2015-1481 Combined Assurance CBOK IIARF S.huibers

Combined Assurance: one language, one voice, one view.

Uploaded by

bemb1e
Combined Assurance: One Language, One Voice, One View

RISK
Fast Fact

Sam C. J. Huibers
EMIA, RO, CRMA

Executive Summary

In increasingly complex organizations, where more and more players are involved in providing different measures of assurance, how can we prevent management from being overwhelmed by information and reports and succumbing to assurance fatigue?

Combined assurance can help solve this problem by integrating and aligning assurance processes so that senior management and audit and supervisory committees obtain a comprehensive, holistic view of the effectiveness of their organization's governance, risks, and controls to enable them to set priorities and take any necessary actions.

There are multiple benefits to implementing combined assurance, including:

• One voice and taxonomy across all governance bodies and functions in the organization
• Efficiency in collecting and reporting information
• Common view of risks and issues across the organization
• More effective governance, risk, and control oversight

However, the 2015 CBOK survey results show that knowledge and implementation of the combined assurance concept is not yet widespread. Specific guidance on how best to implement combined assurance is still limited, though IIA Standard 2050: Coordination recommends that the chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of effort.

Additionally, there are different ways of combining assurance. Depending on the specific requirements and desired integration of activities in individual organizations, the type of coordination varies:

• Integrated audits: coordination through audit activities by performing audits jointly
• Integrated planning and reporting: coordination through the planning and reporting processes
• Alignment of activities: coordination through alignment of the activities of separate functions
• Functional integration: coordination through hierarchical lines by combining internal audit and functions within the organization that support management

For any implementation of combined assurance, it should be noted that the Three Lines of Defense Model, in which internal audit is positioned as an independent and separate function in the third line of defense, is considered by The IIA to be good practice from the perspective of independent assurance. Management acts as the first line of defense (owning the processes, controls, and risks); various support functions, including risk management, internal control, and compliance, are the second line of defense (monitoring the processes as well as its risks and controls); and internal audit represents the independent third line of defense. In light of this model, functional integration is not the preferred way to promote combined assurance because of the challenges it causes for auditor independence and objectivity.

The aim of this report is to help internal audit functions and their organizations embark on the combined assurance journey. Internal audit has a key role to play in both the implementation and the coordination of activities as well as ongoing improvement. The report offers highlights on the current position of internal audit regarding implementation of combined assurance, why organizations have embarked on the journey, what lessons can be learned, and actionable guidance on good practice steps for implementation.

Combined assurance should be seen by internal audit not as a threat but as an opportunity to play a key role in the coordination and alignment of assurance players to ensure that the organization will benefit over time from having one language, one voice, and one view. Ultimately, this will result in fewer unknowns or surprises and support progress toward the full realization of an organization's objectives and strategy.

CBOK: The Global Internal Audit Common Body of Knowledge

Section 1: Introduction

"When combining assurance, the role of internal audit is key in supporting the board in having effective oversight of the company. Otherwise, it does not work."
Marie-Helene Laimay, CAE, Sanofi, France

As organizations grow and become more complex, so do the number of functions needed to ensure that boards can properly discharge their responsibility for effective control, compliance, and risk management across the organization.

The problem then becomes how to prevent management from becoming overwhelmed with information and reports, thus creating "assurance fatigue." The purpose of combined assurance is to address this problem by "integrating and aligning assurance processes in a company to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the audit and risk committee, considering the company's risk appetite."*

* King Code of Governance for South Africa 2009 (Institute of Directors in Southern Africa), 50. http://www.ecgi.org/codes/documents/king3.pdf

By aligning and harmonizing assurance activities and ways of working across different functions, delivering assurance becomes increasingly efficient and effective. Hence, with combined assurance, there will be a number of parties involved in providing assurance, and their activities require coordination and alignment, as shown in exhibit 1. These parties are:

1. Management: Responsible for ensuring that a robust risk and control framework is in place so that deviations are identified timely and adequately remedied

Exhibit 1: Parties Involved in the Combined Assurance Framework

[Figure labels: Management; Combined Assurance; External assurance providers; Internal assurance providers; Oversight governance; risks and controls]

Source: Adapted from King Code of Governance for South Africa 2009 (Institute of Directors in Southern Africa) and Combined Assurance: Case Studies on a Holistic Approach to Organizational Governance by G. Sarens, Decaux, L., & Lenz, R. (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 2012).

