Tag Archives: Governance & Risk Assurance

Not as straightforward as it seems – Adding value – Assurance maps

I ran a workshop in London over the past two days on the topic of Assurance Maps. Readers will not be surprised to learn that one of the key ingredients for a successful Assurance Map is to be clear about the added value that managers and senior managers will derive from the exercise (often board and audit committee members recognise that an assurance map will help “join up the jigsaw” of assurance efforts, and therefore tend to be supportive).

At face value this may seem to be a straightforward matter – if the board and audit committee can be persuaded support an assurance map, would it really matter if managers and senior managers were not that enthusiastic? In my experience working on assurance mapping efforts for the past 15 years, this is an important question, because there is a big difference between managers and senior managers tolerating an assurance map, but not seeing much benefit in what it gives; compared to them seeing it as a useful management tool that will help them manage aspects of their organisation. Clearly, in the latter case, you are much more likely to get ongoing interest in, and support for, further development of assurance maps from management; rather than them seeing an assurance map as a one-off activity that should be completed and then shelved.

What follows is a summary of our discussions. As you will see, the key message is the importance of being focused, specific and realistic about the added value goals being sought, and the need to think ahead, and manage proactively, how this added value might unfold (or not!). Continue Reading

Speaking at IIA HIA Conference

Internal Audit Leaders’ Conference 16th March 2016 

Combined assurance, one language, one voice, one view
James Paterson | Director, Risk & Assurance Insights Ltd.

  • consistent messaging across all governance bodies and functions within an organisation
  • breaking down silos and more efficient collection and reporting of information
  • a common view of risks and issues.

Further details about the conference can be found here.

Assurance ratings – simplistic approaches are not always a good idea

I talked in an earlier blog about the benefits and drawbacks of having a ‘standardized approach’. Here is another example from assurance mapping where ‘standard’ terms can cause problems. Consider the standard assurance ratings as follows:

  • Low assurance confidence – where management are self assessing their own work
  • Medium assurance confidence – where the second line of defense (compliance and risk functions etc.) are checking what is being done
  • High assurance confidence – where there is independent checking of  (say) >50% or 75% of key controls

These seem so sensible and reassuring – let’s use these criteria to produce an assurance map! The importance of independent checking by Internal Audit will become clear!

The problem with this sort of standardized assessment is that it implicitly downplays assurance from the first and second lines of defense and favours audit work in a way that can cause significant issues when management are told about their low levels of assurance.  Lets consider this question more closely how confident should we be with each type of assurance:

1)    Management

Of course there is always a risk of self-deception in self-assessment by managers of their own activities, but if the criteria management should apply are clearly spelled out, and the manager concerned is experienced and unafraid to be honest, we can take a lot from their assessment. This is all the more so when management may be reporting upwards that they have issues and concerns that need to be addressed.  Thus it is a dangerous over simplification to say that all management assurance is only of low quality. Continue Reading

Using tools – when to standardize and when not

At the moment I am working on a big GRC change project for a client and we are starting to think about software tools for control self assessments. The initial interest was to see if some of the existing in-house applications in use for other purposes, but we have discounted these because they do not adequately allow for the aggregation and analysis of results, nor do they enable effective tracking of open issues until closure (after all what is the point of reporting an area for improvement if you cannot be confident it has been dealt with?)

We are now in the process of looking for solutions that some of my other clients have used, adapted for the needs of this client. Here my advice is simple: What is the point of reinventing the wheel? Lets select something that works well elsewhere – our needs are not that different because this is about largely mechanical process of collecting a specific sort of information, categorizing it and then deciding what to do about it.

At the same time I have been working with another client on assurance mapping, focusing on several specific areas of interest to senior stakeholders. Here there was interest at first in me offering a standardized approach, standardized report – and ideally – a simple tool to use. The attraction of a standardized approach and a simple tool is clear, but my client has recognized – over the course of our work together – that force fitting a standard approach would not work for them.

In particular, my client recognized that the real purpose of asking me to work with them to map assurances was not really simply about mapping assurances, but to identify areas for improvement in areas where there had been question marks previously. Continue Reading

Join our mailing list

We will keep you updated with news and events.


Contact and appointments:

Risk & Assurance Insights
T: +44 (0)7802 868914

Please also use our contact form