Practice Advisory 2050-2: Assurance Maps Primary Related Standard 2050 Coordination The chief audit executive should

share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

1. One of the key responsibilities of the board is to gain assurance that processes are operating within the parameters it has established to achieve the defined objectives. It is necessary to determine whether risk management processes are working effectively and whether key or business-critical risks are being managed to an acceptable level. 2. Increased focus on the roles and responsibilities of senior management and boards has prompted many organizations to place a greater emphasis on assurance activities. The Standards Glossary defines assurance as an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. The board will use multiple sources to gain reliable assurance. Assurance from management is fundamental and should be complemented by the provision of objective assurance from internal audit and other third parties. Risk managers, internal auditors, and compliance practitioners are asking: Who does what and why? Boards in particular are beginning to question who is providing assurance, where is the delineation between the functions, and if there are any overlaps. 3. There are fundamentally three classes of assurance providers, differentiated by the stakeholders they serve, their level of independence from the activities over which they provide assurance, and the robustness of that assurance. Those who report to management and/or are part of management (management assurance), including individuals who perform control self-assessments, quality auditors, environmental auditors, and other management- designated assurance personnel. Those who report to the board, including internal audit. Those who report to external stakeholders (external audit assurance), which is a role traditionally fulfilled by the independent/statutory auditor. The level of assurance desired, and who should provide that assurance, will vary depending on the risk. 4. There are many assurance providers for an organization. Line management and employees (management provides assurance as a first line of defense over the risks and controls for which they are responsible.) Senior management Internal and external auditors Compliance
Issued: July 2009 Revised: 2009 The Institute of Internal Auditors PA 2050-2 Page 1 of 3

Quality assurance Risk management Environmental auditors Workplace health and safety auditors Government performance auditors Financial reporting review teams Subcommittees of the board (e.g., audit, actuarial, credit, governance) External assurance providers, including surveys, specialist reviews (health and safety), etc. 5. The internal audit activity will normally provide assurance over the entire organization, including risk management processes (both their design and operating effectiveness), management of those risks classified as key (including the effectiveness of the controls and other responses to them), verification of the reliability and appropriateness of the risk assessment and reporting of the risk and control status. 6. With responsibility for assurance activities traditionally being shared among management, internal audit, risk management, and compliance, it is important that assurance activities be coordinated to ensure resources are used in the most efficient and effective way. Many organizations operate with traditional (and separate) internal audit, risk, and compliance activities. It is common for organizations to have a number of separate groups performing different risk management, compliance, and assurance functions independently of one another. Without effective coordination and reporting, work can be duplicated or key risks may be missed or misjudged. 7. While many organizations monitor the activities of internal audit, risk, and compliance, not all view all their activities in a holistic way. An assurance mapping exercise involves mapping assurance coverage against the key risks in an organization. This process allows an organization to identify and address any gaps in the risk management process and gives stakeholders comfort that risks are being managed and reported on, and that regulatory and legal obligations are being met. Organizations will benefit from a streamlined approach, which ensures the information is available to management about the risks they face and how the risks are being addressed. The mapping is done across the organization to understand where the overall risk and assurance roles and accountabilities reside. The aim is to ensure that there is a comprehensive risk and assurance process with no duplicated effort or potential gaps. 8. Often an organization will have defined the significant risk categories that make up its risk management framework. In such cases, the assurance map would be based on the structure of this framework. For example, an assurance map could have these columns: Significant risk category Management role responsible for the risk (risk owner) Inherent risk rating Residual risk rating External audit coverage Internal audit coverage Other assurance provider coverage
Issued: July 2009 Revised: 2009 The Institute of Internal Auditors PA 2050-2 Page 2 of 3

In this example, the chief audit executive (CAE) would populate the internal audit coverage column with recent coverage. Often each significant risk has a risk owner or a person responsible for coordinating assurance activities for that risk and that person would populate the other assurance provider coverage column. Each significant unit within an organization could have its own assurance map. Alternatively, the internal audit activity may play a coordinating role in developing and completing the organizations assurance map. 9. Once the assurance map for the organization has been completed, significant risks with inadequate assurance coverage, or areas of duplicated assurance coverage, can be identified. Senior management and the board need to consider changes in assurance coverage for these risks. The internal audit activity needs to consider areas of inadequate coverage when developing the internal audit plan. 10. It is the responsibility of the CAE to understand the independent assurance requirements of the board and the organization, to clarify the role the internal audit activity fills and the level of assurance it provides. The board needs to be confident that the overall assurance process is adequate and sufficiently robust to validate that the risks of the organization are being managed and reported on effectively. 11. The board needs to receive information about assurance activities, both implemented and planned, in regard to each category of risk. The internal audit activity and other assurance providers offer the board the appropriate level of assurance for the nature and levels of risk that exist in the organization under the respective categories. 12. In organizations requiring an overall opinion from the CAE, the CAE needs to understand the nature, scope, and extent of the integrated assurance map to consider the work of other assurance providers (and rely on it as appropriate) before presenting an overall opinion on the organizations governance, risk management, and control processes. The IIAs Practice Guide Formulating and Expressing Internal Audit Opinions provides additional guidance. 13. In instances where the organization does not expect an overall opinion, the CAE can act as the coordinator of assurance providers to ensure there are either no gaps in assurance, or the gaps are known and accepted. The CAE reports on any lack of input/involvement/ oversight/assurance over other assurance providers. If the CAE believes that the assurance coverage is inadequate or ineffective, senior management and the board need to be advised accordingly. 14. The CAE is directed by Standard 2050 to coordinate activities with other assurance providers; the use of an assurance map will help achieve this. Assurance maps increasingly offer an effective way of communicating this coordination. ***

Issued: July 2009 Revised: 2009 The Institute of Internal Auditors

PA 2050-2 Page 3 of 3