
When you have to be right

Audit Technology Insights

Becoming a Relevant Partner through Combined Assurance
TeamMate Global Audit Solutions | www.TeamMateSolutions.com

Building Relevant Partnerships


We have been talking about internal audit as a trusted advisor for some time now. Many departments have excelled in increasing the presence of internal audit in their organizations by taking on a risk and control advisory role, while maintaining independence, in order to deepen the trust in the auditors as risk and control experts. It's time for us to evolve beyond trusted advisor to relevant partner. An advisor is someone you call occasionally for an opinion, but a partner is the one you consider in every decision. Within internal audit, we have an opportunity to assume the role of relevant partner through the process of combined assurance.

Under the broad umbrella of providing assurance, we find overlapping responsibilities among groups within many organizations. Internal Audit, Enterprise Risk Management (ERM), Environmental, Health & Safety (EHS), Information Security, Legal Compliance, Internal Control over Financial Reporting/Sarbanes Oxley (ICFR/SOX) and many other teams are working toward a common goal to provide assurance (see Figure 1) and advisory services to management to support the decision making and risk mitigation processes. Unfortunately, these groups tend to work in silos, which adds to management's assurance fatigue¹. When we look closely at the functions of these departments, internal audit is in a unique position to build relevant partnerships.

Figure 1

Among the many benefits that we will see from these new, stronger partnerships, our organizations will all begin speaking about topics like risks, controls, and issues using one consolidated terminology. We will see increased efficiency in collecting and reporting information, and ultimately, we will experience more effective governance, risk, and control oversight. By building relevant partnerships with other internal assurance teams, we will naturally prevent management from being overwhelmed by information and reports and succumbing to assurance fatigue.

In an effort to streamline the work of these teams, and to enhance the organizational value of everyone involved, we should consider combining our assurance efforts and aligning our activities, especially in the areas of audit planning and board reporting. Based on the most recent update to the IIA Standards, we have an opportunity to align our efforts with our assurance partners in order to ensure proper coverage and minimize duplication of effort (IIA Standard 2050).

¹ Combined Assurance: One Language, One Voice, One View

Comprehensive Audit Planning


Organizations are increasingly asked to do more with less. Staffing levels often remain flat or are not increased to a level that would significantly alter the scope of the work we have the capacity to perform. By coordinating with other groups inside our organization, we can increase our audit coverage by leveraging the work already being completed. The IIA does provide guidance on this matter in the newly updated Standard 2050 in the International Standards for the Professional Practice of Internal Auditing (IPPF). The standard states that the chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts. The standard was updated to highlight the internal reliance aspect of the statement. In fact, The IIA issued an interpretation in the Implementation Guide 2050 to very clearly say that in coordinating activities, the chief audit executive may rely on the work of other assurance and consulting service providers. While the associated Practice Advisory (2050-1) is usually applied to reliance on work from external auditors, the standard is written to address coordinating activities with other internal and external assurance providers, which would encompass groups like ERM, EHS, Compliance, Information Security, SOX and others.

Based on this standard, CAEs should be reaching out to internal groups to ensure proper coverage and minimize duplication of efforts. During audit plan development, we should understand the scope and objectives of the work being performed by the other teams. In fact, in a comprehensive risk assessment, risks related to technology, financial reporting, environment, health, and safety should all be included, and the work planned by the other assurance teams can be relied upon for the audit coverage for these areas. Once the audit plan is drafted, we can take the next step and combine the reporting process with senior management.

Reliance
While the idea of relying on the work done by other departments is very attractive, auditors have a hard time accepting the possibility of trusting poor quality work, and we typically raise our concerns related to maintaining independence. Thankfully, the IIA has also provided guidance on the topic of reliance. In this Practice Guide², the IIA explains the need to assess the other internal assurance provider's objectivity and competence. We can think of this evaluation in much the same way we would think of a peer review as part of the Quality Assurance and Improvement Program (QAIP).

Competence
To ascertain the internal assurance provider's competence, CAEs need to understand the individuals who make up the other team in much the same way we understand our internal audit team.

The qualities we must assess include:
- Education
- Professional experience
- Professional certification
- Policies and procedures
- Supervision
- Documentation standards
- Documentation review
- Performance evaluations

Objectivity
Similarly, the CAE should also decide whether the group is able to objectively perform the audit work. Considering these groups are generally not independent like an internal audit department, we need to consider the following:
- Who does the assurance provider report to in the organization?
- Will the work performed be influenced by management?
- Are there factors that would prohibit the provider from performing the audit?

