IIA EXPOSURE DOCUMENT
Three Lines of Defense
June 2019
Table of Contents
02 Executive summary
03 Letter from the Working Group
04 A. Background
06 B. Governance: the key to organizational success
07 C. Contributing to organizational success and value creation
11 D. Scalability, maturity, structuring, and “blurring the lines”
Executive Summary
The Three Lines of Defense model is an important part of organizational risk management and control, attracting
both critics and admirers. At a time when trust in organizations is under attack and in an era of near continuous
change and upheaval, The IIA is undertaking a major review of the model to determine its value and usefulness
going forward. This exposure document is part of that review process and has been designed to solicit input from a
wide range of global stakeholders.
The current model has the benefit of being simple, easy to communicate, and easy to understand. It describes the
respective roles of the board/governing body, senior and operational management, risk and compliance functions,
and internal auditing. It helps organizations avoid confusion, gaps, and overlaps when they assign responsibilities
for risk management and control activities. It also highlights the influence of external audit and regulators.
While the model has been widely adopted by organizations and governments around the world, the main
criticisms of this approach are that the Three Lines of Defense model is too limited and too restrictive. It focuses
exclusively on defensive actions rather than a more proactive approach to the identification, analysis, and
preparedness for both opportunities and threats. It suggests rigid structures and creates a tendency toward
operational silos, which can be less efficient and effective. In short, it is not equipped to reflect the current realities
of modern organizations.
In this document we provide an analysis of the Three Lines of Defense model and make proposals for how it can be
strengthened and improved. Key to these proposals is a broadening of the scope of the model beyond value
protection to embrace value creation. The structures and processes that exist to provide an organization with
protection from risk are at the same time central to effective governance and organizational success. Stakeholders’
needs and interests determine the purpose of an organization. Governance mechanisms serve to ensure that the
organization remains aligned with the stakeholders.
In this context, each of the key contributors to organizational success and value creation (governing body;
management; risk, quality, control, and compliance; and independent internal auditing) are described in this
document. While the perspective is mainly an internal one, we also examine the roles of external auditors,
regulators, and others.
Within the basic model, there is plenty of scope for flexibility and choice. How to assign, separate, and combine
roles must be a decision that the governing bodies of each organization make, taking full account of stakeholder
desires and direction as well as regulatory expectations and legal requirements. Another point of emphasis is the
need for close coordination among these contributors to avoid silos.
The freedom to assign roles along with close collaboration among roles can lead to so-called “blurring of the lines”.
Yet the current Three Lines of Defense model neither explains this nor offers any guidance. Careful
consideration is needed to ensure that this does not result in the combining of conflicting roles. In particular, given
the importance of its independence, great care must be taken when the responsibilities of internal auditing are
extended beyond providing credible objective assurance on the effectiveness and adequacy of governance, risk
management, and control. Certain safeguards may be applied to enable internal auditing to be able to complete its
mission.
The Three Lines of Defense model has proven its value repeatedly over the past 20 years. These proposed revisions
are designed to help modernize and strengthen this trusted governance tool so that its usefulness and value can
be extended.
This paper reflects the thoughts and analysis of a working group appointed by The IIA and chaired by Jenitha John.
Letter from the Working Group
“The Three Lines of Defense has come to serve a broad range of industries addressing the many issues
around governance, risk management, and control. For over 20 years, organizations have used the
model to navigate the ever-evolving operational landscape on their journey to organizational success
and sustainable value creation.
Acknowledging changing stakeholder expectations and increasing complexities of organizations, The IIA,
in collaboration with specialists in governance and risk management from around the globe, launched a
review of the Three Lines of Defense, weighing in on strengths, application, and effectiveness toward
ensuring its continued relevance in today’s ever-changing climate.
The objective of the working group is the creation of a fit-for-purpose model that is adaptive enough to
apply to the wide variety of organizational models and the rapidly changing environments in which they
operate. To this end, dynamic governance, risk management, and control processes are required with
coordination, collaboration, and alignment across the model being of vital importance.
The aim of this review is to enable those charged with governance to draw from the Three Lines of
Defense model to help them deploy the most appropriate structure and resources within their
organizations to preserve and enhance value.
The working group, through its illuminating deliberations and vast discussions, presents to you the Three
Lines of Defense as it is experienced today with thoughts and logic on how to implement the model
effectively.
We seek to harness the collective wisdom of IIA members and stakeholders around the world, and ask
for your feedback to assist in shaping and molding the position of The IIA on this vital topic. Your
participation is sincerely appreciated.”
Jenitha John, working group chair; vice chairman of The IIA Global Board of Directors; and Chief Audit
Executive, FirstRand Ltd
Members of the working group are:
Mark Carawan, Chief Compliance Officer, Citigroup
Greg Grocholski, Chief Audit Executive, SABIC
Trygve Sørlie, Independent Service Provider, Trygve Sørlie Services EPF
Shannon Urban, Managing Director, EY
Beili Wong, VP, Audit and Risk, CAE, Liquor Control Board of Ontario
Charlie Wright, Chief Risk Officer, Jack Henry and Associates
The views expressed in this document are the personal views of the members of the working group and do not
necessarily reflect the views of the organizations for which they work.
A. Background
A.1 The case for refreshing and updating the Three Lines of Defense
The Three Lines of Defense model first emerged more than 20 years ago and has since become widely recognized,
especially in the financial services sector where it originated. The IIA formally adopted it in a Position Paper “The
Three Lines of Defense in Effective Risk Management and Control,” published in 2013, and has since promoted it as
a valuable tool for those charged with governance. Its appeal lies in its direct and simple explanation of the various
roles and activities that comprise risk management and control (while neglecting to consider governance more
broadly), and its value is in helping organizations avoid confusion, duplication, and gaps when assigning
responsibility for these roles and activities.
[Graphic not reproduced here. Caption: Graphic taken from The IIA Position Paper The Three Lines of Defense in Effective Risk Management and Control, published in 2013, adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41.]
Much has changed since the model was first formulated, including the nature of organizations and the
environments in which they operate, the role and positioning of each of the three “lines,” and the contribution to
organizational success made by internal auditing. Trust in organizations has eroded in recent years through a
succession of scandals and crises. If the shortcomings of the model can be addressed, the Three Lines of Defense
can help organizations rebuild that trust and achieve their goals in a way that best serves the needs and interests
of their stakeholders.
A.2 Assessment of the Three Lines model
The model has attracted criticism over the years, highlighting its limitations in addressing the complexity of
modern organizations. In addition, the familiar graphic, developed and promoted to illustrate the model, is seen as
reinforcing these limitations. A number of variations to the model have been proposed, but none has gained
significant adoption.
Rather than needing a complete overhaul, the current model has strengths that can be extended and enhanced to
serve organizational needs even more successfully.
Strengths of the Three Lines of Defense Model, paired with the corresponding Opportunities for Development:

1. Strength: Is simple, easy to understand, and easy to communicate.
   Opportunity: To maintain these qualities.

2. Strength: Provides focus on the importance of effective risk management and control.
   Opportunity: To contextualize risk management and control as part of governance, supporting organizational success and value creation.

3. Strength: Supports an organization’s efforts in responding to opportunities and threats.
   Opportunity: To encourage both a proactive and a reactive approach to advancing the goals of an organization.

4. Strength: Offers a basis for clarity and efficiency when organizing the activities and resources of risk management and control.
   Opportunity: To emphasize the importance of coordination and collaboration aligned to strategic priorities and operational needs.

5. Strength: Describes the roles played by each of the key functions and relevant external stakeholders with respect to risk management and control.
   Opportunity: To provide additional clarity to the roles and responsibilities of individual functions and to their joint contribution to governance, organizational success, and value creation.

6. Strength: Describes a means of structuring key functions.
   Opportunity: To highlight the opportunities for a more flexible and agile adoption of the model.

7. Strength: Has been widely adopted, especially by organizations and regulators in financial services.
   Opportunity: To take account of organizational differences, especially with respect to size, sector, and maturity; demonstrate relevance; and enable ready adoption by any organization.

8. Strength: Recognizes the roles of external auditors and regulators in risk management and control.
   Opportunity: To consider other external stakeholders and their contribution to governance, organizational success, and value creation without over-complicating the model.

9. Strength: Allows for a ready explanation of the role of internal audit as the “third line of defense.”
   Opportunity: To expand this description to embrace the role of internal audit as a strategic partner and trusted advisor.