2. Internal assurance providers: Responsible for supporting management, such as risk management, internal control, and compliance functions (also referred to as second line of defense functions) and internal audit (third line of defense)

3. External assurance providers: Responsible for independent external assurance, such as the external financial auditor

Ultimately, a single language (taxonomy), single voice (e.g., integrated reporting), and a single overview of governance, risks, and controls will result in fewer unknowns or surprises and will benefit the organization.

This report is explorative in nature and is intended to set out the current position on implementation of combined assurance, why organizations have embarked on the journey, and what lessons can be learned. It focuses on the internal parties involved and offers practical guidance by sharing lessons learned. The report ends with best practice steps for implementing combined assurance.

Section 2: Benefits of Combined Assurance

"The foremost key success factor is that you have to believe in the benefits of combining assurance yourself and have the energy to embark on the journey."
Jenitha John, CAE, FirstRand, South Africa

Combined assurance is a means of providing assurance in an effective and efficient way that overcomes the difficulties of having different rating systems and reporting formats provided by different functions. This can lead to such an overload of information that any message and call for action by senior management is actually lost.

Jenitha John, CAE, FirstRand, South Africa, helped to implement combined assurance at FirstRand, one of the largest financial institutions in South Africa. She commented that the fruitful implementation of combined assurance was preceded by interviews with senior executives and the audit and risk committee to simultaneously identify potential benefits and obtain buy-in. Exhibit 2 lists the benefits of combined assurance that were identified at FirstRand. One board member said that combined assurance helped to counteract the challenge of prioritizing assurance from multiple sources (commonly called assurance fatigue). He commented: "Actually we get too much assurance, but we do not get a balanced view of what we have to act on and in particular what the priorities are."

Key Point
Effective coordination and alignment of a range of assurance providers is essential for a board or supervisory committee to have adequate oversight of the organization's governance.

Exhibit 2: Ten Ways Combined Assurance Supports Organizational Objectives

1. Eradication of assurance fatigue. Resources are no longer being wasted on unnecessary duplication.
2. Assurance efforts are directed to the risks that matter most. Resources are freed up for more productive tasks.
3. A common view of risks and issues across the organization is created.
4. Escalation of information to governance committees is more precise and insightful.
5. Assurance activities produce valuable, relevant data based on collaboration and not silos. This facilitates better decision making.
6. Use of a common language and consistency helps to facilitate value-added discussions.
7. Efficiencies are enhanced by sharing lessons learned.
8. Cost savings are realized through better resource allocation and greater coverage.
9. Commitment to enhance controls is demonstrated.
10. Ultimately, fewer unpleasant surprises will occur.

Source: Adapted from Harnessing the Benefits of Combined Assurance, a presentation by Jenitha John, CAE, FirstRand, South Africa. Used by permission. FirstRand LTD corporate website (August 16, 2015). http://www.firstrand.co.za

So the aim is to connect, analyze, and report the information supplied by different assurance providers in such a way that senior management, the audit committee, and the supervisory committee receive a comprehensive and holistic view of the effectiveness of governance, risks, and controls in their organization to enable them to take any necessary actions. By aligning and harmonizing assurance activities and ways of working across different functions, delivering assurance becomes increasingly efficient and effective. As shown in exhibit 3, the benefits of implementing combined assurance include:

• One taxonomy across all governance bodies and functions in the organization
• Breaking down of silos and more efficient collection and reporting information
• A common view of risks and issues across the organization
• More effective governance, risk, and control oversight

Exhibit 3: Benefits of Combined Assurance

| One Language | One Voice | One View |
|---|---|---|
| One taxonomy across all governance bodies and functions in the organization | Breaking down of silos and more efficient collection and reporting of information | A common view of risks and issues across the organization |

Resulting in: More effective governance, risk, and control oversight

www.theiia.org/goto/CBOK

Section 3: Adoption of Combined Assurance

While the benefits described in the previous section are extensive, the CBOK 2015 Global Internal Audit Practitioner Survey indicates that knowledge and implementation of the combined assurance concept is not yet widespread.

In the survey, respondents were provided with the description of combined assurance from the King Code of Governance for South Africa 2009 (known as King III) and asked to indicate whether combined assurance was implemented in their organization, or they were not familiar with the concept.

Awareness of Combined Assurance

Globally, only 59% of respondents were aware of combined assurance, although there were large differences between regions. Awareness of combined assurance ranged from a high of 80% in Sub-Saharan Africa to a low of 46% in South Asia (see exhibit 4).

