When it comes to providing assurance, internal audit isn’t the only player in the game. Boards and executives seek assurance information on the effectiveness of an organization’s governance, risk management, and control processes from a variety of internal and external sources, including external auditors, the risk management function, health and safety auditors, government agencies, the compliance function, and quality auditors. Likewise, internal audit functions rely on other assurance providers for needed expertise.
Given this array of assurance providers, internal audit needs new tools to better monitor and communicate about the effectiveness of the organization’s enterprise risk management (ERM) process. IIA Practice Advisory 2050-2 recommends that CAEs use an assurance map to coordinate assurance activities with other providers to maximize coverage and minimize duplications. An assurance map presents a picture of all assurance activities across the organization that can enable the board and other stakeholders to better exercise their risk management oversight duties.
The many benefits of assurance maps include:
- Focusing on the strategic areas of concern and identifying key risk events that can affect the achievement of objectives.
- Improving the value of the organization’s assurance activities by evaluating whether a combination of different internal controls has been designed adequately and is operating consistently to mitigate the target risks holistically.
- Helping create a more efficient assurance process by spotlighting duplications.
- Facilitating identification of key risk areas that have insufficient coverage or gaps.
- Providing an integrated and comprehensive report about risk and assurance activities for boards, audit committees, senior executives, and assurance providers that helps them make informed governance decisions.
- Helping internal audit provide its opinion on the effectiveness of ERM, wherever required.
Taken together, these benefits can enhance the board’s risk management oversight efforts by helping improve its governance and monitoring processes and structures.
Plotting a Map
The internal audit function’s independent status, close interactions with other assurance providers, and knowledge and methodology for providing assurance services make it well-suited to lead efforts to coordinate assurance services. Moreover, internal audit has a strong vested interest in improving the effectiveness of assurance coordination across all functions, a principle known as combined assurance. Indeed, the internal audit functions of South African companies have used assurance maps to achieve combined assurance as required by South Africa’s King Report on Corporate Governance.
The use of an assurance map aligns internal audit efforts with the organization’s identified risks. In one integrated document, the assurance map identifies and presents the specific assurance efforts that will be applied to manage each identified risk. “Risk Management and Assurance Integrated Framework” on page 56 illustrates the format of an assurance map, which internal audit functions can customize to meet their specific needs.
Risk
In creating the map, internal auditors should start with the organization’s strategic plan based on its key organizational objectives. Examples include launching three new products by the end of 2017, or reducing staff attrition to less than 7 percent annually by March 31, 2018. Key risks drawn from the organization’s ERM framework should present events that might prevent critical objectives from being achieved. Auditors should group these identified risks by category — strategic, operational, reporting, and compliance — to facilitate assessment and response considerations.
For each key risk, the assurance map should list the risk owner who is accountable for managing the risk and conducting assurance activities. It should rate the inherent risk of events based on their impact and likelihood on a scale ranging from minor (green) to critical (red). Mitigation strategies are designed to either prevent a risk event from occurring or to mitigate the effects after an event has taken place. Key controls are those responses that help manage and reduce risk within the risk appetite. Finally, the map illustrates the residual risk after management has implemented risk response activities.
Assurance
The next series of columns provides the coverage of assurance services by the organization’s three lines of defense. Tier 1 shows the process owners’ direct oversight of day-to-day operations. For example, front-line operational managers oversee control self-assessment and monitoring mechanisms and systems. Tier 2 displays the oversight functions that support management by providing expertise for policy development and monitoring their execution. Tier 3 shows the independent and objective providers of assurance on the overall adequacy and effectiveness of risk management, governance, and internal control, as established by the first and second tiers.
The next column on the map, Reliance on Assurance Providers, classifies the assurance coverage provided. Criteria may include:
- Primary, secondary, and tertiary responsibility.
- Significant, moderate, insignificant, and unknown contributor to assurance.
- Extensive, regular, ad-hoc, and no assurance provided.
Internal audit’s overall assessment of both the quality and quantity of assurance received is based on criteria including subject-matter expertise, experience, skills, and methodology. For example, no reliance indicates there is no information available to evaluate the adequacy of the assurance activities provided. Low reliance means there is a lack of information to evaluate the adequacy of assurance activities. Limited reliance means only management reviews of the effectiveness of risk management have been applied. In this case, the organization has had limited or no independent evaluation of control design sufficiency and operating effectiveness. Moderate reliance indicates that oversight functions that support management have consistently evaluated the adequacy of assurance activities. Extensive reliance indicates that independent and objective assurance services have been provided to evaluate the adequacy of assurance activities.
The next column details the remedial actions to address weaknesses and ensure continuous improvement of the assurance process for reaching the desired and aspirational level of assurance. Objectives include eliminating assurance gaps, reducing assurance overlaps, and improving the strength and coverage of the assurance provided by documenting follow-up actions such as:
- Assigning assurance owners.
- Specifying assurance scope and mission.
- Identifying the nature and frequency of assurance activities being undertaken.
- Coordinating planned assurance activities.
- Determining the timing and frequency of assurance reviews.
In the final column, global independent assurance opinion consists of the CAE’s written assessment of the effectiveness of the organization’s approach to managing the risk. For example, “Considering the assurance-based activities undertaken during the year, in our opinion the internal control and risk management systems are effective (ineffective) considering the company’s specified risk appetite.”
An Integrated Process
Assurance maps offer a consolidated picture of the risk and assurance framework by assessing the quality and level of assurance activities being provided against key risks. However, the internal audit function should consider several factors when building such a tool. Assurance maps are a tool whose production is more art than hard science. No assurance map fits all the needs of every organization. Internal audit should start with the top key risks confronting the organization, then expand as desired.
Internal audit also should view the risk management and assurance framework as an integrated process. Assurance maps are not a silver bullet for ensuring adequate risk management. Without a well-developed risk management framework, internal audit and other assurance providers won’t be able to pull the information required to plan their assurance activities appropriately. At the same time, internal auditors should update the assurance map periodically.
Internal audit should leverage the power of data without getting lost in it. To be effective, internal auditors must be able to explain the value, goal, and drivers of the assurance map. Most importantly, they must demonstrate how to use the map to identify assurance gaps that need attention.
Additionally, internal auditors should make assurance maps an informative tool for reporting to the board by focusing on the significant areas of concern. Using color-coded representation can highlight the important findings.
Finally, internal audit should get all assurance providers involved to develop the assurance map and share the results with all providers. Creating and using an assurance map should be a team effort, rather than one dominated by internal audit.
A Catalyst for Assurance
Leading the development of an assurance map and reporting on assurance coverage and gaps offers internal audit functions an opportunity to improve their effectiveness in governance. In addition to enabling internal audit to provide assurance on the organization’s risk management effectiveness, an assurance map can assist internal audit in assigning its resources efficiently with better knowledge about the entire assurance process. The insights gained from visual reporting and analysis of an assurance map also can enable internal audit to strengthen its relationship with management and the board to enhance risk management, internal control, and governance.
The success that South Africa’s internal audit functions have had in using assurance maps demonstrates that a combined assurance approach can help internal audit raise its profile in facilitating the corporate governance process. Assurance maps also can transform internal audit into a catalyst for improving an organization’s assurance services.