Internal audit is one of many sources of assurance that boards and audit committees rely on in their oversight role. In many organisations this can create a complex or even conflicting picture. An assurance map is a practical tool for chief audit executives (CAEs) to use on two levels; demonstrating the depth/gaps in assurance and to plan audit activity.

As organisations grapple with cost challenges due to the effects of the pandemic on the economy, it is crucial that CAEs are able to advise on potential changes within the control environment. This guidance explores the benefits of assurance mapping, faces up to the challenges of introducing the concept and outlines an approach to creating one.

What is an Assurance map?

An assurance map is a structured way of identifying and presenting the sources of assurance over how risks are being managed. It is an essential element of mature risk management practices. It considers all types of assurance:

• 1^st line – management, owning and managing the risk
• 2^nd line – oversight, specialists, risk functions, usually reporting to management
• 3^rd line – independent oversight, internal audit

And potentially a fourth in some instances:

• 4^th line – external oversight, external audit, certification assessors (e.g. BSI), regulators

A map is visual and can be used in a variety of ways from presenting a basic picture of assurance resources, perhaps also showing the frequency of the assurance.

Even without any knowledge of the risks or the organisation, it is possible to ask;

• Why does internal audit support the cyber perspective on risk 1, why the difference?
• What non-financial risk did EA miss on risk 2?
• Is there sufficient assurance over risk 3? Is this a board level risk?
• Where is the agenda item to discuss risk 4 in detail?
• Is there too much assurance…