10 steps to create an assurance map
Assurance maps are a useful tool that provides a structured way to identify the main sources and types of assurance in an organisation, and to ensure they are coordinated. The Audit and Assurance Faculty outlines the 10 key steps to follow when creating an assurance map.
1. Identify your sponsor
Every assurance map needs a clearly defined sponsor. This may be the main user, but could be another senior staff member who will champion the map’s use. The sponsor will:
- Be clear on the reason why the map is needed.
- Agree the scope of the map - components and elements.
- Agree the focus when looking at assurance activity eg, amount, frequency, scope, and whether the quality of assurance will also be in scope.
- Be involved in determining the required levels of assurance for the elements.
- Recommend the approval and use of the map to the relevant risk or audit committee, along with any resultant actions that come from production of the map.
Accountability for the map lies with the sponsor, who confirms the output at each stage of the process.
2. Determine your scope
The scope of the assurance map needs to be determined, which involves identifying the elements requiring assurance. This requires the use of a number of sources of information and close working with the sponsor, as there is no definitive way to determine that all elements have been captured, and the elements will vary greatly depending on the component for which the assurance map is being prepared. Elements may include:
- Relevant operational/business processes eg, finance, commercial, personnel, logistics, business resilience and fraud.
- Board level or strategic risks.
- Strategic programmes.
- Governance requirements eg, leadership, culture, vision and stakeholder engagement.
- Compliance with third party regulations.
A number of information sources can be used to confirm which elements may require assurance. Examples include:
- Application of your own business/organisation knowledge and understanding.
- Board and audit committee papers.
- Performance and risk reports.
- Annual assurance report.
- Review of key corporate documents, such as:
- corporate plan;
- business plan;
- other strategic documents;
- organisation charts;
- business impact assessments, which show the critical activities performed; and
- internal audit annual plan or report.
Once identified, the elements should be confirmed with your sponsor, senior management and the main users of the map, for example the audit committee and/or the board, to assess the completeness of the elements identified.
3. Assess the required/desired amount of assurance for each element
Through conversations with your sponsor, senior management and the main users of the map, it is key to understand what the required or desired amount of assurance is across the organisation’s elements.
When assessing the desired amount of assurance the following should be considered:
- Risk associated with the element.
- Importance of the element to the existence and continued function of the component.
- Complexity of the element.
- Past experience of the organisation.
Your sponsor and the main users of the map should approve the desired amount of assurance for each element.
Once this has been determined it will act as the benchmark when assessing where there are potential gaps or excess assurance across the organisation.
4. Identify your assurance providers
Assurance providers are assigned to each of the four lines of defence. Once the elements requiring assurance have been defined, identifying some likely assurance providers will aid your work and direct initial interviews.
While best practice is to start with some known assurance providers being categorised by their relevant line of defence, others may be identified during the process. The creation of the map is an iterative process.
The following have been identified as potential starting examples for each of the four lines of defence:
|Line of defence|Description|
|---|---|
|First line of defence|Management within the organisation|
|Second line of defence|Functions within the organisation|
|Third line of defence|Activities which are outside the direction of management|
|Fourth line of defence|External providers from outside of the organisation entirely|
Some assurance providers are more identifiable than others, and can be expected to provide assurance to more than one element. Conversations with those who ‘own’ or who are key within each element alongside review of available documentation will identify other assurance providers.
5. Identify your assurance activities
a. Identify and review relevant documents available
Prior to speaking with the key personnel for each element/assurance provider, it is advised to review any relevant documents in order to identify assurance activities which have or are planned to take place. This would include the following:
- Policy documents.
- Internal audit plan for the past and current year and relevant internal audit reports.
- Meeting agendas and minutes from key board/committee meetings.
- Performance and risk reports.
- Risk registers.
- Annual assurance report.
- Internal control framework risk and control matrices.
Across most elements, we would expect documents to be available as a starting point to begin understanding the assurance activities taking place.
b. Identify and interview relevant practitioners
Once the elements have been determined and relevant documents reviewed, interviews can begin with those who lead on these areas.
It is important to select the right person within the element or assurance provider: someone who can give an overview of the big picture but with sufficient detail to identify individual activities. The senior manager responsible for the element is often a good person to start with. Open questions with the senior manager will clarify what is important and where activity is focussed. A more in-depth understanding can then be gained from either the senior manager or members of their team with more specific knowledge.
Through the use of probing questions explore the following with the interviewee to understand more about the assurance performed:
- Describe the scope/function of the relevant element in more detail.
- What assurance is provided?
- What is the scope of the assurance?
- Who is performing the activity and what are their qualifications? Are they external or internal resources?
- How often does the activity get performed eg, annually, monthly or on request?
- Who is the activity reported to eg, management, the board, a subcommittee or the audit committee?
- What value does the assurance activity add?
- Is it assurance rather than a business as usual activity?
The assurance activity should be marked on the map, with the detailed information included in the form describing each activity provider.
c. Collating the assurance provider information
To assess the quality of the assurance providers fully, the following list allows you to examine and gather the information in more depth, so that you understand what the activity is and how the assurance provider operates to deliver the output. The attributes you are looking to capture include:
- Name of the assurance provider.
- What is being assured and the scope of the activities.
- The methods and technologies used and evidence that is obtained.
- What reporting is involved, including who it is reported to. For example, does it include audit committee reporting, and how frequent is the reporting?
- When the most recent assurance activity or report was provided.
Gathering this information during the process supports the details in the map and allows reference to be made to it to explain and justify the quality of assurance identified.
Other tools are available and may provide alternative views and presentation techniques, for example a Microsoft Access database could be used to populate the assurance providers in more detail.