10. Strength: Provides a useful framework for discussions about independence, objectivity, and assurance.
    Opportunity: To account for and explain “blurring of the lines” and describe appropriate safeguards.

11. Strength: Is illustrated by a well-known and simple graphic.
    Opportunity: To evolve the graphical representation to reflect evolution and enhancement of the model itself.
B. Governance: the key to organizational success
B.1 Why organizations exist
Organizations are created to fulfill a purpose and deliver desirable outcomes defined by the specific needs and
interests of stakeholders, and to create value by transforming various inputs into new outputs.[1, 2] Stakeholders
pass authority and assets to a governing body to take charge of the organization on their behalf, and they are
interested not only in the outputs and outcomes but also in how these are achieved.[3] Above all, stakeholders
expect the organization to realize their goals effectively, efficiently, sustainably, and ethically through appropriate
decisions, actions, behaviors, and outcomes.
Organizations do not operate in a vacuum but are influenced and shaped by economic, social, political,
environmental, technological, physical, and other factors. These factors include uncertainty, change, complexity,
subjectivity, bias, self-interest, competition for finite resources, and limits on capacity and capabilities, and they
are often sources of both opportunities and threats. Organizations adopt appropriate and specific measures to
navigate these factors to keep their decisions, actions, behaviors, and outcomes in alignment with stakeholder
needs and interests, and so optimize their overall performance.
B.2 How governance fosters organizational success and value creation
Examples of the measures designed to address opportunities and threats include, but are not limited to:
• Stakeholder engagement
• Stewardship of resources
• Ethical culture
• Ethical leadership
• Effective leadership
• Direction
• Prioritization
• Delegation of resources
• Goal setting
• Segregation of responsibilities
• Specialization
• Division of labor
• Processes to deal with uncertainty
• Processes to deal with change
• Performance indicators
• Monitoring and reporting
• Expert challenge
• Policy setting and testing
• Independent evaluation
• Independent assurance
• Independent advice
Such measures contribute to effective governance and are enablers of organizational success and value creation.[4]
They serve not only to promote outcomes that are aligned with the interests of stakeholders but also to keep
decisions, actions, and behaviors in alignment as well.
Even with adequate governance measures in place, it is not possible to predict future events with complete
accuracy or guarantee success. Instead, the aim is to optimize the effectiveness of, and accountability for, decision
making and actions, facilitate ethical behavior, and manage uncertainty, to reduce variability in the whole
performance and operate within an acceptable range of outcomes.

