Combined Assurance: Why It Threatens Audit Independence

Combined assurance promises the board one clean view of risk. But merging execution dilutes the independence of the only function whose job is to check.

AUTHOR

Atiq Bajwa

Founder & CEO

Combined assurance is the coordination of assurance activities across an organization (the first line, the second line, and internal audit) so the board receives one consolidated view of risk and control coverage. It is promoted in governance codes such as King IV and sits on top of the IIA's Three Lines Model.

The intent is to reduce duplication and "assurance fatigue." The problem is how it is usually implemented: by merging the work itself, not just the reporting.

What the Three Lines Really Are

Strip away the diagrams and the model is simpler than it looks.

The first line implements. It owns the policies, the procedures, and the controls embedded in day-to-day operations. It is the doer.

The second line advises. In most organizations it develops, or supports the development of, the policies and frameworks the first line operates. It is, in effect, the in-house consultant. The one partial exception is compliance, which performs a narrow checking role: it asks whether the organization is compliant or non-compliant, not whether a control is well designed or actually works.

The third line, internal audit, is the only function whose entire reason for existing is to independently evaluate both the design and the operating effectiveness of controls, and to say so without fear or favour.

Those are three fundamentally different activities. Doing, advising, and independently checking are not variations of the same task. They are different jobs, with different incentives, different skills, and, critically, different relationships to the truth.

The Three Lines at a Glance

| Line | Core job | Independent check on controls? |
| --- | --- | --- |
| First line | Implements and owns the controls | No |
| Second line | Advises; builds the frameworks (compliance checks narrowly) | Partial (compliance only) |
| Internal audit | Independently evaluates control design and effectiveness | Yes |

The Inconvenient Reality

Combined assurance quietly assumes these activities can be pooled into one coherent picture. In practice, they cannot, because the incentives do not align.

The first line will not volunteer its own significant control failures. Not because people are dishonest, but because no operating function is structurally motivated to advertise the gaps it is responsible for. That is human, and it is universal.

The second line, advisory by nature, is often assessing frameworks it helped create. Compliance aside, much of the second line is in no position to challenge work it had a hand in shaping.

That leaves internal audit as the only genuinely independent check on whether controls are designed properly and working. It is the one voice in the system with both the mandate and the independence to say "this does not work."

So when we "combine" assurance, what are we actually combining? We blend the candour-constrained first line, the largely advisory second line, and the one independent function, then present the result as a single, reassuring view.

The most independent voice gets averaged into the least independent ones, and the board ends up with consolidated comfort rather than independent challenge. That is not assurance. That is the appearance of assurance.

Coordinate the Lines, Don't Converge Them

None of this means the lines should work in isolation. They should absolutely share a common risk taxonomy, align their planning calendars, map who covers what, and report through a consolidated dashboard so the board can see coverage and gaps at a glance.

But there is a world of difference between combined reporting and combined execution.

| Dimension | Combined Reporting (do this) | Combined Execution (avoid this) |
| --- | --- | --- |
| What is combined | The outputs, mapped and consolidated | The work itself: planning, scoping, doing |
| Who does the work | Each line, to its own standards | One coordinated machine |
| Audit independence | Fully protected | Compromised |
| Board outcome | One view + independent challenge | One view + diluted scepticism |
| Standards fit | Aligned with the Three Lines Model | At odds with audit independence |

I am entirely in favour of the first. Independent execution, aligned reporting. Each function does its own work, to its own standards, answering to its own accountabilities, and then the outputs are mapped and consolidated for the board.

The board gets its single view. Internal audit keeps its independence. Nobody's scepticism is diluted on the way to a tidy slide.

What I resist is the version that merges the doing, the advising, and the checking into one operationally coordinated machine and calls the output independent. It is not. The moment the only independent function is asked to plan, scope, or soften its work in service of a unified picture, the picture stops being worth having.

The Bottom Line

Combined assurance, as commonly practised, optimises for the board's comfort and the organisation's efficiency. Those are not bad goals. But assurance does not exist to make boards comfortable. It exists to tell them the truth, including the parts they would rather not hear, and the function most able to do that is the one combined assurance is most likely to compromise.

Coordinate the calendars. Share the taxonomy. Consolidate the dashboard. But let each line do its own work, and protect, fiercely, the independence of the only line whose job is to check.

That is a model I can defend to any board. Combined assurance, in its popular form, is not.

Key Takeaways

  • Combined assurance coordinates assurance across the three lines into one board view; it is promoted in governance codes and built on the Three Lines Model.

  • The first line implements, the second line advises, and only internal audit independently checks control design and effectiveness.

  • The incentives don't align: the first line won't advertise its own gaps, and the advisory second line often assesses frameworks it helped build.

  • Merging execution averages the one independent voice into the least independent ones, producing the appearance of assurance.

  • Combined reporting is valuable; combined execution is not.

  • Share the taxonomy, align calendars, consolidate the dashboard, but protect internal audit's independence to plan, scope, and report its own work.

Frequently Asked Questions

What is combined assurance?

What is the difference between combined reporting and combined execution?

Why can combined assurance threaten internal audit independence?

Is combined assurance required by the Three Lines Model?

Atiq Bajwa

Chief Risk Officer at Sulaiman AlRajhi Holding & Founder of DERISKED

A risk, resilience, and governance expert with over 37 years of experience in enterprise risk management, business continuity, and operational resilience, recognized as the GCC’s Top BCM Professional of the Year by DRI International
