With the introduction of the new Companies Acts and other Corporate Governance requirements, assurance levels are only going to become more onerous. Assurance mapping is increasingly mentioned as a solution to help Directors meet these requirements, although there is still a limited understanding as to what this entails.
What is assurance mapping?
Assurance mapping is a technique which enables a visual representation of comfort (assurance) activities as they apply to a specific set of risks or compliance requirements facing an organisation. It can be used to map out detailed compliance requirements (for example health and safety requirements or directors’ duties) or to map out the top risks of the organisation. Activities are then documented to cover all areas identified (at a basic level you might have had a health and safety audit recently and have a Health and Safety officer who provides assurance etc. for health and safety risks).
It is important that assurance on the specific risk/compliance requirements is provided and documented in relation to the three lines of defence. These are: the assurances gained from management (i.e. that designed controls are being implemented on a day-to-day basis); the assurances gained from the risk management and compliance functions; and the internal audit function or other external assurance provider/ specialist.
Assurance mapping takes the risk-set or compliance-set identified and details where the assurance for each of the risks or compliance requirements can be obtained. Once operating, it should also indicate the strength of assurances provided and the last time an independent review of these assurances was carried out. This gives a clear visual representation to the reader of the strength of the assurances.
The benefits of assurance mapping
With an increased focus on compliance aspects in organisations in addition to governance and the Board’s responsibilities in the last number of years, assurance mapping can be a useful technique to enable directors to understand how they can obtain assurance on the key risks and compliance requirements facing the organisation.
There are a number of reasons why organisations are turning to assurance mapping. Once you have mapped out where you are obtaining assurance from (for example, an external provider has completed a specialised review on this area in the past 12 months etc.) you will be able to identify if there are any gaps in assurance. Quite frequently, although there are assurance activities taking place, they may not cover all of the areas relating to the organisation’s key risks or compliance obligations. This enables informed decision-making with regard to utilising available resources (e.g. utilising resources used on specialists to provide assurances on key risk areas instead of health and safety which is fairly well-assured).
The other key benefit to organisations is that it can help to identify duplicated effort. Quite often assurance is provided separately on the same area across an organisation. Assurance mapping can be used to identify and eliminate these duplications. For example, a health and safety expert may have been in the organisation completing a review of health and safety. Health and safety compliance may be an item on the internal audit agenda. This might result in the internal audit plan being changed (assuming there were no high priority issues emerging from the health and safety review) and freeing up internal audit resources to complete a review on an alternative area.
There are increased assurances being sought from board members, from the new compliance statement requirements and the codified directors’ duties under the new Companies Bill which is due to be enacted shortly, to the increased vigilance being required of directors. One of the real benefits of using assurance mapping is the level of transparency that is offered to directors with regard to the assurance available to enable them to make the required statements and/ or fulfil their duties as directors.
Some common issues
Although in theory the process seems quite straightforward, there are a couple of common issues that can arise when an organisation first embarks on an assurance mapping exercise. The first is that an attempt might be made to create an “all-encompassing” map. The process can become over-engineered and complex quite quickly which can fail to get the right level of buy-in and may not produce the required information. It is best to trial the process with a specific set of risks/ compliance requirements and broaden it once you have reached adequate conclusion on the piloted risks/ compliance area.
Another common issue can be relying on old/ irrelevant assurances. For example, an external review of information security may have been carried out 18 months ago but the organisation may have implemented new IT systems since then. This would make the assurance at least partially redundant. It is important that the assurances mapped are current and relevant.
Summary
If the right approach is adopted, organisations can obtain a high level of assurance, in the right areas, with the best use of their inputs. Onerous compliance and assurance requirements are here to stay and organisations should look now at streamlining their assurance processes to get the most from their resources.