IIA South and IIA East. Assurance Mapping. 2 nd February David Alexander

Transcription

1 IIA South and IIA East Assurance Mapping 2 nd February 2018 David Alexander daa.risk@gmail.com

2 TODAY S PROGRAMME Examine the benefits and pitfalls associated with assurance mapping Review examples and highlight where to look for further guidance Examples from delegates successes and challenges Try to bring Assurance Mapping to life!

3 Initial audience feedback (via Slido) 1. How well does your organisation embrace the 3LOD concept? Completely: 28% Mostly: 28% Partially: 20% Limited: 24% 2. Has anyone used an assurance map in your organisation? Yes: 66% No: 17% Don t Know: 17% 3. If you asked your Audit Committee chair their prime source of assurance that risk and control framework is working effectively? Exec Management: 3% 2 nd Line: 0% Internal Audit: 97%

4 There is a ton of Guidance: IIA ICAEW OECD EU Professional firms

5 Some Quotes Assurance mapping it s too complicated, too time consuming I ve got an audit plan to complete! (HIA) Nobody s really interested, apart from the Head of Audit, who uses it to tell us how to do our jobs better! (Compliance Manager) Apart from IA, has anyone else in our company got the word assurance in our job description? No so why are you telling me I have to do it? (Risk Manager) The results and comments to date have been very encouraging.. (HIA City Council)

6 Assurance... is an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organisation. An Assurance Map.. is a structured means of identifying and mapping the main sources and types of assurance in an organisation, and coordinating them to best effect.

7 An assurance map is the tool that enables the evidence to be assembled. It also provides the evidence that may be needed to support: management confidence in their assertions; audit committee assurances to the board on the state of internal controls; and public statements by the board as to the state of internal control.

8 In a smaller or less complicated organisation a full assurance map will not be needed. However, the same principles apply and the assurance mapping approach can still be a useful guide for thinking through the connection between risk management and assurance.

9 Assurance Maps The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts. There are fundamentally three classes of assurance providers, differentiated by the stakeholders they serve, their level of independence from the activities over which they provide assurance, and the robustness of that assurance. Reporting to: 1. Management; 2. the Board and 3. external stakeholders

10 It is the responsibility of the CAE to understand the independent assurance requirements of the board and the organization, to clarify the role the internal audit activity fills and the level of assurance it provides. In organizations requiring an overall opinion from the CAE, the CAE needs to understand the nature, scope, and extent of the integrated assurance map to consider the work of other assurance providers (and rely on it as appropriate) before presenting an overall opinion on the organization's governance, risk management, and control processes.

11 Extract from OECD report post financial crisis At the moment, there is a sense in which assurance simply happens. It is not a planned activity in the way in which parts of it are executed:. for example most internal audit departments normally prepare an annual plan which is presented to and discussed with the Audit Committee. However, there is rarely an overall, documented plan for the totality of assurance that is required at board level and which the board needs to provide to other stakeholders.

12 In order to assess the requirements for resources and funding for assurance purposes, the board should annually prepare or update an assurance map which should as a minimum: 1. Document the people to whom assurance is required to be provided (eg regulators, investors, customers and so on), the nature of the assurance, how that assurance is to be provided and how the board is going to satisfy itself that the assurance that is being provided is truthful, correct and appropriate in all the circumstances.

13 2. Document the manner in which the board will seek and obtain assurance that what they are told is happening in respect of the business is indeed happening in order to discharge the assurance aspects of their Corporate Governance duties to exercise risk management oversight. 3. Document the way in which the board is assessing, monitoring and managing the risk management culture, and progress towards becoming a risk intelligent organisation

14 ASSURANCE MAPS THE PRINCIPLES (2015). ensuring the disparate assurance mechanisms are harnessed and focused to provide the best results in a proportionate and effective manner. Pre-requisites for successful creation of an assurance framework include: Support and direction from the board and ownership for the framework at Board level; Clarity on what you want it to achieve (particularly encompassing Board needs); Building the framework first within a manageable boundary (beginning with the high level strategic and key process risks); Simplicity don t try to cover too much in a single assurance map (some organisations have different maps at different levels or separate maps for planning and evaluation); and Avoid technical jargon; processes should aim to foster a common clearly understood language.

15

16

17 BENEFITS FOR BOARDS AND SENIOR MANAGEMENT Provides timely and reliable information on the effectiveness of the management of major strategic and operational risks and significant control issues. Provides an opportunity to identify gaps in assurance needs that are vital to the organisation, and to address them in a timely, efficient and effective manner. Can be used to raise understanding of the risk profile, and strengthen accountability and clarity of ownership of controls and assurance thereon, avoiding duplication or overlap.