Exhibit 4: Familiarity with Combined Assurance Model

| Region | Familiar with the combined assurance model | Not familiar with the combined assurance model |
|---|---|---|
| Sub-Saharan Africa | 80% | 20% |
| Latin America & Caribbean | 70% | 30% |
| Europe | 65% | 35% |
| Middle East & North Africa | 60% | 40% |
| North America | 53% | 47% |
| East Asia & Pacific | 50% | 50% |
| South Asia | 46% | 54% |
| Global Average | 59% | 41% |

Note: Q61: Has your organization implemented a formal combined assurance model? Respondents who selected "I don't know. I am not familiar with the combined assurance model" are compared to those who were familiar with the model. Due to rounding, some region totals may not equal 100%. n = 10,417.

Current Implementation of Combined Assurance

Exhibit 5 shows a wealth of information regarding implementation of combined assurance among those survey respondents who were familiar with the concept. Among those familiar with combined assurance, key findings include:

• A global average of 40% of respondents say their organizations have implemented the model so far (see the combined total of the green and blue bars in exhibit 5).
• The lowest level of implementation is in North America at 25% and the highest is in South Asia and Sub-Saharan Africa (around 50%).

Plans to Adopt Combined Assurance in the Future

Exhibit 5 also captures information about those who have not implemented combined assurance but plan to do so in the next two to three years (see the gold bars).

• About 3 out of 10 say their organizations have not adopted combined assurance but expect to do so in the next two to three years.
• The regions most likely to say they would adopt combined assurance in the future were the Middle East & North Africa, Sub-Saharan Africa, South Asia, and Latin America & Caribbean (between 33% and 38%).

No Plans to Adopt Combined Assurance

Finally, exhibit 5 shows those who say they have no plans to adopt combined assurance in the next two to three years (see the gray bars).

• About 3 out of 10 say their organizations have no plans to adopt combined assurance in the next two to three years.
• North America was by far the least likely to adopt combined assurance in the future, with 49% saying they had no plans to do so in the next two to three years.

Exhibit 5: Implementation of Combined Assurance

| Region | Yes, implemented now | Yes, but not yet approved by the board or audit committee | No, but plan to adopt one in the next 2 to 3 years | No, and do not have plans to adopt one in the next 2 to 3 years |
|---|---|---|---|---|
| South Asia | 42% | 7% | 33% | 17% |
| Sub-Saharan Africa | 39% | 12% | 34% | 15% |
| East Asia & Pacific | 38% | 6% | 25% | 30% |
| Europe | 34% | 7% | 28% | 31% |
| Latin America & Caribbean | 30% | 12% | 33% | 24% |
| Middle East & North Africa | 24% | 10% | 38% | 28% |
| North America | 21% | 4% | 26% | 49% |
| Global Average | 32% | 8% | 29% | 31% |

Note: Q61: Has your organization implemented a formal combined assurance model? Those who selected "I don't know. I am not familiar with the combined assurance model" were excluded from these calculations. Due to rounding, some region totals may not equal 100%. n = 6,185.

Key Point
Knowledge and implementation of the combined assurance concept is not yet widespread.

Written Assessments of Combined Assurance

For those who had implemented combined assurance, the survey included a follow-up question to find out whether they had issued a written combined assurance assessment. Exhibit 6 shows these findings:

• In organizations where combined assurance has been implemented, a global average of 27% say they have not issued a written combined assurance assessment.
• Another 12% do not know whether their organization has issued a written report.
• This leaves about 60% of respondents who say that their organization has issued a written combined assurance assessment.
• Regionally, the highest rates for a written assessment are in East Asia & Pacific, Sub-Saharan Africa, and South Asia, with about 7 out of 10 issuing a written combined assurance assessment. The lowest rates are in North America (44%).

Exhibit 6: Respondents Issuing a Written Combined Assurance Assessment (Among Those with Combined Assurance Implemented)

| Region | Yes | No | Don't know |
|---|---|---|---|
| East Asia & Pacific | 73% | 20% | 8% |
| Sub-Saharan Africa | 70% | 23% | 7% |
| South Asia | 69% | 19% | 12% |
| Middle East & North Africa | 59% | 32% | 8% |
| Europe | 56% | 28% | 16% |
| Latin America & Caribbean | 52% | 35% | 13% |
| North America | 44% | 36% | 20% |
| Global Average | 60% | 27% | 12% |

Note: Q62: Does internal audit at your organization issue a written combined assurance assessment as part of the combined assurance initiative? This question was only answered by those who selected "yes, implemented now" for Q61. Due to rounding, some totals may not equal 100%. n = 1,919.

