Five steps to create an assurance map

An assurance map is an important tool to help a range of groups to understand the current assurance mechanisms in place over the key risks facing an organisation. A well-designed map will articulate the sources of assurance across the Three Lines Model © and provide a snapshot of where the assurance is provided.  

Whilst a great audit planning tool for internal audit, as there may be little or no assurance in place over a particular risk, it is also an important tool for management, the audit committee and the board. It should be a living document that forms part of day-to-day business activities, not a reference document.


What is an assurance map?

It is visual – a diagram/table or a digital ‘click through’ dashboard.

It can be used to present a simple view of the sources of assurance.

 

Or it could be used to present the latest set of assurance results in a visual way, including the trend.

It focuses on the key risks to the organisation, the sources of assurance in place and the level of assurance provided.

There are lots of examples of different assurance maps - search ‘assurance map’ on a browser and look at the images for more inspiration.

Depending on the risk maturity of an organisation, in addition to the key risks, it could be helpful to have several assurance maps: for complex or high-profile risks such as cyber, culture and ESG, for large programmes/projects, and/or for different audiences (e.g. board, audit committee, senior management) aligned to the risk escalation framework.


What are the benefits?

Board/Audit Committee

  • An assurance map brings an organisation’s risk appetite to life.
  • It highlights assurance gaps and shows where there is potential duplication or too much assurance – which management can address. For example, a risk averse appetite to a particular risk should see a range of assurance mechanisms in place. The same risk with a higher appetite would have fewer sources of assurance detailed on the map.
  • It provides evidence when producing statutory governance statements concerning the control environment.
  • It provides a comprehensive view of the control environment by looking across the organisation rather than at individual reports.
  • It raises understanding of the risk profile and strengthens ownership of controls across the first and second line.
  • It breaks down siloed thinking. 
  • It drives positive behaviours by enabling robust discussions about risk, educating on the value of assurance and aiding collaboration between functions. 

Internal Audit

In addition to the above, which improves risk maturity:

  • It enables effective use of internal audit resource in defining the audit plan.
  • It helps internal auditors when scoping an engagement and when discussing findings.
  • It demonstrates conformance with the Standards (2050).
  • It facilitates a consistent assurance language across the organisation.
  • It encourages consolidated, proportionate and appropriate reporting across the three lines.
  • It enables better use of assurance skills and resources across the three lines.

Creating an assurance map

It can be a major project to create an assurance map, particularly in a large or complex organisation. This can make it a daunting prospect and a valid reason for putting it off. But even a simple assurance map adds value.

This simple five step approach is a good starting point.

  1. On a spreadsheet, identify down the left-hand side the critical elements for your organisation today – this is typically the key risks facing the organisation.
  2. Then identify across the top all the functions that provide assurance to the board/audit committee including external parties. This should be categorised within the three lines model - first line (Management), second line (oversight functions such as risk and compliance), third line (internal audit) and fourth line (other independent external assurance such as external audit, regulators and independent legal counsel).
  3. Populate the detail.

One option is to ask the various departments/teams to provide information about what they do in relation to the risks identified. This carries the risk of inconsistency and if not approached in the right way can appear administrative and time consuming.

The internal audit team can use their collective knowledge to populate what is known and build up through day-to-day discussions. This approach does not impact the business but can take a long time to complete.

Another option is to use the outputs from a CRSA (control risk self-assessment) exercise. This is a useful source of data when first creating an assurance map. Including details such as the 1st line function/individual providing the assurance can help to build accountability.

  4. Review and challenge the assurance map (ideally in a group meeting); ask all the who, what, why, where, when, how questions such as what is missing on either axis, who should fill that gap, which is the most trustworthy assurance where there is duplication, etc.
  5. Once the map is populated and the executive are happy with the draft, share the draft map with the audit committee chair. In addition to starting the discussion about the provision of assurance, they may have a different perspective on the critical elements...and so the process of refining and maintaining the document begins.

The Institute provides a virtual course on assurance mapping taking place 5 October 2023 and 7 February 2024.  


Further reading

RSM: Board assurance: A toolkit for further education colleges

ICAEW: 10 steps to create an assurance map

HMT Guidance:  Assurance frameworks guidance - GOV.UK (www.gov.uk)

The following guidance is only available if you are a member of the Chartered IIA:

Standard: 2050 Coordination and reliance

Implementation guidance: 2050 – Coordination and reliance

Supplemental guidance: Coordinating risk management and assurance

Guidance - Coordination of assurance services
