Controls Assurance Frameworks
A large government agency engaged Pitt Group to support the development of a control assurance framework for its major grants management program. When Pitt Group was engaged, the grants program’s assurance arrangements were largely ad hoc and only loosely based on risk. The agency had mapped key controls for the program and identified several priority controls but had not developed any assurance processes over these controls.
Our first step was reconciling the mapped controls with the strategies and risks identified for the grants program to confirm the priority controls. To assist with this, we reviewed the grants program’s documented processes. We facilitated workshops between the in-house assurance team and business areas to understand the grants process and map the controls.
This led to the identification of further controls, as well as the reprioritisation of some controls based on the following:
controls mitigating more than one program, financial or fraud risk
controls that assure other controls (detective controls)
overlap between controls and whether one test could cover controls in multiple phases
the interrelationship between controls and whether tests could be expanded to cover multiple controls using the same data set.
We used the introductory workshops, research and controls mapping to design a control testing regime that accounted for control design and operating effectiveness. We recommended testing frequencies (from continuous to annual) based on the control frequencies, and sample sizes based on population sizes and control priority. We also created preliminary test programs for each control.
We facilitated a second series of workshops with the owner of each control to discuss the potential control tests and to determine the existence and availability of assurance data. Where necessary, we determined whether automated processes could be modified to support continuous or automated auditing.
We developed a training program to build the capability of the in-house assurance team and developed a series of resources, such as testing templates, a sample size calculator, a process mapping guide and rating matrices.
Pitt Group collaborated with the in-house team to test the identified controls. Over twelve months, we completed several tests ourselves, using these tests to train the in-house team. We then mentored the in-house team to undertake their own testing, using the process to progressively refine the control tests.
We provided quality control over all tests to ensure consistency and assurance of the results.
Pitt Group developed a series of reports, including individual test reports, an assurance dashboard and periodic consolidated reports. We facilitated a series of meetings with senior management to ensure the assurance process met their requirements and to enhance their commitment to assurance.