Integrated Assurance Slides
Getting started
Leveraging technology
Conclusion
Jim has more than 20 years of internal auditing experience in both the public and
private sectors. He is a Senior Product Manager for Wolters Kluwer TeamMate, where
he works to continuously improve audit productivity while delivering strategic insights
via TeamMate’s best-in-class solution. Jim has served in several leadership roles at The
Institute of Internal Auditors as well as City Auditor for the City of Palo Alto, CA, and
was the Chief of Audits for the County of San Diego, CA. His diverse internal auditing
experience also includes roles at the California State University System, PETCO Animal
Supplies, Inc., State Street Corporation, and General Electric.
2 Thought Leadership
Introduction
Integrated assurance offers a proactive approach to
risk management designed to deliver a unified view of
risks in relation to achievement of objectives. Through
coordination and collaboration of varied assurance
providers, it promotes enterprise-wide alignment, agility,
and transparency in managing risks.
The benefits of effective integrated assurance include:

• Enabling comprehensive risk reporting to the Board / Audit Committee.
• Minimizing assurance fatigue, while maximizing the impact of assurance functions across the organization.
• Reducing overall duplication of work.
• Identifying principal risks where no (or limited) assurance is provided.
• Accelerating responses when new risks emerge.

Despite the clear benefits offered by integrated assurance in an ever-evolving risk environment, the percentage of organizations that have effectively embraced this approach is low. A recent global survey of audit and assurance professionals by Wolters Kluwer TeamMate found entrenched risk silos undermine the potential for establishing effective integrated assurance.

Our survey of 850 audit leaders and other assurance professionals reflected that only 16% of respondents feel their risk management efforts are “clear and fully aligned”, with 64% managing multiple risk libraries and 40% struggling with duplicative assurance efforts. The opportunities for greater communication, collaboration, and reporting are evident.

This report explores the state of collaboration and coordination among audit and other assurance providers. It provides benchmarks on how business is organized to manage risk and assurance activities; the level of collaboration in the context of the Three Lines Model; and how internal audit currently supports organizations through an integrated assurance approach and where there are opportunities for improvement. It also examines how technology and corporate culture can support effective integrated assurance.
Trouble in Three Lines paradise
The large percentage of organizations that recognize the value of clear risk management and assurance roles and responsibilities is encouraging, but effectively integrating those roles is a different challenge. Second line internal controls, compliance, and risk management roles have increased in recent years, and for some organizations, this change has led to “siloism.” (Figure 2)

Silos are formed where second and third lines develop their own systems, language, processes, and ways of working, which can lead to discrepancies in messaging to the Board / Audit Committee, disjointed risk assessments, gaps in assurance coverage, and increased assurance fatigue. (Figure 3).

As the risk landscape has grown in scope and complexity, risk management and compliance functions have expanded beyond “niche” players to more formalized and influential areas within the organization, often reporting back to the Board and/or a Risk Committee. These areas, typically second-line functions, grew and matured into siloes focused on their specific objectives. In most cases, they defined what risk meant to them, developed their own processes, and invested in distinct software tools focused on their specific tasks. While this allowed them to perform their responsibilities, it did not consider the larger picture of risk management and assurance across the organization required to support better decision-making by senior management and the Board. Siloism leads to a fractured or disjointed depiction of risk management presented to decision makers and limits their ability to see the bigger picture of risk across the entire company.

[Figure 2: “Siloism”. Silos where first, second and third lines independently develop their own systems, language, processes, and ways of working. Panels: First line (business units: provision of products or services to clients, managing risks); Second line (Risk, IT Security, Sustainability, EHS, Internal Control, Compliance, Quality); Third line (Internal Audit: independent and objective assurance).]

[Figure 3: When Assurance lacks coordination. Multiple and/or partial versions of the truth lead to a fragmented view on Risk for the Board & Senior Management and the Audit Committee; lack of transparency causes duplication in Risks and Controls. Roles shown: Chief Risk Officer, Chief Compliance Officer, Head of Internal Controls, Chief Information Security Officer, Chief Sustainability Officer, Chief Audit Officer; First Line Business Units.]
The state of integrated assurance

An integrated approach to risk management and assurance demands transparency rather than isolation created by silos. While each function still plays its part — with some important overlaps — integrated assurance requires all risk managers and assurance providers to connect the dots by deploying a shared knowledge and language, even as they maintain their own perspectives. What’s more, it is imperative that internal auditors understand the second line’s focus to enable them to perform their jobs well.

