance” was first introduced in the 2009 King III Report on Corporate Governance, with further elaboration by the IIA in Combined Assurance: One Language, One Voice, One View, a follow-up to its 2015 Common Body of Knowledge (CBOK) survey. Combined assurance aligns with internal audit best practices as outlined by the IIA’s IPPF Standard #2050: Coordination, which recommends that “the chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of effort.” If combined assurance is not already implemented in your organization, internal audit is well positioned to take on a leadership role and make a strong business case for the holistic assurance approach.
Why Do We Need Combined Assurance in Audit — and in Parenting?
Assurance professionals strive to safeguard their organization against undue risk and enable it to achieve the best results possible. Likewise, it’s in the best interests of parents and caregivers to implement practices that will protect children while helping them realize their full potential. In both organizational risk management and parenting, shared information and coordination can support these aims. Below are five key benefits to mention when making the case for establishing or expanding a combined assurance approach in your organization.
1. One voice and taxonomy
Just as there can be multiple control and assurance groups that call for alignment within an organization (audit, compliance, legal, risk, etc.), there are multiple influencers in the life of a child (parents, step-parents, teachers, coaches, etc.). Because each of these entities has its own perspectives, priorities, and ways of communicating, the same information can come across differently depending on how it’s presented.
The more aligned the different stakeholders are in their tone, language, and message, the more understandable that message will be to the person receiving it. If we can eliminate or reduce confusion, the actions that follow are more likely to comply with expectations and produce better results.
2. More efficient data collection and reporting
With people operating in separate as well as remote locations, geographic silos exist alongside functional ones. Duplicate reports and version control issues can become the norm. A centralized, shareable repository of information can provide real-time, secure access to the results and progress of work, the issues identified, and updates, giving all parties a single source of truth.
In the parental realm, without a common platform for communication, parents, teachers, and other caregivers are forced to rely on individual messages that may not get transmitted correctly. No one wants their kid to be the last one waiting after practice because someone forgot to pick them up. Technology can play a big role in knowledge transfer, from shared calendars that keep all parties aware of schedules, to platforms that allow teachers and parents to share information about grades, absences, and other academic details to keep a child’s progress on track.
3. Common view of risks and issues
Identification and resolution of risks and issues are a key part of the assurance and control review process. As these items are documented, sharing them among assurance providers can provide added insight into common problems and the best way to address them, and can bring to light problems that have not surfaced previously and need to be taken into consideration.
Likewise, when a child misbehaves, it can be effective to address it immediately in the context where it occurred. Yet, if the child exhibits that behavior in another setting — at school or at a friend’s house — and the parent is not informed, they may not recognize that the behavior is a pervasive issue that may need to be addressed differently. A shared understanding of issues between parents and other caregivers can lead to a more coordinated and effective disciplinary process.
4. More effective oversight
With combined assurance, the audit committee and senior management are given holistic insights on governance, risk management, and control effectiveness. When sharing and communication are taking place on a regular basis between key stakeholders and assurance providers, the result is better reporting and, ultimately, better decision making. If the audit committee and management are provided with a comprehensive view of risks, issues, and mitigation activities, they can more confidently consider ways to address them.
This holds true when charting a long-term course for a child to attend a university of choice. A shared view of the child’s emerging strengths, weaknesses, and activities will help the caregivers provide guidance to ensure a college-bound path.
5. Reduced repetition and duplication of efforts
No one appreciates having to repeat themselves or perform duplicate work. We’ve all seen a child roll their eyes or express their frustration when asked the same question by more than one adult. In the workplace, unaligned assurance providers can lead to “audit fatigue” for auditees when asked to provide the same document or answer multiple times to different auditors.
The increased communication and collaboration that take place with combined assurance help minimize duplicated effort and reduce time demands on auditees.
Effective combined assurance will help ensure that business areas and functions responsible for providing assurance are working toward a common goal and providing transparent and uniform messaging to executive management and the board. How you go about implementing a combined assurance model in your organization — or in parenting — will be based on the importance placed on strengthening this process, the tools available to you, and the commitment of individual groups to compromise and work in a more aligned manner. For more information about implementing a combined assurance approach, see the IIA’s guide to Combined Assurance.
Anand Bhakta is Sr. Director of Risk Solutions at AuditBoard and a cofounder and Principal of SAS. He has over twenty years of audit and advisory experience. Anand spent 8 years at Ernst & Young prior to SAS, and has served as a trusted advisor for numerous internal audit and management executives. Connect with Anand on LinkedIn.
Sarah Myers is Sr. Manager of Customer Advocacy at AuditBoard. Previously with Wolters Kluwer and PwC, she has over 20 years of experience in internal audit, specializing in audit technology. Connect with Sarah on LinkedIn.