[1] “Organization” is used throughout this document to refer to any formally constituted entity, regardless of size, sector,
ownership, and form of control, from the smallest family-run business to the largest multinational conglomerate, as well as
local, municipal, and central government bodies and departments.
[2] “Stakeholder” is used throughout this document to refer to any party that has an interest or stake in the activities of an
organization.
[3] “Governing body” is used throughout this document to refer to the individual or group of individuals charged with governance
and having ultimate responsibility for all aspects of the organization, regardless of how this is constituted, including single and
multi-tier boards, councils, and similar organs. It is also used to include any committees of the governing body such as the audit
committee.
[4] “Governance” is used throughout this document, consistent with the definition from The IIA’s International Professional
Practices Framework® (IPPF®) glossary, as “[t]he combination of processes and structures implemented by the board to inform,
direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
The governance measures listed above can be readily grouped into four overlapping and complementary sets of
related roles and activities:
• Leadership and oversight.
• Strategy execution.
• Support, guidance, and control.
• Objective assurance and advice.
Assignment of responsibility for these roles and activities within an organization is one of the tasks of the
governing body when establishing processes and structures for governance, ensuring compliance with regulatory and
legislative requirements. Organizations vary considerably and change over time, but there are common structural
elements that broadly align to the sets of governance roles and activities:
• Responsibility for leadership and oversight is assigned to a governing body.
• The governing body delegates responsibility for strategy execution to management.
• Within management’s sphere of responsibility, separate functions are established that provide support,
guidance, and control with respect to risk, quality, control, and compliance.
• Independent internal audit provides objective assurance, insight, and often advice, as well.
Within this general framework, there are likely to be individuals, teams, and functions that have responsibilities
spanning two or more of the sets of governance roles and activities. This is discussed in section D.2, “Blurring of
the lines.”
C. Contributing to organizational success and value creation
C.1 Building on the model
The common structural elements described above align closely with the familiar components of the Three Lines of
Defense model but allow for overlap and “blurring.” There is a much closer relationship between all the elements
than suggested by the familiar graphic on page 3.
C.1.1 Governing body
Stakeholders give the governing body overall responsibility for the stewardship of the organization, its culture,
assets, activities, performance, engagement with other organizations and individuals, environmental impact,
reporting, and so on. Thereafter, stakeholders commonly have limited direct input to strategic and operational
decisions. This separation of ownership and governance requires measures to ensure that the governing body
directs the organization in accordance with the needs and interests of its stakeholders, within the requirements of
laws and regulations, and according to social and cultural expectations. This requires integrity, transparency, and
accountability together with regular stakeholder engagement as well as independent scrutiny and reporting.
Key roles of the governing body therefore include:
• Establishing and maintaining an ethical culture, leading by example, and setting the “tone at the top.”
• Engaging with stakeholders to ensure alignment of decisions, actions, behaviors, and outcomes with their
interests in a way that is efficient, effective, sustainable, and ethical.
• Providing ethical and strategic leadership for the organization and setting strategic direction.
• Establishing overarching processes, responsibilities, and structures.
• Establishing committees of the governing body as required.
• Setting goals for performance as a whole and determining acceptable variances and tolerances.
• Delegating resources and authority to management and internal audit.
• Approving policies designed by risk, quality, control, and compliance functions.
• Monitoring performance.
• Reviewing reports and assurance received from all functions.
• Reporting on decisions, actions, behaviors, and outcomes to stakeholders and appropriate authorities.
C.1.2 Management
The governing body typically delegates responsibility for executing strategy to management and allocates the
appropriate resources. The separation between governance and strategy execution may be blurred depending on
the type of governance model and the degree to which management participates in governance, and vice versa.
Working alongside management are various support functions considered to be part of management, even where
these may be outsourced. Finance and accounting, human resources, and IT, for example, typically support
management with supplementary services.
Management receives assistance from the risk, quality, control, and compliance functions and from internal audit. However,
management owns risk and is responsible for designing and implementing controls and for managing the uncertainty
associated with strategy execution within agreed variations in performance. While success cannot be guaranteed
with perfect precision, management is expected to take the steps necessary to have the greatest chance of
achieving it.
The key responsibilities of management include:
• Achieving organizational objectives.
• Making decisions, taking actions, maintaining personal conduct, and delivering outcomes aligned with the
needs and interests of stakeholders efficiently, effectively, ethically, and sustainably within the range of
variances and tolerances approved by the governing body.
• Assessing internal and external factors that may impact (whether positively or negatively) decisions,
actions, behaviors, and outcomes.
• Establishing and operating systems of checks and balances that are designed to keep performance within
the acceptable range of variances and tolerances.
• Keeping checks and balances up to date in the context of the current and likely future operating
environment, repairing them if they prove to be ineffective or defective, and slackening or eliminating
them if they are no longer necessary.
• Taking corrective action when decisions, actions, behaviors, and outcomes are falling short of
expectations.
• Contributing to the design and development of policies with risk, quality, control, and compliance
functions, and implementing and taking responsibility for those policies.
• Communicating direction received from the governing body down and across the organization.
• Setting tactics and performance indicators.
• Monitoring and analyzing activity.
• Reporting performance and forecasts to the governing body and providing assurance.
C.1.3 Risk, quality, control, and compliance functions
As part of the broader management function, risk, quality, control, and compliance functions provide tactical
oversight, guidance, support, challenge, and control by working with management and are specialized to leverage
specific knowledge and skills. They develop and test policies approved by the governing body that are designed to
maintain performance within the range of acceptable variances and tolerances defined by the governing body. The
development, monitoring, and ongoing improvement of policies can usefully include the involvement of
management as well as internal audit. Variances and tolerances in performance are impossible to avoid and are
usually recognized as being potentially valuable when they are understood and managed carefully and in a timely
fashion. In some instances, it is the risk, quality, control, or compliance function that approves certain actions and,
in this way, acts as a control.
The responsibilities of these functions generally include supporting management policies, defining roles and
responsibilities, and setting goals for implementation. Specific tasks may include:
• Analyzing known and identifying emerging issues that may impact decisions, actions, behaviors, and
outcomes.
• Identifying changes in the organization’s implicit acceptance of variances and tolerances in performance.
• Assisting management in developing risk frameworks, processes, and controls to align performance with
strategic goals, and identifying when controls are no longer necessary and can be relaxed or withdrawn
altogether.
• Providing guidance and training on governance, risk management, and control processes.
• Facilitating and monitoring the implementation of effective risk management practices by management.
• Alerting management to emerging issues and changing regulatory requirements.
• Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting,
compliance with laws and regulations, and timely remediation of deficiencies.
C.1.4 Independent internal audit
The mission of internal audit is “[t]o enhance and protect organizational value by providing risk-based and
objective assurance, advice, and insight,” and it contributes directly to enabling an organization to achieve its
purpose (i.e., value creation).[5]
While remaining part of the organization, internal audit can offer credible objective assurance on the adequacy
and effectiveness of controls, processes, and structures designed to support good governance. The governing body
needs objective assurance to be able to exercise its oversight role effectively. In addition to structural
independence, internal audit’s objectivity is enabled through having and applying an objective mindset, and by
adhering to a rigorous and systematic process and aligning to professional standards. Internal audit’s role does not
replace management’s obligation to monitor performance and report to the governing body, but it is an essential
complement to it. Certain supporting and reporting structures are required to ensure internal audit’s access to all
resources, personnel, and records needed for it to be able to conduct its work, as well as a direct reporting line to
the governing body to secure its independence.
The internal audit plan of work must be clearly aligned to the strategic priorities and operational needs of the
organization, providing an authoritative, credible, and objective view on the adequacy and effectiveness of
governance and of all the checks and balances that this includes, as well as identifying opportunities and threats
that may arise.
[5] The IIA’s International Professional Practices Framework® (IPPF®).
The responsibilities of internal audit may include:
• Providing assurance, opinions, insight, and advice on the adequacy and effectiveness of governance, risk
management, and internal control.
• Undertaking risk-based internal audits and reviews aligned to strategic priorities and operational needs.
• Providing assurance, opinions, insight, and advice on the efficiency and effectiveness of operations,
including the safeguarding of assets, and on the reliability and integrity of reporting processes.
• Providing assurance and opinions on the organization’s compliance functions and its compliance with
laws, regulations, policies, procedures, and contracts.
• Assessing the influence of organizational culture and behavior.
• Contributing to the development of policies.
• Consulting with the governing body and management on emerging opportunities and threats.
• Reporting to the governing body and management.
C.1.5 Contribution to organizational success: other bodies
In addition to internal structural elements, organizations draw upon external bodies (external auditors, supreme
audit institutions, regulators, and others) to support value creation. Stakeholders gain important benefits as a
result, such as greater confidence in the accuracy of financial reporting and comfort that organizational leaders are
being held to account. It is important to recognize the roles played by these external bodies as further contributors
to governance, risk management, and control, and to effective decisions, actions, behaviors, and outcomes that
enable an organization to make progress toward its goals and to remain aligned with the interests and needs of its
stakeholders.
External auditors/SAIs
External auditors provide an additional level of independent assurance for stakeholders over the accuracy of an
organization’s financial reporting and the systems that underpin it. Supreme audit institutions (SAIs) perform this
role in the public sector and also conduct performance and compliance audits and may have additional inspection
and jurisdictional mandates. It is the responsibility of the governing body to provide oversight of the work of
external audit or SAIs and receive reports. It is important to ensure that the planning of external audit and SAIs is
coordinated with that of internal audit to allow for mutually beneficial sharing and integration. As organizations
move toward extended forms of external reporting that reflect financial and nonfinancial capitals, there is
opportunity for even greater value for stakeholders, as well as additional needs for assurance, from both internal
and external audit.
Regulators
Regulators apply and monitor rules designed to increase transparency and accountability in a number of areas,
including financial reporting, environmental, health and safety, privacy, labor, and others. Particular attention is
focused on large financial institutions due to their significance to the economy as a whole. Typically, regulation
sets expectations for organizations to follow that are enforced through a process of inspection, review, reporting,
and penalties. Financial regulators in many countries have strongly embraced the Three Lines of Defense as a
model of effective governance, risk management, and control because it offers a clear and fairly simple template
for organizing and managing those activities and resources.
Accountability, inspection, oversight, monitoring, and evaluation
In some public sector contexts, such as multilateral financial institutions (such as development banks), especially in
the absence of a regulator, there may be additional roles that are variously referred to as accountability,
inspection, oversight, monitoring, and evaluation. These may be included in the remit of risk and compliance or
internal audit or alternatively may be assigned to distinct functions that usually report to the governing body,
directly or via a committee. Such reports may also be shared with the public. The focus for this work tends to be on
policy as well as the external (especially environmental and social) impacts of large scale initiatives. The desire for
a higher degree of independence as well as the specialist nature of monitoring and evaluation leads to the creation
of separate functions or outsourcing of the activity.
C.2 A coordinated approach
Successful application of the principles that underpin the model is dependent on the individual elements operating
with a high degree of coordination to prevent siloed thinking and activity unaligned to the strategic priorities and
operational needs of the organization. The benefits of a coordinated approach include: gains in efficiency and
effectiveness leading to more timely and consistent planning, execution, monitoring, and reporting; a clearer single
picture of the adequacy and effectiveness of governance; avoidance of reporting and assurance fatigue; and better
governance overall.
In designing and establishing its governance processes and structures, the governing body must ensure that roles
and responsibilities are clearly understood by all functions, supported by regular interaction and communication. It
is important to recognize the value of a sustained, coordinated effort. Without this, there may be a tendency to
move out of alignment, and the organization will be vulnerable to confusion, gaps, duplication of effort, and an
overall weakening of organizational success and value creation.
Regular communication is often the key to effective coordination. Greater integration can also be fostered by:
• Ensuring individual, team, and departmental goals are aligned with the strategic priorities and operational
needs of the organization.
• Ensuring a common understanding of the purpose and roles of each part of the organization.
• Establishing a common vocabulary for describing aspects of governance, risk management, and control.
• Using common rating or measurement systems across all functions.
• Sharing resources, including subject matter experts, among functions.
• Leveraging data and technology to facilitate insight capture, analysis, and communication.
Internal audit can play an important role in leading efforts toward a more integrated approach. This includes
assurance mapping to ensure that the coverage across the organization from various functions and other bodies —
whether internal or external — is consistent, adequate, efficient, reliable, and aligned. The efforts of the different
assurance providers should be accumulated and coordinated for maximum effect. As a major provider of objective
assurance, internal audit is well placed to manage assurance across the organization and to act as
a guarantor that the governing body and the organization as a whole receive the required level of assurance
across all activities and capabilities.
D. Scalability, maturity, structuring, and “blurring the lines”
D.1 Scalability
The refreshed understanding proposed in this document allows for a more flexible and adaptable approach to
applying the principles that underpin the model, and increases its relevance for a wide range of organizations.
Smaller, less mature, and less highly regulated organizations enjoy certain benefits that make it easier to keep
decisions, actions, behaviors, and outcomes aligned with the interests and needs of their stakeholders. The
primary stakeholders are likely to be fewer in number, making it easier to track and understand their expectations
and to keep them updated on performance. There is likely to be greater participation in governance by
stakeholders, and by members of the governing body in management activities. Overall, the organization and its
operating environment may be less complex, so the governing body can oversee them in their entirety more directly,
with less need to rely on reports from others.
As a result, a small organization may well choose to adopt a form of the model with much greater blending of
governance roles and activities. There may also be limited separation within management to form distinct risk,
quality, control, and compliance functions, these instead being more closely integrated within operations or
included within internal audit.
In contrast, as organizations grow, become more complex and subject to greater regulation, and seek greater
differentiation from other organizations in the same segment, the scope for fully exploiting the broader, refreshed
interpretation of the model becomes even greater. As resources increase, so too do the opportunities for
specialization and the segregation of responsibilities. More specialist resources can be dedicated to risk, quality,
control, and compliance activities, and to internal audit.
In all cases, the particular form of adoption of the model should be kept under regular review by the governing
body, within the requirements set by regulators and the expectations of stakeholders. The balance of priorities
between value protection and value creation, the degree of blending or separation between the sets of governance
roles and activities, and the relative distribution of resources across functions should all vary in accordance with
changing needs and circumstances.
D.2 “Blurring of the lines”
One of the criticisms of the Three Lines model is that it does not allow for, or explain, any “blurring of the lines.”
The graphic included in the 2013 Position Paper shows all the elements clearly separated from each other. In practice,
the separation between them is often less distinct, raising the question of what impact this has on the
effectiveness of governance.
The analysis in this document allows abundant opportunity for overlapping and complementary roles and activities,
recognizing that the internal audit function can provide value in nonassurance roles, as long as there is a clear
assessment of the potential impact on the effectiveness of governance. Safeguards must also be considered. In
principle, the governing body may assign responsibility for the roles and activities that comprise governance to any
individual, team, or function in the organization or outsourced service provider. By grouping related
responsibilities together, it is possible to minimize duplication, gain economies and efficiencies, shorten
communication lines, reduce the burden on management and the governing body of receiving multiple reports,
and deploy resources with optimum results. At the same time, it is important to identify the blending together of
potentially conflicting responsibilities that could impact the overall effectiveness of governance in the long term.
The governing body must make an informed decision by weighing the advantages and disadvantages of different
structural options.
“Blurring,” when it involves the internal audit function, demands special attention, given the importance of
structural independence for its ability to deliver credible objective assurance on all aspects of the organization.6
The function can deliver a mix of assurance and nonassurance services according to the needs of the organization.
Advisory and other nonassurance services may include:
• Agreeing management decisions.
• Making recommendations.
• Consulting on current circumstances and future actions.
• Participating in change initiatives.
• Delivering training in risk-related topics.
• Leading control self-assessment sessions with management.
• Assuming managerial responsibilities from time to time.
6 “Independence” and “objectivity” are related but distinct concepts. They are used here in accordance with the glossary of the
IPPF in which independence is defined as “[t]he freedom from conditions that threaten the ability of the internal audit activity
to carry out internal audit responsibilities in an unbiased manner” and is effectively achieved when the CAE reports to the
governing body. Objectivity is defined as “[a]n unbiased mental attitude that allows internal auditors to perform engagements
in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that
internal auditors do not subordinate their judgment on audit matters to others.”
When internal audit provides nonassurance services, the chief audit executive (CAE), in consultation with the
governing body, should assess whether this creates any conflict with the function’s ability to deliver credible
objective assurance, and consider appropriate safeguards, which may include:
• Informing the governing body of nonassurance engagements that internal audit has been asked to
undertake or managerial responsibilities it has been asked to assume, and communicating the impact these
may have on the ability of the function to provide organizationwide credible objective assurance.
• Ensuring that nonassurance roles are clearly defined and, where possible, time limited.
• Refraining from assuming responsibility for management decisions and associated risks and controls.
• Implementing measures, such as a “cooling off” period or use of outsourced resources, when auditing an
area in which internal audit has had a significant and recent engagement in an advisory or managerial
capacity.
In some organizations, there is a blending of responsibilities for internal audit with aspects of risk, quality, control,
and compliance. This occurs, for example, when the CAE is given responsibility for enterprise risk management, or
where the head of risk or compliance reports to the CAE. The importance of effective safeguards under such
circumstances is at its greatest. The governing body’s added oversight of the CAE’s nonassurance responsibilities
can be an effective safeguard.
References
IFAC, 2015, From Bolt-On to Built-In: Managing Risk as an Integral Part of Managing an Organization.
The IIA, 2013, The Three Lines of Defense in Effective Risk Management and Control.
IIA–Netherlands, 2014, Combining Internal Audit and Second Line of Defense Functions?
The IIA Research Foundation, 2015, Combined Assurance: One Language, One Voice, One View.

