What Is Combined Assurance? 7 Steps to Start a Successful Program

Learn 7 practical steps to create a successful combined assurance program from scratch or increase the effectiveness of your current coordinated assurance efforts, and download our full guide, Advancing Combined Assurance to Manage Key Risks.

Are you looking to implement a combined assurance approach in your organization? Combined assurance aims to align assurance processes between internal audit and other assurance providers to deliver deeper insights on governance, risk, and control management to senior management and the Audit Committee.

A well-executed combined assurance approach helps to standardize messaging, reduce duplicative efforts, provide a common view of risks, and deliver more effective oversight — with the ultimate goal of strengthening assurance and collectively adding more value to the organization. The qualitative and quantitative benefits of increased alignment across assurance providers are clear, but knowing how to get started can be the hardest part. 

Whether you are embarking on your combined assurance journey or you are considering amping up current efforts, we’ve collected seven steps to set you on the path to create a successful combined assurance program. 

What Is Combined Assurance?

From an internal audit perspective, combined assurance is often associated with the Institute of Internal Auditors (IIA) Standard 2050, which focuses on the importance of coordination: “the chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.”

Internal assurance providers are represented by oversight functions that may include areas such as environmental, financial control, health and safety, IT security, legal, risk management, compliance, or quality assurance. These are part of what is commonly referred to as the second line of defense.

True combined assurance represents the ultimate level of coordination, including such elements as combined scheduling, consolidated planning and reporting, shared terminology, and use of common and shared technology. However, any increase in your level of communication and knowledge sharing will be a step toward further aligning with Standard 2050 — a worthy goal. 

7 Steps to Get Started With Combined Assurance

1. Establish a Baseline

Assess your current environment and take stock of what coordinated activities — if any — are already taking place. For example:

  1. Are you sharing results of your work with other assurance providers? 
  2. Do you have regular meetings to discuss planning of your respective activities? 
  3. Do you place any reliance on each other’s work?

Once you have your baseline established, you can use it as a starting point to consider what additional activities are desired, appropriate, and realistic.

2. Outline and Define Your Objectives and Expected Benefits

Having a clear understanding of what defines success will allow you to track progress along the way and assess the results at the end. 

  1. Clearly state what you’re trying to achieve and hoping to gain, both within and outside of internal audit.
  2. Determine in what ways you expect the project to improve the ability of your parent organization to achieve its business objectives and goals. 
  3. Clarify what is excluded from this combined assurance effort (e.g., a functional reorganization or changes in basic roles or reporting relationships). 

Knowing what you are trying to achieve will prepare you to better articulate your strategy to all other parties involved. 

3. Obtain Involvement of Other Assurance Providers

Success will depend on strong support and participation from other assurance providers within your parent organization. Without their ability and willingness to cooperate, the project doesn’t stand a chance.

  1. Help other assurance leaders to understand the value that they would receive and why it’s important to work with internal audit to strengthen the alignment and coordination of the organization’s assurance efforts. 
  2. Identify specific areas, processes, or activities, such as knowledge sharing, where enhanced coordination is likely to have an immediate, positive impact on everyone. 
  3. Look for the easy wins that you can point to as indicators of success as the project progresses.

Alignment of the individual assurance groups will provide a strong argument for obtaining project support from key stakeholders.

4. Communicate With, Educate, and Obtain Sponsorship of Key Stakeholders

Strong backing from the audit committee and senior management is essential to ensure success. 

  1. In order to obtain their support, you should clearly and succinctly convey your goals, objectives and project plan to key stakeholders along with the anticipated benefits of enhanced coordination for internal audit, other assurance players, and the organization as a whole. 
  2. In order to sustain their buy-in, be sure to provide the audit committee and management with periodic progress updates.

By obtaining and maintaining stakeholder support, you can initiate your project with confidence and defend against potential criticism and/or resistance during implementation. 

5. Take an Iterative, Step-by-Step Approach

Whatever objectives you’ve defined, success is more likely with a step-by-step, incremental approach.

  1. Resist the urge to spend months creating an elaborate plan and then implementing everything all at once. Organizations do not exist in a static state, and planned activities may already be invalid by the launch date. 
  2. Proceed in a deliberate and step-by-step manner, fine-tuning and correcting issues as they come up. 

Throughout the iterative implementation, give all stakeholders time to understand and adapt to the new processes being put in place. 

6. Create a Change Management Plan

You may encounter resistance from teams or individuals that provide assurance as new processes are introduced. An effective way to minimize pushback is to create an internal change management plan that anticipates concerns and drives communication efforts. 

  1. Provide up-front and ongoing communications about the reasons for undertaking these changes and the expected benefits.
  2. Solicit and listen to feedback from key stakeholders about what is working, as well as what isn’t showing an ROI. 

A change management plan will help to reduce friction as your organization initiates combined assurance processes and progresses toward a more advanced level of coordination.

7. Measure and Report on Success Against Expected Benefits

As a part of the iterative rollout, make sure to periodically evaluate the success of your program against the criteria you established in Step 2. 

  1. Regularly evaluate what you set out to do, what you have achieved thus far, and appropriate next steps to address blockers or build on successes.
  2. Ensure that you do not simply evaluate the program, but also report on it to relevant stakeholders. 

Tracking the program’s achievements against initial objectives and regularly communicating the results will drive further acceptance and adoption, especially as benefits are realized. 

To successfully kick off a combined assurance initiative, synchronized communication is key. In these early stages, it is critical to check in regularly to ensure all stakeholders are on board and aligned with the goal of coordinating assurance efforts. There will be significant benefits to be gained as your combined assurance approach increases in maturity, from more efficient data collection and reporting to reduced duplication of efforts and a common view of risks and issues across the organization. For a deeper dive into advancing combined assurance maturity, download our full guide, Advancing Combined Assurance to Manage Key Risks.


Anand Bhakta is Sr. Director of Risk Solutions at AuditBoard and a cofounder and Principal of SAS. He has over twenty years of audit and advisory experience. Anand spent 8 years at Ernst & Young prior to SAS, and has served as a trusted advisor for numerous internal audit and management executives. Connect with Anand on LinkedIn.


Sarah Myers is Sr. Manager of Customer Advocacy at AuditBoard. Previously with Wolters Kluwer and PwC, she has over 20 years of experience in internal audit, specializing in audit technology. Connect with Sarah on LinkedIn.