Factors Affecting Adoption of Combined Assurance

According to the survey results, awareness and implementation of combined assurance seems low. This may be because there is no internationally adopted definition and guidance regarding combined assurance and how to implement it, including the different ways of combining assurance and different types of coordination that are possible.

Additionally, governance codes and requirements vary by country, and there is no global overarching guidance on how to govern a company and ensure effective oversight by its board and supervisory committee. One of the most frequently cited sources of information about combined assurance is King III, which is a non-legislative code based on principles and practices. It adopts an "apply or explain" approach.

In many countries, management is required to provide a statement on the effectiveness of the internal control system as part of the annual report. To create this statement, internal audit often provides reports on risk and the effectiveness of controls in mitigating those risks. In addition, internal audit may provide assurance on the effectiveness of the second line functions (i.e., second line of defense reviews).

Section 4: Guidance and Review of Combined Assurance

Specific guidance on how best to implement combined assurance remains limited. However, it is useful to reference several of The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) that relate indirectly to the need for effective assurance. This chapter describes these standards and provides an overview of the different ways to combine assurance, including specific consideration of the role of the internal auditor, particularly with respect to safeguarding auditors' independence. The applicable standards are included and reference is made to the Three Lines of Defense Model.

The IIA's Standards

The Standards are included in The IIA's International Professional Practices Framework (IPPF), which provides internal audit professionals worldwide with authoritative mandatory and recommended guidance. Although there is no specific standard in the IPPF on how combined assurance should be provided, several standards are closely related (see exhibit 7).

The Practice Advisories related to Standard 2050 give additional helpful information about the coordination of assurance and consulting activities with other functions.

• Practice Advisory 2050-1 recommends that the CAE should be responsible for regularly evaluating the coordination between internal and external auditors.

• Practice Advisory 2050-2 advises taking a streamlined holistic view of risk monitoring and controls by mapping assurance coverage against the risks identified in the organization.
• Practice Advisory 2050-3 points out that the internal auditor may rely on or use the work of other internal or external assurance providers in providing governance, risk management, and control assurance to the board, provided that certain safeguards are in place.

Exhibit 7: IIA Standards Related to Combined Assurance

Standard 1000: Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Standard 2050: Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

Standard 2060: Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board (...) Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

Standard 2100: Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Source: From the International Standards for the Professional Practice of Internal Auditing (Standards) (Altamonte Springs, FL: The Institute of Internal Auditors, 2013).

In summary, the Standards clearly supports the philosophy of combined assurance. The next question is how does internal audit put it into practice? Different types of coordination may be used, which is explained in more detail in the next section, along with how this relates to the Standards.

Ways of Coordinating Combined Assurance

There can be different methods and ways of combining assurance, and the Standards does not offer a specific definition. When it comes to the type of coordination, variations depend on the specific requirements and the kind of integration of activities that individual organizations prefer (see exhibit 8).

1. Integrated audits. Coordination takes place through audit activities; specifically, performing audits jointly with supporting functions and/or the external auditor.

2. Process integration. Coordination takes place through the planning and reporting processes. The risk-based audit plan is fully aligned with second-line governance functions. Integrated reporting can be internally or externally oriented. The International Integrated Reporting Council (IIRC) describes an integrated report that is externally oriented as: "An integrated report is a concise communication about how an organization's strategy, governance, performance, and prospects, in the context of its external environment, lead to the creation of value in the short, medium, and long term."*

3. Alignment through activities. Coordination takes place through alignment of activities, either on a structured or an ad hoc basis. For example, informing governance functions of the scope and outcome of internal audit activities allows these to be taken into account in their own activities (for example, control weaknesses identified by internal audit can be addressed by internal control).

* Integrated Reporting (International Integrated Reporting Council [IIRC], 2015). http://integratedreporting.org/

Exhibit 8: Ways of Coordinating Combined Assurance

| Integrated Audits | Process Integration | Alignment Through Activities | Functional Integration (Not Preferred) |
|---|---|---|---|
| Audits Performed Jointly | Coordinated Planning and Reporting | Sharing of Information to Align Activities | Combining Hierarchical Lines |
| SEPARATE INTERNAL AUDIT FUNCTION | SEPARATE INTERNAL AUDIT FUNCTION | SEPARATE INTERNAL AUDIT FUNCTION | COMBINED FUNCTIONS |

4. Functional integration. Coordination takes place through hierarchical lines by combining internal audit and functions that support management, such as risk management, internal control, and compliance.

