COMBINED ASSURANCE POLICY FRAMEWORK
APPROVED BY:
IMPLEMENTATION DATE:
Table of Contents
1 Introduction
2 Purpose of the Document
3 The Definition of Combined Assurance
4 Background
5 Process
5.1 Step 1: Identifying Role Players
5.2 Step 2: Assess potential for combined assurance
5.2.1 The first line of defence (Management based assurance):
5.2.2 The second line of defence (Risk and compliance based assurance):
5.2.3 The third line of defence (Independent Assurance):
5.3 Step 3: Test Coverage of Assurance
5.4 Step 4: Risk Focus
5.5 Step 5: Combined Assurance Application
6 CULMINATION OF THE PROCESS
7 ROLES AND RESPONSIBILITIES
8 GLOSSARY OF TERMS
1. INTRODUCTION
The Combined Assurance Model aims to inform, in a simple manner, on the effectiveness of
assurance providers and to create confidence in the assurance provided over key
organizational risks.
2. PURPOSE OF THE DOCUMENT
A framework is defined as a conceptual structure intended to serve as a guide for the
building of something that expands the structure into something useful. The Combined
Assurance Policy Framework (CAPF) is a guide that informs the development of the annual
Combined Assurance Plan (CAP) for WASCO. The annual CAP will be based on the annual
risk assessment facilitated by the ERM Function.
3. THE DEFINITION OF COMBINED ASSURANCE
The planned approach to assess the extent and adequacy of assurance coverage on key
corporate risks and reporting thereon to Management and the Board.
4. BACKGROUND
The International Standards for Professional Practice of Internal Auditing (Standard 2050)
prescribes that the Chief Internal Auditor (CIA) should share information and co-ordinate
activities with other internal and external providers of relevant assurance and consulting
services to ensure proper coverage and minimize duplication of efforts.
The concept of combined assurance is supported by the King Report (King IV) which
recommends that the Finance, Risk and Audit Committee (FRAC) should ensure that a
combined assurance model is applied to provide a coordinated approach to all assurance
activities.
5.0 PROCESS
A five-stage process should be employed in ensuring the success of a combined assurance
model. This process is depicted as follows (read clockwise):
[Figure: five-stage cycle, read clockwise: Identify Role Players; Assess Potential for
Combined Assurance; Test Coverage of Assurance; Risk Focus; Combined Assurance Application]
4.1 Step 1: Identifying Role Players
Step 1 entails WASCO identifying and appointing a Combined Assurance champion and an
Executive sponsor.
4.2 Step 2: Assess potential for Combined Assurance/Identify Assurance Providers
The second step entails establishing a high-level understanding of who the assurance
providers are for the risk exposures facing WASCO. Ideally, Assurance Providers should be
separated in terms of first, second and third line of defence, i.e. management-based
assurance, risk and compliance-based assurance and independent assurance respectively.
The three lines of defence are elaborated as follows:
5.2.1 The first line of defence (Management based assurance):
Managers, as the risk owners, are responsible for ensuring the management of risk and are
termed the “first line” assurance providers.
The first line of defence is best suited to offer broader assurance coverage.
5.2.2 The second line of defence (Risk and compliance based assurance):
The second line of defence comprises corporate functions such as Risk Management,
Compliance Officer, Environment, Health and Safety, Legal Services, Water Quality
Assurance etc. It is recommended that the Combined Assurance Champion be selected
from the second line of defence.
5.2.3 The third line of defence (Independent Assurance):
The third line of defence may be categorized in terms of Audit and Oversight. Internal Audit,
the Finance, Risk and Audit Committee (FRAC) and the Office of the Auditor-General are
examples of independent assurance providers that form the third line of defence.
During step 2 of the process an assurance profile should be documented.
4.3 Step 3: Test Coverage of Assurance
The third stage in the process is to test the coverage of assurance provided through
interaction with recipients and assessment of reports to establish what is being done and for
what reasons. This test will ensure coordination of efforts and eradicate duplication.
The IIA Standard 2110 states that the Internal Audit activity must coordinate the activities of
and communicate information among the Board, External and Internal auditors and
Management. Accordingly, the third stage in the process should be assigned to the Internal
Audit Activity.