For our part in internal audit, we always reserve the right to not use the work performed by our partners, and we can retest or perform our own audit of the area if needed. In this way, our own independence is not impaired. In the end, internal audit does not report to any of the other assurance teams.

² Reliance by Internal Audit on Other Assurance Providers, The IIA 2011

Holistic Reporting
We can also gain efficiency when reporting results to senior management and the board. At the beginning of the year, both the CAE and the heads of other teams, like the Director of EHS, submit summaries of their respective planned audit activities, staffing plan, and budget to senior management and the board. By combining these presentations, we can help our stakeholders better understand the scope of the work and planned audit coverage.

The same holds true for interim and year end results reporting. By co-presenting the results of multiple assurance providers at once, we can help management focus their efforts and set priorities for the organization. Of course, we must be careful not to overwhelm the board with endless information. Always present summary information, ideally with visuals, and provide any details as an appendix to the summary. Remember that senior management has a very limited amount of time to dedicate to your data, so be succinct and provide your reports well in advance of any meetings.

Risk Reporting
In line with our respective audit processes, we should provide more risk information to the audit committee. One way to highlight the current state of our organizational risk profile is with a risk coverage map. One of the best examples of a risk coverage map in a combined assurance setting I've found comes from a PwC report titled Implementing a combined assurance approach in the era of King III³ (see Figure 2). In this report, the authors present the major risk topics for an organization along with the groups within the Three Lines of Defense⁴ who are providing assurance services related to each risk.

From an internal audit perspective, the risk coverage map shows exactly which group has responsibility for risk management and to what extent the coverage extends. In the example below, you can see that Internal Audit has minimal coverage on environmental risk, but this may be appropriate since there is an EHS team and special projects that include heavier coverage on this area of risk.

³ Implementing a combined assurance approach in the era of King III, 2010 PricewaterhouseCoopers.
⁴ IIA Position Paper The Three Lines of Defense in Effective Risk Management and Control (2013)

Figure 2: Three lines of defense assurance providers (risk coverage map; image not reproduced)
Column groups: First line of defense (management-based assurance); Second line of defense (risk and legal-based assurance); Third line of defense (independent assurance)
Column labels: Consulting engineers, Management review, Risk management, ISO certification, Health & safety, Special project, Special project, External audit, Internal audit, Control self assessment, Compliance, SOX
Row labels (Processes): Strategic, Cash/finance and treasury, Funding, Sustainability, Growth/mergers & acquisitions, Alliances, Operational, Financial, IT, Treasury, Human resources, Supply chain management, Quality, Environment, Customers, Products & Services

In the end, the risk coverage map serves as both a responsibility chart as well as a way to demonstrate to management which risks are getting the most attention by all aspects of the organization. If we use a risk assessment that includes a comprehensive view of risks identified by all assurance providers in our organization, and a combined assurance risk map to show coverage, we will present management with a more complete, and more understandable picture of our organizational risk profile.

Audit Results Reporting
At the end of an audit, our work product is the audit report. For management, all they generally see produced by the audit department will be the engagement letter and the audit report. Rightly so, we spend inordinate amounts of time perfecting our report templates, formatting the report, and agonizing over the wording of each finding we present. We are so focused on delivering a flawless audit report that we may forget that other assurance providers are also providing management with their reports and lists of issues. One way to reduce assurance fatigue through combined assurance is to coordinate our reporting standards. If all of the assurance groups can decide on both a common format and common taxonomy regarding audit findings, management will be able to more easily absorb the information we are all presenting.

Technology's Role
Internal auditors have traditionally led the charge in risk assessment, control monitoring, and testing techniques. We have surpassed others in adopting new technology designed to improve our testing effectiveness and efficiency. As a relevant partner, we should share our tools with other assurance functions in our organization. We are in a fantastic position to act as a business partner to those in our organization who share responsibility for managing risk. Based on the Three Lines of Defense Model we can organize most risk management processes into three groups: Management Oversight, Control Monitoring (e.g. SOX, Quality Control, EHS, etc.), and Internal Audit (see Figure 3).

In many organizations, the monitoring and testing processes used by management in the first line are overly dependent on manual review with limited or no use of technology. When we audit these areas, we can very quickly test controls and find management is not getting the timely information they need for proper oversight due to a lack of technology. Control monitoring functions may be more advanced in their assessment and monitoring activities, but their technology or software solutions may not integrate with those internal audit is using for similar tasks.

When we look at all of the technology available across the spectrum of assessment, monitoring, and testing of processes, risks, and controls, there are several opportunities to increase the effectiveness of organizational risk management while increasing the efficiency of internal audit's role through the use of software solutions and tools. Many of these tools are already in place in most audit departments.

