Internal Audit related assurance maps
When applying the principles of Assurance mapping, it is often the case in practice that no individual within the organisation has the relevant skills to start the process. The Head of Internal Audit may also want to help kick-start the process in order to showcase what can be achieved with assurance mapping.
In such situations the Head of IA may take it upon themselves to include an assurance map in the strategic internal audit plan. This can be achieved relatively easily in most organisations, provided that it is handled at a suitable level of detail. Many, if not most, of the key benefits of Assurance Maps can be obtained by introducing them through this route. Perhaps most significantly, their use can:
- Create a clearer factual basis for senior management and the A&RC to make judgements about internal audit coverage; and
- Help to close the expectation gap between senior management, the A&RC and the Head of Internal Audit regarding the content, focus and adequacy of internal audit plans.
In the slides linked to this note we show how a strategic internal audit plan for a small investment management business can include the elements that demonstrate the benefits that senior management can obtain from an Assurance Map. The pages we include are of course examples and do not show the complete suite of pages required.
A description is provided below for each of the example slides to help provide the context.
It is important to understand the organisational structure of the entity and to reflect back to management a structure that they buy into and understand. The model shown here was developed with the organisation’s management based on their pre-existing manuals but refined to show a clearer distinction between the various levels and types of system. Therefore, it is supported in practice by the organisation’s existing control structures.
A part of the organisation’s risk mapping processes was to identify those systems and parts of the organisation most impacted by each risk in the register; there were about 50 risks.
In this display both the gross and net levels of risk (before and after control) are captured to help demonstrate where the major risks lie across the organisational structure.
While these risks self-evidently change during a year, this provides a good starting point for considering the state of risk when the internal audit plan is being prepared and the focus of planned work established.
Based on this initial assessment of the state (and nature) of risk, a high-level internal audit plan is mapped out, showing against each element of the organisational universe the focus of a potential audit and its timing across the (three-year) strategic period. The descriptions of focus are very high level but are designed to identify and capture the key risks and concerns as expressed through the risk register and past evidence from management, internal audit and other third-party reviews.
It is worth noting that more detailed thumbnails of the core focus and scope of each audit for the next year can easily be provided and attached to such a plan to enable effective challenge by senior management and the A&RC members. The spread of coverage enables a challenge to the timing and frequency of work. The overall plan also enables a challenge to the balance of audit focus between core systems, support and governance matters.
It is important that the plan and strategy should show audits in the form of the previous page to enable a reader to understand what is being proposed. This appendix allows the question to be asked from the perspective of just the risks and explains what is being or has been done in the recent past.
It acts as a cross-check on the developing coverage and overall picture of the assurances being provided to the Board through the A&RC. This also makes it easier for the members of the Board and A&RC to question timing, balance and focus in a way with which they are comfortable.