Assurance Mapping for Connected Risk Visibility

The complexity of key risks grows constantly, and every team needs help tackling risk management. In Standard 9.5, Coordination and Reliance, the new IIA Standards reinforce the need for internal audit to coordinate and collaborate more closely with other assurance providers. While the standard is similar to the prior version, The IIA now provides more detail on how practitioners can demonstrate that they execute it, and has reintroduced a tool internal auditors can use to do so quickly: assurance maps.

This article demonstrates two methods for creating an assurance map and breaks down a list of comprehensive resources on the subject. My hope is that your internal audit team will be able to leverage this powerful tool to improve the organization’s understanding of risk exposure and achieve conformance with the new Standards.

Why Focus on Assurance Mapping?

Even with a strong understanding of the three lines model, many companies have never formally identified and documented the full population of internal and external assurance providers within their organization. 

In a June 2024 Flash poll of 1573 internal audit professionals, nearly half of respondents reported not having assurance maps built out to document the teams and activities providing assurance over key risks. 42% of internal audit teams had created their own set of assurance maps, and 11% were leveraging assurance maps created by a second-line function. For the group that does not yet have an assurance map, the IIA Standards are a great opportunity to prioritize creating a resource that will be valuable to you and your second-line colleagues.

Assurance Mapping for Connected Risk Visibility - Graph

We can only claim to know how risks are managed if we know who is involved in the assurance process. In the Considerations for Implementation section of the standard, The IIA points out that the lack of visibility leads to “gaps and duplications in assurance coverage” (see excerpt below). The best way to avoid this situation is to strategically leverage the other assurance providers in the organization to effectively combat rapidly changing risks and staffing constraints. 

Standard 9.5 Coordination and Reliance, Considerations for Implementation:

One method to coordinate assurance coverage is to create an assurance map, or a matrix of the organization’s risks and the internal and external providers of assurance services that cover those risks. The assurance map links identified significant risk categories with relevant sources of assurance and provides an evaluation of the level of assurance for each risk category. Because the map is comprehensive, it exposes gaps and duplications in assurance coverage, enabling the chief audit executive to evaluate the sufficiency of assurance services in each risk area. The results can be discussed with the other assurance providers so that the parties may reach an agreement about how to coordinate activities. In a combined assurance approach, the chief audit executive coordinates the internal audit function’s assurance engagements with other assurance providers to reduce the frequency and redundancy of engagements, maximizing the efficiency of assurance coverage.

IIA Global Internal Audit Standards

What Is an Assurance Map?

An assurance map is a collaborative tool that breaks down silo walls and allows everyone involved in risk assurance to coordinate their efforts. It includes a listing of the assurance teams and the work they perform related to key risks. With all of the efforts laid bare, the teams have a consolidated view of the organization’s full risk management portfolio. This collaborative approach ensures that all teams are involved and have a say in the risk management process. 

How to Build an Assurance Map

In practice, an assurance map typically starts from a risk perspective that maps to activities performed by assurance providers. For this exercise, I will assume the CAE is leading this effort. Our goal is to document the assurance teams and their efforts and then map the efforts to key risks while showing a relative level of risk coverage. The CAE can provide a model for the other teams by sharing the audit plan and any continuous monitoring or other programs within the team. This approach ensures the teams include all their risk-related activities, but it can lead to a subjective mapping of the efforts to key risks. 

In the example assurance map from KPMG below, each team is listed, and each activity is mapped to a key risk.

Sample Assurance Map, KPMG.

By starting from a risk perspective, the CAE sets the baseline for the conversation as an inventory of key risks to the organization. They likely have a good starting point from a recent risk assessment. Next, they will map audit plan activities to the key risks to show coverage provided by internal audit. This approach ensures that all teams have a common starting point for key risks, which may help them consider more activities, and they can add to the list of risks as needed. The downside is that they may limit their response to the risks the CAE provided. However, this method provides a balanced view of the assurance mapping process, allowing for a comprehensive understanding of the approach. 
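As an added example (not from the article, The IIA, or KPMG), the following Python models the matrix the Standard 9.5 excerpt describes: key risks as rows, assurance providers as columns, a level of assurance in each cell, and two checks that surface the gaps and duplications the map is meant to expose. The four-level scale and the sample risks and providers are constructed assumptions.

```python
"""Minimal assurance map: a matrix of key risks x assurance providers with a level per cell."""
from dataclasses import dataclass, field

# Constructed ordinal scale for the "level of assurance"; the Standard does not prescribe one.
LEVELS = {"none": 0, "limited": 1, "moderate": 2, "substantial": 3}


@dataclass
class AssuranceMap:
    risks: list[str]       # key risks, e.g. from the CAE's latest risk assessment
    providers: list[str]   # internal and external assurance providers
    cells: dict[tuple[str, str], str] = field(default_factory=dict)

    def record(self, risk: str, provider: str, level: str) -> None:
        """Record the assurance a provider's activity gives over a risk."""
        if risk not in self.risks or provider not in self.providers or level not in LEVELS:
            raise ValueError(f"unknown cell {risk!r}/{provider!r}/{level!r}")
        self.cells[(risk, provider)] = level

    def level(self, risk: str, provider: str) -> int:
        return LEVELS[self.cells.get((risk, provider), "none")]

    def coverage(self, risk: str) -> int:
        """Best single-provider assurance level over the risk (0 = nobody covers it)."""
        return max(self.level(risk, p) for p in self.providers)

    def gaps(self, minimum: str = "moderate") -> list[str]:
        """Risks that no provider covers to at least the minimum level."""
        return [r for r in self.risks if self.coverage(r) < LEVELS[minimum]]

    def duplications(self, minimum: str = "moderate") -> list[str]:
        """Risks where two or more providers each give at least the minimum level."""
        return [r for r in self.risks
                if sum(self.level(r, p) >= LEVELS[minimum] for p in self.providers) >= 2]


def build_sample_map() -> AssuranceMap:
    """Constructed sample data for illustration, not from any real organization."""
    m = AssuranceMap(
        risks=["Cybersecurity", "Vendor management", "Financial reporting", "Data privacy"],
        providers=["Internal Audit", "InfoSec", "External Auditor", "Compliance"])
    m.record("Cybersecurity", "Internal Audit", "substantial")   # audit plan engagement
    m.record("Cybersecurity", "InfoSec", "moderate")             # second-line monitoring
    m.record("Vendor management", "Compliance", "limited")       # policy attestation only
    m.record("Financial reporting", "External Auditor", "substantial")
    m.record("Financial reporting", "Internal Audit", "substantial")  # audit plan engagement
    return m
```

Running `build_sample_map().gaps()` and `.duplications()` on the constructed data lists Vendor management and Data privacy as gaps and Cybersecurity and Financial reporting as duplications, which is the starting point for the coordination conversation the Standard describes.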

Assurance Mapping in Practice

I recently discussed the practice of assurance mapping with Scott St. John, the VP of Internal Audit at Darden Restaurants. The internal audit team at Darden uses the second method, starting from a list of top enterprise risks. To give their assurance partners a common starting point, they create an initial version of a map for a given risk that includes critical data points such as:

  • Risk description
  • Sub-risk considerations/trends
  • Principal risk owners/functions
  • Mitigating controls, policies, and practices
  • Control maturity
  • Key metrics/KRIs
  • Existing external provider and/or internal audit control assurance
  • Potential additional assurance opportunities

Scott explains, “Giving our assurance partners a common starting point ensures a consistent level of conversation since we are all speaking the same risk language.” He noted that his team has found several ways to make documenting assurance maps easier: “First, having a dedicated and structured risk and control matrix makes centralizing an assurance map much simpler. We have also found that having internal audit present for second-line function activities such as periodic business reviews, various risk committee discussions, and incident response tabletop exercises helps us gain better insight into the risks associated with current business initiatives as well as facilitate conversations around potential incremental control and assurance needs.”

Guidance From Partners on Creating an Assurance Map

Assurance mapping has become essential for internal auditors looking to provide comprehensive oversight of organizational risks and controls. As its adoption grows, many leading audit and consulting firms have released valuable guidance to help professionals implement assurance mapping effectively. 

Because there are so many nuances to creating an assurance map, instead of being prescriptive, I have compiled key insights from prominent firms such as Deloitte, PwC, and KPMG, as well as professional organizations like ISACA and The IIA. Each offers a unique perspective on aligning risk management and compliance through assurance mapping, providing a holistic view to enhance audit efficiency and risk assessment.

An Assurance Map Is Just the Beginning

The potential benefits of assurance mapping are significant. A comprehensive view of the organization’s risk management portfolio allows for better coordination, resource allocation, and a stronger assurance process. However, an assurance map is only the first step to ensuring adequate risk coverage. Gaps in coverage or weak coverage areas highlight the need for additional assurance efforts. Strategic audit teams closely review assurance work done by all internal and external assurance teams and, when possible, validate the adequacy of that work and then rely on it instead of re-performing assurance steps as part of their planned engagements. The audit team can then reprioritize their time and resources toward other assurance needs.

Internal audit teams that dedicate more time to building their assurance maps will find that they can provide more assurance because they can rely on other assurance providers’ work. The audit team consolidates more knowledge about their organization’s top risks and can use that knowledge to shape its other activities and services.

Tom

Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.