Internal audit stays separate from other governance functions in the first three described ways of coordinating assurance: integrated audits, process integration, and alignment of activities. Consequently, these ways are not mutually exclusive but should be seen as complementary.

Regarding the fourth way (functional integration), it should be noted that The IIA strongly promotes maintaining a separate internal audit function from the point of view of auditors' objectivity and independence. Therefore, functional integration is not a preferred option by The IIA. If functional integration occurs, it is preferably done on a temporary basis with the end goal of having fully separated functions (see The IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control). In such cases, safeguards and conditions should be put in place to minimize the negative impact on the auditors' objectivity and independence. Examples include situations where the maturity of the governance functions is not strong enough yet and internal audit plays a role in developing risk and compliance activities. For further discussion, see The IIA–Netherlands whitepaper about internal audit and the second lines of defense, released in 2014.*

* S. C. J. Huibers, G. M. Wolswijk, and P. A. Hartog, Combining Internal Audit and Second Line of Defense Functions (The Institute of Internal Auditors Netherlands, 2014). http://tinyurl.com/pftg2o2

Exhibit 9 provides more details about different ways of combining assurance, including specific consideration of the role of the internal auditor, particularly with respect to safeguarding auditors' independence. References to the Standards are included.

Exhibit 9: Special Considerations for Ways of Coordinating Combined Assurance

| Type of Coordination | Description | Means of Coordination | Consideration | Guidance |
|---|---|---|---|---|
| Integrated audits | Audits performed together with second line of defense functions | Coordination through audit activities | Audit to coordinate audit execution and ensure compliance with IPPF standards | All IPPF Performance Standards apply (The IIA, 2013) |
| Process integration | Integrated planning of assurance activities and reporting | Coordination through planning and reporting process | Audit coordinates planning and provides integrated reports on the assessment of governance, risks, and controls to the board and audit committee | Enhanced Integrated Reporting (Enhanced Integrated Reporting, Internal Audit Value Proposition, The IIA, 2015) |
| Alignment through activities | Coordination through alignment of activities | Coordination through alignment | Coordination through alignment of activities can be either on a structured or an ad hoc basis | The Three Lines of Defense in Effective Risk Management and Control (The IIA Position Paper, 2013) |
| Functional integration | Internal audit and second line of defense functions combined | Coordination through hierarchical lines | Consider safeguards and boundaries to ensure independence | Combining Internal Audit and Second Line of Defense Functions (Whitepaper by The IIA Netherlands, 2014) |

Combined Assurance and the Three Lines of Defense Model

The IIA endorses the Three Lines of Defense Model. Each of the three lines plays a distinct role within the organization's governance framework. The different lines of defense within the organization may be described as follows:

• First line of defense: management. Business management has primary responsibility for monitoring and controlling operations. They are the owners of the processes and accountable for risk identification and mitigating controls.
• Second line of defense: governance support functions. Management is supported in its monitoring responsibility by dedicated functions that help to implement a sound framework and monitor risks and controls. Examples of these second line of defense functions are risk management, internal control, and compliance.
• Third line of defense: internal audit. Internal audit provides additional independent assurance on the activities of the first and second lines of defense. This may include assessing the design of various processes and effectiveness of controls, compliance with procedures, and review of the effectiveness of the second line of defense. Internal audit may also play an advisory role, according to The IIA's Definition of Internal Audit.

Sometimes reference is also made to a so-called fourth line of defense by external assurance providers:

• Fourth line of defense: external auditors, regulators, and external bodies. Independent assurance is offered by external third parties, typically the company's financial auditor who provides assurance regarding the financial statements.

Primary responsibility for maintaining robust controls and ensuring compliance with procedures and legislation lies with management. However, increasingly, dedicated functions are being established to support and oversee these control activities. At the same time, the growing number of functions and bodies within the organization may cause management to become overloaded with information and reports. To avoid this, internal audit may:

• Coordinate and align assurance activities by participating in joint audits or integrating the planning and reporting of different assurance providers.

• Give assurance to management by reviewing the effectiveness of the so-called second line of defense functions.

