What Is Assurance Mapping – A good audit planning process should serve as a platform to demonstrate what an audit can do and build close relationships with key stakeholders, James C. Patterson writes.
For the past 10 years I have been conducting a course on audit planning. It lasts two days and we often start with audit managers explaining their planning process. Common planning steps include consulting with managers and the audit committee, updating the audit committee, and considering areas of concern for internal audit and/or the controller. After that, the differences start to appear:
Further differences arise when discussing the length of any audit cycle or what items are in/outside the scope of the audit universe and what are the weighting factors for the risk ranking of the audit universe.
Internal Audit Performance
Many understand that their audit planning process is a jumble of historical steps with specific priorities that cannot be justified other than by explaining specific factors and weights:
The bottom line is that some audit activities audit “significant risks” (i.e. strategic risks, key programs and projects, and key third-party dependencies), while others mainly audit basic compliance, controls and other standard processes.
We discuss key findings from the IIA’s recent external quality assessments and learn that many audit functions do not conform to the IIA’s design standard and the IIA’s integration requirements. Requirements include:
Therefore, the reason for deficiencies in audit plans is that they are often based on stakeholder and audit committee feedback, which is then tied back to key risks, etc. Most decent EQAs today will say that the plan was prepared that way and may have concerns about why certain items are in/out of the audit plan.
You don’t get a good plan by just pushing input into a model and hitting the calculate button, and you don’t have a good audit plan because everyone is happy!

Hybrid assurance, also known as integrated risk assurance, integrates the risk management efforts of all three channels (and their external assurance providers) to enable an effective control environment and integrated risk reporting for executives and the board.
When implemented successfully, this model results in a complete, organized and accurate view of risk and more efficient and cost-effective risk management activities. Most governance, risk and compliance (GRC) leaders agree that blended assurance represents an effective approach to risk management. Learn how to address these challenges below and download the full guide Advanced Blended Assurance for Critical Risk Management for best practices for developing blended assurance in your organization.
Each company is organized differently based on size, industry and years of operation. Organizations with multiple risk management functions can find it difficult to identify and agree on the right team or individual to lead their collective assurance efforts. Without adequate leadership who can advocate for board and executive support and audit committee support, an integrated assurance initiative can quickly lose traction in the business.
In 2017, the Institute of Internal Auditors (IIA) published a new Alignment and Reliance Standard that recommends auditors begin combining assurance efforts with other risk parties. The IIA 2050 standard specifies:
“The chief audit executive must share information, coordinate activities, and depend on the work of other internal and external assurance and consulting providers to ensure adequate coverage and minimize duplication of effort.”
Internal audit is one of the few groups in an organization that has the most in-depth understanding of the organization’s processes and controls and direct communication with the audit team. Additionally, internal audit, as an independent assurance within an organization, is conditioned to operate at a very fine level of detail before forming opinions about controls. As a result, leading this initiative is a natural activity.
A common misconception is that integrated assurance requires restructuring and change in the basic roles of the three lines and their reporting structures. It is important to convey to your stakeholders that adopting a hybrid assurance model is not a mutually exclusive exercise, but rather an effort to align efforts and share knowledge that will ultimately add value to the organization.
When you meet with other assurance stakeholders, communicate that advancing integrated assurance in your organization is in the best interest of the organization and all stakeholders involved. The IIA 2050 standard, the updated IIA three-line model and communications from external assurance providers such as Deloitte and PwC. Emphasize that integrated assurance does not replace each individual function’s mission statement, reporting structure, or capabilities. Each business function is separate and continues to play its unique role as part of a fully integrated effort to reduce risk across the organization.
Quality Assurance Mapping
Despite extensive risk management work undertaken by many functions, companies may lack a comprehensive understanding of the key risks facing their business. One way this manifests is in conflicting statements of problems; for example, an internal audit report for a particular business unit may be rated as satisfactory, while a health and safety report for the same business unit may contain several high-risk issues. Negative consequences of poor risk visibility include gaps in coverage, significant control failures, and unexpected risk events—despite significant time and resources spent on assurance.
Poor visibility and inconsistent reporting are often the result of different ways of classifying risk and terminology. Launching a joint assurance initiative provides an opportunity to review the gaps in your organization by creating an assurance map. An assurance map like the model below is a living document that helps you identify potential gaps or overlaps in your organization’s risk management processes.
By undertaking this exercise, key assurance partners can quickly identify their coverage and address gaps. It is an important tool for collective assurance meetings to assure stakeholders that A) risks are managed and reported and B) regulatory and legal obligations are met.
Establishing a common control framework for use across operations is fundamental to uniform problem reporting. However, integrating different risk classification criteria and risk definitions into a single risk taxonomy and mapping multiple requirements across different structures is a more complex obstacle for hybrid assurance.
This is a great time for committed stakeholders to step back and strategize at a higher level. Organize your shared assurance goals into easy-to-reference common buckets, as in the example below, and prioritize how to tackle them based on majority opinion.
Visualizing your shared assurance goals in this way will help you make connections between goals, which will help stakeholders think together about solutions that effectively address multiple goals simultaneously.
Understanding the various risks and controlling data exported from multiple systems is a major hurdle when trying to bring together separate business functions under the goal of unified assurance. In a February 2021 survey of more than 1,500 audit, risk and compliance professionals, 56% of respondents indicated that their department’s function manages its data across multiple systems of record.
As a result, assurance partners working in decentralized environments spend more time coordinating version control issues and cleaning up data. The same survey found that nearly 50% of respondents spend between 25% and 50% on administrative tasks, while 15% spend more than 50% on administrative tasks.
A coordinated assurance effort can be viewed as an opportunity to solve multiple problems by working together. Use your integrated assurance initiative as a dual front to help stakeholders organize their records by moving their risk data to a centralized record system. This will not only help alleviate decentralization issues for individual GRC functions, but also streamline several key goals of integrated delivery:
Achieving a mature integrated assurance position can provide organizations with a competitive advantage in a changing risk environment. For more ways to improve your company’s integrated assurance practices, check out our full guide to improving integrated assurance for managing key risks.
Anand Bhakta is Senior Director of Risk Solutions and Co-Founder and Director at SAS. He has over twenty years of auditing and consulting experience. Prior to SAS, Anand was with Ernst & Young for 8 years and was a trusted advisor to several internal audit and group executives. Connect with Anand on LinkedIn.
Audit Impact Assessment and Assurance Map are interdependent – and the best possible starting point for Blen. An impact assessment begins with a critical review of your organization’s current status or existing. As you review your current position, use your findings to create your commitment map. You really can’t do one without the other. The map will therefore reveal potential overlaps and gaps and provide insight