The topic of corporate governance continues to be at the forefront of boards’ and regulators’ focus.
Whether it be one of the recent public sector failings, or the manipulation of financial markets, getting to grips with the risks that organisations face is harder than it used to be.
Risks are more complex and increasingly technical (for example, the prefix ‘cyber’ is now a necessary part of boardroom vocabulary) and the recognised root causes of issues often cut much deeper to the heart of the organisation, with an increasing understanding of the role that culture plays. In addition, non-executive directors now face increased expectations of their role.
The need for senior management and boards to understand the enterprise risks, the assurance provided and the effectiveness of controls has never been greater. Many are requesting more and more risk information, and some are turning to an assurance map to help provide this view.
Building an assurance map
The objective of an assurance map is to provide an overview of all assurance activity in order to better understand the risk landscape and the assurance provided (including any gaps in assurance). It could include:
- Build the audit / risk universe - To provide a picture of assurance across an organisation, you first need to map out what the organisation looks like. The most common way of doing this is to identify the audit units by risk category / individual risks, or by organisational structure (directorate / business unit) and process. Less common approaches are a view by legal entity or by product. The important factor in deciding the structure of the assurance map is understanding how the organisation is currently managed and aligning the map to the organisation's other performance management information (MI), e.g. financial MI. This supports the success of the assurance mapping because it establishes clear accountability for the management of each risk.
- Consistent risk scoring - Historically, internal audit has always maintained its own view of risk and risk scoring. However, for assurance maps to work, the organisation must have a ‘single view of the truth’ - which means a corporate understanding of the risk universe, a corporate methodology for scoring risk and a corporate methodology and language for assessing the results of assurance.
- Structure of the assurance map - Complicated assurance maps work against the primary objective of the map, which is to build a clear overview of all assurance activity. A common way of structuring the assurance map is to record the audit / risk universe (with risk scoring) on the y axis of the matrix, with the assurance providers recorded across the x axis. (A simple example of an assurance map can be downloaded from the 'related links' area of the page.)
- Build a picture of assurance - Finally, map out the conclusion from each assurance provider, against each of the audit / risk units (where applicable), highlighting the last date of review. There is also value in using some form of RAG rating to quickly identify risk hot spots.
Seems straightforward? Almost. There are a few challenges to producing and maintaining an assurance map, which can distort its interpretation if they are not fully understood by the reader:
- Definition of assurance - The first challenge is deciding which activities constitute ‘assurance’. Internal audit, as the 3rd line of defence, is easy, but how much of what the risk and compliance functions (2nd line of defence) produce is assurance? What about management as the 1st line of defence (the control owners): do they produce any assurance? Organisations must be very clear on the key attributes of assurance. These may include being evidence based, being supported by sufficient documentation, or having a clear link to the risks / controls of the organisation; however, it is for each organisation to confirm what level of assurance is acceptable for inclusion in the assurance map.
- Level of independence - Another consideration is the relative independence of the assurance provider. Is the value derived from 1st line of defence assurance any less than that provided by internal audit? 1st line of defence assurance has its place and can add significant value to the organisation, but it also runs the risk of being distorted by bias.
- Scope and extent of assurance provided - Whilst visually easy to read, RAG ratings can distort the actual comfort gained by the reader if they do not fully understand the scope of the assurance activity and the extent of testing undertaken to provide the assurance. This challenge may be lessened if the structure of the assurance map were aligned more closely to individual risks, although this level of detail may become a little unwieldy.
What is internal audit’s role in the assurance map?
In addition to being a good sense check of assurance coverage for audit committees / boards, the assurance map is a useful tool for internal audit. It helps to inform internal audit’s assessment of the enterprise-wide control environment and can be a source for identifying emerging risk events.
However, one of the risks in using the assurance map is that internal audit comes to rely solely on the work of the other lines of defence in order to avoid any duplication of effort.
As identified above, assurance from the 1st and 2nd lines of defence has its challenges and therefore must not be a total substitute for internal audit’s attention. The Chartered Institute of Internal Auditors (CIIA) issued its guidance for financial services internal audit functions in July 2013, Effective Internal Audit in the Financial Services Sector. In that guidance, the CIIA stated that ‘Internal audit must have an enterprise-wide remit - “the assurance map” cannot be carved up between the internal audit, risk and compliance functions.’
Assurance maps can be a powerful tool for internal audit and can provide great insights for senior management and the board. Before implementation, organisations should seek to align their corporate risk language, the accepted definition of assurance, and the limitations of the assurance provided by each line of defence. Being cognisant of these challenges will allow users to take appropriate comfort from the assurance received, maximising its value.
Aaron Oxborough is an internal audit director at PwC, specialising in the insurance industry