Where Are You on the Combined Assurance Maturity Curve?

Where Are You on the Combined Assurance Maturity Curve?

Reaching a mature state of Combined Assurance is a substantial endeavor that takes time. A best practice when beginning is to view combined assurance as an iterative process, with each incremental success creating new momentum to propel your organization toward a mature state. For assurance and advisory providers to orient themselves when starting out, the first step is to establish a baseline by assessing your current environment’s place on the Combined Assurance Maturity Curve. 

Benchmark your organization’s maturity against the four stages below, and download the full guide, Advancing Combined Assurance to Manage Key Risks, for more leading practices to maturing combined assurance in your organization.

Where Are You on the Combined Assurance Maturity Curve?

The following are the four stages of maturity on the curve: 

  1. Basic Coordination. Internal audit takes inventory of all assurance units and begins communicating with them. Activities: 
    1. Assurance provider inventory and meetings begin.
    2. A consistent process for the basis of reliance is established.
    3. Internal audit considers placing reliance on other assurance providers’ work.
  2. Enhanced Coordination. Assurance providers have begun the initial knowledge sharing process. Activities:   
    1. Issue and report sharing.
    2. Sharing of risk-related data and information.
    3. Schedule coordination and plan sharing.
  3. Optimized Coordination. Assurance providers move beyond sharing to extensive consolidation and integration of data, activities, and reporting. Activities: 
    1. Consolidated issue reporting and tracking.
    2. Formal process for knowledge sharing established.
    3. Formal coordination of schedules and planning across GRC functions. 
  4. Combined Assurance. There is clear and formal communication among GRC stakeholders and one seamless model for assurance that has been rolled out to additional business units. Activities: 
    1. A single enterprise-wide risk assessment.
    2. Clear and formal communication with stakeholders. 
    3. Rollout of model to additional assurance functions.

When establishing your baseline, ask yourself the following questions to determine where your current environment is on the combined assurance maturity model. 

  • Are you sharing results of your work with other assurance providers? 
  • Do you have regular meetings to discuss planning of your respective activities? 
  • Do you place any reliance on each others’ work?

Use this baseline as a starting point to consider what additional activities are desired, appropriate, and realistic for advancing combined assurance in your organization. Download the full guide, Advancing Combined Assurance to Manage Key Risks, to learn other leading practices for maturing your organization’s combined assurance practices. 


Anand Bhakta is Sr. Director of Risk Solutions at AuditBoard and a cofounder and Principal of SAS. He has over twenty years of audit and advisory experience. Anand spent 8 years at Ernst & Young prior to SAS, and has served as a trusted advisor for numerous internal audit and management executives. Connect with Anand on LinkedIn.