6. Reassess your scope
In reviewing relevant documents and interviewing practitioners, we would expect that additional elements requiring assurance and assurance providers would be identified. While this falls as step 5 in the process, the reassessment of the outline and related completeness of the elements and providers should be considered and updated continuously throughout the process.
An assurance map is a live document that is never definitively “complete” and therefore elements and assurance providers can be added and removed at any time when they become or stop being relevant. While a change in board risks or policies may trigger an obvious need for a change in the map, events such as personnel movements may also impact the assurance activities and related quality.
Another example of an event that may prompt a need to update the map would include changes in an assurance provider, for example the person performing the activity. These can be difficult to identify on a timely basis as you may be relying on notification from outside parties, but through raising awareness of the map, the business should be more forthcoming in sharing these insights as they happen.
7. Assess the quality of your assurance activities
An assurance map can be created without an assessment of the quality of the assurance activities. However, the assurance map is not being used to its full extent if the assessment of quality is not performed, as reliance may be placed on activities of variable quality.
Once it is understood what assurance activities are taking place, we need to assess their quality in terms of the following attributes:
|Attribute|What to assess|
|---|---|
|Breadth of scope|How much of the element is being covered by the activity? Is it assessing all aspects of the element or specifically focussing on one small part of the overall picture? For example, a narrow scope may provide high quality assurance, but only on one small part of an element, so other activities will need to be identified to provide assurance on the rest.|
|Depth of scope|How detailed is the review? How deep does the assurance activity go to assess the risks and mitigations in place? Be aware of ‘false assurance’. This can exist where a user of assurance believes that it has covered more scope, or at a greater depth, than is the case.|
|Competence of assurance provider|The person performing the activity should be knowledgeable of the element being assured and have the skills to provide the assurance required. This can be assessed through understanding the qualifications held and experience in the organisation and/or industry. The methodology the assurance provider operates should also be assessed. For example, where an assurance provider follows guidance set by a regulatory body, high quality assurance may be provided from that activity.|
|Frequency of review|Some activities will be repeated every year, or every month, whilst others will take place on a three yearly cycle, or just as an ad hoc review. The more recent and timely the activity, the more relevant and reliable the information and assurance will be.|
|Line of defence providing assurance|Each line of defence has strengths. The fourth line of defence is the most independent and therefore may provide high quality assurance, but activities are often infrequent and lack detailed insight into behaviours. The first line of defence, performed by management, is closer to the detail of the controls and is often more frequent; however, it can lack independence, which impacts the quality.|
Some activities will be deep and detailed, but focussed on a small part of the element, while others will be broad brush high level reviews. Some assurance outputs will not provide opinions, but instead will state the results of performing a series of tasks.
When assessing the quality of the assurance, it is critical that all aspects of assurance provision are taken into account, drawing on the knowledge of the practitioner and assessing the attributes in the round.
8. Assess the aggregate actual amounts of assurance for each element
For each element requiring assurance, the total amount of assurance needs to be assessed, collating all the assurance being provided by each of the four lines of defence and considering its quality as determined in step 7. The following should be considered:
- Number of assurance activities - more activities may indicate more assurance.
- Depth and breadth of the activities - deeper and wider scope may indicate more assurance.
- Internally or externally provided assurance - involving both internal and external assurance providers is likely to provide the component with a broader assessment of the risks and controls, leading to more variety in the challenge provided.
- Line of defence providing the assurance - a mix of activities across the four lines of defence is likely to give a richer balance of assurance.
- Frequency of the assurance activity - more frequent activity may indicate more assurance.
9. Analyse the gaps and overlaps in assurance for each element
In step 6, we assessed the required or desired amount of assurance for each element. Now that the actual amount of assurance has been determined, it should be compared to the desired amount to determine if there are gaps or overlaps. Where a higher amount of assurance is required, the assessment of the quality of related activities should be more in-depth and rigorous than in those areas where required assurance is lower.
The determination of potential gaps and overlaps in assurance is not a straightforward process and will require input from a number of different parties, including the sponsor and the main users of the map. For example:
Consideration also needs to be given to the nature or focus of the assurance relative to the risk. For example, assurance over the operation of a process may not contribute much value in relation to concerns about actual performance levels in a business unit.
10. Determine your course of action
Once the assurance map has been developed and the assurance assessment performed, recommendations should be made for appropriate resulting actions. While there may be areas where there is no or insufficient assurance compared to the desired or required amount, there may be others where more assurance than needed is currently obtained.
Action planning should be done with the sponsor and the main users of the map to ensure the outcomes are in line with their needs and expectations.
Each action point should be specifically detailed, with a responsible person assigned and a timeline for follow up. This plan should be considered in the maintenance of the map. As actions are done and gaps and overlaps are dealt with, the map should be updated on a timely basis to reflect those changes.
A covering report should outline for the sponsor and the users of the map what the results of the map are, including gaps and overlaps, as well as the recommended action plan.
To help practitioners implement the 10 steps, the Audit and Assurance Faculty has created an example assurance map prepared in Microsoft Excel.
The row headings include a list of all areas, risks and processes over which the component is seeking assurance. We will refer to these as “elements”. Elements may include: areas of governance, defence tasks, board risks, strategic programmes and defence authorities.
The column headings include all the assurance providers by the four lines of defence. Assurance providers are specific teams, boards, committees, firms and people within each of the four lines of defence who are performing assurance activities in relation to the various elements.
When an activity that provides assurance is identified, that assurance activity is matched against the relevant element requiring assurance and the relevant assurance provider. An assurance activity can be included in the assurance map across any number of elements, as applicable.
ICAEW's assurance resource
This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.