More Related Content

PPSX
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
PPTX
GRC Fundamentals
PDF
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
PPT
Risk Culture
DOC
Initial Public Offers and Due Diligence
PPTX
Enterprise Risk Management and Sustainability
PDF
Citibank ratio analysis
PDF
ERM-Enterprise Risk Management
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
GRC Fundamentals
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Culture
Initial Public Offers and Due Diligence
Enterprise Risk Management and Sustainability
Citibank ratio analysis
ERM-Enterprise Risk Management

What's hot (20)

PDF
Bank Risk Management and Risk Culture
PPTX
Managing Your Risk Taxonomy within StratexPoint
PPTX
Governance risk and compliance
PPTX
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
PDF
Enterprise Risk Management Framework
PPTX
Operational risk ppt
PPTX
The Three Lines of Defense Model & Continuous Controls Monitoring
PPTX
Internal Audit Plan 2015
PPTX
Risk management ppt 111p (training module)
DOC
Credit Risk Management internship report
PDF
Third-Party Risk Management
PDF
GRC - Isaca Training 16.9.2014
PDF
Risk based internal auditing
PDF
Embedding RCSA into Strategic Planning and Business Strategy
PPTX
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
PPT
Strategic Risk: Linking Risk Management & Strategy Management processes
PPTX
Enterprise Risk Management
PDF
New ISO 37301:2021
PDF
Internship report (e commerce industries in bangladesh and their services a s...
PDF
SOX Section 404 A Guide for Management
Bank Risk Management and Risk Culture
Managing Your Risk Taxonomy within StratexPoint
Governance risk and compliance
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Enterprise Risk Management Framework
Operational risk ppt
The Three Lines of Defense Model & Continuous Controls Monitoring
Internal Audit Plan 2015
Risk management ppt 111p (training module)
Credit Risk Management internship report
Third-Party Risk Management
GRC - Isaca Training 16.9.2014
Risk based internal auditing
Embedding RCSA into Strategic Planning and Business Strategy
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
Strategic Risk: Linking Risk Management & Strategy Management processes
Enterprise Risk Management
New ISO 37301:2021
Internship report (e commerce industries in bangladesh and their services a s...
SOX Section 404 A Guide for Management
Ad

Similar to Three Lines of Defense (20)

PDF
Pp the three lines of defense in effective risk management and control
DOCX
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
DOCX
Student 1 The main intention of this framework is to support .docx
DOCX
I need response to Discussion post in 200 words.docx
PDF
an agile model for whole of organisation governance
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
PDF
Analysis Essay Structure
PDF
Organizational Resilience Model
PDF
Three lines model updated, IIA update model tiga lapis pertahanan risiko
PDF
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
PDF
OverseeRiskAsNewerMoreComplex
DOCX
The word structure implies organization. People who work in an org.docx
DOCX
The requirement for presentation(need in 4hrs)slide1ERM at M.docx
PDF
Notesformbastrategicmanagementuniti 120924025055-phpapp02
PDF
Human Capital Trends in the Insurance Industry
PDF
MRM: PwC Top Issues
PDF
Risk management
PDF
One On One
PPTX
Chapter 8-Risk Management.pptx
PDF
ADDING VALUE TO THE BUSINESS THROUGH INTEGRATED RISK REPORTING
Pp the three lines of defense in effective risk management and control
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
Student 1 The main intention of this framework is to support .docx
I need response to Discussion post in 200 words.docx
an agile model for whole of organisation governance
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
Analysis Essay Structure
Organizational Resilience Model
Three lines model updated, IIA update model tiga lapis pertahanan risiko
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
OverseeRiskAsNewerMoreComplex
The word structure implies organization. People who work in an org.docx
The requirement for presentation(need in 4hrs)slide1ERM at M.docx
Notesformbastrategicmanagementuniti 120924025055-phpapp02
Human Capital Trends in the Insurance Industry
MRM: PwC Top Issues
Risk management
One On One
Chapter 8-Risk Management.pptx
ADDING VALUE TO THE BUSINESS THROUGH INTEGRATED RISK REPORTING
Ad

More from Светла Иванова (20)

