Assurance mapping

Assurance mapping’ can sound like the latest consultancy fad destined to develop into a bureaucracy before it becomes shelfware alongside its predecessors. But stakeholders – Boards. Audit Committees and senior management – would be wrong to dismiss an approach that can do much to enhance the understanding of the assurance mechanisms available to a business.

There are, as ever, many ways of pulling together an assurance map, and the first step is to clarify which risks it is going to cover. All of the risks on the risk register might be too big a step to begin with, so should it just focus on, say, the top five or the risks associated with one project or a particular activity?

Thereafter you can get into familiar territory by identifying the first, second and third lines of defence for each of the key risks in the business. The first and second lines may already be well known, but the third line should be extended as widely as possible to include all third parties who are in some way involved in receiving and reviewing reports from the business, or carrying out some kind of inspection on any part of the business even if only occasionally.

Mapping all of this and then analysing the matrix horizontally and vertically will demonstrate where assurance is coming from and lead to the following questions:

• Are there some risks on which virtually no assurance is being received at all?
• Are there others where there is too much assurance and various bodies are duplicating work?
• Are there bodies claiming to provide assurance who don’t actually appear to be providing any?
• Is the assurance being received adding value and really addressing the risk?
• Is the Audit Committee receiving sufficient information from the various assurance providers to obtain a good view of the assurance available? If not, how could this be provided?

In many organisations it is the Internal Audit function that is leading on this. There are other options, but Internal Audit already has an organisation wide remit. They are also in a position to assess the efficacy of other forms of assurance identified and to use the information collected to ensure their own internal audit plans take appropriate account of the work of others. And where they are providing an annual assurance opinion to the Audit Committee or Board, incorporating the additional information obtained via an assurance mapping exercise can only enhance the value of that opinion.

Assurance mapping is a useful tool to ensure all sources of assurance are taken into account as part of the assessment of the effectiveness of risk management procedures and can also be used to ensure that the assurance is being provided as efficiently and effectively as possible.

Please let us have your thoughts on this. Is this more than a fad? How have members made practical use of assurance mapping? All thoughts are welcome.