All Gone to Custard – Another take on Assurance Maps

A recent survey by the Economic Intelligence Unit indicated that 67% of companies believed they had overlapping coverage in two or more risk functions. 50% suggested there were gaps in coverage between their risk functions, and 62% believed they could get better coverage with less spend. Assurance mapping can be a useful tool for getting better bang for buck and avoiding assurance gaps.

Assurance maps are not a new thing. I saw my first ones in the mid-90s when control self assessment (CSA) and control risk self assessment (CRSA) were the next big things. They produced lovely heat maps. Sagely souls who were in the internal audit profession will tell me assurance maps are just a version of the audit universe with a bit of marketing flair.  To a large degree they’re right – nothing much new under the sun it seems.

The problem of course with a transient profession like internal audit is that we lose a lot of corporate knowledge and finesse and once people move on everything old is new again.  CAATs are now data analytics, CSA and risk software are now GRC and the audit universe is now an assurance map. This is great for ‘old timers’ like myself who are very familiar with ‘old rope’ and can show others what to do with it and how not to get tied up in it as we all did back in the day.  It also helps us distinguish between marketing spin and genuine innovation.

Assurance maps have gained currency again, and this can only be a good thing. They were reintroduced as a recommendation in the King Report in South Africa in 2009, IIA HQ followed with strongly recommended guidance on them and this month IIA Australia has put out a useful example for their Insights ‘audit in a box’.

Assurance maps are not leading practice. They should be an industry norm, but in my travels I’m still surprised at how many audit shops (including outsourced ones) don’t have these in place. Assurance maps help the Chief Auditor and Audit Committee answer the question ‘have we missed anything important?’.  In my mind I’m not sure how those officers can answer this question without some sort of assurance map. In short, if you don’t have an assurance map, you need one.

Taking assurance maps to the next level

IIA Australia’s ‘audit in a box‘ gives a useful example of what most people would understand an audit universe or assurance map to be.  On the vertical axis it shows the list of key processes where assurance may be sought, and on the horizontal axis it lists the business units where coverage may be sought.  This is a very practical first step, and something I would suggest should be an appendix to any audit plan being submitted for approval.

If you read The King Report and IIA’s Practice Advisory closely though, there is a suggestion of taking this a step further, with assurance on key risks rather than just on key processes.  This is a more complex exercise and one likely to cause confusion if you haven’t dealt with the audit universe first and don’t have a mature risk function.  I spent several years of my life developing methodologies for the big 4 to do this and my view from this work is that it’s difficult to simplify these risk assurance maps to a page at a glance, and if you’re doing to do these types of assurance maps, you still need to do the audit universe. Of course your ability to do this will depend on how mature your risk function is.  Alas many risk functions are not mature enough or well enough integrated with internal audit to do this.

Taking it further – the custard chart

Ever heard that saying – “it’s all gone to custard?”.

From an assurance standpoint, process variations, system failures and control breakdowns tend to happen for a range of reasons which may or may not appear on the businesses risk radar on a timely basis, or potentially at all.

From my perspective, these sorts of risks – the risks that internal audit is normally concerned with arise from the following:

• New processes (re-engineering or new areas of business)

• New IT systems

• Changed accountability  (changes in organisaton structure or changing out of key management personnel)

• Staff turnover beyond say 20% (due to growth, churn or both)

In these cases, any assurance you’ve had in the past is null and void, and this is when greater assurance is likely required. Typically I used to highlight these in yellow (custard) as set out below.

I’m a big fan of using charts to convey a message. During a reorganisation it can be a very effective way of getting people’s attention by highlighting the areas under change in yellow with a message of “chances are, its all going to custard, you need assurance”, or being able to visually give the all clear.

An assurance heat map highlights hot spots in the business where these changes are happening.  It enables recalibration of the audit plan to identify when support is needed and avoids ‘bayoneting the wounded’ after things have gone off the rails. By comparison:

• an audit universe is static – it shows what you’ve looked at in the past without a sense of whether that assurance is still valid.

• A risk coverage map by it’s nature is hard to update and represent in real time, particularly if your risk framework is immature.

Our view

IIA Standards set the minimum acceptable standards for internal audit and tend to be lagging by nature.  By definition our maturity model tends to rate anything in International Professional Practices Framework as a 3 out of 5 at best. If you regularly find things in the IPPF that you’re not doing yet, you are lagging and probably need to lift your game.

Our thoughts on assurance mapping:

Level 2 or below

No assurance mapping as yet – you are unlikely to be meeting your professional responsibilities or enabling your stakeholders to meet theirs.  Start working on your audit universe in the format provided by IIA Australia in time for the next audit plan.

Level 3

Audit universe (processes by business unit) in place and updated periodically – you are operating at the required industry standard.  Your challenge will be to present this in a way to your stakeholders that they can take in.  You are now ready to implement the assurance heat map which will help you become more proactive in a measured way.

Level 4 and above

Risk assurance map – you are probably in the upper quartile of organisations and your peers would benefit from hearing about what you’re doing and how it works.  We suggest also maintaining the audit universe type map so you don’t inadvertently stray too far from your core areas and some sort of assurance heat map to make sure your view of audit risk is up to date.

Assurance heat map (Custard chart) – you are leading practice. Your audit plan probably changes quarterly and your stakeholders are delighted at how you’re able to anticipate their needs before they even realise they need help.  Again, your peers would benefit from hearing about what you’re doing and how.

About TDA

Todd Davies & Associates is a boutique firm specialising in leading practices in internal audit, risk and assurance.  We work with organisations to help them define and achieve leading practice.  What could you achieve with TDA on your team?