An assurance map is an important tool to help a range of groups to understand the current assurance mechanisms in place over the key risks facing an organisation. A well-designed map will articulate the sources of assurance across the Three Lines Model © and provide a snapshot of where the assurance is provided.
Whilst it is a great audit planning tool for internal audit, as there may be little or no assurance in place over a particular risk, it is also an important tool for management, the audit committee and the board. It should be a living document used as part of day-to-day business activities, not a reference document.
What is an assurance map?
It is visual – a diagram/table or a digital ‘click through’ dashboard.
It can be used to present a simple view of the sources of assurance.
Or it could be used to present the latest set of assurance results in a visual way, including the trend.
It focuses on the key risks to the organisation, the sources of assurance in place and the level of assurance provided.
There are lots of examples of different assurance maps - search ‘assurance map’ on a browser and look at the images for more inspiration.
Depending on the risk maturity of an organisation, it could be helpful to have several assurance maps in addition to the one covering the key risks: for complex or high-profile risks such as cyber, culture and ESG, for large programmes/projects, and/or for different audiences (e.g. board, audit committee, senior management) aligned to the risk escalation framework.
What are the benefits?
Board/Audit Committee
Internal Audit
In addition to the above which improves risk maturity
Creating an assurance map
It can be a major project to create an assurance map, particularly in a large or complex organisation. This can make it a daunting prospect and a valid reason for putting it off. But even a simple assurance map adds value.
This simple five-step approach is a good starting point.
One option is to ask the various departments/teams to provide information about what they do in relation to the risks identified. This carries the risk of inconsistency and, if not approached in the right way, can appear administrative and time-consuming.
The internal audit team can use their collective knowledge to populate what is known and build up through day-to-day discussions. This approach does not impact the business but can take a long time to complete.
Another option is to use the outputs from a CRSA (control risk self-assessment) exercise. This is a useful source of data when first creating an assurance map. Including details such as the 1st line function/individual providing the assurance can help to build accountability.
The Institute provides a virtual course on assurance mapping taking place 5 October 2023 and 7 February 2024.
Further reading
RSM: Board assurance: A toolkit for further education colleges
ICAEW: 10 steps to create an assurance map
HMT Guidance: Assurance frameworks guidance (GOV.UK)
The following guidance is only available if you are a member of the Chartered IIA:
Standard: 2050 Coordination and reliance
Implementation guidance: 2050 – Coordination and reliance
Supplemental guidance: Coordinating risk management and assurance
Guidance - Coordination of assurance services