18 BENEFITS FOR BOARDS AND SENIOR MANAGEMENT Can clarify, rationalise and consolidate multiple assurance inputs, providing greater oversight of assurance activities. Facilitates better use of assurance skills and resources. Ultimately allows the analysis and comparison of assurance against the totality of internal controls. This enables evidence based corporate reporting and statements about the effectiveness of internal controls to be properly supported in a structured manner.

19 BENEFITS FOR THE RISK AND AUDIT COMMITTEES Assists them in understanding the current state of assurance, highlighting areas of low coverage, extensive or over coverage and gaps in understanding Allows decisions about relative risk to be made and direction provided to Internal Audit and other assurance provider resources to fill any gaps Allows better evidence to be assembled to support the assurances provided to the Board on the state of internal control, as well as public reports on governance and statement of internal control.

20 BENEFITS FOR INTERNAL AUDITORS Enables them to evaluate the state of risk and control more quickly and more effectively and in line with management perspectives. Enables them to focus their effort where there are gaps in the first and second lines of defence and to include providing an independent assessment of the quality of assurance provided by the first and second lines of defence. Relates the state of risk after internal audit engagements to the totality of internal control and identify pervasive issues more easily. Enables them to report more readily on their own perspective of the state of internal control based on the extent of their own work and evaluation of the management profile as set out in the assurance map.

21 BENEFITS FOR EXTERNAL ASSURANCE PROVIDERS Enables the auditors to identify risk and focus more quickly and easily on the key issues likely to impact the external audit or other assurance engagement Aids their understanding of the overall control environment as required by auditing and other assurance standards Enables the reliability of internal audit to be identified more readily. It will also help to focus on the areas where reliance might be placed and the extent to which reliance might be placed Also helps to identify the actual state of internal control prior to the external assurance engagement, and where any work may need to be focused.

22 Without an assurance map. it is unlikely that the audit and risk committees will have access to a sufficiently well-structured analysis or assurance to enable them to evidence, safely, their satisfaction with the state of internal control. At the very least, the assurance map will enable the members of the committees to focus on those specific areas that remain a concern.

23 With an assurance map. the board will have evidence to support its assertions as to the state of internal control in any public reports and as communicated to the external auditors and shareholders.. the assurance-related work of the individuals operating within the lines of defence can be best directed to avoid overlaps.

24 Pitfalls.. Vision v. Reality

25 Pitfalls..

26 Other Pitfalls.. attempting to create an all encompassing map that quickly becomes over-engineered and complex and can fail to produce the required information. relying on out-of-date or irrelevant assurances. For example: o an external review of information security may have been carried out 18 months ago but the organisation may have implemented new IT systems since then; or o the last IA review maybe 1 year old but management have a more up-to-date report on recent improvements (or Op Risk may have a report on a recent incident). There may be too many gaps and no-one wants to admit to owning a gap!

27

28 King III (2009) The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities

29 While management does provide extensive risk assurance through performance management and reporting, it is not factored into combined assurance as this would require comment/ evaluation on its effectiveness as management.

30 King IV (2016) The governing body should oversee that the combined assurance model is designed and implemented to cover effectively the organisation s significant risks and material matters through a combination of the following assurance service providers and functions as is appropriate for the organisation: 1. The organisation s line functions that own and manage risks. 2. The organisation s specialist functions that facilitate and oversee risk management and compliance. 3. Internal auditors, internal forensic fraud examiners and auditors, safety and process assessors, and statutory actuaries. 4. Independent external assurance service providers such as external auditors. 5. Other external assurance providers such as sustainability and environmental auditors, external actuaries, and external forensic fraud examiners and auditors. 6. Regulatory inspectors.

31

32

33 The best assurance maps are inside the Head of Internal Audit Awareness and insight of the key sources of assurance are core to annual audit planning and the development of the HIA s overall opinion on risks and controls.

34 Practical Steps Forward Collaborate Find a champion (hopefully the AC Chair) Try it for one or two risk categories Use facilitated workshops (with guidance) Anticipate the pitfalls Take input from co-source and external audit Look for quick wins anomalies, red flags,. Care how gaps may be perceived Present to CEO (& exec), then AC Chair (& Committee)

35 What can Assurance Mapping learn from Cricket?

36 Football now has VAR.. Tennis has Hawkeye.... And Cricket has the 3 rd umpire

37 Assurance Mapping on the cricket pitch

38 Some CEOs will always think they know better!

39 What can Internal Audit learn from this? Are we the Third Umpire.? Should we give an opinion only when referred to? How can we better use the information we have available? Relationship management Reviews and Evidence Board, Exec and other Performance Reports How reliable is each element of assurance? Most of the time, you have to trust the first umpire

40 40