The term 'assurance' refers to the verification of risk mitigation and internal control. It embraces the tasks of internal audit, management reviews and specialised audits that test and validate the control environment. The terms 'combined assurance' and 'integrated assurance' have become fashionable in recent times. These terms refer to the idea that a planned approach to arranging all of the various assurance providers is adopted.
This seeks to reduce duplications in audit processes and prevent any key controls from being missed by assurance providers. This approach to assurance normally has a risk foundation. The contents of risk registers are used to design the annual assurance plans.
The main output from this wide focus on assurance is a spread sheet that details all the key controls of the institution and indicates which assurance provider will validate them. An assurance plan should indicate how often a control will be validated.
Certain key controls may be validated and reviewed more than once by different parties. The allocation of control validation by internal and independent parties is a fundamental principle of structuring a good assurance plan.
An assurance plan is one of the primary means by which the Accounting Authority / Officer receives confirmation that internal controls and risk mitigations are appropriately designed and implemented. A risk-based assurance plan follows the outputs of the risk identification, assessment and control evaluation processes.
It is commonly accepted that assurance should be designed on an integrated basis. This means that there is a coordinated plan to provide a spread of assurance providers for the key controls. The principle of integration lies in the arranging of specialist assurance providers based on a rational allocation of resources.
Assurance providers usually have an existing assurance role such as internal auditors, insurance surveyors, safety auditors, environmental surveyors, quality auditors, stakeholder satisfaction surveys, credit auditors, etc. One of the main challenges with integrated assurance is to select assurance providers for strategic risk mitigations.
Another challenge is to secure agreement between existing assurance functions as to who will perform certain audits and reviews so that duplication is eliminated.
A number of entities have developed a system whereby a joint assurance team works together during one audit visit to an operation.
4. Drafting an assurance plan
A risk-based assurance plan encourages an allocation of assurance resources based on risk priorities. Risk owners have a key role to play in selecting assurance activities for their respective risks.
The integrated approach requires the organisation to provide a spread of assurance providers for each risk, balanced between management, independent functions and external parties.
The assurance template is completed by listing the key risks and their respective controls in the indicated column. The risk owner will then indicate which assurance providers currently review or monitor the controls listed.
This can be indicated by means of a code which indicates the frequency of the particular assurance activity, e.g. 'M' for 'monthly'. Gaps in the assurance programme are then considered with input from assurance providers themselves, such as the internal audit function. The desired additional assurance activities, with preferred frequency of activity, are then inserted into the template.
Click here to access an assurance template.
Click here if you would like to view an example of an assurance plan.