In the second of a series of blogs on the possible changes to the corporate governance and audit landscape, PwC UK’s Head of Audit Strategy and Public Policy Gilly Lord considers why an assurance map might be a useful part of the Audit and Assurance Policy recommended by Sir Donald Brydon.
Over the past decade, we’ve seen various corporate failures and institutional scandals. Rightly or wrongly, these have contributed to an erosion of trust in corporate institutions as a whole, and in the information they report.
Restoring trust in the information reported by businesses is made more difficult because today we live in an information-saturated world. Company stakeholders increasingly make decisions based on financial and non-financial information — for instance, potential investors want to understand a company’s environmental impact before they invest and potential employees look at sites like Glassdoor for information on a company’s culture.
So, the big challenge for Boards and Audit Committees is to get happy that all of the information a company reports is reliable and trustworthy, in particular as it relates to the risks faced by the company. One way of doing this is to assess the level of assurance that exists over different types of reported information — and there’s no reason this assessment couldn’t be shared with stakeholders so that they can judge for themselves how much they should rely on it.
At PwC, we’ve been thinking about how this might work in practice. We’re talking about the idea of an “assurance map” as a valuable way for companies to get their arms around all the different levels and forms of assurance that exist over reported information relating to the risks faced by the company.
Some components of the assurance map should be familiar — listed companies already describe their principal risks in their annual reports. This is usually accompanied by information on the mitigating processes and controls that respond to each risk. But right now, it’s usually not clear whether these controls have been challenged and tested, and therefore how reliable they really are.
So, in our vision of an assurance map, a company would outline the type and depth of assurance over these mitigating processes and controls, including who provides that assurance, and how frequently. Stakeholders could evaluate that information and decide for themselves the confidence that gave them in associated reporting. We know that some Audit Committees are already thinking in this way but not many are sharing their assurance maps externally.
It’s worth noting that ‘assurance’ referenced on the assurance map would certainly be assurance with a small “a”! Yes, companies have statutory audits, which give shareholders assurance over the truth and fairness of financial statements — but there are many other less formal sources of assurance as well. For example, stakeholders might take assurance from a company’s own governance processes or internal reviews; in other cases, independent assurance might be considered necessary. The beauty of the visibility provided by the assurance map is that it allows Audit Committees and stakeholders the opportunity to engage on how much assurance is enough — and co-create the right answer.
We believe that the breadth of information demanded by stakeholders will only increase in the future — and that means now is the right time to think about how your company will drive transparency and increase trust.
For practical suggestions on how to construct an assurance map for your organisation, please read our latest paper: