Assurance Mapping
Sandie Dawson, Director, Dawson Corporate Advisory
Introduction & Purpose
Targeted assurance
Save money through resource optimisation
Add longer term value
Dawson Corporate Advisory Limited
Agenda – Assurance Mapping
What can it do?
What information is needed?
How do you do it?
What can it be used for?
From this…
…to this
…and produce structured output
…and from there…
The users of your Assurance Map will decide upon the next actions to take.
Make your analysis and recommendations count.
What can it do?
Show coverage of an organisation's risks and controls by all 3 lines of defence
Highlight areas of: low coverage; extensive / over coverage; gaps in understanding
What Information is Needed?
Risk and Control Self Assessments
2nd Line Assurance Plans - Regulatory Compliance, Operational Risk
What Information is Needed?
3rd Line Internal Audit Plans
Risk Universe / Internal Audit Universe
What Information is Needed?
2nd and 3rd Line MI, to include: Terms of Reference for each area covered; Test Programmes mapped to key risks and controls
Internal Audit Reports
Decide upon the most appropriate timeframe – I recommend 1 year
How do you do it?
For each L1, L2 and L3 Risk, calculate coverage by each line of defence
Define Red, Amber, Green and Black parameters – these are key
| L1 Risk | L2 Risk | L3 Risk | Control | 1LoD Coverage | 2LoD Coverage | 3LoD Coverage |
| --- | --- | --- | --- | --- | --- | --- |
| Strategic Objectives are not met | Strategic Projects are not delivered on time | Delays are sustained in resourcing Projects | Master Services Agreements are in place with Preferred Suppliers | Full | 20% | 70% |
How much assurance is enough?
Worked Example - MI
Who can use the Assurance Map?
Audit Committee
Risk Committees
Internal Audit team
First Line Management
What Can it be used for?
To summarise - more effectively allocating business resources
For - Risk Committees and the Audit Committee
To understand historic and current coverage
To provide an overlay of information on which to assess risk event MI
To provide MI on which to pose questions
What Can it be used for?
For – The Internal Audit Team
To compare risks identified during discovery / planning to the risks reported by the business in their RCSAs
To compare key controls identified and tested to those reported on RCSAs
To compare control effectiveness reported by RCSAs to control effectiveness identified by testing
To inform the Internal Audit Plan
What Can it be used for?
For - 1st Line Management
MI can be provided on a regular basis to show: RCSA Results compared with 2nd Line Coverage and Results and 3rd Line Coverage and Results
Assist the 1st Line in understanding the impact of control design and how effectively their controls are operating
Summary
An Assurance Map is a piece of MI that can be used as a tool
If you are the Assurance Map producer: Provide accompanying analysis; Make recommendations; Take actions within your remit – e.g. Internal Audit Plan updates; Keep it up to date; Present it to the Audit Committee – to inform and take action
A few quotes from Davos 2014
“Data are becoming the new raw material of business.”
Craig Mundie, Senior Advisor to the CEO at Microsoft.
“The goal is to turn data into information, and information into insight.”
Carly Fiorina, former chief executive of Hewlett-Packard Company or HP.
“In God we trust. All others must bring data.”
W. Edwards Deming, statistician, professor, author, lecturer, and consultant.
Data
Questions and Comments
Sandie Dawson FCCA 07914