assurance, risk assurance, assurance mapping

Insights

Assurance mapping

With the introduction of the new companies act and other corporate governance requirements, assurance levels look set to become more onerous. Assurance mapping is increasingly mentioned as a means of helping meet these requirements but there is some mystery as to what the term means. Ailbhe Moynihan describes what’s involved and the key benefits.

First published in Accountancy Ireland: April 2014.

Assurance mapping is a technique that uses a visual representation of assurance activities to demonstrate how they apply to a specific risk or set of compliance requirements.The map might depict top risks (for example,the top five strategic risks of the organisation) or a sub-set of these risks (for example, health and safety risks) or might map more detailed compliance requirements (for example, directors’ duties).The assurance activities documented typically involve functions including compliance, internal audit and external audit.

Assurance in organisations is provided through the three lines of defence:

  • assurances from management that designed controls are being implemented on a day-to-day basis;
  • assurances from the risk management and compliance functions;
  • assurance from the internal audit function.

Assurances from third parties such as external auditors and other specialists can also be taken into account.

Assurance mapping takes the ‘risk-set’ or ‘compliance-set’identified and details where the assurance for each of the risks or compliance requirements can be obtained. When operational, it indicates the strength of the assurances provided and notes the last time an independent review on these assurances was carried out.This gives the reader a clear visual representation of the strength of the assurances.

Benefits of assurance mapping
Assurance mapping is a useful technique to enable directors to understand the mitigation of key risks and compliance requirements of an organisation.

There are a number of reasons why organisations are turning to assurance mapping.Once you have mapped out where you are obtaining assurance from – for example, internal audit have included this area on the internal audit plan or an external provider has completed a specialised review on this area in the past 12 months – you will be able to identify any gaps.Often,although assurance activities take place, they do not cover all areas relating to a risk.

From both management’s perspective and a non-executive director’s perspective, it is useful to have a full understanding of any gaps. Assurance mapping enables informed decision-making. For example, it might be decided to amend an internal audit plan so as to provide the required assurance on risk or compliance in a particular area or to engage an external consultant (such as a data protection expert, a health and safety firm or a regulatory compliance expert) to gain the required additional assurance.

Another benefit of assurance mapping is that it can help an organisation to identify duplicated effort which often occurs when different elements of organisations work in siloes.For example,where a health and safety expert has completed a review of health and safety,it may be possible to remove this from the internal audit agenda thereby freeing up internal audit resources for other areas.

As increased assurances are sought from board members,the real benefit of assurance mapping is the level of transparency it gives directors to enable them to fulfil their duties.

Some common issues
Common issues that can arise when an organisation first embarks on an assurance mapping exercise include:

  • attempting to create an “allencompassing” map that quickly becomes over-engineered and complex and can fail to produce the required information. It is advisable to trial the process with a specific set of risks/compliance requirements and broaden it when you are satisfied that it is working effectively;
  • relying on out-of-date or irrelevant assurances. For example, an external review of information security may have been carried out 18 months ago but the organisation may have implemented new IT systems since then.This would make the assurance at least partially redundant. It is important that the assurances mapped are current and relevant.

Where the right approach is adopted, assurance mapping can deliver a high level of assurance. Organisations should look at streamlining their assurance processes to get the most from their resources.

Assurance mapping

Written by Ailbhe Moynihan, a senior manager Risk Advisory services with Deloitte. (amoynihan@deloitte.ie, +353 1 417 2821)

Did you find this useful?