Practice Advisory 2050-2:

Assurance Maps

Primary Related Standard

2050 Coordination
The chief audit executive should share information and coordinate activities with other internal
and external providers of assurance and consulting services to ensure proper coverage and
minimize duplication of efforts.

1. One of the key responsibilities of the board is to gain assurance that processes are
operating within the parameters it has established to achieve the defined objectives. It is
necessary to determine whether risk management processes are working effectively and
whether key or business-critical risks are being managed to an acceptable level.

2. Increased focus on the roles and responsibilities of senior management and boards has
prompted many organizations to place a greater emphasis on assurance activities. The
Standards Glossary defines assurance as “an objective examination of evidence for the
purpose of providing an independent assessment on governance, risk management, and
control processes for the organization.” The board will use multiple sources to gain reliable
assurance. Assurance from management is fundamental and should be complemented by
the provision of objective assurance from internal audit and other third parties. Risk
managers, internal auditors, and compliance practitioners are asking: “Who does what and
why?” Boards in particular are beginning to question who is providing assurance, where is
the delineation between the functions, and if there are any overlaps.

3. There are fundamentally three classes of assurance providers, differentiated by the

stakeholders they serve, their level of independence from the activities over which they
provide assurance, and the robustness of that assurance.

Those who report to management and/or are part of management (management

assurance), including individuals who perform control self-assessments, quality
auditors, environmental auditors, and other management- designated assurance
personnel.
Those who report to the board, including internal audit.
Those who report to external stakeholders (external audit assurance), which is a role
traditionally fulfilled by the independent/statutory auditor.

The level of assurance desired, and who should provide that assurance, will vary depending
on the risk.

4. There are many assurance providers for an organization.

Line management and employees (management provides assurance as a first line of

defense over the risks and controls for which they are responsible.)
Senior management
Internal and external auditors
Compliance
Issued: July 2009 PA 2050-2
Revised: Page 1 of 3

© 2009 The Institute of Internal Auditors

 Quality assurance
Risk management
Environmental auditors
Workplace health and safety auditors
Government performance auditors
Financial reporting review teams
Subcommittees of the board (e.g., audit, actuarial, credit, governance)
External assurance providers, including surveys, specialist reviews (health and safety),
etc.

5. The internal audit activity will normally provide assurance over the entire organization,
including risk management processes (both their design and operating effectiveness),
management of those risks classified as “key” (including the effectiveness of the controls
and other responses to them), verification of the reliability and appropriateness of the risk
assessment and reporting of the risk and control status.

6. With responsibility for assurance activities traditionally being shared among management,
internal audit, risk management, and compliance, it is important that assurance activities
be coordinated to ensure resources are used in the most efficient and effective way. Many
organizations operate with traditional (and separate) internal audit, risk, and compliance
activities. It is common for organizations to have a number of separate groups performing
different risk management, compliance, and assurance functions independently of one
another. Without effective coordination and reporting, work can be duplicated or key risks
may be missed or misjudged.

7. While many organizations monitor the activities of internal audit, risk, and compliance, not all
view all their activities in a holistic way. An assurance mapping exercise involves mapping
assurance coverage against the key risks in an organization. This process allows an
organization to identify and address any gaps in the risk management process and gives
stakeholders comfort that risks are being managed and reported on, and that regulatory and
legal obligations are being met. Organizations will benefit from a streamlined approach,
which ensures the information is available to management about the risks they face and
how the risks are being addressed. The mapping is done across the organization to
understand where the overall risk and assurance roles and accountabilities reside. The aim
is to ensure that there is a comprehensive risk and assurance process with no duplicated
effort or potential gaps.

8. Often an organization will have defined the significant risk categories that make up its risk
management framework. In such cases, the assurance map would be based on the
structure of this framework. For example, an assurance map could have these columns:

Significant risk category

Management role responsible for the risk (risk owner)
Inherent risk rating
Residual risk rating
External audit coverage
Internal audit coverage
Other assurance provider coverage

Issued: July 2009 PA 2050-2

Revised: Page 2 of 3

© 2009 The Institute of Internal Auditors

 In this example, the chief audit executive (CAE) would populate the internal audit coverage
column with recent coverage. Often each significant risk has a risk owner or a person
responsible for coordinating assurance activities for that risk and that person would populate
the other assurance provider coverage column. Each significant unit within an organization
could have its own assurance map. Alternatively, the internal audit activity may play a
coordinating role in developing and completing the organization’s assurance map.

9. Once the assurance map for the organization has been completed, significant risks with
inadequate assurance coverage, or areas of duplicated assurance coverage, can be
identified. Senior management and the board need to consider changes in assurance
coverage for these risks. The internal audit activity needs to consider areas of inadequate
coverage when developing the internal audit plan.

10. It is the responsibility of the CAE to understand the independent assurance requirements of
the board and the organization, to clarify the role the internal audit activity fills and the level
of assurance it provides. The board needs to be confident that the overall assurance
process is adequate and sufficiently robust to validate that the risks of the organization are
being managed and reported on effectively.

11. The board needs to receive information about assurance activities, both implemented and
planned, in regard to each category of risk. The internal audit activity and other assurance
providers offer the board the appropriate level of assurance for the nature and levels of risk
that exist in the organization under the respective categories.

12. In organizations requiring an overall opinion from the CAE, the CAE needs to understand
the nature, scope, and extent of the integrated assurance map to consider the work of other
assurance providers (and rely on it as appropriate) before presenting an overall opinion on
the organization’s governance, risk management, and control processes. The IIA’s Practice
Guide Formulating and Expressing Internal Audit Opinions provides additional guidance.

13. In instances where the organization does not expect an overall opinion, the CAE can act as
the coordinator of assurance providers to ensure there are either no gaps in assurance, or
the gaps are known and accepted. The CAE reports on any lack of input/involvement/
oversight/assurance over other assurance providers. If the CAE believes that the assurance
coverage is inadequate or ineffective, senior management and the board need to be advised
accordingly.

14. The CAE is directed by Standard 2050 to coordinate activities with other assurance
providers; the use of an assurance map will help achieve this. Assurance maps increasingly
offer an effective way of communicating this coordination.

***

Issued: July 2009 PA 2050-2

Revised: Page 3 of 3

© 2009 The Institute of Internal Auditors