Driving Success with Combined Assurance in Your Organization
While Combined Assurance is not a new concept, many organizations still struggle to fully realise its benefits. First introduced in King III and later refined in King IV, this governance principle highlights the importance of integrating assurance providers to enhance oversight and risk management.
In today’s fast-paced business environment, organizations must ensure transparency, streamline assurance efforts, and leverage technology to optimize risk management. To implement Combined Assurance effectively, organizations must establish clear structures, foster collaboration, and utilize innovative tools.
Key Steps to Successful Combined Assurance Implementation
1. Establish a Clear Framework
A structured framework defines roles and responsibilities across assurance providers, internal audit, risk management, compliance, and external auditors. Organizations should:
- Define the scope and objectives of Combined Assurance.
- Identify key stakeholders and align assurance activities.
- Focus on critical risks to prevent duplication and ensure comprehensive oversight.
2. Define Roles and Responsibilities
Clarity in assurance roles enhances accountability and efficiency. Organizations must explicitly outline the duties of management, internal audit, risk management, compliance teams, and external auditors to ensure seamless coordination.
Traditionally, there were three lines of defense, which have since been expanded to five. The First Line of Defense is Management & Operational Control. This includes frontline employees and management who are directly responsible for identifying, assessing, and managing risks. They implement internal controls and ensure compliance with policies and procedures.
The Second Line of Defense consists of Risk Management & Compliance Functions. These teams provide oversight and support to the first line by monitoring risks and ensuring adherence to regulations. They help develop risk frameworks, policies, and compliance programs.
The Third Line of Defense is the independent assurance provided by Internal Audit, which gives independent and objective assurance on the effectiveness of risk management and internal controls. Internal Audit assesses whether the first and second lines are functioning properly and reports findings to senior management and the board.
The Fourth Line of Defense is the External Assurance Providers. External auditors, regulators, and certification bodies provide independent validation of risk management and governance practices. Their role is to ensure compliance with industry standards and legal requirements.
The Fifth Line of Defense includes Board & Executive oversight. The board of directors and executive leadership provide strategic oversight and governance. They set the tone for risk management and ensure accountability across all lines.
By integrating these lines of defense within a Combined Assurance framework, organizations can enhance risk oversight, improve efficiency, and strengthen governance.
3. Foster Collaboration and Communication
Siloed assurance efforts lead to inefficiencies. To achieve a unified approach, organizations should:
- Encourage interaction between assurance providers through regular meetings.
- Share risk assessments and findings across departments.
- Align assurance priorities with strategic business goals.
- Promote open communication to strengthen coordination and effectiveness.
4. Leverage Technology for Efficiency
Technology plays a crucial role in Combined Assurance by streamlining processes, enhancing collaboration, and improving risk visibility. Organizations can leverage various digital tools to maximize the effectiveness of assurance activities. One way is by automating risk assessment and monitoring. Tools can help identify emerging risks in real time, which enables predictive modelling and a more proactive approach to mitigating threats. Technology also enables real-time collaboration and communication between assurance providers. By integrating smart technology into Combined Assurance, organizations can improve efficiency, reduce duplication, and enhance overall risk management.
5. Ensure Leadership Oversight
A governance structure must be in place to oversee the assurance process. Governing bodies, including audit and risk committees and boards, should actively monitor Combined Assurance to ensure alignment with strategic objectives and regulatory requirements.
6. Develop a Transparent Reporting System
Consolidated reporting helps stakeholders gain a clear understanding of risks and controls. Organizations should adopt a unified assurance reporting system to enhance decision-making and accountability.
7. Commit to Continuous Improvement
To maintain effectiveness, organizations must conduct periodic reviews of the assurance framework and adapt methodologies to address emerging risks. This will ensure that a culture of ongoing enhancement exists within the organisation.
Combined Assurance drives efficiency, strengthens governance, and enhances risk oversight. By defining clear roles, fostering collaboration, leveraging technology, and ensuring leadership engagement, organizations can integrate assurance efforts successfully. As business landscapes evolve, organizations must continuously adapt their assurance framework to remain resilient and responsive to emerging challenges.
Bagaka will be happy to assist in the development of the framework or to review the effectiveness and adequacy of your framework, separately or as part of an Internal Audit Quality Assurance Programme.