Combined Assurance Model – A Tool Kit For Harmonizing Multiple Assurance Reports and Reinforcing Confidence and Trust On Internal Controls Over Financial Reporting.

How combined assurance model brings solutions to the current issues with assurance delivery

Combined Assurance Model is defined as “a coordinated approach” introduced by Kings Committee – Code of Corporate Governance South Africa to ensure that all the assurance activities provided by all the assurance providers in an organization are well coordinated right from planning to completion and reporting. The primary objectives are to increase the visibility of all the risk exposures in the organization and ensure adequate coverage of the audit universe and key risk exposures and provide unbiased opinions on the assurance findings and reports.

Presented below is a high-level overview of the combined assurance model and the key components to make it work.

The Kings Committee recommends that the board audit committee should be responsible for ensuring that their organization implements Combined Assurance Model.

Based on the above mandate from the Kings Committee. Internal Audit function should have the responsibility for the actual coordination of the implementation and usage of combined assurance model in any organization. However, an organization may decide that beyond the Internal audit function, other assurance function such as enterprise risk management or compliance may assume the coordination responsibility

The Benefits Of Implementing Combined Assurance Model

The assurance providers use combined assurance model to raise their credibility and respect in the organizations, gain better trust and confidence from the business leaders and win auditees’ admiration. Specifically, combined assurance model helps the assurance providers to achieve the following:

• support the executive management and board in making their control certification statements in the annual audited financial statement reports as may be required by the legal and regulatory standards in the jurisdiction. For example, in Nigeria, the Investment and Securities Act (ISA) 2007, Company and Allied Matters Act (CAMA) 2020, and National Code of Corporate Governance (NCCG) 2018 require company boards and officers signing audited financial statement reports to make such declaration in the annual audited financial statement reports.
• focus on the top risks that matter to the organization and maximize performance, productivity and cost savings,
• build better understanding of the key business performance drivers, strategies, challenges and the solutions needed to overcome the challenges.
• explore and maximize improvement opportunities, innovations and creativity,
• gain better insight of the assurance needs vis-vis the stakeholders’ expectations, assurance activities and providers, key beneficiaries of the assurance reports and performance gaps,
• leverage the strengths of other assurance providers and work results to prevent blind spots, missed risk exposures, operational disruptions to the auditees and assurance fatigue often caused by multiple visits to auditee locations by the many assurance functions,
• validate and substantiate perceptions on the organization’s risk profiles by providing greater visibility and common view of the risk exposures, risk impacts and actionable advice.

Where Is Your Organization In The Combined Assurance Journey?

The journey of a thousand mile starts with a step is a popular adage.

Taking Combined Assurance Journey involves five key levels, namely: level 1, level 2, level 3, level 4 and level 5 as depicted in the diagram below:

Presented below is the high-level description of the different levels of the Combined Assurance Journey:

• Level 1 – Not yet a priority. This means that adopting Combined Assurance Model is not yet a priority to the organization, possibly, because of lack of clarity and understanding of the benefits of Combined Assurance Model or lack of resources to support the implementation and usage.
• Level 2 – Decision Made. This means that decisions have been made to implement Combined Assurance Model possibly because the benefits are clear and well understood by the business leaders. or the legal and regulatory framework made it mandatory.
• Level 3 – Implementation ongoing. This means that the implementation of the Combined Assurance Model has started and currently ongoing. The organizations have established the key performance measurement matrices, tracking actual performance and incidents, doing well in change management mechanisms and reporting to ensure successful adoption. adoption.
• Level 4 – Live usage. This means that the project implementation phase has been completed and the Combined Assurance Model principles are being used in the day-to-day assurance activities in the organization. Mistakes are being made and learning are being learnt and applied to detect and correct known mistakes and also prevent similar mistakes in the future,
• Level 5 – Optimizing, transforming and leading. This means that Combined Assurance Model has been mastered in the organization, everyone is comfortable in the usage and efforts are being made to introduce innovations and creativity in the standards to stand out from peers and others in the industry. The company is being used as a role model by other best practices organizations.