In the CBOK 2015 Global Internal Audit Practitioner Survey, of the respondents who are familiar with the Three Lines of Defense Model, between 45% and 64% indicated that internal audit operated as a fully separate independent function in the third line of defense in their organization (see exhibit 10). However, on average, 19% of the respondents who were familiar with the Three Lines of Defense Model, and whose organizations had adopted the model, indicated that the split between the second and third line was not clear, or internal audit operated as a second line of defense function (instead of being an independent third line assurance provider). There is a lack of familiarity with the model in certain regions, particularly South Asia, North America, and the Middle East & North Africa, indicating opportunities for further education (see exhibit 11).*

* See the report by Larry Harrington and Arthur Piper, Driving Success in a Changing World: 10 Imperatives for Internal Audit from the Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Survey (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 2015).

Exhibit 10: Usage of the Three Lines of Defense Model

| Region | Yes, and internal audit is considered the third line of defense. | Yes, but the distinction between the second and third line of defense is not clear. | Yes, but internal audit is considered the second line of defense in our organization. | No, my organization does not follow this model. | No, this model is not applicable for my organization. |
|---|---|---|---|---|---|
| Europe | 64% | 14% | 3% | 15% | 5% |
| East Asia & Pacific | 62% | 11% | 6% | 17% | 4% |
| Sub-Saharan Africa | 53% | 15% | 8% | 19% | 5% |
| South Asia | 50% | 13% | 10% | 16% | 10% |
| North America | 50% | 15% | 6% | 22% | 6% |
| Middle East & North Africa | 45% | 10% | 10% | 25% | 10% |
| Latin America & Caribbean | 45% | 12% | 5% | 31% | 6% |
| Global Average | 56% | 13% | 6% | 20% | 5% |

Note: Q63: Does your organization follow the three lines of defense model as articulated by The IIA? Those who responded "I am not familiar with this model" were excluded from these calculations. Due to rounding, some region totals may not equal 100%. n = 9,093.

Considerations on the Adoption of the Three Lines of Defense Model

"Still today, in many companies, the board has never heard about Three Lines of Defense. We, as internal auditors, have the responsibility to explain what it means."
Rene Andrich, Internal Audit Manager, Latin America, Electrolux, and member of the Board of Directors, IIA–Brazil

Exhibit 11: Respondents Not Familiar with the Three Lines of Defense Model

Region                        Not familiar
South Asia                    43%
North America                 25%
Middle East & North Africa    24%
East Asia & Pacific           22%
Latin America & Caribbean     19%
Sub-Saharan Africa            15%
Europe                        12%
Global Average                20%

Note: Q63: Does your organization follow the three lines of defense model as articulated by The IIA? This exhibit shows respondents who chose the option, "I am not familiar with this model." n = 11,255.

Why do organizations have so many different governance structures? One reason is that some organizational structures may have developed organically; therefore, leadership was not making explicit rational decisions about how to optimize the organization's governance structure. As a result, the design of the assurance model varies by organization and also may be driven by stakeholders other than the internal audit function, such as the board and the supervisory committee (supported by the audit committee), and what their members consider desirable.

The IIA-Netherlands whitepaper addressed the concerns about these instances when internal audit is combined with other governance functions. It also noted that when management considers combined functions, it may also consider optimizing efficiency gains by having one person report to the board for all assurance-related matters. On the other hand, the supervisory board may have other considerations, such as the safeguarding of assets and compliance with laws and regulations, so establishing a dedicated separate independent internal audit function may prevail over more internally oriented considerations.

The whitepaper also provided further direction about minimum requirements and safeguards to ensure auditors' independence. The starting point is that combining functions is not the preferred way of working from the auditors' objectivity and independence point of view. It should be noted that in some sectors, such as the financial services and insurance industry, regulations apply that stipulate the establishment of dedicated risk management and compliance functions, with internal audit acting as an independent assurance provider in the third line of defense. The determining factor will be the sector-specific regulations with which the organization has to comply, including any guidance set by the applicable governing bodies.

Section 5: How to Implement Combined Assurance

"When combining assurance, the role of internal audit is key in supporting the board in having effective oversight of the company. Otherwise, it does not work."
Marie-Helene Laimay, CAE, Sanofi, France

When implementing combined assurance, one of the key challenges is in aligning the different activities, ways of working, definitions, and rating systems of different assurance providers.

From interviews and other research, it can be concluded that implementing combined assurance is not something that can be achieved from one day to the next; it should be considered a journey. The key lessons learned are listed in exhibit 12.

