Thinking Like an Auditor

  • The Value of Assurance Mapping

    October 20, 2017 | By Toby DeRoche MBA, CIA, CCSA, CRMA, CICA, CFE

    As we look for ways to provide relevant risk information to the audit committee and adopt a combined assurance approach, a valuable way to highlight the current state of our organizational risk profile is with a risk coverage map. In researching the topic, one of the best examples of a risk coverage map in a combined assurance setting comes from a PwC report titled Implementing a combined assurance approach in the era of King III¹ (see figure below). In this report, the authors present the major risk topics for an organization along with the groups within the Three Lines of Defense² that provide assurance services related to each risk.

    From an internal audit perspective, the risk coverage map shows exactly which group has responsibility for risk management and to what extent the coverage extends. In the example below, you can see that Internal Audit has minimal coverage on environmental risk, but this may be appropriate since there is an EHS team and special projects that include heavier coverage on this risk.

    [Figure: Assurance Mapping]

    In the end, the risk coverage map serves both as a responsibility chart and as a way to demonstrate to management which risks are getting the most attention from all parts of the organization. If we use a risk assessment that includes a comprehensive view of risks identified by all assurance providers in our organization, and a combined assurance risk map to show coverage, we will present management with a more complete and more understandable picture of our organizational risk profile.

    1 Implementing a combined assurance approach in the era of King III, 2010 PricewaterhouseCoopers.

    2 IIA Position Paper – The Three Lines of Defense in Effective Risk Management and Control (2013)
