Every business is organized differently depending on its size, industry, and years of operation. Organizations with multiple risk management functions may struggle to identify and agree upon the right team or individual to lead their combined assurance efforts. Without proper leadership that can advocate for Board and management support and backing from the Audit Committee, combined assurance efforts may quickly lose steam in the business.
In 2017, the Institute of Internal Auditors (IIA) announced the new Coordination and Reliance standard that recommends auditors initiate combining assurance efforts with other risk parties. IIA Standard 2050 states:
“The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.”
Internal audit is one of the few groups in the business that has the most in-depth understanding of the organization’s processes and controls, as well as a direct line to the Audit Committee. Moreover, as the independent line of assurance in the business, internal audit is already conditioned to operating at the most granular level of detail before forming opinions on controls. As a result, it is the natural function to lead this effort.
A common misperception is that combined assurance requires reorganizing and changing the basic roles of the three lines and their reporting structure. It is important to communicate to your stakeholders that adopting a combined assurance model is not a mutually exclusive exercise, but an effort to coordinate efforts and share knowledge to ultimately add value to the organization.
When meeting with other assurance stakeholders, communicate that advancing combined assurance in your organization is for the greater good of the organization and all stakeholders involved. Reference IIA Standard 2050, The IIA’s updated Three Lines Model, and messaging from external assurance providers such as Deloitte and PwC. Emphasize that combined assurance does not change the mission statement, reporting structure, or capabilities of each individual function. Each business function remains distinct and continues to execute its unique role as part of a fully integrated effort in reducing risk within the organization.
Organizations may lack a comprehensive understanding of the key risks facing their business, despite extensive risk management work being performed by multiple functions. One way this manifests is in conflicting issue reports; for example, an internal audit report on a particular business unit comes back as satisfactory, while a health and safety report on the same business unit may include several high-risk issues. Negative consequences of poor risk visibility include: gaps in coverage, significant control failures, and unexpected risk events — despite significant time and resources spent on assurance.
Poor visibility and misaligned reporting is often the result of various modes of risk categorization and terminology. Initiating a combined assurance effort presents an opportunity to take stock of the gaps in your organization by creating an assurance map. An assurance map like the sample below is a living document that helps identify any gaps or overlaps in your business’s risk management processes.
To create an assurance map:
Performing this exercise can quickly help you identify your key assurance stakeholders, their coverage, and address gaps. This is an important tool to bring to combined assurance meetings to give stakeholders comfort that A) risks are being managed and reported on, and B) regulatory and legal obligations are being met.
Designing a common controls framework for use across functions is the foundation for unified issue reporting. However, mapping multiple requirements across different frameworks, while integrating various risk ranking criteria and risk definitions into a single risk taxonomy, is arguably the most complex hurdle in combined assurance.
This is an opportune moment for assurance stakeholders to step back and strategize at the highest level. Organize your combined assurance goals into common buckets that can be easily referenced, such as in the example below, and from there prioritize how to tackle them based on majority opinion.
Visualizing your combined assurance goals in this way can help you establish connections between goals, which can help stakeholders brainstorm solutions together that can efficiently address multiple goals at once.
When attempting to unite siloed business functions under the goal of combined assurance for the first time, a major hurdle is making sense of disparate risk and controls data exported from multiple systems. A February 2021 AuditBoard poll of over 1,500 audit, risk, and compliance professionals found that 56% of respondents stated their respective department function managed its data in multiple systems of record.
Source: AuditBoard Poll, February 2021
As a result, assurance stakeholders working in decentralized environments spend a significant amount of their time reconciling version control issues and cleaning data. The same poll found nearly 50% of respondents spend between 25% to 50% of their time on administrative tasks, while 15% spend over 50% of their time on administrative tasks.
A combined assurance initiative can be seen as an opportunity to solve multiple problems by working together. Use your combined assurance effort as a dual front for helping stakeholders organize their records by migrating their risk data into a centralized system of record. Not only will this help to alleviate decentralization issues for individual GRC functions, but it also serves to streamline several major goals of combined assurance, including:
Reaching a state of mature combined assurance can give businesses a competitive advantage in a volatile risk environment. Download our full guide, Advancing Combined Assurance to Manage Key Risks, for more ways to mature your organization’s combined assurance practices.