In this article, we consider why, and how, you can start to build an integrated assurance model/map.
In the recent BEIS white paper, Restoring trust in audit and corporate governance, we see integrated assurance being brought to the fore as a means of achieving the aims of the reform.
Our recent video provides an overview of the white paper recommendations and some tips to strengthen your internal control environments. Here we expand on some of these key themes.
Let’s start with why you want to align your assurance functions
The white paper places an integrated assurance model at the forefront of achieving the reform aims set out by the government. Integrating assurance functions across the organisation is a cost-effective way of coordinating risk and controls, and it provides oversight of the governance responsibilities.
Many organisations have multiple control functions to manage critical risks, which are often siloed with overlapping or uncoordinated activities resulting in gaps, disruption, confusion, or wasted effort. Building an integrated assurance model will create one single view of the effectiveness of your control environment whilst maximising your testing effort.
Assurance mapping aggregates the results of risk assurance activity across all lines of defence, enabling an organisation to determine the overall level of confidence it has over its system of risk management and control.
It also determines the quality of assurance contributed from each line of defence to assess areas for improving and optimising risk oversight.
How to get started with integrated assurance mapping
Taking a step back and assessing your organisation’s level of coordination of assurance functions and providers can be a starting point for achieving integrated assurance within the organisation.
The good news is that you can get started immediately with a current state assessment and initial mapping with very few resource requirements. Speaking to all the key stakeholders can prove challenging due to business commitments, so it is good to have this initiative sponsored and driven by the C-suite as well as the Audit Committee, Risk Committee and the Board (tone at the top).
There are multiple ways of building an integrated assurance map/model, which can be as detailed or complex as you need. Whichever method is adopted, the outcome is a snapshot that can easily be shared with the Board, Audit Committee or Risk Committee to provide an overview of the risk coverage and an opportunity to efficiently identify gaps and duplication of effort.
If you can answer the following questions, you can get started immediately (and if you can’t, please get in touch to discuss how we might be able to support):
- What is the organisation’s business strategy?
- What are the key risks to the organisation?
- What is the structure of the company (i.e. divisions / locations)?
- Who are the key persons across your three lines of defence?
- Who provides you with assurance?
- Who provides assurance and what committees provide oversight?
Once the information is collated, the map can be formed, and gaps and overlaps can be identified. The lines of defence need to be coordinated, and an agreed risk scale determined, to establish a robust control framework that can be consistently applied across the organisation. The result is maximised risk and governance oversight and control efficiencies.
The process of integrated assurance mapping doesn’t have to be cumbersome; the key to successfully achieving the objective is communication. It is important to explain what the organisation is aiming to achieve from incorporating integrated assurance. This is the easy part. It is the next steps that take time and planning, as they involve coordinating and aligning the three lines of defence.
Incorporating the points below within your action plan will help to achieve a well-coordinated, integrated assurance model - which goes hand in hand with a robust control framework:
- Focus on the most significant risks and key controls
- Eliminate duplication and reduce time spent on assessing controls
- Be consistent: talk the same risk language, and use the same terminology, uniform rating scales, issue logs and report formats. Consistency increases efficiency when combining results and reporting to the Audit Committee, Risk Committee and Board.
- Align roles and responsibilities across assurance functions
- Integrate reporting into one system of control
Putting an action plan in place now, to build or enhance your organisation’s integrated assurance model, is the first step towards cost-effective coordination of risk and controls and essential oversight of the governance responsibilities.