One of the foremost lessons is the need for full buy-in and support from senior management. To get this support in her organization, Jenitha John from FirstRand said that a member of the executive committee was assigned to sponsor the initiative, endorsed by the audit committee, while the role of internal audit was to drive the actual implementation supported by the board. To give practitioners multiple ways to address this challenge, The IIA
Research Foundation published Combined Assurance: Case Studies in a Holistic Approach to Organizational Governance written by an academic research team from Université Catholique de Louvain (Belgium).*

Exhibit 12: Lessons Learned for Implementing Combined Assurance

Internal audit has a key role to play in driving the implementation.
Buy-in and support is required from the top.
Anticipated value should be articulated up front.
All participants should reach a consensus on taxonomy.
Control assessment and risk ratings should be standardized.
The level of maturity of the different players in the combined assurance field should be identified.

Another set of helpful guidelines was developed by Larry Rittenberg, Chair Emeritus of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).** He recommends the following steps when implementing combined assurance:

1. Make the business case. Spell out the benefits of implementing combined assurance and estimate the project costs for doing so.
2. Inventory who provides assurance. Perform an inventory of all the players who assist management in providing assurance on risks and controls in the organization.
3. Map risks to assurance providers. Map the risk universe and relate this to the assurance providers who are monitoring those risks.
4. Design the combined assurance plan. Identify who will provide assurance across the risk universe, including the role of internal audit, specifying what assurance will be provided.
5. Create an implementation roadmap. Define a roadmap with key milestones. One of these must be to align the definitions and risk ratings used among the assurance providers to lay the foundation for implementing an effective combined assurance model.
6. Plan for continuous improvement. Evaluate the assurance model on a regular basis, identifying areas for improvement and deciding how information and assurance services to management could be further optimized.

* G. Sarens, L. Decaux, and R. Lenz, Combined Assurance: Case Studies in a Holistic Approach to Organizational Governance (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 2012).
** Larry Rittenberg, "Internal Audit Challenges: Integration of Strategy, Risk, Control, and Combined Assurance." Presentation delivered at the Clain Conference, May 17, 2013.

Conclusion

By aligning and harmonizing assurance activities and ways of working across different functions, delivering assurance becomes increasingly efficient and effective, avoiding the pitfall of boards becoming overloaded with information and eventually resulting in assurance fatigue. At the same time, care must be taken to ensure that combined assurance is implemented in a form that preserves the distinction between the three lines of defense.

Clear benefits of implementing combined assurance among different assurance providers have been identified. However, understanding and implementation of the combined assurance concept is not yet widespread.

There are different ways to combine assurance depending on the specific requirements and desired type of integration of activities in individual organizations. As the saying goes, "all roads lead to Rome," and in-depth interviews with CAEs globally show that implementing combined assurance should be considered a journey, not something that can be put in place from day one.

Therefore, we strongly recommend following a structured, project-based approach with a roadmap that includes clear milestones to ensure new ways of working are fully implemented and benefits are completely delivered over time.

Key Point
Having "one language, one voice, one view" will benefit all by supporting progress toward the full realization of a company's objectives and strategy.

It is also clear that internal audit has a key role to play both in the implementation and the coordination of combined assurance activities as well as in ensuring ongoing and continuous improvement. However, the most important message is that full buy-in and support from senior management are essential when embarking on the combined assurance journey. In the end, having "one language, one voice, one view" will benefit all by supporting progress toward the full realization of a company's objectives and strategy.

About the Author

Sam C. J. Huibers has extensive experience in a range of international managerial business, audit, and advisory functions in multinational organizations, including Heineken and DSM. As a member of the Dutch IIA Professional Practices Committee, he leads task forces such as the Three Lines of Defense and the Project Auditing advocacy initiatives and performs research in cooperation with the Management Innovation Centre. He is also the coordinator and lecturer of Internal Audit Excellence of the Executive Internal Auditing Programme at the Amsterdam Business School of the University of Amsterdam.

He has written various articles on internal auditing, provides training to auditors, and speaks at international conferences and round tables. His credentials include MSc (master of science in business administration), EMIA (executive master internal auditing), RO (Dutch certified internal auditor), and certified risk management assurance (CRMA).

More information about Sam Huibers is available on LinkedIn: https://www.linkedin.com/in/samhuibers.

