Assurance mapping: A vital governance and management tool

Assurance maps can be a powerful tool providing great insights for boards, senior management and audit committees. By allowing the decision-makers to take appropriate comfort from the assurance provided, these maps maximise the value of that assurance for the whole organisation. Here the Audit and Assurance Faculty explores the concept of assurance maps and the benefits to various stakeholders.

From risk management to assurance

Many organisations of all sizes invest heavily in risk management. The benefits of identifying and managing strategic and operational risks, within the boundaries of the organisation’s risk appetite, are widely recognised.

For a small start-up this may be as simple as investing executive time in assessing and weighing the risks. Larger organisations often implement Enterprise Risk Management systems to expand the reach of their risk assessment and control. Boards, management executive groups and audit committees receive regular risk reports which set out the key controls and mitigation strategies in place to manage these risks, along with additional mitigations proposed to bring the risks to a level compatible with their risk appetite.

When sound risk management practices are in place, a key question for all organisations is: How do we get assurance regarding the effectiveness of these controls and mitigations?

Assurance can of course come from a variety of sources, and the number and complexity of these also changes as an organisation grows. Boards and senior management can be overwhelmed by the number of reports from different sources providing assurance over different aspects of risks and issues, leading them to think that associated risks are being controlled effectively when they may, in fact, not be. This is because the assurances are frequently not well coordinated, and there can be gaps and cracks, as well as overlaps. Even worse, some of the assurances may not match well against the underlying risk, leading to inappropriate reliance.

As technology allows organisations to monitor risks and develop controls in increasingly sophisticated ways, the job of getting the right assurance in the right place must also become more sophisticated.

Assurance maps are designed to help businesses overcome these weaknesses and can create considerable value for the organisation.

What is an assurance map?

Assurance is an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organisation. An assurance map is a structured means of identifying and mapping the main sources and types of assurance in an organisation across the four lines of defence, and coordinating them to best effect.

In a smaller or less complicated organisation, a full assurance map will not be needed. However, the same principles apply and the assurance mapping approach can still be a useful guide for thinking through the connection between risk management and assurance.

While good risk management practices will help an organisation to identify and focus well on its major risks, good governance also requires effective management and mitigation of those risks. An effective and efficient framework is needed to give sufficient, continuous and reliable evidence of assurance on organisational stewardship and the management of the major risks to organisational success and delivery of improved, cost effective services. An assurance map is the tool that enables this evidence to be assembled. It also provides the evidence that may be needed to support:

  • management confidence in their assertions;
  • audit committee assurances to the board on the state of internal controls; and
  • public statements by the board as to the state of internal control.

An example of a simple assurance map

An assurance map shows:

  • Key elements over which assurance is required. This will change depending on the type and size of organisation.
  • The ‘four lines of defence’. The details of who provides what can vary for each organisation.
  • Any gaps where no assurance is provided.
  • Further useful information can be added to enhance the example given in Figure 1, such as the quality of assurance provider and the outcome of the assurance.

The benefits of assurance mapping

An assurance map can provide a basis on which to communicate with stakeholders and begin quality conversations. This is because there are benefits for each of the groups (or the four lines of defence) that may make use of the map. Together they should enable the board to make more reliable and robust reports to its stakeholders about the organisation’s state of internal control.

The benefits of assurance maps for each group are broadly as summarised below.

 
For boards and senior management

  • Provides timely and reliable information on the effectiveness of the management of major strategic and operational risks and significant control issues.
  • Provides an opportunity to identify gaps in assurance needs that are vital to the organisation, and to address them in a timely, efficient and effective manner.
  • Can be used to raise understanding of the risk profile, and strengthen accountability and clarity of ownership of controls and assurance thereon, avoiding duplication or overlap.
  • Can clarify, rationalise and consolidate multiple assurance inputs, providing greater oversight of assurance activities.
  • Facilitates better use of assurance skills and resources.
  • Ultimately allows the analysis and comparison of assurance against the totality of internal controls. This enables evidence-based corporate reporting and statements about the effectiveness of internal controls to be properly supported in a structured manner.

 

 
For the risk and audit committees

  • Assists them in understanding the current state of assurance, highlighting areas of low coverage, extensive or over coverage and gaps in understanding.
  • Allows decisions about relative risk to be made and direction provided to Internal Audit and other assurance provider resources to fill any gaps.
  • Allows better evidence to be assembled to support the assurances provided to the Board on the state of internal control, as well as public reports on governance and statement of internal control.

