Assurance mapping
Internal audit is one of many sources of assurance that boards and audit committees rely on in their oversight role. In many organisations this can create a complex or even conflicting picture. An assurance map is a practical tool for chief audit executives (CAEs) to use on multiple levels: creating the audit plan, demonstrating the depth of, and gaps in, assurance and developing the audit strategy.
With uncertainty and volatility across the risk landscape, it is crucial that CAEs are able to advise on potential changes within the control environment. This guidance explores the benefits of assurance mapping, faces up to the challenges of introducing the concept and outlines an approach to creating one.
What is an assurance map?
An assurance map is a structured way of identifying and presenting the sources of assurance over how risks are being managed. It is an essential element of mature risk management practices. It considers all types of assurance:
- 1st line – management, owning and managing the risk
- 2nd line – oversight, specialists, risk functions, usually reporting to management
- 3rd line – independent oversight, internal audit
And potentially a fourth in some instances:
- 4th line – external oversight, external audit, certification assessors (e.g. BSI), regulators
A map is visual and can be used in a variety of ways, from presenting a basic picture of assurance resources to also showing the frequency of the assurance.
Even without any knowledge of the risks or the organisation, it is possible to ask:
- Why does internal audit support the cyber perspective on risk 1? Why the difference?
- What non-financial risk did external audit (EA) miss on risk 2?
- Is there sufficient assurance over risk 3? Is this a board-level risk?
- Where is the agenda item to discuss risk 4 in detail?
- Is there too much assurance over risk 5?
An enterprise level assurance map (the whole organisation) should ideally be aligned to risks; underpinning risk-based internal auditing and providing the board with visibility that the organisation is operating within risk appetite. It is also practical and insightful to align to objectives, core processes or risk themes. There are no set rules. For an assurance map to be of value it must be relevant to the organisation taking into consideration its risk maturity and culture.
Benefits and challenges
The key benefit for the organisation is the effective and efficient use of resources to provide assurance. An assurance map highlights areas where excessive assurance has built up over time, perhaps due to a historic issue or a reassessment of risk. Importantly, it also highlights gaps and areas where there is over-reliance on internal audit.
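As an added illustration (not part of this guidance), the gap, over-reliance and excess checks described above, run over a constructed spreadsheet-style map; the risks, providers, frequencies and the excess threshold are invented for the example.

```python
"""Assurance-map gap analysis across the Three Lines Model (constructed example)."""
from collections import defaultdict

# Lines of assurance as used in the guidance; the fourth is optional.
LINES = ("1st", "2nd", "3rd", "4th")

# Constructed enterprise-level map: risk -> list of (line, provider, reviews per year).
# All risks, providers and frequencies below are illustrative, not real data.
ASSURANCE_MAP = {
    "Cyber resilience":     [("1st", "IT operations", 12), ("2nd", "Information security", 4),
                             ("3rd", "Internal audit", 1), ("4th", "Certification assessor", 1)],
    "Sales incentive data": [("3rd", "Internal audit", 1)],
    "Supplier payments":    [("1st", "Finance", 12), ("2nd", "Procurement compliance", 4),
                             ("2nd", "Finance controls", 4), ("3rd", "Internal audit", 2),
                             ("4th", "External audit", 1)],
    "Data privacy":         [("2nd", "Data protection officer", 2)],
    "Safeguarding":         [],
}


def classify(activities, excess_threshold=4):
    """Label one risk's assurance picture.

    gap           - no assurance recorded at all
    over-reliance - only internal audit (3rd line) provides assurance
    excess        - more assurance activities than the (assumed) threshold
    covered       - management or oversight (1st/2nd) plus an independent view (3rd/4th)
    partial       - anything else, e.g. a 2nd-line review with no independent check
    """
    lines = {line for line, _, _ in activities}
    if not lines:
        return "gap"
    if lines == {"3rd"}:
        return "over-reliance"
    if len(activities) > excess_threshold:
        return "excess"
    if lines & {"1st", "2nd"} and lines & {"3rd", "4th"}:
        return "covered"
    return "partial"


def analyse(assurance_map):
    """Return a label per risk and, for the board view, activity counts per line."""
    labels = {risk: classify(acts) for risk, acts in assurance_map.items()}
    coverage = defaultdict(int)
    for acts in assurance_map.values():
        for line, _, _ in acts:
            coverage[line] += 1
    return labels, dict(coverage)


if __name__ == "__main__":
    labels, coverage = analyse(ASSURANCE_MAP)
    for risk, label in labels.items():
        print(f"{risk:<22} {label}")
    print("activities per line:", coverage)
```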
The benefits table relates to mapping at an enterprise level, although maps can also be created for sizeable projects or complex programmes of activity. Such temporary maps provide a clear picture of assurance over different phases and elements, and also act as a steering mechanism.
Global Standard 9.5 recognises that internal audit is not the only provider of assurance in an organisation, stating that the CAE should share information, coordinate activities and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of effort.
To enable auditors to place reliance upon the results of others, CAEs must first be confident in the quality of their work. Using a map to decide which areas to evaluate is useful and the findings could also be shown in some form on the overall map to share with the board/audit committee.
For CAEs that have not previously engaged with this concept, it can appear an overwhelming task, especially if working solo or with a small team. Mary Hardy, Head of Risk Assurance for the London 2012 Olympic and Paralympic Games and now a NED on various boards, has often cited it as an invaluable tool in ensuring both 2012 Games were successful.
To validate for yourself the value of assurance mapping, take a moment to think about the critical risks and processes and how confident you are that risk ownership is clear. Are first line employees taking responsibility for risk management? Is there effective challenge over key internal controls without reliance on an internal audit review?
Each potential barrier that the business foresees can also be viewed as a benefit, with additional opportunities for internal audit, as shown below. For example, there may be negative reactions to highlighting assurance gaps, as it generates discussion about additional resource requirements, cost, changing particular roles and outsourcing. Highlighting gaps is imperative for CAEs, and the ensuing conversations also provide an opportunity for a constructive discussion around risk appetite: which risks can be tolerated and where assurance is really needed when resources are limited.
Getting started
As previously stated, for an assurance map to be of value it needs to be appropriate and proportionate to the complexity, culture and risk maturity of an organisation. The process below is a generic guide to getting started. Examples of assurance maps have been included here.
The nature of an assurance map is such that only a CAE or head of risk is in a position to create it. And it does require creation; it will not happen by itself. Fear not! This is not an altruistic task for the busy CAE just to court favour with the audit committee; it is an expedient way to ensure the best use of internal audit resource to deliver holistic, comprehensive assurance, confident in the knowledge of what others are doing and when, working collaboratively without compromising independence and, in so doing, also complying with IPPF standard 9.5.
Depending on budget and the complexity of the task, there is a variety of software that can be explored, although spreadsheets are an equally good tool for creating maps: readily available, easy to use and adaptable. Data can be consolidated and exported into other formats for reporting, including data visualisation tools for board reporting. The benefit of data visualisation tools is that information can be clicked into to provide the detail if questions are asked, rather than having to go back at a later date, by which point the discussion has lost value.
The data required by the assurance community, particularly internal audit in an assurance coordinator role, is more granular than that required by the board and senior management. At the detail level, for example, it is useful to capture the assurance mechanics for accurate sales incentive scheme data across the Three Lines Model: what is done, how often, where it is reported to, what measures are used, performance criteria and so on. This would be consolidated as a cost/performance line for senior management and consolidated again within performance controls for the board. Could robust assurance mapping have highlighted issues at Carillion, Debenhams, Oxfam, Wells Fargo and the other scandals that have led to the need to restore trust in audit and corporate governance?
Closing thoughts
When risks materialise the spotlight falls on the assurance community: who did what, who said what to whom. There is a requirement for open, honest, transparent communication about the management of risk and the effectiveness of internal controls. It is also a requisite that plans to address weaknesses are identified and tracked to completion, or that risk acceptance is documented. The assurance community, particularly CAEs and heads of risk, must be able to collectively demonstrate their role in the governance of an organisation. Assurance mapping offers a practical solution and the opportunity to support effective decision-making and strategic success.