By CPA Peter Kibet Kitur
Internal Auditors Must Collaborate Thoughtfully While Preserving Their Core Principles of Independence and Objectivity
In today’s interconnected governance landscape, effective risk management increasingly depends on collaboration between various assurance functions. Combined Assurance (CA) offers an integrated approach that enhances coordination, reduces redundancy, and strengthens oversight. However, internal auditors must exercise care to ensure that this collaboration does not compromise their professional independence or objectivity. Sound judgment and clear boundaries are essential to maintaining audit integrity within a cooperative assurance framework.
Combined Assurance (CA) marks a major evolution in how organisations approach risk management. It brings together multiple assurance activities across the enterprise, aligning them with the organization’s overall risk framework to create a unified and coordinated effort. This integration helps eliminate duplication, break down functional silos, and strengthen the foundation for sound decision-making.
By adopting CA, organisations can achieve greater transparency over risk exposure, improve operational efficiency, and enhance stakeholder confidence. It ensures that significant risks are addressed cohesively across departments, fostering agility and resilience in an ever-changing environment. In today’s complex and uncertain business landscape, CA is not just a best practice—it is a critical enabler for organizations seeking sustainable growth and long-term success.
This approach aligns closely with the Global Internal Audit Standards (GIAS), particularly IIA Standard 9.5 – Coordination and Reliance, which requires the chief audit executive to collaborate with both internal and external providers of assurance and, where appropriate, rely on their work. Such coordination minimizes duplication of effort, identifies potential assurance gaps for critical risks, and enhances the overall value delivered by assurance functions. The standard reinforces that assurance should not exist in isolation but as part of a collective system of governance and oversight.
By applying CA in line with GIAS 9.5, organisations develop a harmonized assurance ecosystem that leverages the strengths of various providers—internal audit, risk management, compliance, and external audit. This synergy allows internal audit to focus on high-risk and emerging areas, while ensuring that existing assurance efforts across the organisation are optimally used. The result is a more comprehensive, cost-effective, and strategic assurance model that strengthens stakeholder confidence and governance maturity.
A critical tool for Combined Assurance is assurance mapping—a structured method for visualizing and assessing the range of assurance activities across an organisation. An assurance map identifies who provides assurance over which risks and processes, revealing areas of overlap, underlap, or gaps. When properly developed, it provides a clear snapshot of the organization’s overall assurance landscape and enables leadership to make informed decisions about assurance priorities and resource allocation.
Integrating assurance mapping into the CA framework ensures that all assurance efforts are aligned with strategic objectives and that critical risks receive adequate coverage. It promotes clarity of accountability, facilitates communication among assurance providers, and helps boards and audit committees understand where assurance is strongest or weakest. When aligned with GIAS 9.5, assurance mapping becomes an essential governance tool—transforming assurance from a series of disconnected activities into a unified, risk-based, and value-driven approach that enhances organisational resilience and performance.
Benefits of Combined Assurance
Combined Assurance offers several strategic and operational advantages to organisations.
- Enhanced knowledge sharing: Collaboration among internal stakeholders promotes the exchange of insights, professional judgment, and expertise. This collective learning strengthens the organization’s overall understanding of its risk environment.
- Optimized use of resources: By eliminating duplication of assurance activities and identifying opportunities to share work, organisations achieve greater efficiency and reduce unnecessary effort or cost.
- Sharper focus on key risks: With better coordination of assurance functions, internal audit teams can concentrate their efforts on high-priority and emerging risk areas, improving the quality and impact of their assurance coverage.
- Consistent and unified reporting: Combined Assurance ensures that executive management and the board receive coherent, aligned assurance messages. This clarity enables leadership to make more confident and informed decisions.
Exercising Caution in Combined Assurance
Although Combined Assurance strengthens organisational governance and supports effective risk identification and management, internal audit must apply discernment when depending on the work of other assurance providers. Overreliance on external or internal sources can compromise the independence and objectivity of the internal audit function if not carefully managed.
Potential challenges may arise from:
- Inconsistent quality in the work performed by other assurance providers.
- Differences in risk perception or assessment, leading to varying interpretations of severity or impact.
- Lack of impartiality among other assurance contributors can affect the reliability of their findings.
- Perceptions that undermine internal audit’s credibility, particularly if reliance is seen as excessive or unjustified.
Challenges and Solutions in Implementing Combined Assurance
Combined assurance, or integrated risk assurance, seeks to coordinate efforts across all three lines of defense to create an efficient control environment and consistent risk reporting. While its benefits are widely recognized, many organizations struggle to embed it effectively.
1. Lack of Clear Leadership
Different organizational structures make it difficult to identify who should lead combined assurance. Without strong leadership and executive support, initiatives lose momentum.
Solution: Internal Audit should lead the process. According to GIAS, internal auditors are best placed to coordinate combined assurance since they understand processes deeply, operate independently, and have direct access to the Audit Committee.
2. Difficulty Obtaining Stakeholder Buy-In
Some stakeholders believe that combined assurance changes their roles or compromises independence.
Solution: Reassure stakeholders that independence does not mean isolation. By referencing IIA’s Three Lines Model and standards, organizations can show that combined assurance enhances collaboration and value without altering individual mandates or reporting structures.
3. Lack of Visibility into Gaps Despite Strong Assurance
Multiple assurance activities often yield fragmented risk views, leading to duplicate work or missed risks.
Solution: Develop an Assurance Map. Mapping assurance coverage against key risks helps identify overlaps and gaps and provides clarity that all significant risks are addressed.
4. Difficulty Developing a Common Controls Framework
Integrating different frameworks and risk definitions is complex.
Solution: Break large goals into manageable steps. Organizing objectives into simple, shared categories helps stakeholders prioritize, connect ideas, and develop efficient, unified solutions.
5. Decentralized Systems Create Inefficiency
Disparate systems cause inconsistent data and excessive administrative work.
Solution: Centralize assurance data through technology. Migrating risk and control information into one system streamlines processes, improves consistency, and supports unified reporting.
Conclusion
To maximize the value of Combined Assurance, internal auditors must collaborate thoughtfully while preserving their core principles of independence and objectivity. Continuous evaluation of others’ work, adherence to professional standards, and open communication with assurance partners ensure that cooperation enhances rather than weakens audit credibility. When managed effectively, Combined Assurance becomes a catalyst for robust governance and trusted assurance delivery.
CPA Peter Kibet Kitur is an Associate Partner with Bon and Drew Associates, chairs a public entity audit committee, is the ICPAK Central Rift Region’s Immediate Branch Chairman, and a member of ICPAK’s Devolution subcommittee.
