If internal audit teams want to deliver the most value to their companies, they often need to go beyond their existing practices of overseeing controls, risk and governance within their organizations. They also need to implement combined assurance, which can be the difference between good and great internal auditing.
As important as internal audit’s responsibilities are, the reality is that many other departments have overlapping or at least complementary roles. So, unless these groups coordinate with one another and leverage combined assurance, internal audit’s presentation of findings to senior management, the audit committee and other stakeholders can fall short.
- Combined assurance for internal audit defined
- Benefits of combined assurance
- How to implement combined assurance
Combined assurance for internal audit defined
Before getting too deep into why and how internal audit should implement combined assurance, it’s important to first define combined assurance.
"Combined
assurance is the process of internal, and potentially external parties,
working together and [combining] activities to reach the goal of
communicating information to management."
- The Institute of Internal Auditors (IIA)1
In other words, combined assurance involves different groups involved in risk management, governance and controls all getting on the same page.
For example, enterprise risk management (ERM); internal control over financial reporting/Sarbanes Oxley (ICFR/SOX); information security; environmental, health & safety (EHS); and legal and compliance can each have some overlapping responsibilities with the internal audit function. Or, they at least can have similar insights that are worth sharing with each other through combined assurance.