Tag Archives: Governance & Risk Assurance

Speaking at IIA HIA Conference

Internal Audit Leaders’ Conference 16th March 2016 

Combined assurance, one language, one voice, one view
James Paterson | Director, Risk & Assurance Insights Ltd.

  • consistent messaging across all governance bodies and functions within an organisation
  • breaking down silos and more efficient collection and reporting of information
  • a common view of risks and issues.

Further details about the conference can be found here.

Assurance ratings – simplistic approaches are not always a good idea

I talked in an earlier blog about the benefits and drawbacks of having a ‘standardized approach’. Here is another example from assurance mapping where ‘standard’ terms can cause problems. Consider the standard assurance ratings as follows:

  • Low assurance confidence – where management are self-assessing their own work
  • Medium assurance confidence – where the second line of defense (compliance and risk functions etc.) are checking what is being done
  • High assurance confidence – where there is independent checking of (say) >50% or 75% of key controls

These seem so sensible and reassuring – let’s use these criteria to produce an assurance map! The importance of independent checking by Internal Audit will become clear!

The problem with this sort of standardized assessment is that it implicitly downplays assurance from the first and second lines of defense and favours audit work in a way that can cause significant issues when management are told about their low levels of assurance. Let's consider this question more closely: how confident should we be with each type of assurance?

1)    Management

Of course there is always a risk of self-deception in self-assessment by managers of their own activities, but if the criteria management should apply are clearly spelled out, and the manager concerned is experienced and unafraid to be honest, we can take a lot from their assessment. This is all the more so when management may be reporting upwards that they have issues and concerns that need to be addressed. Thus it is a dangerous oversimplification to say that all management assurance is only of low quality.

Using tools – when to standardize and when not

At the moment I am working on a big GRC change project for a client and we are starting to think about software tools for control self-assessments. The initial interest was to see if some of the existing in-house applications in use for other purposes could be used, but we have discounted these because they do not adequately allow for the aggregation and analysis of results, nor do they enable effective tracking of open issues until closure (after all, what is the point of reporting an area for improvement if you cannot be confident it has been dealt with?).

We are now in the process of looking for solutions that some of my other clients have used, adapted for the needs of this client. Here my advice is simple: What is the point of reinventing the wheel? Let's select something that works well elsewhere – our needs are not that different because this is about a largely mechanical process of collecting a specific sort of information, categorizing it and then deciding what to do about it.

At the same time I have been working with another client on assurance mapping, focusing on several specific areas of interest to senior stakeholders. Here there was interest at first in me offering a standardized approach, a standardized report and, ideally, a simple tool to use. The attraction of a standardized approach and a simple tool is clear, but my client has recognized – over the course of our work together – that force-fitting a standard approach would not work for them.

In particular, my client recognized that the real purpose of asking me to work with them to map assurances was not really simply about mapping assurances, but to identify areas for improvement in areas where there had been question marks previously.
