Combined Assurance – just another buzzword?
Over the last few years the term “Combined Assurance” has become quite a buzzword and a lot of organisations have started putting a lot of time, money and effort into understanding and implementing the concept. But is it just a fading craze or is there real value in structuring and maintaining an effective combined assurance framework?
Simply put, Combined Assurance is about ensuring that a co-ordinated (combined) approach is applied in receiving assurance on whether key risks are being managed appropriately within an organisation. This seems to be a very logical and simple concept and has in fact been applied within every successful organisation for many years.
Combined Assurance should be approached keeping the following essential concepts in mind. The backbone of a Combined Assurance model is a commonly accepted view of the risks facing the organisation. The absence of a robust, mature Risk Management process will definitely result in an inefficient and ineffective Combined Assurance model. Conversely, an organisation that has a Risk Management process, but no Combined Assurance model, is not yet ultimately applying assurance information in the best possible way
The next concept is the so-called “lines of defence”. KING IV is suggesting five lines of defence as a basis for the typical Combined Assurance model. These defence lines typically consists of:
- First line: Management – the organisation’s line functions that own and manage risks.
- Second line: Specialist functions that facilitate and oversee risk management and compliance – Risk Management, Compliance, and Legal functions.
- Third Line: Independent Internal Assurance providers – Internal auditors, internal forensic fraud examiners and auditors, safety and process assessors, and statutory actuaries.
- Fourth line: Independent external assurance providers such as external auditors.
- Fifth line: Other external assurance providers such as sustainability and environmental auditors, external actuaries, and external forensic fraud examiners and auditors.
KING IV further recommends that the Governing Body of an organisation and its committees should assess the output of Combined Assurance to determine the degree to which an effective control environment has been achieved.
With the above structures in place a holistic view should be taken when assessing the management of risks of an organisation. For example, if management (the first line of defence) provides the necessary assurance that a risk has been identified and mitigated to acceptable levels, there should not be any further need for any of the other lines of defence confirming that view. Alternatively, if management, the Risk Management function and an external assurance provider all indicate that a risk is being appropriately managed; there should be no need for Internal Audit to spend time confirming that view. This can however only be the case if all parties mentioned (including and especially the Governing Body) have intentionally agreed on the level of risk to be acceptable and assurance required regarding this specific risk.
It is suggested that the Combined Assurance model is maintained by the Internal Audit function, as they are best positioned to understand the Risk Management process, as well as being able to assess and interpret the assurance received from the different providers.
If properly executed, the Combined Assurance model is a natural conclusion to the Risk Management process. It plays a vital and indispensable role in ensuring the appropriate management of key risks by ensuring appropriate depth of and maximum benefit from assurance activities and is certainly the way to create value and guarantee success of any business.
The Crest Advisory Africa courses presented on Combined Assurance is aimed at not only transferring the theoretical knowledge about Combined Assurance but to also empower both Internal Auditors and management to successfully implement and maintain an effective Combined Assurance model for their organisation. Your attendance at these courses will be a valuable investment is this regard.