The Three Lines Intertwined

Articles Joe Tarshish, CIA, COSO ERM certificate, Jennie Wallace, CPA, CISA, CGMA, Joe Ciancimino, CISA, CRISC Aug 11, 2025

Enterprise risk management (ERM) is primarily management’s responsibility, but internal auditors must maintain visibility across the organization to provide effective assurance, as outlined in The IIA’s Global Internal Audit Standards. Many organizations use a combined assurance model to coordinate risk efforts.

Combined assurance delivers a unified, holistic view of risk and control effectiveness. This approach not only improves alignment and transparency, but also reduces redundancy and mitigates the strain of “audit fatigue.”

This need for enhanced coordination is underscored by recent research from the Internal Audit Foundation and Baker Tilly. The report, Enhanced Enterprise Risk Management and Strategic Decision-Making, reveals only 49% of global risk professionals agree or strongly agree that risk awareness resonates throughout their organizations, and 40% indicate that ERM insights are not effectively integrated into strategic decision-making processes.

Internal audit, through combined assurance, can play a pivotal role in bridging these gaps and unlocking greater value from ERM.

Stronger Together

Combined assurance breaks down silos among business teams to improve efficiency and elevate internal audit’s strategic role. According to The IIA’s recent Global Practice Guide, Coordination and Reliance: Working With Other Assurance Providers, adopting an integrated assurance model can reap other benefits, including:

  • More precise and higher quality assurance and insights from subject matter experts in audit-related activities.
  • Improved transparency around risks, findings, and control processes.
  • Better governance that improves the organization’s ability to meet organizational objectives.

By coordinating with second-line assurance functions, internal audit can strengthen governance and support more effective ERM. Such collaboration reinforces the connection between strategy and risk — an approach emphasized in COSO’s Enterprise Risk Management–Integrating With Strategy and Performance guidance.

The Three Lines and the Standards

The IIA’s Three Lines Model encourages collaboration, coordination, communication, and alignment to enhance governance and risk management. According to The Institute’s Executive Knowledge Brief, Combined Assurance: Aligning Assurance for Effective Risk Management, “such a flexible approach creates a collaborative environment that is ripe with possibilities, and it is within this structure that the value of combined assurance can reach its full potential.” Combined assurance coordinates the assurance activities of the three lines to ensure an effective approach to governance and risk management and a unified view of risk.

In today’s evolving risk management landscape, roles within the three lines are expanding. Second line roles, such as controls monitoring functions that test the execution of IT controls, can be found within operations. Embedding second-line expertise in day-to-day operations builds ownership of risk and makes controls more responsive.

Further, independent testing teams are found within second-line functions, such as groups assessing compliance activities. With mature methodology, review, documentation, and reporting processes, these second-line groups often resemble audit functions.

To better understand internal audit’s role in combined assurance initiatives, it helps to turn to The IIA’s Global Internal Audit Standards and guidance. Standard 9.5 Coordination and Reliance places special emphasis on the importance and value of internal audit working with other assurance providers. It notes, “Coordination of services minimizes duplication of efforts, highlights gaps in coverage of key risks, and enhances the overall value added by providers.”

The standard’s Considerations for Implementation recommend that internal auditors use management’s risk management information to provide joint risk assessments and create a shared risk register or to combine results for joint reporting.

The Coordination and Reliance Practice Guide offers greater detail on how internal audit can align joint risk assessments as part of an ERM approach and:

  • Assist with identifying, evaluating, and facilitating risk management methodologies.
  • Be a champion for ERM and the central point for coordinating, monitoring, and reporting risks.
  • Share tools and techniques for analyzing risks and controls.

The guidance also recommends that internal audit evaluate the work of internal and external assurance providers by documenting the level of assurance they provide over risk areas, determining how much internal audit can rely on their work, and raising any concerns with senior management and the board.

Per Standard 9.5, an evaluation of other assurance providers “should consider the providers’ roles, responsibilities, organizational independence, competency, and objectivity, as well as the due professional care applied to their work.” The Coordination and Reliance guidance continues this theme, outlining five elements for assessing reliance: purpose, independence and objectivity, competency, elements of practice, and communication of results.

A Web of Assurance

Internal audit and other assurance providers can use combined assurance methods to synthesize system and organization controls (SOC) reports, Sarbanes-Oxley testing, and internal audit risk assessments, delivering a comprehensive and actionable view of an organization’s risk. These three areas present opportunities for easy wins, given the maturity of their testing, documentation, and reporting processes.

