Join Nathan Paget in an introductory workshop on assurance maps to gain a complete picture of services, activities, and associated risks, and to identify areas for improvement and efficiency. Learn how assurance maps can better focus efforts and provide evidence of collective assurance.
Assurance Maps: An Introductory Workshop. Nathan Paget, United Kingdom
Definitions • Risk - The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. • Internal Control - Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. • Assurance - The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Business objectives and the link to assurance maps [Diagram labels: 1st Line Assurance; 2nd Line Assurance; 3rd Line Assurance; Monitor and review; Independent Assurance; Ownership & Management; Management at various levels; Board / Audit Committee / Governing group]
Assurance Map – WHY? Providing: • A complete picture of the services being delivered, the activities undertaken and the level of associated risk. • A complete picture of the types of assurance available and obtained. Enabling: • Identification of any potential areas where assurance activities are not present or are insufficient (i.e. assurance gaps). • Identification of any areas where assurance is duplicated, repeated or excessive when compared with the value of the activity being undertaken. Allowing: • Better understanding of risk exposure. • Direction of proportionate assurance provision (and efficiencies). • Evidencing of collective assurance for the Annual Governance Statement. • Better focus of efforts by the Audit Committee.
1st Line of Assurance • Good policy and performance data. • Monitoring statistics. • Risk registers. • Reports on the routine system controls and other management information.
2nd Line of Assurance • Compliance assessments or reviews carried out to determine that policy or quality arrangements are being met in line with expectations for specific areas of risk across the organisation. • Portfolio management. • Strategic planning. • Investment appraisal and project and programme management.
3rd Line of Assurance • This relates to independent and more objective assurance and focuses on the role of internal audit. • Internal audit will place reliance upon assurance mechanisms in the first and second lines of defence, where possible, to enable it to direct its resources most effectively, on areas of highest risk or where there are gaps or weaknesses in other assurance arrangements. It may also take assurance from other independent assurance providers operating in the third line, such as those provided by independent regulators, for example. • Other sources of independent assurance available include external system accreditation reviews/certification (e.g. ISO/Risk Management Accreditation Document Sets), European Commission/European Court of Auditors and Treasury/Cabinet Office/Parliamentary scrutiny processes.
Assurance Map – Control and assurance connections [Diagram: Assurance Maps]
Assurance and Risk [Columns: RISK; ASSURANCE] Those business risks that, if realised, could fundamentally affect the way in which the organisation exists or conducts its business. These risks will have a detrimental effect on the organisation's achievement of its key business objectives. The risk realisation will lead to material failure, loss or lost opportunity. This is a direct output from the risk management process: • Assurance provided that controls are effective in the case where inherently high / extreme risks are mitigated to a lower residual classification. • Assurance provided that actions are progressing where risk is both inherently and residually high / extreme. • Assurance over the management of risk where our appetite to the risk is low. The main operational risks associated with the key business activities and processes that, if realised, would increase the likelihood of a strategic risk realising. Key business activities and processes on which the organisation is reliant for successful execution of its strategies.
DEFRA CASE STUDY • 4 Strategic Priorities – supported by lower level activities. • Growing the rural economy. • Protecting the Environment. • Protect / respond on Animal Health. • Protect / respond on Plant Health.
Further References • HMT Orange Book – Assurance Maps • COSO / IIA Guidance on Assurance Maps and COSO
Questions • Any questions?