Controls Assurance Frameworks
A large government agency engaged Pitt Group to support the development of a control assurance framework for its major grants management program. When Pitt Group was engaged, the grants program’s assurance arrangements were largely ad-hoc and only loosely based on risk. The agency had mapped key controls for the program and identified several priority controls but had not developed any assurance processes over these controls.
​
First Steps
Our first step was reconciling the mapped controls with the strategies and risks identified for the grants program to confirm the priority controls. To assist this, we reviewed the grants program’s documented processes. We facilitated workshops between the in-house assurance team and business areas to understand the grants process and map the controls.
This led to the identification of further controls, as well as the reprioritisation of some controls based on the following:
-
controls mitigating more than one program, financial or fraud risk
-
controls that assure other controls (detective controls)
-
overlap between controls and whether one test could cover controls in multiple phases
-
the interrelationship between controls and whether tests could be expanded to cover multiple controls using the same data set.
Controls Regime
We used the introductory workshops, research and controls mapping to design a control testing regime that accounted for control design and operating effectiveness. We recommend testing frequency (from continuous to annual) based on the control frequencies and sample sizes based on population sizes and control priority. We also created preliminary test programs for each control.
​
We facilitated a second series of workshops with the owner of each control to discuss the potential control tests and to determine the existence and availability of assurance data. Where necessary, we determined whether automated processes could be modified to support continuous or automated auditing.
​
Capability Development
We developed a training program to build the capability of the in-house assurance team and developed a series of resources, such as testing templates, a sample size calculator, a process mapping guide and rating matrices.
​
Control Testing
Pitt Group collaborated with the in-house team to test the identified controls. Over twelve months, we completed several tests ourselves, using these tests to train the in-house team. We then mentored the in-house team to undertake their own testing, using the process to progressively refine the control tests.
​
We provided quality control over all tests to ensure consistency and assurance of the results.
Assurance reporting
Pitt Group developed a series of reports, including individual test reports, an assurance dashboard and periodic consolidated reports. We facilitated a series of meetings with senior management to ensure the assurance process met their requirements and to enhance their commitment to assurance.
​