The CAE is ideally suited to link the efforts of these various assurance activities. By synthesizing findings from SOC, Sarbanes-Oxley, and internal audit assessments, the CAE can provide valuable risk insights. Where there is a dedicated ERM function, the CAE can further collaborate with that team to strengthen risk awareness and decision-making.

SOC Reviews. A SOC 2 Type II review, which evaluates the effectiveness of nonfinancial controls, can yield particularly valuable risk insights because it tests controls over time rather than at a point in time. These reviews often cover domains such as data integrity and availability, change management, logical security, and physical access. Increasingly, cloud-service vendors are centralizing logical access controls, making it essential for the organization to assess whether all its vendors are robustly applying access provisioning, modification, and deprovisioning protocols.

SOC 2 reviews also assess how organizations manage subservice providers, including third- and fourth-party vendors, throughout the full vendor life cycle. A key part of this process includes verifying whether appropriate user entity controls are in place to complement vendor safeguards.

Findings or opportunities for improvement identified during SOC walkthroughs or operating effectiveness tests should be considered in the risk assessment and internal audit plan. Ensuring the CAE has transparent access to the methods and results of SOC 2 testing helps ensure internal audit’s risk-based planning is consistent with conclusions made by other assurance providers.

Say, for example, SOC testing reveals that certain user roles could alter financial data within a critical application, and assurance providers have not considered this in their quarterly user-access reviews. Management can respond by including the user roles in future access reviews. Further, internal audit can review whether the issue has caused any adverse impact.

Sarbanes-Oxley Reviews. While SOC 2 focuses on operational and IT-related domains, Sarbanes-Oxley testing concentrates on internal controls over financial reporting. These are the processes and mechanisms that ensure the completeness and accuracy of financial reporting. Sarbanes-Oxley assessments often encompass accounts payable and receivable, cash management, the financial close process, and operational areas such as inventory management and order fulfillment.

Failures uncovered through Sarbanes-Oxley testing may initially appear isolated — for example, weak review controls or gaps in vendor management — but they also can signal deeper process flaws. If an organization cannot maintain effective internal controls over financial reporting despite their regulatory visibility and importance, this could indicate even greater weaknesses in less scrutinized areas.

For internal audit, such findings may warrant a more thorough follow-up. If internal audit follows a dynamic risk-based audit plan, it can adjust the plan to address control failures as soon as they are identified.

Coverage of SOC and Sarbanes-Oxley often overlaps, especially for IT general controls. To optimize risk insights, reduce audit fatigue, save costs, and streamline the audit process, the organization must ensure internal audit, the SOC vendor, and the Sarbanes-Oxley team are aligned and coordinated, such as through a combined assurance model.

For example, say during Sarbanes-Oxley testing, the external assurance provider discovers that while access to database tables directly tied to financial reporting was appropriately restricted, controls were lacking across other tables in the same system. The organization achieved compliance by only including the Sarbanes-Oxley-relevant tables in their scope. However, this finding exposed a larger issue with access management. Internal audit can note the concern and initiate a broader audit of database access management.

Internal Audit Risk Assessments. Conducted regularly, these risk assessments help provide a broader picture of enterprise risk and identify key risk themes. Organizational change and talent shortages, for example, can result in unclear ownership of controls, insufficient role backups, or knowledge loss — all of which affect the reliability of processes.

Internal auditors also can be asked to detect compliance readiness gaps and assess other types of risk exposures in advisory engagements, particularly in areas governed by evolving regulations, such as environmental, social, and governance disclosures or data privacy laws. The evolution of technology poses additional challenges, with risks emerging around artificial intelligence and data governance, cloud migration, access management, and incident response.

No Loose Threads

Combined assurance has its snags. Internal audit needs to be proactive and formulate a plan to mitigate risks inherent in an integrated approach. It can do this by:

  • Maintaining independence by not taking on management’s responsibilities for achieving objectives despite the related risks.
  • Setting expectations for two-way communication, as internal audit and other assurance providers may limit the information they are willing to share.
  • Considering challenges inherent in the timing of the work of other assurance providers.
  • Relying on the testing and results of external assurance providers (when necessary) only after assessing the adequacy of their work.

Internal audit does not need to own ERM to communicate risk themes and insights. When the organization uses an enterprisewide approach to managing risks, internal auditors can be part of important conversations about key risk issues — and even lead them.

Joe Tarshish, CIA, COSO ERM certificate

Joe Tarshish is principal, lead consultant at Livingstone Advisors in the Mid-Atlantic region.

Jennie Wallace, CPA, CISA, CGMA

Jennie Wallace is founder and principal at Melody Advisory Services in New York.

Joe Ciancimino, CISA, CRISC

Joe Ciancimino is senior director of attest services at IS Partners LLC, in Dresher, Pa.