 

 
For internal auditors

  • Enables them to evaluate the state of risk and control more quickly and more effectively and in line with management perspectives.
  • Enables them to focus their effort where there are gaps in the first and second lines of defence and to include providing an independent assessment of the quality of assurance provided by the first and second lines of defence.
  • Relates the state of risk after internal audit engagements to the totality of internal control and identifies pervasive issues more easily.
  • Enables them to report more readily on their own perspective of the state of internal control based on the extent of their own work and evaluation of the management profile as set out in the assurance map.

 

 
For external assurance providers

  • Enables the auditors to identify risk and focus more quickly and easily on the key issues likely to impact the external audit or other assurance engagement.
  • Aids their understanding of the overall control environment as required by auditing and other assurance standards.
  • Enables the reliability of internal audit to be identified more readily. It will also help to focus on the areas where reliance might be placed and the extent to which reliance might be placed.
  • Also helps to identify the actual state of internal control prior to the external assurance engagement, and where any work may need to be focused.

Without an assurance map it is unlikely that the audit and risk committee will have access to a sufficiently well-structured analysis or assurance to enable them to evidence, safely, their satisfaction with the state of internal control.

At the very least the assurance map will enable the members of the committee to focus on those specific areas that remain a concern.

With an assurance map, the board will have evidence to support its assertions as to the state of internal control in any public reports and as communicated to the external auditors and shareholders.

With a map, the assurance-related work of the individuals operating within the four lines of defence can be best directed to avoid overlaps. 

Preparing your assurance map

An assurance map can be prepared within any level of an organisation – for the organisation as a whole, key strategic and operational risks or at a divisional level. We will use the term “component” as a broad term to imply any level of organisation.

An assurance map is not a form of assurance in itself. The assurance map provides a summary and analysis of the assurances being sought throughout the organisation or component assessed, but in and of itself, it does not provide any assurance.

10 steps to prepare your assurance map

To support the creation of useful and relevant assurance maps, we have identified 10 key steps to follow:

  1. Identify your sponsor
  2. Determine your scope
  3. Assess the required/desired amount of assurance for each element
  4. Identify your assurance providers
  5. Identify your assurance activities
  6. Reassess your scope
  7. Assess the quality of your assurance activities
  8. Assess the aggregate actual amounts of assurance for each element
  9. Analyse the gaps and overlaps in assurance for each element
  10. Determine your course of action

Maintenance and reassessment

An assurance map is a live document that should be constantly reassessed and updated. At a minimum, it should be reassessed and approved annually, following the 10 steps to determine if there are new or changed elements, assurance providers or assurance activities. The desired or required amounts of assurance may also change for a variety of reasons, which would also lead to a new assessment of the map and updated action plan.

Risk and risk mitigation

Potential pitfalls and risk areas may arise throughout the preparation of the assurance map. This is not meant to be a complete list, but does highlight the importance of thoroughness in each of the 10 steps.

| Risk | Priority | Action to mitigate |
|---|---|---|
| Elements requiring assurance are not complete | High | Mitigated by performing detailed review to identify elements, including significant collaboration across management and from the sponsor. |
| Assurance providers are not complete | Medium | Mitigated by reviewing the assurance activities and reports which may identify additional providers. |
| Identified assurance provider is not providing any assurance, but is just delivering on a task | High | Mitigated by an independent party reviewing the activities provided by that person to verify they are providing assurance; further mitigated by interviewing those who receive assurance from that provider to understand what assurance they are gaining. |
| Assurance activities identified are not complete | Medium | Mitigated by holding thorough interviews and performing detailed research regarding all elements requiring assurance, as well as by sign off of the sponsor and main users of the map. |
| Amount of required or desired assurance is not assessed appropriately | High | Mitigated by involving the appropriate people in the determination of the required or desired amount of assurance, including the sponsor and main users of the map. |
| Amount of assurance gained from an activity is not assessed appropriately | High | Mitigated by performing detailed research regarding the activity. |
| Change in, or discontinuance of, an assurance activity and the assurance map owner is not made aware | High | Mitigated through appropriate maintenance of the assurance map. |
| Assurance map document owner does not understand how to prepare or maintain the map | High | Mitigated through involvement of a specialist co-sourced provider. |
| Assurance map user does not understand how to interpret the map | Medium | Mitigated through appropriate awareness of and training on the use of the assurance map; and related covering report that attaches to the assurance map; alongside involvement of a specialist co-sourced provider. |

Download a template assurance map

Get started on following the 10 steps and preparing an assurance map for your organisation, by downloading a template assurance map.

 

What do you think?

To learn more, get involved, or tell us what you think, please email ruth.ward@icaew.com

 

Page reviewed March 2018. Next review due March 2019

 

ICAEW's assurance resource

This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.
