According to PwC’s 24th Annual Global CEO Survey for 2021, CEOs were ‘extremely concerned’ about the spread of misinformation. At its core, misinformation reflects today’s historically low levels of trust. In order to protect stakeholder trust, boards must take a broader and more holistic approach in identifying and managing risk. One such approach to risk management includes the principle of combined assurance as set out in King IV.
- Coordinated and relevant assurance efforts that are directed to the risks that matter most
- Commitment to enhance controls
- Dashboards that provide an integrated, insightful view for management decision-making
- Assurance activities produce valuable, integrated data based on collaboration and not silos
- Reduction in assurance costs through elimination of duplication and better resource allocation
- A reduction in the repetition of reports by different committees resulting in improved and more efficient reporting
- A comprehensive and prioritised approach in tracking of remedial actions on identified opportunities/weaknesses, and
- The use of combined assurance to support the audit committee and board in making their control statements in the integrated report
Building a successful combined assurance blueprint is not without its challenges. These might include inadequate culture and behaviour at board level in support for this manner of risk management, a lack of balance between risk resilience and readiness, a lack of board confidence in the effectiveness of governance, risk and control processes and the quality and reliability of management reporting.
These challenges may result in a blurred lines-of-defence model rather than a combined assurance model, resulting in irrelevant, inefficient and inadequate coordination of assurance efforts.
King IV does not prescribe the blueprint of a combined assurance model. As a result, an organisation should consider what it has in place to protect itself in the context of four lines of defence. These lines of defence reside in the organisation’s people, systems and controls, risk management and compliance function, internal audit function, and independent external assurance. By using the combined assurance model, assurance gradually increases over the four lines, with the fourth line providing the highest and strongest level of assurance.
The role-players in this process of building a combined assurance blueprint include the board and board subcommittees, the executives, management and staff, internal assurance providers as well as external assurance providers. Internal Audit or Risk Management are usually best placed to take on the combined assurance champion role. They have an overall understanding of the organisation, are familiar with the assurance concepts and have a strong vested interest in making sure the approach is effective. A suggestion is to set up a combined assurance forum comprising a minimum of a representative of the external auditors, internal auditors, governance/sustainability assurance providers, legal services and representatives of the other governance, risk and compliance functions within the organisation. The members of the combined assurance forum should represent the different assurance providers within the group and be of the relevant level of seniority to be able to make decisions on behalf of the assurance function. The diligence and effort in establishing an effective combined assurance approach must be matched by on-going efforts to ensure the approach provides the value it is designed to provide.
While a combined assurance model includes several role-players, there is increased market focus on obtaining external assurance over the whole integrated report. In a recent article, Kevin Dancey and Charles Tilley, representing the IFAC and IIRC, call for urgent progress in the interest of building trust in integrated reporting.1 They believe that even though a handful of assurance providers have recently provided limited assurance over integrated reports, there is an urgent need for innovative solutions that would enable reasonable assurance to be provided over the whole integrated report. They also refer to the recent actions by the IFRS Foundation to form a sustainability standards board (SSB) and develop a global set of sustainability standards as a catalyst for this drive.
It is clear from the overwhelming support from various regulators, preparers and other stakeholders that the IFRS Foundation will go ahead with their intention to establish the SSB. The compilation of a single set of sustainability standards as well as the developments in the assurance standards to enable an external auditor to provide reasonable assurance over an integrated report will take time. The urgency expressed by all the stakeholders involved does, however, indicate that things will be moving at a faster pace than expected.
It is the author’s view that combined assurance will always play a role in risk management, regardless of whether the integrated report is required to be externally assured. The board is ultimately responsible for ensuring that business-critical risks are being adequately managed. The four-lines-of-defence model strengthens the independent assurance reporting to the board and senior management on the critical risks facing the organisation. It also enables the board and executive to take a holistic approach to risk management by receiving a continuous update on the effectiveness of the first three lines of defence. The use of combined assurance remains critical to supporting the audit committee and board in making their control statements in the integrated report and enables them to bridge the corporate reporting trust gap.
1 K Dancey and C Tilley, A roadmap for accelerating integrated reporting assurance, 2021, https://www.ifac.org/knowledge-gateway/supporting-international-standards/discussion/roadmap-accelerating-integrated-reporting-assurance.