By James C Paterson
It’s actually my 15th anniversary working on assurance mapping, first as head of audit for AstraZeneca and, for the past 10 years, consulting to clients and leading training for the IIA on this topic (next for the IIA Netherlands on 6th-7th May 2020).
As readers may appreciate, an assurance map involves measuring the amount of assurance from different parts of the organisation, and – since 2017 – this is now an expected part of the IIA’s standard 2050 on co-ordination and reliance, where it explains “a consistent process for the basis of reliance [on others] should be established”. The idea here is that we ought to be able to “join together the jigsaw puzzle” of different assurances and be objective about other assurances (e.g. from Health & Safety, Risk, Legal and Finance), not just do this based on impressions.
People will often ask me for a “route map” to deliver a successful assurance map, and a simple formula to measure the amount of assurance being given by different parts of the organisation. There are important key lessons to share, but my overall advise is: “I can point out a likely route, but we need to be clear with where you are now, and whether there are likely to be any significant difficulties and obstacles that you might face, so we can agree where best to start and how quickly to progress”.
It might seem strange to be talking about difficulties and obstacles for such an “obviously good” idea, but time and time again, what seems to be sensible and straightforward turns out to be more complicated; sometimes for technical reasons, and sometimes for practical and political reasons. Here are some of the pitfalls to watch, alongside some advice, which we will explore in much more detail at the workshop.
Danger zone 1: Assuming everyone agrees how much assurance is needed
You would think that everyone might agree how much assurance is needed for a risk, but experienced auditors will recognise a mindset from some managers that says: “The risk must be under control, since I’ve not heard any bad news to date.” Now if this concerns a low impact risk area, where management are relaxed about some issues arising, this is fine; but if it is a high priority risk area where even minor issues could be problematic, then more assurance will be needed.
Advice 1: Recognise that what constitutes “reasonable assurance” will depend on the risk appetite in relation to the risk. And if the risk appetite is unclear then assurance mapping will reveal this, whether you like it or not!
Danger zone 2: Mistaking process assurance for risk assurance
Many organisations create processes for procurement, for anti-bribery and anti-corruption etc. and then progress their assurance efforts by looking at whether controls are in place in the process, and how they are being checked or assured. However, the fact that a process is working well does not mean that the risk is being managed well, since a key risk might be that the process is being by-passed in some areas!
Advice 2: Remember IIA standards insist on risk-based audit work and risk-based assurance; therefore do not accept process assurance as automatic confirmation all is well. Remember that risks can be like wild animals, and may do their best to avoid being controlled.
Danger zone 3: Focussing on assurance functions and internal audit
It’s so easy to think of risk assurance mapping and assurance co-ordination as something that primarily concerns specialist functions and to not involve staff and management. It is vital that relevant key staff and managers are engaged in assurance efforts, because they may carry out control activities or monitoring, or commission consultants to work on risks and processes, all of which has a direct impact on the amount of assurance being provided; for example what’s the point of doing an audit review if a risk area is being benchmarked, or improved already, via help from a consultant!
Advice 3: Ensure all three lines of defence are represented in an assurance map. Note this is expected from the IIA practice advisory on assurance maps, where it says: “assurance from line management is fundamental.”
Danger zone 4: Watch out for over-simplistic assessments of assurance.
People will sometimes ask me “do you think this function is in the first line or the second line.” And I will say: “Why does this matter”? The response is often that if the assurance is line 2, then that will mean that the level of assurance provided is better. Based on my experience as a CAE, and work with clients, I would say that you can’t always tell how much assurance you are getting just because something is in the second line of defence. Some second line functions do lots of monitoring and checking of activities, whilst others confine themselves to just writing policies and letting the organisation worry about implementing them. Likewise some managers are very professional and detailed conscious and when they check something carefully they will be (effectively) providing assurance, whereas others are causal and don’t check at all. Likewise, even internal audit levels of assurance can vary considerably depending upon the scope of an assignment, the amount of time devoted to sampling etc. and the frequency since it was last checked.
Advice 4: Recognise the quality of risk assurance is not automatically dependent upon which line of defence. A good assurance map will recognise good and bad assurance is possible in all lines of defence.
Danger zone 5: Underestimating the importance of accountabilities
In my role I have had the opportunity to review countless assurance documents and one of the common pitfalls I see is that whilst they may consider high level accountabilities for a risk, they may not necessarily resolve role ambiguities “on the ground”. Common problems include making assumptions that line managers are accountable for a risk area because this is stated in a policy or procedure, without actually establishing whether they do, in fact, feel accountable. Time and time again you will hear: “I thought [someone else] was accountable for that”. Note also that functions such as Health & Safety, Data Privacy or IS Security, may not always agree that they are accountable for the risks they have an interest in; here you may hear: “I only write the policy and offer guidance when there are concerns, its senior managers in the business that must implement policies and provide assurances”.
Advice 5: Do not ignore roles and accountabilities when doing an assurance map, including what assurance exactly is being provided by second line functions. This means getting proficient in accountability mapping tools such as RASCEIO (which is a development from RACI).
Danger zone 6: Not thinking through the “so what” and “now what”
A good assurance map will highlight gaps and overlaps in the assurance jigsaw. In practical terms this may mean needing to clarify detailed management accountabilities for a risk, the risk appetite in relation to a risk, or the need to strengthen (or reduce) the amount of monitoring or auditing of a specific risk areas. This means that there will need to be actions proposed after an assurance mapping exercise, and a resolution / agreement what will be done, by who and by when. This means it is important to think ahead who will need to be engaged to help drive any final decision; this may mean engaging a risk committee or even the chief executive if it involves strengthening the authority of the head of legal or head of health and safety. In addition, managers and stakeholders are entitled to ask “ how often will you carry out an assurance mapping exercise” and “doesn’t this duplicate work being done by risk or compliance?” Which means you need to think carefully about how to integrate key assurance concepts into other business as usual activities, such as performance management and risk management, so that assurance work doesn’t become a burden.
Advice 6: Take time, before launching an assurance mapping initiative, to think through “so what” scenarios, so that you can explain to stakeholders what they might be asked to decide, and also to reassure them that assurance work will not just create more and more bureaucracy.
It’s also worth being aware that stakeholders may have “agendas” about what they want an assurance map to say, which can result in discomfort if the assurance map does not confirm what they were expecting, and/or puts them in a bad light. For this reason, keeping both the audit committee and senior management on board is vital when progressing an assurance map, and likewise its normally preferable to try some pilot assurance maps first (GDPR assurance maps, project assurance maps and third-party assurance maps seem to be most popular at the moment).
In conclusion, I would encourage those reading to regard assurance mapping and assurance co-ordination techniques as a vital tool to help any internal audit function move to the next level (and to pass an EQA!). That said, note that there are complexities from assurance mapping that are best thought through in advance.
As one head of audit said to me after the first day of the assurance mapping workshop in November last: “I thought this was quite a straightforward topic, but now I think about it, I need to be more thoughtful about the why, where, when and how of this. And I see much more clearly now why some others have got into difficulties”.
If you feel the same, or have insights to share, then please join us in early May – otherwise best of luck!
About James C Paterson
James C Paterson is a former CAE and runs training for 12 IIA institutes in Europe, including the IIA NL. He is also the author of the book “Lean Auditing” published by J Wiley in 2015.
James will present at the IIA NL conference on internal audit and politics in June 2020, and also be at the IIA international conference in Miami in July presenting on lean and agile and also root cause analysis. He will be back again in the Netherlands in late September.