PDF
Барометър на нагласите
PDF
ИНТЕГРИРАН ПОДХОД ЗА ОСИГУРЯВАНЕ НА СИСТЕМИТЕ ЗА УПРАВЛЕНИЕ НА КАЧЕСТВОТО (С...
PDF
Statistical training frameworkа - HLG-MOS
DOCX
GAMSO v1.2_29 jan
DOCX
AGILE MANAGEMENT AS AN ELEMENT OF THE MODERNIZATION OF THE TERRITORIAL STRUCT...
PDF
AGILE MANAGEMENT AS AN ELEMENT OF THE MODERNIZATION OF THE TERRITORIAL STRUCT...
PDF
Consistency of the Generic Activity Model for Statistical Organizations (GAMS...
DOCX
Value of official statistics: Recommendations on promoting, measuring and com...
PDF
Подобряване на ефективността на регионалната структура на националния статист...
PDF
Наръчник Споделени добри практики - Институт по публична администрация
PDF
ИПА - "Анализ на добри практики и изготвяне на предложения за въвеждане на гъ...
DOCX
Enhancing Existing Risk Management in National Statistical Institutes by Usin...
PDF
Guidelines on risk management practices in statistical organizations 2.0
PDF
Трета есенна академия "Реформите в публичната администрация в огледалото на п...
PDF
Opinion UNECE about statistical program for 2017, the Conference of European ...
PDF
Relationship between ISO 9001:2015 and Scrum practices in the production and ...
PDF
Regulation (EU) No 99/2013 of the European Parliament and of the Council on t...
PDF
Talent Management: Accelerating Business Performance - Right Management
PDF
Introduction to Capabilities - Steven Vale, UNECE
PDF
Human resources management in modern statistics - Janusz Dygaszewicz, Central...
Барометър на нагласите
ИНТЕГРИРАН ПОДХОД ЗА ОСИГУРЯВАНЕ НА СИСТЕМИТЕ ЗА УПРАВЛЕНИЕ НА КАЧЕСТВОТО (С...
Statistical training frameworkа - HLG-MOS
GAMSO v1.2_29 jan
AGILE MANAGEMENT AS AN ELEMENT OF THE MODERNIZATION OF THE TERRITORIAL STRUCT...
AGILE MANAGEMENT AS AN ELEMENT OF THE MODERNIZATION OF THE TERRITORIAL STRUCT...
Consistency of the Generic Activity Model for Statistical Organizations (GAMS...
Value of official statistics: Recommendations on promoting, measuring and com...
Подобряване на ефективността на регионалната структура на националния статист...
Наръчник Споделени добри практики - Институт по публична администрация
ИПА - "Анализ на добри практики и изготвяне на предложения за въвеждане на гъ...
Enhancing Existing Risk Management in National Statistical Institutes by Usin...
Guidelines on risk management practices in statistical organizations 2.0
Трета есенна академия "Реформите в публичната администрация в огледалото на п...
Opinion UNECE about statistical program for 2017, the Conference of European ...
Relationship between ISO 9001:2015 and Scrum practices in the production and ...
Regulation (EU) No 99/2013 of the European Parliament and of the Council on t...
Talent Management: Accelerating Business Performance - Right Management
Introduction to Capabilities - Steven Vale, UNECE
Human resources management in modern statistics - Janusz Dygaszewicz, Central...

Recently uploaded (20)

PPTX
Empowering Teens with Essential Life Skills 🚀
PPTX
True Fruits_ reportcccccccccccccccc.pptx
PDF
PPT Item # 9 - FY 2025-26 Proposed Budget.pdf
PDF
UNEP/ UNEA Plastic Treaty Negotiations Report of Inc 5.2 Geneva
PPTX
SUKANYA SAMRIDDHI YOJANA RESEARCH REPORT AIMS OBJECTIVES ITS PROVISION AND IM...
PPTX
International Tracking Project Unloading Guidance Manual V1 (1) 1.pptx
PPT
The Central Civil Services (Leave Travel Concession) Rules, 1988, govern the ...
PPTX
Neurons.pptx and the family in London are you chatgpt
PPTX
Presentation on CGIAR’s Policy Innovation Program _18.08.2025 FE.pptx
PPTX
3.-Canvassing-Procedures49for election.pptx
PPTX
Chapter 1: Philippines constitution laws
PPTX
BHARATIYA NAGARIKA SURAKSHA SAHMITA^J2023 (1).pptx
PDF
AAAAAAAAAAAAAAAAAaaaaaaaAAAAAAAt - ĐV.pdf
PPTX
Developing_An_Advocacy_Agenda_by_Kevin_Karuga.pptx
PPTX
ANALYSIS OF THE PROCLAMATION OF THE PHILIPPHINE INDEPENDENCE.pptx
PPTX
DFARS Part 252 - Clauses - Defense Regulations
PPTX
DFARS Part 253 - Forms - Defense Contracting Regulations
PDF
4_Key Concepts Structure and Governance plus UN.pdf okay
PDF
Abhay Bhutada Foundation’s ESG Compliant Initiatives
PDF
CXPA Finland Webinar - Modern Components of Service Quality - Alec Dalton - ...
Empowering Teens with Essential Life Skills 🚀
True Fruits_ reportcccccccccccccccc.pptx
PPT Item # 9 - FY 2025-26 Proposed Budget.pdf
UNEP/ UNEA Plastic Treaty Negotiations Report of Inc 5.2 Geneva
SUKANYA SAMRIDDHI YOJANA RESEARCH REPORT AIMS OBJECTIVES ITS PROVISION AND IM...
International Tracking Project Unloading Guidance Manual V1 (1) 1.pptx
The Central Civil Services (Leave Travel Concession) Rules, 1988, govern the ...
Neurons.pptx and the family in London are you chatgpt
Presentation on CGIAR’s Policy Innovation Program _18.08.2025 FE.pptx
3.-Canvassing-Procedures49for election.pptx
Chapter 1: Philippines constitution laws
BHARATIYA NAGARIKA SURAKSHA SAHMITA^J2023 (1).pptx
AAAAAAAAAAAAAAAAAaaaaaaaAAAAAAAt - ĐV.pdf
Developing_An_Advocacy_Agenda_by_Kevin_Karuga.pptx
ANALYSIS OF THE PROCLAMATION OF THE PHILIPPHINE INDEPENDENCE.pptx
DFARS Part 252 - Clauses - Defense Regulations
DFARS Part 253 - Forms - Defense Contracting Regulations
4_Key Concepts Structure and Governance plus UN.pdf okay
Abhay Bhutada Foundation’s ESG Compliant Initiatives
CXPA Finland Webinar - Modern Components of Service Quality - Alec Dalton - ...

