Practical Steps for Integrating the Combined Assurance Model with Organizational Processes
Successfully integrating the combined assurance model into the assurance delivery processes requires sound change management procedures to be adopted throughout the combined assurance project implementation lifecycle. Presented below are the five steps commonly adopted by organizations that have implemented the Combined Assurance Model successfully:
- Step 1: Combined Assurance Readiness Assessment.
- Step 2: Current State Assurance Mapping and Gap Analysis.
- Step 3: Design of Target Blueprint and Reporting Templates.
- Step 4: Implementation and Hand Holding Support.
- Step 5: Post Implementation Quality Reviews.
The activities in steps 1 to 5 are all important to achieving a successful implementation. However, steps 1 to 3 are the most challenging in terms of complexity, volume of work, technical competencies and timeline required. Any mistake in steps 1, 2 or 3 will have a significant impact on project completion and on the quality of the deliverables. Steps 2 and 3 take about 80% of the project duration because of the level of work and diligence required.
Presented below is an overview of the specific activities involved in each of the five steps.
Step 1: Combined Assurance Readiness Assessment
The activities performed in step 1 involve benchmarking the organization's existing Enterprise Risk Management (ERM) capability maturity level against a combination of global standards, which may include: the COSO frameworks, the RIMS Risk Management Maturity Model, the Australian Government Risk Management Maturity Model, the ISO 31000 Risk Management Standard and the applicable local standards in the jurisdiction.
Step 2: Current State Assurance Mapping and Gap Analysis
The primary purpose of step 2 is to gain a proper understanding of the specific assurance activities performed by each of the assurance functions across the organization and to assess their quality in meeting the business needs and the principal stakeholders' expectations. The key activities performed are:
- taking inventory of the assurance universe, which includes the key risk exposures, business processes and the various assurance providers,
- creating assurance maps by working with the assurance providers in a workshop forum to map the specific assurance activities performed against the key risk exposures and business processes,
- validating the accuracy, validity and completeness of the assurance maps with the assurance providers and process owners, to avoid surprises and pushback that may arise during the gap analysis stage, and
- performing gap analysis on the assurance maps to determine the quality of the assurance provided. Quality of assurance is measured using five key parameters, namely: adequate assurance, limited assurance, over assurance, no assurance or not applicable.
Presented below is the interpretation of the key parameters used to measure assurance quality:
- Adequate Assurance means that appropriate assurance is provided on a regular basis on all critical risks, processes and controls, in line with the business needs, principal stakeholders' expectations and the approved risk appetite and tolerance levels.
- Limited Assurance means that assurance is provided on some critical risks, processes and controls. However, significant improvement opportunity exists in other key risks, processes and controls.
- Over Assurance means that the benefit of providing the assurance is not balanced with the efforts, resources and costs applied. The scope of work done, resources allocated, time and effort utilized are much higher than the expected derivable benefits.
- No Assurance means that no assurance is provided around the critical risks, processes and controls, either due to negligence, knowledge gaps or non-availability of resources, or because the area is intentionally not covered for valid reasons.
- Not Applicable means that the key risks, processes and controls do not require assurance to be provided. This may apply where the organization has not undertaken investment or business operation in the area the risk affects.
Step 3: Design of Target Blueprint and Reporting Templates
This refers to the envisioned assurance environment, or expected combined assurance framework, that the organization wishes to have. The framework highlights the specific key risks, processes and controls, the assurance activities to be provided, the assurance providers responsible for providing those activities, and the overall quality expected.
The key elements to be considered in the design of the target combined assurance map and reporting templates are the following:
- the improvement needs identified in Steps 1 and 2 above,
- the business needs and value propositions,
- stakeholders' expectations,
- the applicable statutory compliance and regulatory requirements, and
- the approved risk appetite and tolerance levels.
The design activities are to be done with the full involvement of the nominated assurance providers and the owners of the risks, processes and controls selected across all levels of the organization. The combined assurance project champions (internal staff) and the external consultant provide support and guidance to ensure that the design is realistic, achievable and practical.
Step 4: Implementation and Hand Holding Support
The activities involve the external consultant providing hand-holding support to the Combined Assurance Project Champions and the target end users. The primary objective of the hand-holding support is to embed the Target Combined Assurance Blueprint and Reporting Templates into day-to-day business operations. The specific activities involved include the following:
- identifying the training needs for the different levels in the organization, covering the operational staff, senior and executive management, board and board committee members, the Internal Control, Internal Audit, Compliance and Risk Management functions, and other assurance providers,
- developing training materials customized for each of the specific levels identified above,
- facilitating the trainings in line with the training materials and schedules,
- supporting the organization to deploy a Combined Assurance Technology Management Software solution, including data analytics,
- tracking continuous control monitoring reviews and audit finding issues,
- monitoring risk and control statuses and collating reports, and
- interpreting the collated reports and presenting them to the different levels in the organization, including the board, board committees, executive management, and departmental-level supervisors and managers.
Step 5: Post Implementation Quality Reviews
The activities involve internal, self-assessment-driven quality reviews conducted by internal staff, while the independent quality reviews are done by an external consultant. The primary objectives of the quality reviews are the following:
- assess the extent to which the organization's combined assurance implementation is meeting the needs and expectations of the organization and its different stakeholders, as well as conforming with the legal and regulatory compliance requirements,
- identify the gaps, root causes, improvement opportunities and provide actionable recommendations, and
- reinforce the appreciable values of the combined assurance model to the organization.
Performing self-driven quality assessments at least on an annual basis, and before the independent assessment review is done, is necessary to avoid the surprises that often arise when an externally driven independent quality assessment is performed. The self-assessment enables the organization to know the issues before the independent assessors do, so that it can take proactive action to close the observed gaps.
Very insightful!
A Combined Assurance Model (CAM), if properly deployed, will eliminate waste of resources, optimise assurance cost and ultimately be a plus to the bottom line!