Acknowledgments

The author thanks the following internal audit leaders for being interviewed for this project:

Marie-Helene Laimay, Chief Audit Executive, Sanofi, France
Jenitha John, QIAL, Chief Audit Executive, FirstRand Ltd., South Africa
Rene Andrich, Internal Audit Manager, Latin America, Electrolux, and member of the Board of Directors, IIA-Brazil
Qing Xia, Vice President Supervision and Auditing Department, China Unionpay Merchant Services Company, China

The author also thanks the editor (Ian Phillipson) and proofreader (Myriam Southgate) who worked with him in developing this report.



About CBOK

The Global Internal Audit Common Body of Knowledge (CBOK) is the world's largest ongoing study of the internal audit profession, including studies of internal audit practitioners and their stakeholders. One of the key components of CBOK 2015 is the global practitioner survey, which provides a comprehensive look at the activities and characteristics of internal auditors worldwide. This project builds on two previous global surveys of internal audit practitioners conducted by The IIA Research Foundation in 2006 (9,366 responses) and 2010 (13,582 responses).

Reports will be released on a monthly basis through July 2016 and can be downloaded free of charge thanks to the generous contributions and support from individuals, professional organizations, IIA chapters, and IIA institutes. More than 25 reports are planned in three formats: 1) core reports, which discuss broad topics, 2) closer looks, which dive deeper into key issues, and 3) fast facts, which focus on a specific region or idea. These reports will explore different aspects of eight knowledge tracks, including technology, risk, talent, and others.

Visit the CBOK Resource Exchange at www.theiia.org/goto/CBOK to download the latest reports as they become available.

SURVEY FACTS

Respondents    14,518*
Countries      166
Languages      23

EMPLOYEE LEVELS

Chief audit executive (CAE)    26%
Director                       13%
Manager                        17%
Staff                          44%

*Response rates vary per question.

CBOK 2015 Practitioner Survey: Participation from Global Regions

Europe                        23%
North America                 19%
Middle East & North Africa    8%
South Asia                    5%
Latin America & Caribbean     14%
East Asia & Pacific           25%
Sub-Saharan Africa            6%

Note: Global regions are based on World Bank categories. For Europe, fewer than 1% of respondents were from Central Asia. Survey responses were collected from February 2, 2015, to April 1, 2015. The online survey link was distributed via institute email lists, IIA websites, newsletters, and social media. Partially completed surveys were included in analysis as long as the demographic questions were fully completed. In CBOK 2015 reports, specific questions are referenced as Q1, Q2, and so on. A complete list of survey questions can be downloaded from the CBOK Resource Exchange.

About The IIA Research Foundation

CBOK is administered through The IIA Research Foundation (IIARF), which has provided groundbreaking research for the internal audit profession for the past four decades. Through initiatives that explore current issues, emerging trends, and future needs, The IIARF has been a driving force behind the evolution and advancement of the profession.

Your Donation Dollars at Work

CBOK reports are available free to the public thanks to generous contributions from individuals, organizations, IIA chapters, and IIA institutes around the world.

Donate: www.theiia.org/goto/CBOK

CBOK Development Team

CBOK Co-Chairs: Dick Anderson (United States), Jean Coroller (France)
Practitioner Survey Subcommittee Chair: Michael Parkinson (Australia)
IIARF Vice President: Bonnie Ulmer
Primary Data Analyst: Dr. Po-ju Chen
Content Developer: Deborah Poulalion
Project Managers: Selma Kuurstra and Kayla Manning
Senior Editor: Lee Ann Campbell

CBOK Report Review Committee

Urton Anderson (United States)
Adil Buhariwalla (United Arab Emirates)
Jenitha John (South Africa)
Marie-Helene Laimay (France)
Michael Parkinson (Australia)
Estanislao Sanchez (Mexico)
Ad Smits (Netherlands)
Gerard Wolswijk (Netherlands)

Contact Us

The Institute of Internal Auditors
Global Headquarters
247 Maitland Avenue
Altamonte Springs, Florida 32701-4201, USA

Limit of Liability

The IIARF publishes this document for information and educational purposes only. IIARF does not provide legal or accounting advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

Copyright 2015 by The Institute of Internal Auditors Research Foundation (IIARF). All rights reserved. For permission to reproduce or quote, contact [email protected]. ID # 2015-1481

CBOK Knowledge Tracks

Future
Global Perspective
Governance
Management
Risk
Standards & Certifications
Talent
Technology