Three Lines of Defense

  • 1. 1 IIA EXPOSURE DOCUMENT Three Lines of Defense June 2019 Table of Contents 02 Executive summary 03 Letter from the Working Group 04 A. Background 06 B. Governance: the key to organizational success 07 C. Contributing to organizational success and value creation 11 D. Scalability, maturity, structuring, and “blurring the lines”
  • 2. 2 Executive Summary The Three Lines of Defense model is an important part of organizational risk management and control, attracting both critics and admirers. At a time when trust in organizations is under attack and in an era of near continuous change and upheaval, The IIA is undertaking a major review of the model to determine its value and usefulness going forward. This exposure document is part of that review process and has been designed to solicit input from a wide range of global stakeholders. The current model has the benefit of being simple, easy to communicate, and easy to understand. It describes the respective roles of the board/governing body, senior and operational management, risk and compliance functions, and internal auditing. It helps organizations avoid confusion, gaps, and overlaps when they assign responsibilities for risk management and control activities. It also highlights the influence of external audit and regulators. While the model has been widely adopted by organizations and governments around the world, the main criticisms of this approach are that the Three Lines of Defense model is too limited and too restrictive. It focuses exclusively on defensive actions rather than a more proactive approach to the identification, analysis, and preparedness for both opportunities and threats. It suggests rigid structures and creates a tendency toward operational silos, which can be less efficient and effective. In short, it is not equipped to reflect the current realties of modern organizations. In this document we provide an analysis of the Three Lines of Defense model and make proposals for how it can be strengthened and improved. Key to these proposals is a broadening of the scope of the model beyond value protection to embrace value creation. The structures and processes that exist to provide an organization with protection from risk are at the same time central to effective governance and organizational success. 
Stakeholders’ needs and interests determine the purpose of an organization. Governance mechanisms serve to ensure that the organization remains aligned with the stakeholders. In this context, each of the key contributors to organizational success and value creation (governing body; management; risk, quality, control, and compliance; and independent internal auditing) are described in this document. While the perspective is mainly an internal one, we also examine the roles of external auditors, regulators, and others. Within the basic model, there is plenty of scope for flexibility and choice. How to assign, separate, and combine roles must be a decision that the governing bodies of each organization make, taking full account of stakeholder desires and direction as well as regulatory expectations and legal requirements. Another point of emphasis is the need for close coordination among these contributors to avoid silos. The freedom to assign roles along with close collaboration among roles can lead to so-called “blurring of the lines”. Yet the current Three Lines of Defense model is unable to explain this nor offer any guidance. Careful consideration is needed to ensure that this does not result in the combining of conflicting roles. In particular, given the importance of its independence, great care must be taken when the responsibilities of internal auditing are extended beyond providing credible objective assurance on the effectiveness and adequacy of governance, risk management, and control. Certain safeguards may be applied to enable internal auditing to be able to complete its mission. The Three Lines of Defense model has proven its value repeatedly over the past 20 years. These proposed revisions are designed to help modernize and strengthen this trusted governance tool so that its usefulness and value can be extended. This paper reflects the thoughts and analysis of a working group appointed by The IIA and chaired by Jenitha John.
  • 3. 3 Letter from the Working Group “The Three Lines of Defense has come to serve a broad range of industries addressing the many issues around governance, risk management, and control. For over 20 years, organizations have used the model to navigate the ever-evolving operational landscape on their journey to organizational success and sustainable value creation. Acknowledging changing stakeholder expectations and increasing complexities of organizations, The IIA, in collaboration with specialists in governance and risk management from around the globe, launched a review of the Three Lines of Defense, weighing in on strengths, application, and effectiveness toward ensuring its continued relevance in today’s ever-changing climate. The objective of the working group is the creation of a fit-for-purpose model that is adaptive enough to apply to the wide variety of organizational models and the rapidly changing environments in which they operate. To this end, dynamic governance, risk management, and control processes are required with coordination, collaboration, and alignment across the model being of vital importance. The aim of this review is to enable those charged with governance to draw from the Three Lines of Defense model to help them deploy the most appropriate structure and resources within their organizations to preserve and enhance value. The working group, through its illuminating deliberations and vast discussions, presents to you the Three Lines of Defense as it is experienced today with thoughts and logic on how to implement the model effectively. We seek to harness the collective wisdom of IIA members and stakeholders around the world, and ask for your feedback to assist in shaping and molding the position of The IIA on this vital topic. 
Your participation is sincerely appreciated.” Jenitha John, working group chair; vice chairman of The IIA Global Board of Directors; and Chief Audit Executive, FirstRand Ltd Members of the working group are: Mark Carawan, Chief Compliance Officer, Citigroup Greg Grocholski, Chief Audit Executive, SABIC Trygve Sørlie, Independent Service Provider, Trygve Sørlie Services EPF Shannon Urban, Managing Director, EY Beili Wong, VP, Audit and Risk, CAE, Liquor Control Board of Ontario Charlie Wright, Chief Risk Officer, Jack Henry and Associates The views expressed in this document are the personal views of the members of the working group and do not necessarily reflect the views of the organizations for which they work.
  • 4. 4 A. Background A.1 The case for refreshing and updating the Three Lines of Defense The Three Lines of Defense model first emerged more than 20 years ago and has since become widely recognized, especially in the financial services sector where it originated. The IIA formally adopted it in a Position Paper “The Three Lines of Defense in Effective Risk Management and Control,” published in 2013, and has since promoted it as a valuable tool for those charged with governance. Its appeal lies in its direct and simple explanation of the various roles and activities that comprise risk management and control (while neglecting to consider governance more broadly), and its value is in helping organizations avoid confusion, duplication, and gaps when assigning responsibility for these roles and activities. Graphic taken from The IIA Position Paper The Three Lines of Defense in Effective Risk Management and Control published in 2013, adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41 Much has changed since the model was first formulated, including the nature of organizations and the environments in which they operate, the role and positioning of each of the three “lines,” and the contribution to organizational success made by internal auditing. Trust in organizations has eroded in recent years through a succession of scandals and crises. If the shortcomings of the model can be addressed, the Three Lines of Defense can help organizations rebuild that trust and achieve their goals in a way that best serves the needs and interests of their stakeholders. A.2 Assessment of the Three Lines model The model has attracted criticism over the years, highlighting its limitations in addressing the complexity of modern organizations. In addition, the familiar graphic, developed and promoted to illustrate the model, is seen as reinforcing these limitations. A number of variations to the model have been proposed, but none has gained significant adoption. 
Rather than needing a complete overhaul, the current model has strengths that can be extended and enhanced to serve organizational needs even more successfully.
  • 5. 5 Strengths of the Three Lines of Defense Model Opportunities for Development Is simple, easy to understand, and easy to communicate. To maintain these qualities. Provides focus on the importance of effective risk management and control. To contextualize risk management and control as part of governance, supporting organizational success and value creation. Supports an organization’s efforts in responding to opportunities and threats. To encourage both a proactive and a reactive approach to advancing the goals of an organization. Offers a basis for clarity and efficiency when organizing the activities and resources of risk management and control. To emphasize the importance of coordination and collaboration aligned to strategic priorities and operational needs. Describes the roles played by each of the key functions and relevant external stakeholders with respect to risk management and control. To provide additional clarity to the roles and responsibilities of individual functions and to their joint contribution to governance, organizational success, and value creation. Describes a means of structuring key functions. To highlight the opportunities for a more flexible and agile adoption of the model. Has been widely adopted, especially by organizations and regulators in financial services. To take account of organizational differences, especially with respect to size, sector, and maturity; demonstrate relevance; and enable ready adoption by any organization. Recognizes the roles of external auditors and regulators in risk management and control. To consider other external stakeholders and their contribution to governance, organizational success, and value creation without over-complicating the model. Allows for a ready explanation of the role of internal audit as the “third line of defense.” To expand this description to embrace the role of internal audit as a strategic partner and trusted advisor. 
Provides a useful framework for discussions about independence, objectivity, and assurance. To account for and explain “blurring of the lines” and describe appropriate safeguards. Is illustrated by a well-known and simple graphic. To evolve the graphical representation to reflect evolution and enhancement of the model itself.
  • 6. 6 B. Governance: the key to organizational success B.1 Why organizations exist Organizations are created to fulfill a purpose and deliver desirable outcomes defined by the specific needs and interests of stakeholders, and to create value by transforming various inputs into new outputs1, 2 . Stakeholders pass authority and assets to a governing body to take charge of the organization on their behalf, and they are interested not only in the outputs and outcomes but also in how these are achieved3 . Above all, stakeholders expect the organization to realize their goals effectively, efficiently, sustainably, and ethically through appropriate decisions, actions, behaviors, and outcomes. Organizations do not operate in a vacuum but are influenced and shaped by economic, social, political, environmental, technological, physical, and other factors. These factors include uncertainty, change, complexity, subjectivity, bias, self-interest, competition for finite resources, and limits on capacity and capabilities, and they are often sources of both opportunities and threats. Organizations adopt appropriate and specific measures to navigate these factors to keep their decisions, actions, behaviors, and outcomes in alignment with stakeholder needs and interests, and so optimize their overall performance. 
B.2 How governance fosters organizational success and value creation Examples of the measures designed to address opportunities and threats include, but are not limited to: Stakeholder engagement Stewardship of resources Ethical culture Ethical leadership Effective leadership Direction Prioritization Delegation of resources Goal setting Segregation of responsibilities Specialization Division of labor Processes to deal with uncertainty Processes to deal with change Performance indicators Monitoring and reporting Expert challenge Policy setting and testing Independent evaluation Independent assurance Independent advice Such measures contribute to effective governance and are enablers of organizational success and value creation4 . They serve not only to promote outcomes that are aligned with the interests of stakeholders but also to keep decisions, actions, and behaviors in alignment as well. Even with adequate governance measures in place, it is not possible to predict future events with complete accuracy or guarantee success. Instead, the aim is to optimize the effectiveness of, and accountability for, decision 1 “Organization” is used throughout this document to refer to any formally constituted entity, regardless of size, sector, ownership, and form of control, from the smallest family-run business to the largest multinational conglomerate, as well as local, municipal, and central government bodies and departments. 2 “Stakeholder” is used throughout this document to refer to any party that has an interest or stake in the activities of an organization. 3 “Governing body” is used throughout this document to refer to the individual or group of individuals charged with governance and having ultimate responsibility for all aspects of the organization, regardless of how this is constituted, including single and multi-tier boards, councils, and similar organs. It is also used to include any committees of the governing body such as the audit committee. 
4 “Governance” is used throughout this document, consistent with the definition from The IIA’s International Professional Practices Framework® (IPPF®) glossary, as “[t]he combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
  • 7. 7 making and actions, facilitate ethical behavior, and manage uncertainty, to reduce variability in the whole performance and operate within an acceptable range of outcomes. The governance measures listed above can be readily grouped into four overlapping and complementary sets of related roles and activities: • Leadership and oversight. • Strategy execution. • Support, guidance, and control. • Objective assurance and advice. Assignment of responsibility for these roles and activities within an organization is one of the tasks of the governing body when establishing processes and structures for governance, ensuring compliance to regulatory and legislative requirements. Organizations vary considerably and change over time, but there are common structural elements that broadly align to the sets of governance roles and activities: • Responsibility for leadership and oversight is assigned to a governing body. • The governing body delegates responsibility for strategy execution to management. • Within management’s sphere of responsibility, separate functions are established that provide support, guidance and control with respect to risk, quality, control, and compliance. • Independent internal audit provides objective assurance, insight, and often advice, as well. Within this general framework, there are likely to be individuals, teams, and functions that have responsibilities spanning two or more of the sets of governance roles and activities. This is discussed in section D.2, “Blurring of the lines.” C. Contributing to organizational success and value creation C.1 Building on the model The common structural elements described above align closely with the familiar components of the Three Lines of Defense model but allow for overlap and “blurring.” There is a much closer relationship between all the elements than suggested by the familiar graphic on page 3. 
C.1.1 Governing body
Stakeholders give the governing body overall responsibility for the stewardship of the organization, its culture, assets, activities, performance, engagement with other organizations and individuals, environmental impact, reporting, and so on. Thereafter, stakeholders commonly have limited direct input to strategic and operational decisions. This separation of ownership and governance requires measures to ensure that the governing body directs the organization in accordance with the needs and interests of its stakeholders, within the requirements of laws and regulations, and according to social and cultural expectations. This requires integrity, transparency, and accountability together with regular stakeholder engagement as well as independent scrutiny and reporting.

