Mapping assurance to support the audit committee

An assurance map is an invaluable tool to help internal audit communicate clearly with the audit committee. Assurance is complex and internal audit is just one source that the audit committee relies upon; understanding who provides assurance over what and where the gaps are is critical for robust oversight of the organisation. 

The COVID-19 crisis has thrown organisations into disarray; imagine for a moment you are a member of the audit committee providing oversight at the moment…what and who can you trust?

Internal audit can provide a simple, relevant and easy to read table on a page that guides the audit committee to answer this question: an assurance map.

Let’s take a quick look at what an assurance map is, the benefit of having one and how you can create one today.

 


What is an assurance map?

A well-constructed assurance map focuses on the key risks to the organisation, the sources of assurance and the level of comfort provided. It can also focus on key controls.

In addition to independent assurance over key risks, as appropriate internal audit should also provide assurance over the quality of first and second-line assurance providers.

An assurance map is visual and can be used in a variety of ways from presenting a basic picture of assurance resources.

 

Or it could be used to present the latest set of assurance results in a visual way, including the trend.

 

Even without any knowledge of the risks or the organisation, using this example it is possible to ask:

  • Why do the compliance and risk functions have a different perspective on cyber to internal audit and the cyber function?
  • What non-financial risk did external audit miss on risk 2?
  • Is there sufficient assurance over risk 3? Is this a board level risk?
  • Where is the agenda item to discuss risk 4 in detail?
  • Is there too much assurance over risk 5?

A useful toolkit is freely available from RSM, designed for the education sector. The guidance and templates provided as part of the toolkit are easily transferable to any organisation. Appendix 5 is a good example of how to summarise assurance information for the audit committee.


Why are they worth the effort?

An assurance map brings an organisations risk appetite to life. At the same time as highlighting assurance gaps, it also shows where there is duplication or too much assurance. It is a simple way of aligning assurance resource, risk and internal control. 

It improves awareness of the control environment by looking across the organisation rather than at individual reports which can lead to siloed thinking. 

It drives positive behaviours by enabling robust discussions about risk, educating on the value of assurance and aiding collaboration between functions. 

Collectively, the assurance community of an organisation often has a more powerful voice when it works together; an assurance map is a practical platform benefiting all parties. 

It also supports Performance Standard 2050


Creating an assurance map

ICAEW has a comprehensive 10 step approach to producing an assurance map. This is an ideal world approach and may take too long and be too resource intensive during the current crisis. It can be adapted and where relevant data is not readily available, a prudent approach should be taken to produce a basic document. It is better to begin than not to start…it can be refined in the weeks to come with the support of the business and the audit committee.


Call to action

We suggest a simplified approach to create a ‘starter for ten’ today using internal audit knowledge. 

  1. On a spreadsheet, identify down the side the critical elements for your organisation today – that might be risks, controls or processes or even a combination to make it relevant and meaningful.
  2. Now identify across the top all of the functions that provide assurance to the board or external parties against those elements.
  3. Using existing data, populate the latest assurance opinion from each provider.
    - If data is not routinely shared with internal audit, this is a good time to request it and start to build relationships.
    - In an ideal world everyone will use the same rating scale, if not, use what they have. If there is no rating scale in use, use whatever language the board understands, do not introduce something new at this point, it can be modified and refined later.
  4. Using recent internal audits, populate the internal audit opinion.
  5. Review and challenge the assurance map (ideally as a virtual team meeting); ask all the who, what, why, where, when, how questions such as what is missing on either axis, who should fill that gap, which is the most trustworthy assurance where there is duplication and how does our audit plan relate to this?
  6. Share the draft assurance map with the audit committee chair. In addition to starting the discussion about the provision of assurance, they may have a different perspective on the critical elements...and so the process of refining and maintaining the document begins. 

In addition to member guidance on the topic, the Institute has created a virtual course on assurance mapping taking place in June 2020. All courses are open to non-members. 


Further reading

RSM: Board assurance: A toolkit for further education colleges

ICAEW: 10 steps to create an assurance map

The following guidance is only available if you are a member of the Chartered IIA:

Standard: 2050 Coordination and reliance

Implementation guidance: 2050 – Coordination and reliance

Supplemental guidance: Coordinating risk management and assurance

Guidance - Coordination of assurance services