This is not to say that everyone should have a single view of risk. What is important is that different views are shared, and misalignments are reviewed and discussed. Through such collaboration, a comprehensive and aligned view of risk emerges. This positions all three lines to speak accurately and uniformly to senior management and the Board / Audit Committee who, in turn, can make more informed strategic decisions.

There are three fundamental steps to achieving fully aligned risk management: clearly delineating risk and assurance roles and responsibilities across the organization, effectively coordinating across the three lines, and ensuring a high-performing internal audit function. What follows is an assessment of those three steps based on data from the Wolters Kluwer TeamMate survey.
Step 1: How business is organized

As noted earlier, the vast majority (93%) of organizations recognize and embrace the value of delineating clear risk management and assurance responsibilities across the organization. What’s more, data from the Wolters Kluwer TeamMate survey confirms the need for stronger collaboration among risk and assurance providers with only 16% responding that their messaging to senior management and the board is “Clear and fully aligned.” At the same time, organizations are suffering from inefficiency in their assurance work with 40% acknowledging the existence of duplicative effort at the senior executive and board level as well as a concerning 64% stating that their organizations manage multiple risk libraries, and the existence of significant and unnecessary duplication of effort. Additionally, survey respondents indicated the need to work more collaboratively to improve risk management and assurance.
Effective collaboration
Senior management and Boards / Audit Committees are under ever-increasing pressure to stay afloat on a complex and growing sea of risks that can limit the achievement of business objectives. Risk alignment is nearly impossible when organizations have multiple assurance functions all reporting to the Board / Audit Committee but failing to use a common risk taxonomy and risk rating system. Simply put, the Board / Audit Committee cannot be as effective when it receives partial or biased versions of the truth.

Additionally, internal audit cannot effectively support sound decision-making if auditors are not aligned with the other assurance functions. Indeed, it would be irresponsible and damaging to the success of an organization not to address the problem.

Several factors contribute to the level of collaboration among risk managers and assurance providers within an organization. From the perspective of effective organizational governance, the first line owns and defines its risks, often with support from the second line. Depending on the maturity and/or complexity of risk management within an organization, the first line can delegate some of its risk ownership to second-line functions. However, data from the survey reflect middling success in this area. It found:

• 64% of respondents say the first line owns and defines its risks (at times with support from the second line).
• 44% said the first line performs periodic risk assessments.
• 41% said that the first line self-assesses its controls.
The survey also indicates an overall immaturity in current working methods and a “strong” or “critical” need for change.

• Only 18% of respondents stated that alignment, communication, coordination, and collaboration are “fully established and mature” across the Three Lines Model.
• 56% indicated a “strong” or “critical” need for greater alignment, communication, coordination, and collaboration.

Working collaboratively

Each organization is unique in the context of its risk management needs and perspectives. There is no one-size-fits-all solution. This is why coordination, communication, and transparency are critical to effective and aligned risk management. As risk environments have grown in their dynamics, complexity, and speed, several best practices have emerged that support effective integrated assurance. What follows is a list of processes and tools that support integrated assurance, along with the percentage of survey respondents that report using them. These include:

Maintain a single risk library. Creating a comprehensive risk library allows risk and assurance managers to understand risk management needs throughout the organization and discourages siloed views of risk. Yet only 59% of respondents either have a system in place or are moving in this direction.

Operate a single library of controls. Risks and controls are the foundation of risk management. Building a comprehensive list of controls allows for shared knowledge of what types of controls are effective and identify controls that could be in conflict. Fewer than half (46%) of those taking the survey report having a combined library of controls.

Use a single risk taxonomy, and rating and scoring methodology. Speaking the same language is vital to effective communication and collaboration. Yet only 55% of respondents have a single risk taxonomy, and just 59% operate a single risk and scoring methodology.

