A combined assurance model effectively co-ordinates the efforts of management and internal and external assurance providers, increases their collaboration and develops a shared and more holistic view of the organisation’s risk profile. Combined assurance is about assurance providers (internal and external) working more closely together to ensure the following:
- Key outcomes of combined assurance;
- Assurance in the right areas is obtained;
- Assurance is obtained from the right resources; and
- Assurance is obtained in the most cost-effective way possible.
The ‘right amount of assurance’ depends on the risk appetite of the organisation. There should be alignment of control validation/assurance approaches and efforts across the organisation, driving efficiency and the right levels of comfort. Risk management is the foundation of the combined assurance process and organisations should establish risk-based criteria for dealing with control failures on a consistent and strategically aligned basis to ensure organisational objectives and goals are achieved.
- Principle 3.5 of the King III Report introduced combined assurance as a recommended governance practice. The recommendation was made following a general understanding that more can be done to improve assurance coverage and quality through better coordination of assurance providers.
- King IV expands on this concept by indicating that a combined assurance model incorporates and optimises all assurance services and functions so that, taken as a whole, these enable an effective control environment, support the integrity of information used for decision-making by management, the governing body and its committees; and support the integrity of the organisation external reports. King IV recommendations do not prescribe the design of the model, but allow for the governing body to exercise its judgement in this regards.
Benefits of combined assurance
- Coordinated and relevant assurance efforts are directed to the risks that matter most.
- Commitment to enhance controls is demonstrated.
- Dashboards that provide an integrated, insightful view.
- Assurance activities produce valuable, integrated data, based on collaboration and not silos.
- Reduction in assurance costs through elimination of duplication and better resource allocation.
- Resources are not wasted on unnecessary duplication.
- A reduction in the repetition of reports by different committees, resulting in improved and more efficient reporting.
- A comprehensive and prioritised approach in tracking of remedial actions on identified opportunities/weaknesses.
- Clarity on risk and audit.
- Planning and implementing a risk assessment on automated controls based on the latest COBIT model.
Root cause analysis – use and benefits
- Clarity on why risks occur.
- Several tools (fishbone diagram and bow-tie)used by auditors are applied to understand the actual root causes.
- Pareto analysis used to focus the attention of the three lines of defense on key risks that should be addressed.
Effective control design to reduce risks economically and efficiently
- Using COSO for control design.
- Exploring prevention versus detection, as well as the use of automated detection controls as an early warning mechanism.
- Using GTAG 8 to review automated applications.
- Using GTAG 14 as a risk model to evaluate user developed applications.
Training and tools will assist to:-
- Develop and implement a flexible and dynamic combined assurance model.
- Develop a combined assurance framework and plan that define the roles, responsibilities and accountability for the combined assurance process.
- Support audit and risk committees in making their control statements in the integrated report regarding the effectiveness and efficiencies of their control environment.
- Develop dynamic reporting that provides insights into assurance of top risks and key mitigating controls, and their impact on achieving the organisation’s objectives and performance.
- Share insights on where assurance works well.
The participant that encounter the module for the first time is assumed to work in close proximity to, or is responsible for RISK MANAGEMENT AND/OR INTERNAL AUDIT in their public sector organisation. This document will set out a framework for the module and the reading expected from students partaking in the study of ENTERPRISE RISK MANAGEMENT AND COMBINED ASSURANCE.
The following outcomes will be met during the assessments and the learning will take place via contact session:
- The ability to understand the growing need for risk management within the local government context, inclusive of information technology risks.
- The ability to identify key players in organizational governance, risk management and combined assurance.
- The ability to develop and implement combined assurance as a solution.
- The ability to understand and implement the recommendations of King III and King IV as it relates to governance, risk and control.
- The ability to understand the design of an effective combined assurance model
- The ability to understand and communicate the benefits, barriers, and challenges of implementing a combined assurance model.
- The ability to determine root causes for risks and evaluating which risks need to be addressed as first priority.
- The ability to understand and execute the critical steps and factors for implementation of combined assurance within a municipality.
- The ability to understand the role of internal audit in the combined assurance model
The ability to recognise the potential challenges for internal audit’s role in the combined assurance model.
- Lectures 17
- Quizzes 0
- Duration 50 hours
- Skill level All levels
- Language English
- Students 52
- Certificate No
- Assessments Yes
- The Growing Need for Risk Management
- Identifying Key Players in Organizational Governance
- The Need to Coordinate Assurance Functions
- King Code, COSO and COBIT
- Understanding Combined Assurance
- Reasons to Implement Combined Assurance
- Benefits, Barriers, and Challenges
- Critical Steps and Factors for Implementation
- The case for integrated assurance
Risk and controls self assessment