Key roles of the governing body therefore include:
• Establishing and maintaining an ethical culture, leading by example, and setting the “tone at the top.”
• Engaging with stakeholders to ensure alignment of decisions, actions, behaviors, and outcomes with their interests in a way that is efficient, effective, sustainable, and ethical.
• Providing ethical and strategic leadership for the organization and setting strategic direction.
• Establishing overarching processes, responsibilities, and structures.
• Establishing committees of the governing body as required.
• Setting goals for performance as a whole and determining acceptable variances and tolerances.
• Delegating resources and authority to management and internal audit.
• Approving policies designed by risk, quality, control, and compliance functions.
• Monitoring performance.
• Reviewing reports and assurance received from all functions.
• Reporting on decisions, actions, behaviors, and outcomes to stakeholders and appropriate authorities.

C.1.2 Management
The governing body typically delegates responsibility for executing strategy to management and allocates the appropriate resources. The separation between governance and strategy execution may be blurred depending on the type of governance model and the degree to which management participates in governance, and vice versa.

Working alongside management are various support functions considered to be part of management, even where these may be outsourced. Finance and accounting, human resources, and IT, for example, typically support management with supplementary services. Assistance is provided to management from risk, quality, control, and compliance, and internal audit. However, management owns risk and is responsible for designing and implementing controls and managing the uncertainty associated with strategy execution within agreed variations in performance, and while this cannot be guaranteed with perfect precision, management is expected to take the steps necessary to have the greatest chance of success.

The key responsibilities of management include:
• Achieving organizational objectives.
• Making decisions, taking actions, maintaining personal conduct, and delivering outcomes aligned with the needs and interests of stakeholders efficiently, effectively, ethically, and sustainably within the range of variances and tolerances approved by the governing body.
• Assessing internal and external factors that may impact (whether positively or negatively) decisions, actions, behaviors, and outcomes.
• Establishing and operating systems of checks and balances that are designed to keep performance within the acceptable range of variances and tolerances.
• Keeping checks and balances up to date in the context of the current and likely future operating environment, repairing them if they prove to be ineffective or defective, and slackening or eliminating them if they are no longer necessary.
• Taking corrective action when decisions, actions, behaviors, and outcomes are falling short of expectations.
• Contributing to the design and development of policies with risk, quality, control, and compliance functions, and implementing and taking responsibility for those policies.
• Communicating direction received from the governing body down and across the organization.
• Setting tactics and performance indicators.
• Monitoring and analyzing activity.
• Reporting performance and forecasts to the governing body and providing assurance.
C.1.3 Risk, quality, control, and compliance functions
As part of the broader management function, risk, quality, control, and compliance functions provide tactical oversight, guidance, support, challenge, and control by working with management and are specialized to leverage specific knowledge and skills. They develop and test policies approved by the governing body that are designed to maintain performance within the range of acceptable variances and tolerances defined by the governing body. The development, monitoring, and ongoing improvement of policies can usefully include the involvement of management as well as internal audit.

Variances and tolerances in performance are impossible to avoid and are usually recognized as being potentially valuable when they are understood and managed carefully and in a timely fashion. In some instances, it is the risk, quality, control, or compliance function that approves certain actions and, in this way, acts as a control.

The responsibilities of these functions generally include supporting management policies, defining roles and responsibilities, and setting goals for implementation. Specific tasks may include:
• Analyzing known and identifying emerging issues that may impact decisions, actions, behaviors, and outcomes.
• Identifying changes in the organization’s implicit acceptance of variances and tolerances in performance.
• Assisting management in developing risk frameworks, processes, and controls to align performance with strategic goals, and identifying when controls are no longer necessary and can be relaxed or withdrawn altogether.
• Providing guidance and training on governance, risk management, and control processes.
• Facilitating and monitoring the implementation of effective risk management practices by management.
• Alerting management to emerging issues and changing regulatory requirements.
• Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.

C.1.4 Independent internal audit
The mission of internal audit is “[t]o enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight,” and it is a direct contributor to enabling an organization to achieve its purpose (i.e., value creation).5 While remaining part of the organization, internal audit can offer credible objective assurance on the adequacy and effectiveness of controls, processes, and structures designed to support good governance. The governing body needs objective assurance to be able to exercise its oversight role effectively. In addition to structural independence, internal audit’s objectivity is enabled through having and applying an objective mindset, and by adhering to a rigorous and systematic process and aligning to professional standards. Internal audit’s role does not replace management’s obligation to monitor performance and report to the governing body, but it is an essential complement to it.

Certain supporting and reporting structures are required to ensure internal audit’s access to all resources, personnel, and records needed for it to be able to conduct its work, as well as a direct reporting line to the governing body to secure its independence. The internal audit plan of work must be clearly aligned to the strategic priorities and operational needs of the organization, providing an authoritative, credible, and objective view on the adequacy and effectiveness of governance and of all the checks and balances that this includes, as well as identifying opportunities and threats that may arise.

5 The IIA’s International Professional Practices Framework® (IPPF®).
The responsibilities of internal audit may include:
• Providing assurance, opinions, insight, and advice on the adequacy and effectiveness of governance, risk management, and internal control.
• Undertaking risk-based internal audits and reviews aligned to strategic priorities and operational needs.
• Providing assurance, opinions, insight, and advice on the efficiency and effectiveness of operations, including the safeguarding of assets, and on the reliability and integrity of reporting processes.
• Providing assurance and opinions on the organization’s compliance functions and its compliance with laws, regulations, policies, procedures, and contracts.
• Assessing the influence of organizational culture and behavior.
• Contributing to the development of policies.
• Consulting with the governing body and management on emerging opportunities and threats.
• Reporting to the governing body and management.

C.1.5 Contribution to organizational success: other bodies
In addition to internal structural elements, organizations draw upon external bodies (external auditors, supreme audit institutions, regulators, and others) to support value creation. Stakeholders gain important benefits as a result, such as greater confidence in the accuracy of financial reporting and comfort that organizational leaders are being held to account. It is important to recognize the roles played by these external bodies as further contributors to governance, risk management, and control, and to effective decisions, actions, behaviors, and outcomes that enable an organization to make progress toward its goals and to remain aligned with the interests and needs of its stakeholders.