Conduct a single enterprise-wide risk assessment. Assessing risk is critical to setting priorities in managing risk. Understanding risk across the organization allows for a comprehensive understanding of risk and prioritization that supports operational strategies. However, only 28% conduct enterprise-wide risk assessments.

Operate a single assurance map. Assurance mapping provides boards and executive management with a clearer understanding of the efficacy of risk controls, particularly when reported in heat maps or other visual presentations. Assurance maps that incorporate risk controls throughout the organization are even more valuable. Fewer than 4 in 10 (39%) of respondents use combined assurance mapping.

Create a “single source of truth.” Creating and maintaining a single repository of risk management processes, controls, relevant regulations, and tools that risk managers and assurance providers can access is the ultimate achievement for integrated assurance. A single source of truth is key to a holistic approach to risk management and assurance. It enables the governing body to make critical decisions based on clear risk insights. But less than 60% claim to have the components for that elusive single source of truth:

• 56% maintain a repository of policies, linking policies to risks and controls.
• 46% maintain a repository of regulations that link regulations to risks and controls.
• 56% map business processes that link to risk and controls.
“There is great opportunity to align on taxonomy, risk and issue ratings, clarity and coordination of coverage across different groups, and better sharing of information, none of which should interfere with how we think about, select and perform our work.”

Both the Three Lines Model and The IIA’s new Global Internal Audit Standards make clear that internal audit’s independence does not mean working in isolation. Indeed, Global Internal Audit Standard 9.5 Coordination and Reliance, requires chief audit executives to “coordinate with internal and external providers of assurance services and consider relying upon their work.”

Communication

Internal audit leaders have long campaigned for unfettered access to information as it is fundamental to effective internal auditing. Integrated assurance requires that mindset to be applied to internal audit’s work, as well. Internal auditors must be willing to share their own data and knowledge. The survey found there is room to improve in this area.

• Less than half (45%) of survey respondents say they have weekly or bi-weekly update meetings with second line colleagues operating in the same area or with similar subject matter knowledge.
• Only 40% said internal audit shares its data analytics scripts with second line functions.

Communication is key not only for building effective collaboration with assurance partners but also in keeping them informed about findings and observations during audit engagements. The survey found an encouraging:

Planning and performance

Beyond communication, coordination, collaboration, and alignment, effective integrated assurance requires internal audit to perform at a high level within its own processes. In today’s dynamic risk environment, this assumes that internal audit will be responsive and agile in its audit engagements, and flexible and resilient in its planning.

Survey data reflect a middling grade in these areas.

Most internal audit functions (82%) continue to create annual audit plans with scopes that are largely fixed. Operating rigidly within such annual plans was the norm in the past, but the demands of today’s dynamic and rapidly evolving risk landscape make that dangerous and impractical.

Continuous or rolling plans with varying levels of adaptiveness and responsiveness to change are increasingly prevalent among forward-thinking internal audit functions. As internal audit understands more about the work others are doing across the organization, they must be able to pivot and quickly adapt the audit plan as needed. The survey found:

• 40% said they apply hybrid fixed/fluid plans with rolling 3+3, 3+9, or 6+6 schedules (e.g., the next 3 months fixed scope), with the scheduled audits for the remaining months remaining adaptive and fluid to change.
• 46% indicated they had a continuously rolling audit plan.
• In terms of audit plan updates, 38% of survey respondents report they update plans annually, 15% semi-annually, and 25% quarterly.

Internal audit as an integrated assurance leader

Integrated assurance provides a significant opportunity for internal audit to take on an enhanced leadership role. This does not mean internal audit should do the work of second line functions, such as ERM, risk, or compliance. Instead, it can lead the coordination and integration of assurance functions so that the organization understands the big picture based on the totality of the work. Because of its independence from management, internal audit is well-positioned to objectively evaluate the work of first- and second-line functions, coordinate efforts across the lines, and even determine what work internal audit can rely upon, thus freeing up internal audit resources to focus on more strategic risks, ultimately leading to more-informed decision making by organizational leadership.

