Coping with the Demands of Assurance: How to Reduce Cost and Improve Effectiveness – Part 2

Agreed upon Procedures

A business may commission an “Agreed upon procedures” report, specifying a range of controls on which they wish to receive assurance that they are operating effectively. This may be used in response to requests from potential clients who would like re-assurance that certain controls on which they are reliant are effective.

Internal assurance and internal audit

In addition to assurance provided by internal audit, there may be several layers of internal assurance roles within the business, from a formal compliance team in the case of financial services, to health & safety and legal teams, all designed to provide assurance to management and the Board that significant business activities are meeting their legal and regulatory requirements.

External consultancies

Boards and management will often also commission work from consultants for a specialist or specific area where they believe they lack expertise within the business. This might be to gain assurance that projects are being managed effectively or a new business unit is properly established.

Integrated Risk and Assurance

This growing and varied provision of assurance places pressure on the Board and senior management in fully understanding what they are being told about the whole business and how effectively it is managing its risk. If these sources are not co-ordinated, it is easy to see that gaps and duplication’s can occur. More importantly, it may not be clear that the assurance is fully focused towards the key risks that the business faces.

One method of providing for more effective oversight and understanding of a business’s assurance requirements, is the adoption of an assurance map. Essentially an assurance map is a method of recording all sources of assurance that are being relied upon by the business, and linking these with business objectives, business risks and internal controls.


As part of the process, it is important to consider and collaborate with those who are managing the risks and delivering assurance, and to ensure that these risk owners, senior managers, and the Board, each understand the roles and responsibilities of the others.

The map may take some time to fully develop, but the key benefits are the co-ordination and integration of the whole risk and assurance process, the elimination of duplication, more effective reporting, and a consequent reduction in assurance costs.

 The Regulations

As an example, the controls designed to support the adoption of the international standard for information security management systems (ISO 27001), the new General Data Protection Regulations, (GDPR), and the requirements of Cyber Essentials, will be the same in many instances. By co-ordinating the roles and responsibilities of those who manage and report on the effectiveness of these controls, a much clearer and concise message can be provided to the Board and other stakeholders.


If you are interested in developing a fully integrated risk management and assurance process and benefitting from the value that this can bring, you should ask yourself the following questions:

  • What are the key objectives of the business?
  • Have all the key risks and supporting controls been identified and assessed?
  • Who provides the Board and external stakeholders with assurance that risks are being managed?
  • Are there any gaps in assurance?
  • Is there any duplication across assurance providers?

If you have any further questions, or would like advice on developing an assurance map and integrating your risk and assurance process, please contact or call 020 7112 8300.

Read part one here.

Additional, helpful information

Here are links to topics related to the General Code of Practice that you will find useful:
(Note: as mentioned above the General Code of Practice was previously known as the Single Code of Practice)