IIA South and IIA East

Assurance Mapping
2nd February 2018

David Alexander
daa.risk@gmail.com
07584 092411
TODAY’S PROGRAMME
• Examine the benefits and pitfalls associated with assurance mapping

• Review examples and highlight where to look for further guidance

• Examples from delegates – successes and challenges

• Try to bring Assurance Mapping to life!


Initial audience feedback (via Slido)

1. How well does your organisation embrace the 3LOD concept?

Completely: 28% Mostly: 28% Partially: 20% Limited: 24%

2. Has anyone used an assurance map in your organisation?

Yes: 66% No: 17% Don’t Know: 17%

3. If you asked your Audit Committee chair, what would be their prime source of assurance that the risk and control framework is working effectively?

Exec Management: 3% 2nd Line: 0% Internal Audit: 97%


There is a ton of Guidance:

• IIA

• ICAEW

• OECD

• EU

• Professional firms
Some Quotes
• “Assurance mapping – it’s too complicated, too time consuming – I’ve got an audit plan to complete!” (HIA)

• “Nobody’s really interested, apart from the Head of Audit, who uses it to tell us how to do our jobs better!” (Compliance Manager)

• “Apart from IA, has anyone else in our company got the word “assurance” in our job description? No – so why are you telling me I have to do it?” (Risk Manager)

• “The results and comments to date have been very encouraging …..” (HIA City Council)
Assurance …..

…. is an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organisation.

An Assurance Map ……

….. is a structured means of identifying and mapping the main sources and types of assurance in an organisation, and coordinating them to best effect.

An assurance map is the tool that enables the evidence to be assembled. It also provides the evidence that may be needed to support:

• management confidence in their assertions;

• audit committee assurances to the board on the state of internal controls; and

• public statements by the board as to the state of internal control.

In a smaller or less complicated organisation a full assurance map will not be needed.

However, the same principles apply and the assurance mapping approach can still be a useful guide for thinking through the connection between risk management and assurance.
2050-2 Assurance Maps

The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

There are fundamentally three classes of assurance providers, differentiated by the stakeholders they serve, their level of independence from the activities over which they provide assurance, and the robustness of that assurance.

• Reporting to: 1. Management; 2. the Board; and 3. external stakeholders


It is the responsibility of the CAE to understand the independent assurance requirements of the board and the organization, to clarify the role the internal audit activity fills and the level of assurance it provides.

In organizations requiring an overall opinion from the CAE, the CAE needs to understand the nature, scope, and extent of the integrated assurance map to consider the work of other assurance providers (and rely on it as appropriate) before presenting an overall opinion on the organization's governance, risk management, and control processes.
Extract from OECD report post financial crisis

“At the moment, there is a sense in which assurance simply happens. It is not a planned activity in the way in which parts of it are executed: ……. for example most internal audit departments normally prepare an annual plan which is presented to and discussed with the Audit Committee.

However, there is rarely an overall, documented plan for the totality of assurance that is required at board level and which the board needs to provide to other stakeholders.”

In order to assess the requirements for resources and funding for assurance purposes, the board should annually prepare or update an assurance map which should as a minimum:

1. Document the people to whom assurance is required to be provided (eg regulators, investors, customers and so on), the nature of the assurance, how that assurance is to be provided and how the board is going to satisfy itself that the assurance that is being provided is truthful, correct and appropriate in all the circumstances.

2. Document the manner in which the board will seek and obtain assurance that what they are told is happening in respect of the business is indeed happening in order to discharge the assurance aspects of their Corporate Governance duties to exercise risk management oversight.

3. Document the way in which the board is assessing, monitoring and managing the risk management culture, and progress towards becoming a risk intelligent organisation.
ASSURANCE MAPS – THE PRINCIPLES (2015)

“…. ensuring the disparate assurance mechanisms are harnessed and focused to provide the best results in a proportionate and effective manner.”
Pre-requisites for successful creation of an assurance
framework include:
• Support and direction from the board and ownership for the framework at
Board level;
• Clarity on what you want it to achieve (particularly encompassing Board needs);
• Building the framework first within a manageable boundary (beginning with the
high level strategic and key process risks);
• Simplicity – don’t try to cover too much in a single assurance map (some
organisations have different maps at different levels or separate maps for
planning and evaluation); and
• Avoid technical jargon; processes should aim to foster a common clearly
understood language.
http://www.anao.gov.au/
BENEFITS FOR BOARDS AND SENIOR MANAGEMENT

• Provides timely and reliable information on the effectiveness of the management of major strategic and operational risks and significant control issues.

• Provides an opportunity to identify gaps in assurance needs that are vital to the organisation, and to address them in a timely, efficient and effective manner.

