Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
3D.3 Assurance Mapping<br />
Senior management and the governing body receive assurance from various internal providers<br />
(e.g., management, internal control, risk and compliance, and internal audit) and external<br />
providers (e.g., SAI, inspectors, and other consultants). An assurance map is used to record<br />
which party is providing assurance on each group of key risks and control to avoid unwanted<br />
gaps and unnecessary overlaps and duplication. Some gaps may be deliberate, especially<br />
where management regards those risks as being of a lower priority or controls are known to be<br />
reliable and effective. Likewise, some overlap and duplication is intentional for high risk areas,<br />
new risks, or areas requiring a high degree of specialist expertise where a second opinion is<br />
valued.<br />
Assurance mapping can also help with audit fatigue which can arise in teams subject to multiple<br />
reviews, inspections, and investigations in a relatively short period of time. Assurance provides<br />
can collaborate on timing to minimize this danger. Alternatively, two audits may be conducted<br />
together.<br />
Internal audit may use the map to inform their planning and determine whether there is scope to<br />
use the work of other assurance providers rather than repeat it. Management may use the map<br />
to ensure resources and structures are being utilized with the greatest efficiency and<br />
effectiveness.<br />
The internal audit function is well laced to create such an assurance map.<br />
The IIA guide Coordination and Reliance: Developing an Assurance Map suggests five steps for<br />
producing an assurance map:<br />
1. Identifying sources of risk information.<br />
2. Organizing risks into risk categories for consolidated viewing.<br />
3. Identifying assurance providers.<br />
4. Gathering information and documenting assurance activities by risk category.<br />
5. Periodically reviewing, monitoring, and updating the assurance map. 49<br />
A further advantage of the assurance mapping process is it requires assurance providers to<br />
share information with each other and thus help to create a more coherent view of the<br />
organization.<br />
An assurance map can take many forms. It will likely reflect the risk categories adopted by the<br />
organization and used in the risk register. An example assurance map is shown below. The<br />
example does not include external assurance providers which should be considered for a<br />
comprehensive picture.<br />
49<br />
Coordination and Reliance: Developing an Assurance Map, The IIA, 2018.<br />
78
Change language