Tips and example on assurance mapping



Risk is an omnipresent driving force in all business activities. Managing it requires producing information about the probability of different outcomes during decision-making. Assurance services improve the quality of this information across business activities (AICPA, 1996). Assurance, provided by internal and external auditors and many other parties, is the objective examination of evidence in order to form an independent assessment of business activities. It adds credibility to information, from statutory financial reporting to the non-financial information in environmental and social reports. Assurance is the confidence that what needs to be controlled is actually being controlled in practice.


Since the board is responsible for ensuring that there are robust internal control arrangements across the whole organization, assurance is also a key compliance issue. Moreover, most codes of good corporate governance require the board to attest to the effectiveness of the internal control and risk management systems.


There are tools to coordinate assurance services and to get the most out of them. Assurance maps visually link the assurances from all providers to the risks that affect the organizational objectives. They show how the assurance activities (x-axis) apply to the key risks in sequential business activities (y-axis). The assurance activities are usually arranged according to the three lines of defense or the five lines of assurance model. The maps give the board a quick and clear view of processes and risks, ensuring consistent management, oversight and reporting under a common methodology and language. Assurance maps promote collaboration between departments while being cost effective.

Keys to making decisions on assurance


The primary objective of assurance mapping is to detect gaps and duplications in the assurance efforts of different departments. These maps quickly reveal the level of assurance oversight on each process, so that low-value and redundant auditing efforts can be reduced.

In order to join efforts for a strong GRC function, the risk methodology, particularly the taxonomy and the rating scales, should be standardized to express a common and holistic view. This allows coordination and interaction between business owners and assurance providers.

To identify processes with missing or unnecessary assurance efforts, the risk exposure can be linked to each process to assess whether the assurance costs are justified (“reasonable assurance” relative to the risk tolerance). When too much assurance is concentrated in one process, the causes of this effort should be understood before reassigning controls and responsibilities across departments.

When combining assurance programs and coordinating activities, the responsibilities defined by the policies or the audit charter should be updated. The assurance map is a tool for updating and coordinating departmental responsibilities, not a policy in itself.

Besides combining assurance efforts on duplicated tasks, or reassigning controls to cover gaps, the communication of issues and remediation action plans should flow across all departments. Relieving a department of assuring a process does not mean that it should no longer receive information about the trust and quality of the related information and its controls.

An assurance map in practice
As an example, the following map details the process steps and their risks for a simplified financial month-end closing in a company running SAP. This process-based map consolidates the controls and risks from the assurance providers to assess how much coverage is achieved and how much is needed. It combines the three lines of defense model with a standard SAP closing process compatible with SOX or COSO compliance.


The assurance level rating represents the quality and the level of evidence provided by each department.

H High Assurance: assurance is detailed and cyclically conducted; the amount of audit evidence reduces risks to a low level (e.g. a low risk of material accounting misstatement); controls are in place and adequately mitigate risks; policies are in place and communicated; IT/BI tools are deployed to automate controls and to report red-flagged transactions; and performance metrics are closely monitored

M Medium Assurance: assurance is not cyclically performed; controls are not in place to cover some risks; policies are not fully in place or communicated; manual controls are not automated

L Low Assurance: low or no assurance; significant concerns over the adequacy of the controls in place in proportion to the risks; few policies in place
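The gap and duplication check that the mapping exercise exists for can be mechanised once the map is encoded. The following is an added example, not code from the original article: it rates a month-end closing per line of defense on the H/M/L scale above and flags steps below the tolerated minimum and steps where several providers concentrate high assurance. The process steps and ratings are constructed for illustration and are not the article's own map.

```python
"""Gap/duplication detection over an assurance map (added example)."""
from typing import Dict, List

# Ordinal scores for the page's rating scale. A provider absent from a step's
# row gives no assurance at all and scores 0.
SCORE = {"H": 3, "M": 2, "L": 1}
LINES = ("1st line", "2nd line", "3rd line")  # three lines of defense (x-axis)

# process step (y-axis) -> assurance provider (x-axis) -> rating
AssuranceMap = Dict[str, Dict[str, str]]

SAMPLE_MAP: AssuranceMap = {  # constructed sample, not the article's map
    "Post accruals and provisions":    {"1st line": "H", "2nd line": "H", "3rd line": "H"},
    "Reconcile intercompany balances": {"1st line": "M", "2nd line": "L"},
    "Run depreciation":                {"1st line": "L"},
    "Close posting periods in SAP":    {"1st line": "M", "3rd line": "M"},
    "Review manual journal entries":   {},
}


def best_rating(providers: Dict[str, str]) -> int:
    """Score of the strongest assurance any provider gives a step (0 if none)."""
    return max((SCORE[r] for r in providers.values()), default=0)


def find_gaps(amap: AssuranceMap, minimum: str = "M") -> List[str]:
    """Steps whose best assurance is below what the risk tolerance demands."""
    return [step for step, prov in amap.items() if best_rating(prov) < SCORE[minimum]]


def find_duplications(amap: AssuranceMap, rating: str = "H") -> List[str]:
    """Steps where two or more providers give the same rating: candidates for
    reassigning effort, once the reason for the concentration is understood."""
    return [step for step, prov in amap.items()
            if sum(1 for r in prov.values() if r == rating) >= 2]


def render(amap: AssuranceMap) -> List[str]:
    """Board-view matrix: one row per step, one column per line of defense."""
    width = max(len(step) for step in amap)
    rows = [f"{'Process step':<{width}} | " + " | ".join(f"{line:^8}" for line in LINES)]
    for step, prov in amap.items():
        cells = " | ".join(f"{prov.get(line, '-'):^8}" for line in LINES)
        rows.append(f"{step:<{width}} | {cells}")
    return rows


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_MAP)))
    print("gaps (below M):", find_gaps(SAMPLE_MAP))
    print("duplicated H assurance:", find_duplications(SAMPLE_MAP))
```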
