Exploring the Assurance Map
PwC, January 2021

Introduction

In his Government-commissioned 2019 review of the quality and effectiveness of audit[1], Sir Donald Brydon introduced the concept of an Audit and Assurance Policy, which would set out the audit and assurance process, including how auditors are appointed, how audit fees are set and how materiality is determined. It would also explain the approach taken to obtaining assurance over other areas of the business and over supplementary financial information outside the financial statements. We think a useful way to explain and illustrate that approach would be an Assurance Map: a single view of the level and type of assurance obtained over each of the risks faced by the company.

In this paper, we explore the concept of the Assurance Map and provide what we hope are useful ideas for how it might look and work in practice, to help companies undertake a mapping exercise and help think through how this concept might be designed and implemented more broadly.

We also raised the concept of the Assurance Map in our Future of Audit perspectives paper, issued in July 2019[2] as part of our Future of Audit initiative. Our ambition is that this thinking will contribute to the ongoing conversation about the future of audit, and about the governance over, and shareholder engagement in, the wider corporate reporting system.

Setting the scene

The past decade has seen a number of corporate failures and institutional scandals. This has undoubtedly eroded trust in corporate institutions as a whole and in the information they report. Compounding this trust deficit is the fact that we live in an information-saturated world.

[1] Report of the Independent Review into the Quality and Effectiveness of Audit, Sir Donald Brydon

Stakeholders increasingly make decisions based not just on financial information but also on non-financial information, such as a company's culture, its purpose and its environmental and societal impact. Company stakeholders face a constant flow of information and views from the internet and the media, not to mention their own experience as consumers or employees. However, as the amount of information demanded, shared and relied upon increases, not all of that information will be of the same quality, because the processes used to gather and report it are not all equally robust.

The challenge for Boards and Audit Committees[3]

While they can’t control all of the information that is put out about a company, Boards and Audit Committees do have a responsibility for all of the information they provide to stakeholders, in particular as it relates to the principal risks facing the business. They need to ensure that stakeholders are able to assess the riskiness of a company's activities and business model by having robust and relevant reporting. Boards also have a responsibility to ensure there are appropriate controls and processes in place so that this reporting can be trusted.

The challenge for Boards and Audit Committees, therefore, is to be able to transparently and reliably communicate information about their businesses, the risks they face and the mitigating controls and processes they have in place over those risks. Crucially, they need to be able to communicate to stakeholders what assurance there is over those controls and processes so that stakeholders can judge for themselves how much reliance to place on published company information.

[2] The Future of Audit: Perspectives on how the audit could evolve

The role of assurance

The provision of assurance (whether internal or external) over controls and reporting can strengthen confidence in a company’s reported information. In some instances assurance is required by regulation, but in many other areas it is commissioned at the company's discretion, so judgement is needed to determine whether, and where, additional assurance is warranted.

Not all reporting requires fully independent assurance; in some cases a review performed by an Internal Audit function may suffice. In other instances, the importance of the subject matter drives the need for a company to obtain a level of independent assurance that signals to stakeholders that the importance has been recognised. Given that each area of reporting will vary in maturity and complexity, the Board and Audit Committee will need their own process to determine, first, when they are ready for independent challenge and, second, how to choose the appropriate assurance provider. Transparency over that process, in addition to the assurance itself, will further strengthen the confidence stakeholders can place in the reporting.

[3] ‘Audit Committees’ should be read as those charged with governance where there is no Audit Committee

The Brydon review and the Future of Audit

[Diagram: the new ‘audit’ model outlined in the Brydon report. Source: Report of the Independent Review into the Quality and Effectiveness of Audit, Sir Donald Brydon]

The responsibilities of the Board and Audit Committee were highlighted by Sir Donald Brydon in his review. One of the recommendations was the introduction of a corporate Audit and Assurance Policy, which would encourage Boards and Audit Committees to establish greater clarity over reporting responsibilities and related assurance, and to increase company dialogue with investors on related topics.

Sir Donald envisaged that the Audit and Assurance Policy would outline the Audit Committee’s overall approach to audit and assurance and include an explanation of how assurance relates to the risks faced by the company. Sir Donald said: ‘This Policy provides the opportunity for companies to show how they are assuring the integrity of reporting, and handling of risk, whether required to do so by law or not.’ The Brydon report recognises the need for stakeholders to be able to trust information beyond that in the financial statements and that it is the responsibility of the Audit Committee to demonstrate how that trust can be established.

The current statutory audit process is a key source of this trust. But Sir Donald’s view is that trust is required beyond the boundaries of the traditional statutory audit, and that there may be a need for assurance over a broader range of risks. This is illustrated by the new ‘audit’ model outlined in the Brydon report, reproduced in the diagram above.

Examples of assurance beyond the current statutory audit include assurance over environmental, social and governance (ESG) data and over some types of controls such as cyber security controls. It may be that, in the future, the statutory audit expands to include some of these areas, or they may be separate assurance engagements.

As these examples of broader assurance are emerging, we believe that Audit Committees could benefit from having a way to bring this all together and paint the ‘assurance picture’ by using an Assurance Map to determine the level and type of assurance sought by company stakeholders over the principal risks faced by the company. This Assurance Map would set out:

● The principal risks faced by the company.
● The governance, controls and processes in place to mitigate those risks.
● Where applicable, the key performance indicators (KPIs) associated with the risks (which could be financial or non-financial).
● The assurance provided by and over the controls, processes and KPIs, including the level of assurance, who provides it, and how frequently.

The statutory audit would be just one component of the Assurance Map; Internal Audit and other sources of internal or external assurance could also feature.

Such an Assurance Map could form an integral part of a company’s Audit and Assurance Policy. In providing visibility over the steps being taken to address risk (through internal management response and internal and external assurance), Audit Committees would have the opportunity to engage with their stakeholders (for example at the AGM) to discuss and agree whether sufficient assurance has been commissioned. We’ve described in more detail below how the Assurance Map could be developed.

The Assurance Map process

Where to start – The initial building blocks of the Assurance Map are the risks an organisation is facing. A sensible starting point would be an existing risk register, taking, say, a company’s top 5-10 risks, each with an assigned level of inherent risk. For our illustrative examples in Figure 2, we have grouped risks into Operational, Financial, Non-Financial/Regulatory and Strategic risks.

Assigning the level of assurance – Each risk could be viewed as an empty ‘bucket’, which needs to be filled via the three lines of internal defence together with external assurance, as needed, until those charged with governance are satisfied that the contents of each bucket sufficiently address the identified risk. This begins with identifying the internal controls, processes and governance in place to manage that risk (the first and second lines of defence). The next step is to look at what assurance, internal (the third line of defence) or external, there is over those controls and processes. Key Performance Indicators that are disclosed for each risk could also be included, along with the level of assurance over those measures. Finally, after taking all of this into account, decide whether the mitigation of the risk is sufficient or whether it needs to be mitigated further, either by strengthening the internal processes and controls and/or by obtaining more internal or external assurance. This process requires judgement and debate to determine how best to ‘fill the bucket’, recognising, for example, that some comfort is provided by the simple assertion that controls are in place, but that more robust assurance is usually provided by testing performed by an independent reviewer.

This approach should drive transparency by making clear whether assurance needs to be obtained and at what level. We recognise that, in many instances, a review performed by Internal Audit would be entirely sufficient; however, in other areas of complexity or of particular scrutiny, an external auditor or other assurance provider with specific experience and skills may be more appropriate. The Assurance Map would help to indicate where the gaps might be and drive conversations, internally and with stakeholders, on the risk versus reward of ‘topping up’ the assurance levels. For the Assurance Map to be effective, it needs to be kept live by the teams who deal with these areas, such as Internal Audit, Finance, and the Risk and Compliance functions.

Figure 1 below illustrates this possible process for developing the Assurance Map.

Figure 2 below includes examples of what the Assurance Map might look like. These examples are for illustrative purposes only and are not necessarily how the eventual output might look.
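The ‘bucket-filling’ process above is, in effect, a comparison of the depth of assurance obtained over each risk against the depth those charged with governance want for a risk of that residual rating, repeated for the KPIs that are published about the risk (Steps 3 and 5 of Figure 2). The following Python is an added example, not PwC’s code or part of the original paper: it models the map as data and flags both kinds of gap. The four risks are constructed from the rows of Figure 2 (1); their inherent and residual ratings, the ordering of assurance depths, and the MIN_ASSURANCE policy thresholds are all assumptions for illustration, since the paper leaves those judgements to the Board and Audit Committee.

```python
"""Assurance Map gap check: compare assurance obtained with a policy threshold (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Risk rating used for both inherent and residual risk (assumed scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Assurance(IntEnum):
    """Depth of assurance, ordered from least to most comfort (assumed bucket-filling order)."""
    NONE = 0                 # only an assertion that something is done
    MANAGEMENT = 1           # 1st/2nd LOD: controls operated, risk/compliance oversight
    INTERNAL_AUDIT = 2       # 3rd LOD: independent testing by Internal Audit
    EXTERNAL_LIMITED = 3     # external provider, limited assurance
    EXTERNAL_REASONABLE = 4  # external provider, reasonable assurance (e.g. statutory audit)


@dataclass(frozen=True)
class KPI:
    name: str
    reported_externally: bool  # published in the Annual Report, on the website, etc.
    assurance: Assurance       # highest assurance obtained over the reported figure


@dataclass(frozen=True)
class Risk:
    category: str
    name: str
    inherent: Level
    residual: Level                # after the 1st/2nd LOD response
    internal_assurance: Assurance  # 3rd LOD assurance over the controls
    external_assurance: Assurance  # external assurance over the controls
    kpis: tuple[KPI, ...] = ()

    def assurance_obtained(self) -> Assurance:
        # Controls being in place gives MANAGEMENT-level comfort at minimum;
        # independent testing (internal or external) raises the level.
        return max(Assurance.MANAGEMENT, self.internal_assurance, self.external_assurance)


# Hypothetical policy thresholds (an assumption for this example): the minimum depth of
# assurance wanted over a risk, by its residual rating. A real Board sets its own.
MIN_ASSURANCE = {
    Level.LOW: Assurance.MANAGEMENT,
    Level.MEDIUM: Assurance.INTERNAL_AUDIT,
    Level.HIGH: Assurance.EXTERNAL_LIMITED,
}


def control_gaps(risks, policy=MIN_ASSURANCE):
    """Step 3: risks where assurance over the controls falls short of the policy threshold.

    Returns (risk name, assurance obtained, assurance wanted) tuples in map order.
    """
    gaps = []
    for risk in risks:
        have, want = risk.assurance_obtained(), policy[risk.residual]
        if have < want:
            gaps.append((risk.name, have.name, want.name))
    return gaps


def kpi_gaps(risks):
    """Step 5: KPIs published to stakeholders with no assurance over them at all."""
    return [
        (risk.name, kpi.name)
        for risk in risks
        for kpi in risk.kpis
        if kpi.reported_externally and kpi.assurance == Assurance.NONE
    ]


def sample_map():
    """Rows constructed from Figure 2 (1). The Level ratings are assumed for illustration."""
    limited = Assurance.EXTERNAL_LIMITED
    return [
        Risk("Non-financial and regulatory", "ESG impact", Level.HIGH, Level.MEDIUM,
             Assurance.NONE, Assurance.NONE,
             (KPI("Carbon footprint", True, limited),
              KPI("Water usage", True, limited),
              KPI("Waste to landfill rates", True, limited))),
        # Cyber: penetration testing sits in management's own response (1st/2nd LOD);
        # Internal Audit tests the controls, but there is no external assurance.
        Risk("Operational", "Cyber", Level.HIGH, Level.HIGH,
             Assurance.INTERNAL_AUDIT, Assurance.NONE),
        Risk("Financial", "Capitalised software", Level.MEDIUM, Level.LOW,
             Assurance.INTERNAL_AUDIT, Assurance.EXTERNAL_REASONABLE,
             (KPI("Return on investment ratio", True, limited),
              KPI("Carrying value and write-offs", True, limited))),
        Risk("Strategic", "Failure to innovate", Level.HIGH, Level.HIGH,
             Assurance.NONE, Assurance.NONE,
             (KPI("Customer surveys", True, Assurance.NONE),
              KPI("Impact of existing product portfolio", True, Assurance.NONE))),
    ]


if __name__ == "__main__":
    risks = sample_map()
    print("Step 3 - assurance over controls below policy threshold:")
    for name, have, want in control_gaps(risks):
        print(f"  {name}: have {have}, want at least {want}")
    print("Step 5 - externally reported KPIs with no assurance:")
    for name, kpi in kpi_gaps(risks):
        print(f"  {name}: {kpi}")
```

With the assumed thresholds the check flags ESG impact, Cyber and Failure to innovate under Step 3 (Capitalised software already carries reasonable assurance from the external auditor) and the two innovation KPIs, which are published on the company website with no assurance, under Step 5. Note that the cyber row is flagged even though routine penetration testing is listed in the risk response: the map treats testing commissioned by management as part of the first two lines, and only independent testing of the controls (here, by Internal Audit) as assurance over them. Changing the policy dictionary is the ‘topping up’ debate in code: a Board that is content with Internal Audit coverage for a high residual risk would set Level.HIGH to Assurance.INTERNAL_AUDIT and the cyber gap disappears.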


Figure 1 – Steps to completing the Assurance Map


Figure 2 – Illustrative Assurance Map (1)

This is a detailed example of how the Assurance Map might be presented, with a determination of the residual risk after the first two lines of defence (LOD) and more granular descriptions of each type of assurance.

The columns follow the five steps of Figure 1:

Step 1: Identify principal risks
Step 2: Map risks to controls and processes to determine residual risk
Step 3: Identify assurance provided over risk areas and identify potential gaps
Step 4: Map risk areas to related KPIs and communications
Step 5: Identify assurance provided over KPIs and identify potential gaps

Columns, in order (the risk description and level of risk are taken from the existing Risk Register):
● Risk description
● Level of risk (considering likelihood and impact)
● Risk response (1st and 2nd LOD)
● Residual risk
● Internal assurance provided over risk (3rd LOD)
● External assurance provided over risk
● Related KPIs/reporting to measure these areas
● Reporting of KPI/risk area
● Internal assurance currently provided over KPI (3rd LOD)
● External assurance currently provided over the KPI

The level-of-risk and residual-risk ratings for each row are not captured in this transcript.

Non-financial and regulatory: Environmental, Social and Corporate Governance (ESG) impact
Risk description: Unfavourable coverage regarding the company’s ESG impact means that consumers take their custom elsewhere, leading to declining brand value and financial performance.
Risk response (1st and 2nd LOD):
● Clear ESG strategy signed off by the Board
● Policies and processes aligned to strategy
● List of approved suppliers, manufacturers and contractors
● Benchmarking against industry
● External communication over steps taken
Internal assurance over risk (3rd LOD): None
External assurance over risk: None
Related KPIs/reporting:
● Carbon footprint
● Water usage
● Waste to landfill rates
Reporting of KPI/risk area: Included in the Annual Report and separate Sustainability Report
Internal assurance over KPI (3rd LOD): None
External assurance over the KPI: Other assurance provider performs limited assurance procedures over the reported KPIs

Operational: Cyber
Risk description: A cyber attack or failure could result in system outage, disrupting the business and leading to major data loss and reputational damage.
Risk response (1st and 2nd LOD):
● Specific IT policies in place
● Internal controls over cyber risks
● Disaster recovery plans
● Routine system penetration testing
● Staff training over risks
Internal assurance over risk (3rd LOD): Internal Audit tests the operating effectiveness of controls on a sample basis throughout the year
External assurance over risk: None
Related KPIs/reporting: n/a
Reporting of KPI/risk area: The IT department issues a monthly report to the Board outlining any cyber issues identified in the period
Internal assurance over KPI (3rd LOD): n/a
External assurance over the KPI: n/a

Financial: Capitalised software
Risk description: Investment in capitalised software to support programme delivery may not be recoverable where it does not deliver on the investment.
Risk response (1st and 2nd LOD):
● Financial and IT controls over approval, acquisition and development of new software
● Appropriate delegation of authority in place
● Review of actual progress against projected plans
● Annual impairment review
Internal assurance over risk (3rd LOD): Internal Audit tests the operating effectiveness of controls on a sample basis throughout the year
External assurance over risk: The external audit team reviews the operating effectiveness of key controls on a sample basis, and assesses the recoverability of significant balances at the year end
Related KPIs/reporting:
● Return on investment ratio
● Carrying value and write-offs of capitalised software
Reporting of KPI/risk area: Included in the Annual Report
Internal assurance over KPI (3rd LOD): None
External assurance over the KPI: The external auditor performs reasonable assurance procedures over the capitalised software balance in the financial statements, and limited assurance procedures over the related reported KPIs

Strategic: Failure to innovate
Risk description: Failure to successfully invest in, develop and deliver innovative products and services which meet the changing needs of consumers may inhibit the ability to grow the business and impact financial performance.
Risk response (1st and 2nd LOD):
● Ongoing market research and surveys to understand consumer preferences and trends
● Dedicated innovation team trialling new products to be launched in coming years
● Diversification through acquisition of new businesses
● Internal review of the continued impact of existing services (compared to competitors and previous years)
Internal assurance over risk (3rd LOD): None
External assurance over risk: None
Related KPIs/reporting:
● Customer surveys
● Effectiveness/impact of existing product portfolio
Reporting of KPI/risk area: Included on company website
Internal assurance over KPI (3rd LOD): None
External assurance over the KPI: None


Figure 2 – Illustrative Assurance Map (2)

This is a more summarised example of how the Assurance Map might be presented in order to provide a high level snapshot of the risks and related assurance.

Columns, in order:
● Risk type
● Principal risk per the Annual Report
● Description
● Inherent risk
● 1st LOD: Design and operation of controls and processes
● 2nd LOD: Oversight through risk, compliance and legal
● 3rd LOD: Internal assurance
● External assurance
● Reported KPIs
● 3rd LOD: Internal assurance (over KPIs)
● External assurance (over KPIs)

The inherent risk ratings and the LOD/assurance ratings in this summary view are not captured in this transcript; only the text cells are reproduced below. Rows labelled ‘Principal risk n’ are placeholders in the illustration.

Operational: Cyber Security
Description: A cyber attack or failure could result in system outage, disrupting the business and leading to major data loss and reputational damage.
Reported KPIs: N/A

Principal risk 2
Principal risk 3

Financial: Capitalised software
Description: Investment in capitalised software to support programme delivery may not be recoverable where it does not deliver on the investment.
Reported KPIs:
● ROI ratio
● CV and write-offs of capitalised software
External assurance (over KPIs): Provided by external auditor

Principal risk 5
Principal risk 6

Strategic: Failure to innovate
Description: Failure to successfully invest in, develop and deliver innovative products and services which meet the changing needs of consumers may inhibit the ability to grow the business and impact financial performance.
Reported KPIs:
● Customer surveys
● Impact of existing product portfolio

Principal risk 8
Principal risk 9

Non-financial and regulatory: ESG impact
Description: Unfavourable coverage regarding the company’s ESG impact means that consumers take their custom elsewhere, leading to declining brand value and financial performance.
Reported KPIs:
● Carbon footprint
● Water usage
● Waste to landfill rates
External assurance (over KPIs): Other assurance provider

Principal risk 11
Principal risk 12


Figure 2 – Illustrative Assurance Map (3)

This example uses a different visual format to illustrate the Assurance Map.

Closing thoughts

An Assurance Map, however you decide it should be developed for your organisation, could be a valuable way to get to grips with the type and depth of assurance you have over your reported information and, therefore, how much your stakeholders can rely on that information. Information beyond the financial statements is only going to get more important in the coming years as investors and other stakeholders look to fully analyse an organisation’s long term value creation. As expectations and regulations change, the Assurance Map would drive transparency for these investors and stakeholders, which in turn would build organisational resilience over the longer term.

We hope that we have given you some practical suggestions as to how an Assurance Map may be a useful tool for your organisation to consider. If you would like to discuss further, please speak to your usual PwC contact or those listed below.


At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with over 276,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

This document has been prepared for general guidance and information only. It does not constitute professional advice, nor does it consider individual circumstances or specific requirements. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information provided, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this document or for any decision based on it.

© 2021 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.


Contact

Gilly Lord, Head of Audit Strategy and Public Policy, PwC United Kingdom. T: +44 (0)7801 685046

Paolo Taurae, Stakeholder Assurance Leader, PwC United Kingdom. T: +44 (0)7802 223287

Jayne Kerr, Director, PwC United Kingdom. T: +44 (0)7740 241129