250. Every listed company must put in place a Combined Assurance to –
a) coordinate the work of all assurance providers that, either directly or indirectly, provide the board and management with certain assurances;
b) provide a communication forum for the work of internal audit, external audit, third party assurance providers and management in support of the need to report in an integrated and holistic manner to the audit committee;
c) standardize risk assessment processes and foster the use of a common risk language in order to promote comparability across the company;
d) discuss and create common approaches to risk management and coordinate management control self-assessments; and
e) ensure that a combined assurance report is presented to the risk committee quarterly.

251. The key stakeholders in the combined assurance process are the internal audit unit, the
external auditors and management.

252. The internal audit unit should –
(a) annually conduct a formal and documented review of the design, implementation and
effectiveness of internal financial controls;
(b) provide independent assurance on the integrity and robustness of the risk management processes and a written assessment of the effectiveness of the system of internal control and risk management to the Board;
(c) evaluate governance processes including ethics and setting the right “tone at the top”.
(d) assure the Board that the combined assurance model is coordinated to best optimize
costs, avoid duplication and prevent an assurance overload; and
(e) report to the audit committee on how management has or will repair deficiencies in
the system of governance and the risk control framework.

• According to the NATIONAL CODE ON CORPORATE GOVERNANCE ZIMBABWE