How many times have you heard, "Why are you auditing us again? Didn't we just do this?" In these instances, another assurance function may have recently conducted a review, creating the potential for internal audit to perform redundant work. How many audits are being conducted within your organization at any given time? Perhaps management has difficulty distinguishing internal audits from other types of audits and reviews, such as those from regulators, compliance, or environmental, health and safety departments. Do you know whether all risks – strategic, operational, human resources, financial, regulatory and compliance, and technology – are covered by an assurance provider?
One of internal audit's key responsibilities is to provide assurance to senior management and the board/audit committee that organizational risks are understood and are being managed appropriately. To fulfill that responsibility, internal audit requires tools and techniques customized to the organization that can assist in identifying, organizing, and presenting this information. Creating an assurance map may assist internal audit in providing those entities with a clear understanding of risk and assurance coverage throughout the organization.
The IIA addresses this need with a new Practice Guide, "Coordination and Reliance: Developing an Assurance Map." It outlines a process the internal audit activity can use to create and maintain a robust assurance map.
Assurance maps can be used organizationwide; their function is broader than internal audit alone. An assurance map can support:
- A shared understanding of the risks faced by the organization aligned by risk categories.
- Identification of the organization's risk management and assurance roles/functions.
- Development of a holistic, comprehensive assurance framework that can be useful during times of transition – such as when mergers and acquisitions, organizational restructuring, or strategic changes occur.
- Collaboration among assurance providers to facilitate the efficient and effective use of resources.
Common Risk Language
A key component of a robust assurance framework is that the organization has a common language around risk. In practical terms, the auditable risk universe used by the internal audit activity is not all-encompassing, so internal audit's typical risk language may not be familiar across the organization. Many risk areas are not impactful enough to rise to internal audit's risk universe but must still be addressed per regulations.
Other risk areas may be related to strategy, which would exceed the scope of a typical internal audit engagement but still prove useful for the organization. Creating an assurance map allows the organization to develop a comprehensive risk universe. For all risk discussions and reporting organizationwide to be understood by everyone involved, a common risk language is necessary.
Clear Roles and Responsibilities
Once all risk categories, risks, and assurance providers have been identified, the assurance map can be completed to document which providers are covering which risks. This allows management to see where risk management activities are occurring and what risks are covered or not covered by an assurance provider.
An assurance map does not have to be restricted to assurance providers only. If there are operational areas that manage risks or risk categories, they may also be included. If any areas lack clarity regarding what they should be doing in terms of risk management, the assurance map will help management address the issue, resulting in more comprehensive risk coverage organizationwide.
Comprehensive Assurance Framework
A comprehensive assurance framework ensures that the organization is addressing all of its risks appropriately and in a timely manner. Creating an assurance map assists the organization in documenting its risk management approach, and it can be used to facilitate risk identification, assessment, management, and monitoring exercises that will assure senior management and the board that all of the organization's assurance providers are working together to manage risk.
Many organizations across industries operate in silos. Operational divisions work separately from the control functions (e.g., legal and compliance), and the control functions work separately from internal audit. Working this way inhibits communication about risks and leaves management with a fragmented view of risk coverage in the organization. If management is unclear about who is managing what risks, duplication of efforts can result, which wastes valuable resources and can create audit fatigue among auditable entities. Creating an assurance map can be a beneficial exercise to bridge these silos and begin operating in a more cohesive manner.
Once an assurance map is created, the organization's risks can easily be linked to its objectives and strategies. Risks, risk management, and assurance processes are dynamic in all organizations, and a well-designed assurance map can allow the organization to keep pace with the changing environment and jump-start a robust risk management program that benefits the entire organization. An assurance map can, if thoroughly documented and maintained, be used to build the foundation not only for a coordinated and robust assurance management framework but also for an enterprisewide risk management framework.