4.4 Step 4: Risk Focus
In the fourth stage a full understanding is established of what assurance is currently being
provided and what needs to be provided based on the strategic and operational risk profiles
of WASCO. This step will allow a detailed gap analysis to be developed and to inform the
next step in the process.
Here the different lines of defence will be mapped to the identified risks, detailing the
work actually performed and the expected assurance.
It is not feasible to consider all identified risks in the Combined Assurance Model. WASCO
will, at a minimum, set the limit to cover the high to very high inherent risk ratings of its
approved risk universe. The risk rating will therefore be the criterion for incorporation in
the Combined Assurance Model. This approach will simultaneously ensure that assurance is
worth the time and effort.
4.5 Step 5: Combined Assurance Application
The final stage requires stakeholder acceptance of the approach and respective
responsibilities through identifying and recommending areas of assurance and articulating
the nature of the assurance activities.
The detailed gap analysis should highlight areas of extensive assurance, moderate
assurance, inadequate assurance and no assurance.
In this instance WASCO shall apply its discretion in defining extensive, moderate and
inadequate assurance.
Where there is inadequate assurance, an agreement will be reached as to who will take
responsibility for assurance in the identified areas and the nature of activities and/or
reports to be provided.
The third line of defence will then be responsible for reporting on the adequacy of assurance
provided by implementation of combined assurance.
Lastly, the assurance provided must be credible. Management and the Board will ensure
that both internal and external assurance providers are appropriately skilled and
experienced to follow an adequate approach.
5. CULMINATION OF THE PROCESS
The aforementioned process can be documented and reflected in a Combined Assurance
Plan (CAP). The CAP details the three lines of defence, which are mapped to WASCO's
current risk profile. The cross reference will then detail the assurance coverage.
Judgement can be made on over or under assurance and adjustments may be made
accordingly. The CAP can also be used for reporting processes. An annual process must be
developed to evaluate and report to the Finance, Risk and Audit Committee on the adequacy
and effectiveness, and on the development and implementation, of the Combined Assurance
Framework. The CAP should be recommended for approval by FRAC on an annual basis.
6. ROLES AND RESPONSIBILITIES
The table below summarizes the roles and responsibilities of the different role players:

Role-player                          Roles and responsibilities
Chief Executive                      Appoint the champion and executive sponsor.
Champion                             Coordinate the Combined Assurance process.
Internal Audit                       Test for under or over assurance coverage.
                                     Recommend the adjustment of coverage.
                                     Test effectiveness of implementation.
Finance, Risk and Audit Committee    Ensure and monitor the application of Combined
                                     Assurance and report to Board.
                                     Recommend to the Board the approval of the Combined
                                     Assurance Plan on an annual basis.
7. GLOSSARY OF TERMS
Framework                      A conceptual structure intended to serve as a guide for the
                               building of something that expands the structure into
                               something useful.
Assurance                      A declaration that inspires or is intended to inspire
                               confidence.
Combined assurance Champion    The individual appointed to coordinate the combined
                               assurance process and ensure process continuity.
Executive sponsor              The senior individual appointed to provide authority, oversee
                               the combined assurance process and ensure cooperation
                               throughout the initiative.
First line of defence          “Risk owners” responsible for ensuring the management of
                               the risk. This line of defence has direct involvement, as the
                               executing leg, and will therefore offer broader assurance
                               coverage.
Second line of defence         Internal assurance functions (internal risk and compliance
                               units) such as Enterprise Risk Management, Health and
                               Safety, Legal Services etc.
Third line of defence          Independent (external or non-line function) oversight
                               activities/functions such as Internal Audit, Audit Committee,
                               Auditor-General.
Extensive assurance            All lines of defence are responding to the risk to the extent
                               that coverage is duplicated.
Moderate assurance             There is a balance between risk severity and assurance
                               coverage.
Inadequate assurance           The assurance coverage is not sufficient to ensure effective
                               risk management.
No assurance                   The risk has eluded all lines of defence and action is needed
                               to respond to the risk.