When it comes to resolving disagreements on taxonomy, the internal audit department should not shy away from taking the lead. While it should not dictate the taxonomy, it can play a crucial role in facilitating agreement. This can be achieved by establishing working groups with leaders from the second and third lines, and by providing joint training to ensure a mutual understanding of risk management. Such alignment does not compromise independence; rather, it fosters relationships and coordination. This coordination is not just an opportunity for the internal audit function, but a crucial responsibility. It can help minimize duplication of efforts, identify gaps in risk coverage, and enhance the overall value added by providers.
Leveraging technology

In modern business, technology is the ultimate two-edged sword. As enablers, technological breakthroughs hold the promise of improved efficiency and productivity, expanded product and service lines, and access to new markets. They also can intensify known risks, accelerate new and emerging risks, and disrupt the competitive playing field.

Beyond its risk impacts on operations and competition, technology risks grow out of IT systems in use throughout any organization. Indeed, cybersecurity remains the top-ranked risk in most risk surveys around the world.

However, shared IT systems can make integrated assurance easier. They enable assurance partners to work with the same information — the sought after single source of truth that allows each function to perform its work. Collaboration with second-line functions must include key leaders in this space including chief information officers (CIOs) and chief information security officers (CISOs). Internal audit must provide effective assurance over IT systems, as well.

How artificial intelligence fits in

Gathering, interpreting, managing, and protecting data have become critical to business success and risk management. A variety of new artificial intelligence (AI) tools introduced this decade have the potential to enhance business success, overall risk management, effective internal audit, and integrated assurance.

Natural language processing (NLP) in data analysis, large language models (LLMs) such as ChatGPT, machine learning (ML), and predictive analytics each can contribute to improved efficiency in risk management and integrated assurance. For example, NLPs and LLMs can be trained to collect and interpret data stored in different formats or unstructured texts and combine them into a single, searchable database.1

Predictive analytics, meanwhile, can use ML to extract trends, patterns, and behaviors from datasets. It can also provide insights into key risk indicators. With data mining and statistics, predictive analytics can help with risk assessment and testing of controls.2
1 Alex Hunt, “The role of artificial intelligence in risk and assurance,” Grant Thornton, Jan. 22, 2024.
2 ibid
Paving the way to Integrated Assurance: A proactive approach 13
Building a supportive culture
When implemented effectively, integrated assurance can mature into part of the workplace culture. Each player in the risk management and assurance ecosystem understands not only its role, but also how it fits into the organization’s overall goals and strategies. Klaus Moosmayer, Novartis chief ethics risk and compliance officer, writes about building trust within such systems in Risk & Compliance Magazine.

“Collaborating with the internal audit function is key to achieving a joint taxonomy and root cause analysis to enable management to exercise its duties and to keep the board informed to maintain proper oversight,” he writes in the April-June 2024 edition. “Leveraging insights from data analytics, increasing efficiency out of centralized monitoring, audits and remediation, and a continually screening new assurance topics (especially regarding evolving ESG regulations) are essential elements of an agile, developing assurance system.”

What’s more, Moosmayer writes that beyond the need for effective organizational and process setup, successful integrated assurance requires the courage to address ethical issues and, “the humility to acknowledge that no single function within a corporation ‘owns’ ethics.” Adding an assurance context makes clear that ethics is not a simple operational exercise but a focus on “company culture and societal expectations.”

He concludes, “When designed and implemented correctly, with support from senior management and the board, an ethics, risk and compliance function can drive an integrated assurance system that removes siloes in governance, risk management, compliance and internal controls, without creating unnecessary bureaucracy.”3

3 Klaus Moosmayer, “Ethics and Integrated Assurance: The Challenge of Building Trust,” Risk & Compliance Magazine, April-June Issue, 2024.
Conclusion
When properly executed, integrated assurance provides the Board / Audit Committee with a comprehensive and actionable view of risk to better drive the business forward. Even as first-, second-, and third-line functions may differ in their views of risk, integrated assurance allows for better coordination around risk management. Additionally, integrated assurance relieves the first line of assurance fatigue and allows it to remain focused on driving revenue and serving customers. It also provides internal audit the opportunity to demonstrate it can be a leader in improving risk management across the organization.