External auditors/SAIs
External auditors provide an additional level of independent assurance for stakeholders over the accuracy of an organization’s financial reporting and the systems that underpin it. Supreme audit institutions (SAIs) perform this role in the public sector and also conduct performance and compliance audits and may have additional inspection and jurisdictional mandates. It is the responsibility of the governing body to provide oversight of the work of external audit or SAIs and receive reports. It is important to ensure that the planning of external audit and SAIs is coordinated with that of internal audit to allow for mutually beneficial sharing and integration. As organizations move toward extended forms of external reporting that reflect financial and nonfinancial capitals, there is opportunity for even greater value for stakeholders, as well as additional needs for assurance, from both internal and external audit.

Regulators
Regulators apply and monitor rules designed to increase transparency and accountability in a number of areas, including financial reporting, environmental, health and safety, privacy, labor, and others. Particular attention is focused on large financial institutions due to their significance to the economy as a whole. Typically, regulation sets expectations for organizations to follow that are enforced through a process of inspection, review, reporting, and penalties. Financial regulators in many countries have strongly embraced the Three Lines of Defense as a model of effective governance, risk management, and control because it offers a clear and fairly simple template for organizing and managing those activities and resources.

Accountability, inspection, oversight, monitoring, and evaluation
In some public sector contexts, such as multilateral financial institutions (for example, development banks), especially in the absence of a regulator, there may be additional roles that are variously referred to as accountability, inspection, oversight, monitoring, and evaluation. These may be included in the remit of risk and compliance or internal audit, or alternatively may be assigned to distinct functions that usually report to the governing body,
directly or via a committee. Such reports may also be shared with the public. The focus for this work tends to be on policy as well as the external (especially environmental and social) impacts of large scale initiatives. The desire for a higher degree of independence as well as the specialist nature of monitoring and evaluation leads to the creation of separate functions or outsourcing of the activity.

C.2 A coordinated approach
Successful application of the principles that underpin the model is dependent on the individual elements operating with a high degree of coordination to prevent siloed thinking and activity unaligned to the strategic priorities and operational needs of the organization. The benefits of a coordinated approach include: gains in efficiency and effectiveness leading to more timely and consistent planning, execution, monitoring, and reporting; a clearer single picture of the adequacy and effectiveness of governance; avoidance of reporting and assurance fatigue; and better governance overall.

In designing and establishing its governance processes and structures, the governing body must ensure that roles and responsibilities are clearly understood by all functions, supported by regular interaction and communication. It is important to recognize the value of a sustained, coordinated effort. Without this, there may be a tendency to move out of alignment, and the organization will be vulnerable to confusion, gaps, duplication of effort, and an overall weakening of organizational success and value creation. Regular communication is often the key to effective coordination. Greater integration can also be fostered by:
• Ensuring individual, team, and departmental goals are aligned with the strategic priorities and operational needs of the organization.
• Ensuring a common understanding of the purpose and roles of each part of the organization.
• Establishing a common vocabulary for describing aspects of governance, risk management, and control.
• Using common rating or measurement systems across all functions.
• Sharing resources, including subject matter experts, among functions.
• Leveraging data and technology to facilitate insight capture, analysis, and communication.

Internal audit can play an important role in leading efforts toward a more integrated approach. This includes assurance mapping to ensure that the coverage across the organization from various functions and other bodies — whether internal or external — is consistent, adequate, efficient, reliable, and aligned. The efforts of the different assurance providers should be accumulated and coordinated for maximum effect. As a major provider of objective assurance, internal audit can be the one that provides better assurance management in the organization and act as a guarantor that the governing body and the organization as a whole receive the required level of assurance across all activities and capabilities.

D. Scalability, maturity, structuring, and “blurring the lines”

D.1 Scalability
The refreshed understanding proposed in this document allows for a more flexible and adaptable approach to applying the principles that underpin the model, and increases its relevance for a wide range of organizations. Smaller, less mature, and less highly regulated organizations enjoy certain benefits that make it easier to keep decisions, actions, behaviors, and outcomes aligned with the interests and needs of their stakeholders. The primary stakeholders are likely to be fewer in number, making it easier to track and understand their expectations and to keep them updated on performance. There is likely to be greater participation in governance by stakeholders, and by members of the governing body in management activities. Overall the organization and its
operating environment may be less complex and easier to oversee in their entirety more directly by the governing body with less need to place reliance on reports from others. As a result, a small organization may well choose to adopt a form of the model with much greater blending of governance roles and activities. There may also be limited separation within management to form distinct risk, quality, control, and compliance functions, these instead being more closely integrated within operations or included within internal audit.

In contrast, as organizations grow, become more complex and subject to greater regulation, and seek greater differentiation from other organizations in the same segment, the scope for fully exploiting the broader, refreshed interpretation of the model becomes even greater. As resources increase, so too do the opportunities for specialization and the segregation of responsibilities. More specialist resources can be dedicated to risk, quality, control, and compliance activities, and to internal audit.

In all cases, the particular form of adoption of the model should be kept under regular review by the governing body within the requirements set by regulators and the expectations of stakeholders. The balance of priorities of value protection over value creation, the degree of blending in the separation between the sets of governance roles and activities, and the relative distribution of resources across functions should vary in accordance with changing needs and circumstances.

D.2 “Blurring of the lines”
One of the criticisms of the Three Lines model is that it does not allow for, or explain, any “blurring of the lines.” The graphic included in the 2013 Position Paper shows all the elements clearly separated from each other. In many circumstances, the separation between them is not always so distinct, raising the question of what impact this may have on the effectiveness of governance.
The analysis in this document allows abundant opportunity for overlapping and complementary roles and activities, recognizing that the internal audit function can provide value in nonassurance roles, as long as there is clear assessment of the potential impact on the effectiveness of governance. Safeguards must also be considered.

In principle, the governing body may assign responsibility for the roles and activities that comprise governance to any individual, team, or function in the organization or outsourced service provider. By grouping related responsibilities together, it is possible to minimize duplication, gain economies and efficiencies, shorten communication lines, reduce the burden on management and the governing body of receiving multiple reports, and deploy resources with optimum results. At the same time, it is important to identify the blending together of potentially conflicting responsibilities that could impact the overall effectiveness of governance in the long term. The governing body must make an informed decision by weighing the advantages and disadvantages of different structural options.

“Blurring,” when it involves the internal audit function, demands special attention, given the importance of structural independence for its ability to deliver credible objective assurance on all aspects of the organization.6 The function can deliver a mix of assurance and nonassurance services according to the needs of the organization. Advisory and other nonassurance services may include:
• Agreeing management decisions.
• Making recommendations.
• Consulting on current circumstances and future actions.
• Participating in change initiatives.
• Delivering training in risk-related topics.
• Leading control self-assessment sessions with management.
• Assuming managerial responsibilities from time to time.

When internal audit provides nonassurance services, the chief audit executive (CAE), in consultation with the governing body, should assess whether this creates any conflict with the function’s ability to deliver credible objective assurance, and consider appropriate safeguards, which may include:
• Informing the governing body of nonassurance engagements that internal audit has been asked to undertake or managerial responsibilities it has been asked to assume, and communicating the impact these may have on the ability of the function to provide organizationwide credible objective assurance.
• Ensuring that nonassurance roles are clearly defined and, where possible, time limited.
• Refraining from assuming responsibility for management decisions and associated risks and controls.
• Implementing measures, such as a “cooling off” period or use of outsourced resources, when auditing an area in which internal audit has had a significant and recent engagement in an advisory or managerial capacity.

In some organizations, there is a blending of responsibilities for internal audit with aspects of risk, quality, control, and compliance. This occurs, for example, when the CAE is given responsibility for enterprise risk management, or where the head of risk or compliance reports to the CAE. The importance of effective safeguards under such circumstances is at its greatest. The governing body’s added oversight of the CAE’s nonassurance responsibilities can be an effective safeguard.

6 “Independence” and “objectivity” are related but distinct concepts. They are used here in accordance with the glossary of the IPPF, in which independence is defined as “[t]he freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner” and is effectively achieved when the CAE reports to the governing body. Objectivity is defined as “[a]n unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.”

References
IFAC, 2015, From Bolt-On to Built-In: Managing Risk as an Integral Part of Managing an Organization.
The IIA, 2013, The Three Lines of Defense in Effective Risk Management and Control.
IIA–Netherlands, 2014, Combining Internal Audit and Second Line of Defense Functions?
The IIA Research Foundation, 2015, Combined Assurance: One Language, One Voice, One View.