Expertise Beyond the Numbers

How to Leverage Assurance Mapping to Ensure Your Business Risks are Covered

As the famous Benjamin Franklin proverb goes: “In this world nothing can be said to be certain, except death and taxes.” Now, 200 years on, we can safely add another certainty to old Ben’s list – risk in operating a business. Risk is involved in nearly every aspect of running a business, and that doesn’t go away as the business grows and becomes more successful – the risk often increases with the growth as well.

Modern business leaders need to be more certain than ever that their organization’s processes are operating effectively to identify and mitigate risk. A variety of interconnected processes can create risk factors related to regulatory concerns, information technology, financial impact, or fraud. These risks can result in decreased efficiency, lost revenue, and increased expenses, and, in some cases, pose a considerable threat to the organization’s security. It is the responsibility of the organization’s auditors, the leadership team, and the governing board to identify these risks and take action to ensure appropriate independent assurance [1] review procedures are in place.

Procedural assurance is achieved through the collective effort of various groups, including management, internal audit, and external providers. These assurance providers seek to identify and address risk throughout an organization, often examining many of the same processes.

How, then, does an organization properly protect itself from too little, or too much, process assurance? By utilizing an Assurance Map.

Assurance Mapping

The preparation of an Assurance Map will provide management with a tool for addressing these concerns. The Institute of Internal Auditors (IIA) recently published a Supplemental Guidance Practice Guide entitled Coordination and Reliance: Developing an Assurance Map [2]. This guide was prepared based on IIA Standards [3] and describes the use of an Assurance Map as well as the procedures for preparation.

An Assurance Map is a document that is supplemental to the organization-wide risk assessment and audit plan. The IIA describes it in its simplest form “as a matrix that lists the organization’s risk categories in the first column, with additional column headings for each assurance provider, enabling assurance coverage for each risk category to be identified throughout the organization.” Coverage is indicated by mapping the risks to the appropriate assurance providers within the matrix.

With new legislation being imposed on corporate entities and greater internal governance from the organizations themselves, assurance mapping is an effective means to meet and address these requirements. Its visual representation creates an easy-to-follow model enabling the “Three Lines of Defense” to communicate and cover each area of assurance effectively. The Three Lines of Defense, outlined by the IIA, represent the areas of assurance protected by the organization’s operational management, risk and compliance, and the internal audit activity, which work in conjunction to protect the entire organization from risk.

The Assurance Map is an operationally beneficial tool in several ways. It increases overall organizational risk awareness, delineates the functions providing specific assurance coverage, and enhances the opportunity for collaboration between providers. It also has the added benefit of potentially increasing audit efficiency.

The IIA guidance provides five steps for the preparation of an Assurance Map, which have been summarized below:

  1. Identify Sources of Risk Information – Information describing organizational risk can take many forms. In addition to audit reports and risk assessments, an organization should consider a wide variety of risk information sources, such as strategic documents, policies, board minutes, or periodic financial reports. Information gathering should be collaborative and involve management, internal audit, process owners, and other assurance providers.
  2. Organize Risk by Category for Consolidation – In order to allow for organization-wide analysis, risks should be grouped and categorized by business function, process, or program. These categories are designed to align with the organization’s strategic objectives and enhance their relevance for management decision-making. Risk categories are listed in the leftmost column of the Assurance Map.
  3. Identify Assurance Providers – The IIA recommends employing the Three Lines of Defense model, which identifies operational management, risk and compliance management, and internal audit as the key organizational assurance providers. Additional assurance may be found through external auditors and consultants. Assurance providers are listed as column headings across the top row of the Assurance Map. Each one is grouped by its specific line of defense. This grouping allows management to better understand the levels of independence associated with assurance over individual risk areas.
  4. Gather & Document Assurance Activity by Risk Category – The party tasked with preparing the Assurance Map should meet with risk owners and assurance providers to validate the understanding of the risks covered. Risk coverage is then indicated on the Assurance Map by marking the box where the appropriate risk category and assurance provider intersect. The preparer may also indicate the level of coverage for each risk area (e.g. total, partial, limited, none).
  5. Review, Monitor, and Update the Assurance Map – The Assurance Map should be reviewed and updated on a regular basis to ensure changes to risk and assurance are appropriately captured and incorporated. The IIA recommends, as a minimum, the Assurance Map be updated annually. It is prudent to revise the Assurance Map anytime significant changes are identified. The Assurance Map is a constantly evolving model and should be regularly evaluated in conjunction with each of the Three Lines of Defense to ensure continued accuracy and efficiency.

When considering the implementation of an Assurance Map, organizations need to evaluate their existing risks and processes – and it’s not for everyone. The size of an organization plays a considerable role in determining the necessity for an Assurance Map. Large corporations with many departments and teams can certainly benefit when cross-communication between divisions, and even geographic regions, becomes challenging. It is also highly recommended for publicly traded companies, which typically have many internal and third-party auditors in addition to the complex rules and regulations required for SEC reporting. Any industry faced with heavy regulation, such as healthcare and government contracting, benefits from the extra layer of assurance offered by an Assurance Map.

An organization struggling to stay on top of its risks – and efficiently document and communicate assurances – should consider implementing an Assurance Map. It’s a relatively simple process that produces significant organizational benefits. Consult with your internal audit team, or an experienced independent advisor like SC&H Group’s Risk Management practice, to determine if an Assurance Map can provide increased risk protection for your organization. You can reach out to us here if you’d like to learn more.

——–

[1] The IIA defines assurance services as an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.

[2] https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/coordination-and-reliance-developing-an-assurance-map.aspx

[3] Standard 1000 – Purpose, Authority, and Responsibility; Standard 2050 – Coordination and Reliance; Standard 2100 – Nature of Work