• Combined Assurance: is it working?
Articles:

Combined Assurance: is it working?

17 July 2018

George Williams , National Head: Risk Advisory Services |

JSE listing requirements require companies to adopt the recommendations of the King IV report, which makes it fundamental to corporate governance in South Africa. King IV recommends that affected businesses adopt a combined assurance model, but recent corporate failures and security breaches indicate that risks are not being adequately addressed.

It’s worth identifying why this is, if we are to avoid future scenarios like the Steinhoff collapse and the Liberty data protection failure. Is combined assurance working, and is it being properly implemented?

King III initially developed a combined assurance model that covered the traditional three lines of defence – management control; risk control and compliance oversight functions; and independent assurance.

King IV has changed the focus to “five lines of assurance”, in order to incorporate more role players, with an even greater emphasis on providing combined assurance.

Under combined assurance, the assurance is provided by risk and opportunity line functions, specialist functions, internal audit, external audit as well as the governing body.

With all these portfolios providing assurance under the combined assurance model, how effective are these processes? My experience is that combined assurance is at an embryonic stage of development in South Africa. Many companies are not yet sure how to implement it.

A company failure, by implication means there has been a failure of either enterprise risk management (ERM) or combined assurance. Even in the case of fraud, or other malfeasance, this should have been identified as a risk, and strategies devised to mitigate it.

The possible failures can be identified as process, application or oversight. The fraud may have gone undetected because there was no process in place to pick up the problem. Or the process was in place, but it was not applied. Finally, there could have been a process, it was applied, but there was a lack of oversight by the audit committee and the board.

An article by Forte and Barac in The South African Journal of Accountability and Auditing Research1 Journal following research into the uptake of combined assurance, found that there was a dependency on ERM processes as a prerequisite for the implementation of the combined assurance process.

ERM is about identifying risk and opportunities that could impact an organisation’s objectives. Combined assurance on the other hand, maps assurance to the organisation’s risks. So, there is a logic to establishing ERM before embracing combined assurance.

My empirical experience as an invitee of various audit committees is that companies are aware of the combined assurance model, but they don’t know how to apply it.

The practical application of combined assurance is complex, because the respective assurance providers are protective of their turf. They are reluctant to see their fees shrink, simply because the combined assurance model is being implemented.

The internal auditors want to look after their particular area. Legal and compliance have their area... They all have power bases and income streams to protect.

One effective way to apply combined assurance is for the audit committee is to get all assurance providers in a room, decide on the combined assurance budget, then leave the providers to decide on responsibilities and how the fees will be shared.

The goal should be to ensure client interests are protected, and that there is no duplication of effort between the various portfolios. Combined assurance provides for a matrix of controls, which should not overlap.

Assurance activities do not exist to protect vested interests, but to provide assurance on company risks.

In listed companies, the audit committee should oversee the implementation of the combined assurance model, coordinating activities across the various lines of assurance so that assurance has the appropriate depth and reach.

Oversight is critical with a combined assurance mandate. My experience is that many companies work in silos. External audit presents a report. Management talk about their results. Internal audit provides feedback on their audit reviews. Is this combined assurance?

All the guidance on how a governing body should oversee compliance is in King IV. The report explains how the governing body should delegate to the audit committee, to provide direction on the combined assurance model. Following these recommended practices will ensure an effective control environment, and the integrity of information used for reporting and decision-making.

For guidance on implementing combined assurance as required by King IV, and to develop a relevant CA model, companies should consult an audit and assurance specialist. The stakes are high, and there are tools available to assess risk and provide optimal assurance.

Read more BDO Insights