Liz Loxton 6 Feb 2019 02:04pm

Plugging the assurance gap

With boards seeking certainty that risk is being properly assessed and managed within organisations, assurance mapping is emerging as a viable structure. Liz Loxton reports

Image by Justyna Stasik

Calls for fresh perspectives on risk and governance came thick and fast in the years following the last financial crisis. The received wisdom on what constituted financial and operational strength within apparently solid businesses had been found catastrophically wanting; codes and existing regulatory oversight had lost their credibility. Given high-profile collapses and a growing concern that risk management and assurance were being left to chance, the scramble to reassert both internal controls and external regulatory discipline began. In the UK, the Financial Reporting Council revisited The Combined Code on corporate governance, the Financial Stability Board came into being and stress testing became a regular part of the bank supervisory landscape. Today, within corporations and public sector bodies, however, a more pragmatic framework for providing reassurance about the extent and effectiveness of internal controls is emerging.

FTSE 100 companies’ and large public sector entities’ audit and risk committees have been turning to assurance mapping to provide a framework for their assurance activities and ultimately to report on them to the board and the outside world. External regulation and public opinion remain important drivers, but the mechanics of ensuring that risk assurance work is systematically carried out, properly resourced and reported on has been quietly evolving. Assurance mapping has been around for some years in various forms, but recently it has been gaining ground as a viable management tool that can help organisations assess and interrogate their risk frameworks. In essence, assurance maps provide an overview of risk and assurance in diagrammatic form.

The visual nature of the map is one of the great strengths of this approach, says Alison Dundjerovic, technical manager of ICAEW’s non-audit assurance activities. It provides a top-line assessment of an organisation’s risk framework all on one page. More detailed assessments can be constructed: each element of an assurance map can be backed by full reports. Another great strength is their value as an agreed baseline for assurance activities, says John Ward, who chairs ICAEW’s Audit and Assurance Innovation Panel. “The idea behind an assurance map is it enables the range of assurance activities to a business to be mapped against a risk system or process or whatever topic is important to an organisation,” he says.

Having worked for 30 years in internal audit and assurance delivery, Ward has seen the difficulties in working without a framework that different stakeholders within a business can refer to and agree on. “As a practitioner, one of the biggest risks in delivering internal audit advice is that you can agree a plan for internal audit, but if something goes wrong in the business outside that, the audit chair will still ask why that happened. I used to see an enormous number of internal audit plans that would tell you what was planned for internal audit but at audit committee level it was not really possible to challenge them. An assurance map, if properly set out, should be something that everyone can refer to. If something goes wrong in the business, that promotes a sense of everyone being in it together.”


Guidance on assurance mapping from the Big Four advisory firms and other consultancies is not hard to track down, but ICAEW members are well served, with comprehensive information available via its website along with access to two recent webinars describing how assurance maps are constructed and used. Of the most viewed webpages for the Audit and Assurance Faculty for 2018, nine out of 10 are on the subject of assurance, and assurance mapping is the third most viewed page on the microsite. An assurance map, ICAEW says, is “a structured means of identifying and mapping the main sources and types of assurance in an organisation”.

The purpose of the map is to provide factual analysis that board members, audit and risk committees, senior managers, internal audit and other risk professionals can agree upon. The first step, says Amarjit Atkar, an assurance and governance professional and member of ICAEW’s Audit and Assurance Innovation Panel, is to identify a sponsor who will be accountable for the map and drive its use across the organisation. This might be the audit and risk committee chair, although a slight downside risk to this is that wider participants in the assurance mapping exercise might then tend to see the map as the preserve of the committee rather than a broad-based management tool.

The next step is to determine whether the map is to be a top-line assessment of the organisation or to cover specific projects or implementations. Assurance mapping can be very granular. In very complex organisations with a high degree of operational and project risk, maps have been known to take two years to define. A simple assurance map, however, will have across its top line the “four lines of defence”. These are the types of assurance available to the business.

Typically, the first line of defence will be the overarching control framework and management controls. A second line of defence might include internal review functions such as health and safety, the group legal function and a board review. The third line will often be the internal audit function and the fourth may be external auditors and other third-party assurance providers. To structure the detail of the assurance map, organisations need to define the elements that need assurance. So financial reporting, financial controls, legal, IT and treasury functions will likely appear in the first column, along with HR, tax and pensions. Assurance maps can also be used to map strategic, operational or project risks.

The elements that are important will vary between organisations, but the key is to establish an agreed baseline for discussion and appraisal of assurance activities. The boxes that appear under the top line then provide a high-level analysis of the quality of assurance available in the organisation from high levels through to none. That should immediately demonstrate any gaps in assurance coverage or anomalies – areas where boards and audit and risk committees might discuss providing more resource. That analysis should occur through conversations between the map’s sponsor and its users, taking into account the level of risk associated with each element, its importance and complexity. There may also be assessments and discussions between internal stakeholders and third-party providers. Atkar identifies 10 stages in the process of assembling an assurance map in an Audit and Beyond article (May 2018, pp6-8). A webinar on how to assemble an assurance map can be found on the Audit and Assurance Faculty website.


The most immediate benefit of assurance mapping is the overview it provides of risk assurance within an organisation. It might identify gaps in coverage that could benefit from external expertise in specialist areas, such as the need for a regulatory review or cyber security vulnerability assessment. And different parties within an organisation will benefit. “This might be the first time directors have seen a structured analysis on the state of the main areas of risk or concern. It gives them the ability to ask focused questions,” says Ward. Assurance mapping provides a very clear framework for discussions on internal controls and should make clear to senior managers the impact of their choices around assurance.

For example, the use of a third-party assurance provider may provide too much coverage in a particular area or not enough. And an assessment of the assurance services overall may flag areas of residual risk. Assurance mapping should provide reliable factual information on major risk and control areas, identifying gaps and encouraging evidence-based discussion between risk professionals and managers across an organisation. Crucially, in listed companies they will assist with mandatory reporting requirements, enabling boards to sign off on reports on internal controls. In public sector organisations, they would assist the accounting officer with the same ability to meet risk-reporting requirements. Additionally, they can help to raise awareness within smaller organisations and private companies, providing insight and understanding into their culture and provision of risk management.