Moving forward in the Combined Assurance Journey depends on two factors, namely: perceptions about combined assurance model in the organizations and Laws and regulations. These two factors drive the extent to which combined assurance model is widely accepted in the organizations.  

• Perception – Combined assurance model is viewed in different perspectives by many people. The optimists view combined assurance in the positive as “a synergic transformational process to achieve performance enhancement across the organization. They see the collaboration and resource sharing efforts as mechanisms to reduce assurance fatigue and create opportunities to achieve more for the organization while maintaining work life balance for both the auditees and auditors, improve individual’s career goals and the welfare of the collective workforce. The pessimists view combined assurance model in the negative as “a cost reduction project initiative”. They see the collaboration and resource sharing as efforts to downsize the workforce and internal control processes in the organizations.

• Laws and regulations reinforce wide acceptance and successful adoption of combined assurance model in the organizations. In countries where combined assurance is a mandatory legal or regulatory compliance requirement, the model is widely accepted and successfully implemented. For example, in South Africa, combined assurance model has been made mandatory by the legal and regulatory framework for some categories of organizations to adopt as a key component of good corporate governance principles and reporting.
• In countries with no legal and regulations requiring mandatory adoption or organizations where majority of the key decisions makers perceive combined assurance in the negative, adoption of combined assurance model will not receive the required acceptance level, particularly by the second and third lines of defense. Organizations adopting the model in this type of environment may likely experience greater challenges in achieving successful implementation and live usage.

Changes Required To Achieve Successful Combined Assurance Integration

Significant changes will be required on the assurance delivering processes to achieve the combined assurance objectives. Some of the notable key changes that will be required will include the following.

• High attention on exceptions and actions tracking, reporting and status monitoring across the three lines of defense. A centralized database will be maintained to track all assurance findings and incidents directly by the different assurance providers. Auditees will have access to the database to provide responses to assurance findings and the resolution status. This means that self-review and reporting of incidents including errors and mistakes should across all levels particularly at the core business line levels.
• Adoption of Continuous Control Monitoring & Auditing by the three lines of defense assurance functions. This requires end to end automation of the assurance management processes, deployment of data analytics tools and continuous usage to track exceptions online real-time and alert notifications to the relevant departments for quick response.
• Allocation of assurance workload. This means that each of the line of defense (line 1, line and line 3) will focus on specific areas while leveraging the work efforts and results of others to gain assurance comfort for the areas outside their own assurance scope. At the moment about 98% of the assurance workload are provided by the 2nd and 3rd lines of defense while the 1st line of defense who are the risk, process and control owners provide about 2% assurance over the risks, business processes and controls they own. This should not be the case as the 1st line of defense should take more of the proactive responsibilities to prevent, detect and correct issues at the first instance before others outside their business units. Combined assurance will change the current assurance workload to ensure that the 1st line of defense is empowered to own their risks, processes, controls and take full responsibilities to provide greater assurance comfort. For example,
• The 1st Line of defense will focus on preventive risks and control activities and meeting at least 95% of the proactive, preventive and detective assurance comfort.
• The 2nd Line of defense will focus on transactions and policy level controls monitoring, compliance enforcement and meeting about 3% of the proactive, preventive and detective assurance comfort.
• The 3^rd Line of defense which is Internal Audit will focus on meeting about 2% of the proactive, preventive and detective assurance comfort and conducting regular reviews of the exceptions and action trackers, establishing root causes and checking that appropriate actions are matched to resolve the root causes, conduct quarterly reviews on sample basis, and the audit of the 1^st & 2^nd Line of defense processes to assess the appropriateness of the assurance performance and also provide opinion on the “overall assessment” on the effectiveness of the enterprise risk management, internal control and compliance management systems.