Three lines of defence model: ensuring the independence and effectiveness of internal audit
Following on from my previous article explaining the Three Lines of Defence model, this article focuses on the actions CAs in internal audit can take to demonstrate independence if their responsibility as the third line of defence becomes blurred with the first or second line.
The Chartered Institute of Internal Auditors (CIIA) highlighted this issue in a position paper titled The Three Lines of Defence. As a refresher, this paper also neatly summarises the three lines of defence model in the below diagram.
What are some of the extra roles and responsibilities performed by CAs in internal audit?
Management may request you to take on extra roles and responsibilities that traditionally lie outside the third line of defence in either the first or second line. Some examples are:
- Managing whistleblowing arrangements;
- Managing Business Continuity Planning arrangements;
- Performing regular inspection work, such as monthly monitoring testing, that could arguably be performed by other departments and which is distinct from your risk-based audits; and
- Approving (signing-off) new projects or new business processes.
Management may also seek to combine the role of the Chief Audit Executive with other roles. For example, the Chief Audit Executive role is sometimes combined with that of the Head of Legal, the Head of Compliance or the CFO. In another scenario, the Chief Audit Executive may be asked to report to another function such as the CFO or Chief Legal Officer instead of, or in addition to, the Board / Audit Committee.
Management might request that you carry out these tasks for the following reasons:
- They trust and value your objective mindset and independent opinion;
- They believe the most appropriate skillset and knowledge lies within internal audit; and
- You may have capacity to take on additional work or could create capacity for example, by spending less time on risk-based audits.
Could this potentially impact CAs' independence and effectiveness, or create that perception?
In short, yes.
For example, you may decide to perform an audit of Business Continuity Planning while already managing that process on a day-to-day basis. Alternatively, you may decide not to audit Business Continuity Planning at all because you are already managing the process. Either way, there is a risk that you are checking your own work or that it is not checked at all.
There may be a reality or perception that internal audit inadvertently becomes part of the control environment instead of acting as an assurance function assessing and checking that control environment.
Consequently, existing problems or issues that should be identified and resolved for the organisation’s benefit may not be promptly identified or prioritised. You may be unwilling or unable to effectively identify and report issues on yourself.
The organisation’s reporting lines structure may potentially hamper your independence. For example, where the Chief Audit Executive is also the Head of Compliance, there may be a risk that an audit of the Compliance function is of limited scope or not performed at all, as the Head of Compliance does not want their function audited.
Separately, if the internal audit headcount remains the same and management asks audit to take on additional roles and responsibilities, then less time may be spent by internal audit on traditional third line risk-based audits, advisory services, risk assessments or continuous monitoring, potentially reducing the overall effectiveness of the internal audit function.
How should you manage such situations?
Firstly, all internal audit functions should identify and document instances of any role or responsibility they undertake that lies outside of the traditional third line. You should then assess these instances to determine if your independence or effectiveness could be compromised to help prioritise areas of focus and for further discussion. As part of this assessment, you should document any mitigating factors such as Board oversight, outsourcing of audits, rotation of audit staff, or structure of your team.
The assessment document can be shared with management, as transparency is important and it is always useful to obtain different opinions. In addition, the assessment document and management's views should ideally be presented for discussion at an Audit Committee or Board meeting. Best practice suggests that such a presentation and discussion should occur on a regular basis, for example annually, and be recorded in the minutes.
Another point to consider is whether the roles and responsibilities of internal audit are clearly stated in the existing Internal Audit charter and the Audit Committee charter, or whether those charters need to be updated or clarified.
For some industries such as financial services, regulators are focussed on assessing the independence and effectiveness of Internal Audit and the above practice is something they may expect.
What next?
The CIIA's 2017 position paper states: ‘Changes to governance codes, standards, guidance or regulation should promote internal audit’s role as a core part of the third line of defence and must avoid undermining its unique position in monitoring and providing assurance on the management of risk. Demarcation between the third line of defence and the first two lines must be preserved to enable internal audit to provide an objective overview to the Board, independent of management, on the effectiveness of all risk management and assurance processes in the organisation.’
To help internal auditors, the IIA published revised standards and guidance effective from January 2017, which were the subject of a previous ICAS article titled: Institute of Internal Auditors – Revised Standards 2017. Two new standards were issued that directly relate to the topics discussed in this article, namely IIA Standard No. 1112 (Chief Audit Executive Roles beyond Internal Auditing) and No. 1130 (Impairment to Independence or Objectivity).
A position paper published in June 2017 by the IIA titled Independence and Objectivity said: ‘IIA recognises that companies should be given flexibility to establish their internal audit arrangements according to their size and circumstance’. The paper also calls for other bodies, such as the FRC, to provide more detailed guidance on how the independence and objectivity of internal auditors can be protected. If the internal audit function in your organisation is not currently considering, and then discussing, the issues in this article at Board or Audit Committee level, it is not too late to start.