• Can be used to raise understanding of the risk profile, and strengthen accountability and clarity of ownership of controls and assurance thereon, avoiding duplication or overlap.
• Can clarify, rationalise and consolidate multiple assurance inputs, providing greater oversight of assurance activities.

• Facilitates better use of assurance skills and resources.

• Ultimately allows the analysis and comparison of assurance against the totality of internal controls. This enables evidence based corporate reporting and statements about the effectiveness of internal controls to be properly supported in a structured manner.
BENEFITS FOR THE RISK AND AUDIT COMMITTEES

• Assists them in understanding the current state of assurance, highlighting areas of low coverage, extensive or over coverage and gaps in understanding.

• Allows decisions about relative risk to be made and direction provided to Internal Audit and other assurance provider resources to fill any gaps.

• Allows better evidence to be assembled to support the assurances provided to the Board on the state of internal control, as well as public reports on governance and statement of internal control.
BENEFITS FOR INTERNAL AUDITORS

• Enables them to evaluate the state of risk and control more quickly and more effectively and in line with management perspectives.

• Enables them to focus their effort where there are gaps in the first and second lines of defence and to include providing an independent assessment of the quality of assurance provided by the first and second lines of defence.

• Relates the state of risk after internal audit engagements to the totality of internal control and identifies pervasive issues more easily.

• Enables them to report more readily on their own perspective of the state of internal control based on the extent of their own work and evaluation of the management profile as set out in the assurance map.
BENEFITS FOR EXTERNAL ASSURANCE PROVIDERS

• Enables the auditors to identify risk and focus more quickly and easily on the key issues likely to impact the external audit or other assurance engagement.

• Aids their understanding of the overall control environment as required by auditing and other assurance standards.

• Enables the reliability of internal audit to be identified more readily. It will also help to focus on the areas where reliance might be placed and the extent to which reliance might be placed.

• Also helps to identify the actual state of internal control prior to the external assurance engagement, and where any work may need to be focused.
Without an assurance map …….

…… it is unlikely that the audit and risk committees will have access to a sufficiently well-structured analysis or assurance to enable them to evidence, safely, their satisfaction with the state of internal control.

At the very least, the assurance map will enable the members of the committees to focus on those specific areas that remain a concern.

With an assurance map ……

…. the board will have evidence to support its assertions as to the state of internal control in any public reports and as communicated to the external auditors and shareholders.

…. the assurance-related work of the individuals operating within the lines of defence can be best directed to avoid overlaps.
Pitfalls ….. Vision v. Reality

Other Pitfalls …..
• Attempting to create an “all encompassing” map that quickly becomes over-engineered and complex and can fail to produce the required information.

• Relying on out-of-date or irrelevant assurances. For example:
o an external review of information security may have been carried out 18 months ago but the organisation may have implemented new IT systems since then; or
o the last IA review may be 1 year old but management have a more up-to-date report on recent improvements (or Op Risk may have a report on a recent incident).

• There may be too many gaps and no-one wants to admit to owning a gap!
King III (2009)

“The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities”

While management does provide extensive risk assurance through performance management and reporting, it is not factored into combined assurance as this would require comment/ evaluation on its effectiveness as management.
King IV (2016)

The governing body should oversee that the combined assurance model is designed and implemented to cover effectively the organisation’s significant risks and material matters through a combination of the following assurance service providers and functions as is appropriate for the organisation:

1. The organisation’s line functions that own and manage risks.
2. The organisation’s specialist functions that facilitate and oversee risk management and compliance.
3. Internal auditors, internal forensic fraud examiners and auditors, safety and process assessors, and statutory actuaries.
4. Independent external assurance service providers such as external auditors.
5. Other external assurance providers such as sustainability and environmental auditors, external actuaries, and external forensic fraud examiners and auditors.
6. Regulatory inspectors.
The best assurance maps are inside the “Head” of Internal Audit

Awareness and insight of the key sources of assurance are core to annual audit planning and the development of the HIA’s overall opinion on risks and controls.
Practical Steps Forward ……
• Collaborate
• Find a champion (hopefully the AC Chair)
• Try it for one or two risk categories
• Use facilitated workshops (with guidance)
• Anticipate the pitfalls
• Take input from co-source and external audit
• Look for quick wins – anomalies, red flags, ….
• Care how “gaps” may be perceived
• Present to CEO (& exec), then AC Chair (& Committee)
What can Assurance Mapping learn from Cricket?

Football now has VAR ….. Tennis has Hawkeye ….. And Cricket has the 3rd umpire

Assurance Mapping on the cricket pitch

Some CEOs will always think they know better!

What can Internal Audit learn from this?

• Are we the Third Umpire ….?

• Should we give an opinion only when referred to?

• How can we better use the information we have available?
o Relationship management
o Reviews and Evidence
o Board, Exec and other Performance Reports

• How reliable is each element of “assurance”?

• Most of the time, you have to trust the first umpire

