As we look for ways to provide relevant risk information to the audit committee and adopt a combined assurance approach, a valuable way we can highlight the current state of our organizational risk profile is with a risk coverage map. In researching the topic, one of the best examples of a risk coverage map in a combined assurance setting comes from a PwC report titled Implementing a combined assurance approach in the era of King II 1. In this report, the authors present the major risk topics for an organization along with the groups within the Three Lines 2 who are providing assurance services related to each risk.
From an internal audit perspective, the risk coverage map shows exactly which group has responsibility for risk management and to what extent the coverage extends. In the example below, you can see that Internal Audit has minimal coverage on environmental risk, but this may be appropriate since there is an EHS team and special projects that include heavier coverage on this risk.