Figure 3
- Management Oversight as the first line is responsible for monitoring and controlling processes
- Control Monitoring groups as the second line ensure properly designed processes and controls are in place
- Internal Audit as the third line provides independent assurance over processes and controls

Three of the most critical methods for leveraging technology across three lines of defense are (see Figure 4):

1. Sharing your data analytics tools with management
2. Maintaining common control monitoring software
3. Leveraging common risk assessment tools
4. Using collaborative documentation solutions

Data Analytics
Internal auditors have a secret weapon that we need to share with the rest of our organizations: data analytics. We are certainly not the only people who use analytics, but we may be the only ones using it for monitoring and testing. Other groups use analytics for data modeling and decision making. All too often we perform a test in an audit, and the process owner is shocked we found any exceptions. It would be in everyone's best interest to give management access to our data analytics tools and teach them to perform continuous auditing on their own. Their management process will be more effective, and auditors will spend less time dealing with testing exceptions. By distributing our data analytics tools to both the second and third lines of defense, we can enable all of our assurance partners to perform smarter, more complete monitoring activities.

Controls Monitoring
From a control perspective, we can share a common library of controls to be owned by management, monitored by control teams, and audited by the internal audit department. By using controls management software, we can ensure there is only one current version of each control documented in our organization, and we can speed up the process for control testing and monitoring. The topic of controls monitoring typically comes up when we are bringing SOX compliance or other internal control over financial reporting teams under the umbrella of combined assurance. These groups are generally very closely related to the internal auditors, and we should consider this relationship as a prime candidate for a combined assurance partnership.

Risk Assessment
Audit departments are required to complete risk-based auditing. However, many other functions in an organization perform risk assessments for a variety of purposes. ERM teams are looking at the risks that impair meeting strategic objectives, internal audit is trying to determine the audit plan, and other groups like SOX and EHS are managing compliance risk related to specific regulations. Other groups may have a deeper understanding of their respective areas, and we can incorporate their information into our annual plan. If we all use a common risk assessment tool, which may already be included in your audit management software, we will be able to share results and leverage the work of each team. By relying on the efforts of the entire organization, we can get even closer to achieving continuous risk assessment.

Documentation
When we take combined assurance to the fullest extent, we should certainly consider sharing our documentation tools. Internal audit departments have matured past using only Microsoft Office tools like Word and Excel when documenting our audit work in audit software. As we bring other assurance teams closer to our operations, we should share our audit management software. The tools that we all use should have the capability to let all of the assurance teams maintain their independence while sharing insights into the work that has been planned and completed, and the issues that came from the work.

We have an opportunity to improve the overall risk management of our organizations while expanding the view of internal audit as a partner to management. Take an inventory of the technology you already have in place in the audit department and consider how these tools could be leveraged by all three lines of defense. If you find that the technology at your disposal does not include the capability for sharing data analytic tools, risk assessment results, and a common control library, it may be time to revisit your standing on the audit technology maturity curve⁵.

⁵ IIA Special Report - Developing an Effective Internal Audit Technology Strategy (2012)

Figure 4 (diagram not reproduced; labels: Data Analytics, Management, Internal Audit, Risk Assessment, Controls Monitoring, Controls Management)

Conclusion
As we all strive to provide our organizational management with useful and concise information
for their decision making process, combining efforts between internal audit and other assurance
groups will lead to improvement. We will better understand our audit coverage, and we will
gain efficiencies in our audit planning and reporting activities. Ultimately, by strengthening
the relationship between these similar functions, we will improve our ability to protect overall
organizational value while increasing our value as a relevant partner to the broader assurance
function as well as to the entire organization.
Contact information:

UNITED STATES & LATIN AMERICA
The Towers at Westshore
1410 N. Westshore Boulevard
Suite 400
Tampa, FL 33607
United States
1 888 830 5559

CANADA
Suite 300, 90 Sheppard Ave. E.
Toronto, Ontario M2N 6X1
Canada
1 800 461 5308, ext. 6853

EUROPE, MIDDLE EAST, AFRICA
25 Canada Square
41st Floor
London, E14 5LQ
United Kingdom
+44 20 3197 6566

ASIA PACIFIC
15/F, W Square
312-324 Hennessey Road
Wan Chai
Hong Kong
+ 852 2610 7080

Please visit TeamMateSolutions.com for more information.

Copyright 2017 Wolters Kluwer Financial Services, Inc. All rights reserved. 10198
