By Jenitha John, Chair of the Global Board of Directors, Institute of Internal Auditors
When the Institute of Internal Auditors (IIA) began to reconsider the relevance of the widely accepted Three Lines of Defence model a few years ago, it quickly recognised the need for a paradigm that would be less rigid, less inclined to silo the different roles within the governance ecosystem, and better able to treat risks as opportunities rather than merely as challenges.
The new Three Lines Model, unveiled last summer, is more dynamic and interactive, and underscores the need for the three major players in governance – the governing body, management and internal audit – to be interconnected and agile in responding to evolving circumstances. One of the IIA’s priorities was to broaden organisations’ understanding of risk management as more than just a defensive exercise. Historically, risk management has been viewed as a cost centre rather than as something that could enhance returns and create value.
A series of jolting corporate scandals across the globe – Wells Fargo’s fraudulent creation of millions of savings and checking accounts on behalf of clients without their consent and Volkswagen’s gaming of its diesel emissions tests, to name only two examples – demonstrated the need to integrate risk management effectively into an organisation’s business strategy in order to create and maintain enterprise and brand value. This is all the more relevant during a pandemic, when customers, investors and other stakeholders are paying increased attention to the integrity of supply chains and to other aspects of how organisations achieve their objectives.
That informed our decision to recast the framework with an expanded focus on the more proactive benefits of governance. And, by refocussing on the Three Lines as roles embodied by the governing body, management and internal audit, rather than siloed structures and disciplines, we wanted to emphasise the need for two-way communications, collaboration and coordinated sharing of responsibility among the roles.
One aim of the Three Lines Model is to emphasise that principles, rather than rules, should guide an organisation in the design of its governance structure. Reliance on principles ensures that there is ample flexibility to choose a governance structure that best suits each organisation’s unique needs.
The new model is grounded in six principles: governance, governing body roles, management’s first- and second-line roles, third-line roles, third-line independence, and creating and protecting value.
The three key aspects of governance are accountability (typically assigned to the governing body), actions to achieve organisational goals (normally the domain of management) and assurance and advice (usually the responsibility of the internal audit function).
The board or governing body ensures that appropriate structures and processes are established for effective governance and that organisational objectives and activities are aligned with the prioritised interests of stakeholders. In addition, the governing body delegates responsibility and provides resources to management to achieve the objectives of the organisation while ensuring that legal, regulatory and ethical expectations are met. It also establishes and oversees an independent, objective and competent internal audit function to provide clarity and confidence on the progress being made towards the organisation’s objectives.
The first-line roles that management plays include allocating resources to provide products and services to clients and establishing and maintaining appropriate structures and processes to manage operations and risk. Second-line roles are often assigned to specialists to provide complementary expertise, support, monitoring of and challenge to those in first-line roles.
Second-line roles may also focus on specific objectives of risk management, such as legal compliance, internal control, acceptable ethical behaviour and quality assurance. Alternatively, these roles can be consolidated to take the form of a broader responsibility for managing risks, such as enterprise risk management (ERM). While many second-line roles may be assigned to specialised departments within management, organisations should have governance structures that are flexible enough to assign aspects of any of these roles to internal audit when that function can demonstrate it has either the talent or the capacity to assist in such roles – with appropriate safeguards in place not to impair objectivity.
The value of the Three Lines Model is optimised by having a clear understanding of the relationships among the roles and responsibilities represented in the model. As the governing body receives reports from management on activities, outcomes, risk indicators and forecasts, for example, both the governing body and management should rely on internal audit to provide independent, objective assurance and advice on matters that support and facilitate performance, innovation and improvement.
Although the CEO is usually the focal point of communication between management and the governing body, ensuring that leaders of second-line roles – such as the chief risk officer and chief compliance officer – have a direct reporting line to the governing body (as may be preferred by the organisation and required by regulators) is fully consistent with the principles of the Three Lines Model.
Internal audit needs to be independent from management to ensure it is free from hindrance and bias in its planning and oversight and has unimpeded access to the people, resources and information it requires, while remaining accountable to the governing body. But independence does not mean isolation. There must be regular interaction between internal audit and management to ensure that internal audit’s work is relevant and aligned with the strategic and operational needs of the organisation.
The knowledge and understanding of the organisation that internal audit builds in the course of its activities contributes to the assurance and advice it delivers as a trusted advisor and strategic partner. Collaboration and communication are needed across both the first- and second-line roles of management and internal audit to ensure there are no unnecessary duplications, overlaps, or gaps.
While internal audit’s independence from the responsibilities of management is critical to its objectivity, authority and credibility, it has long been understood that some of the core competencies of the internal audit function make it well positioned to provide consulting services for ERM – as long as it has no role in actually managing risks, which is management’s responsibility, and as long as senior management actively authorises and supports ERM.
There are many ways in which a chief audit executive (CAE) can provide input and support to the development and improvement of ERM while maintaining their independence and objectivity. Still, it may be necessary to consider putting in place safeguards to reduce risks, or even the appearance of risks, to that independence.
If a CAE is making decisions about risk management and about the measures needed to maintain internal controls, the CAE must reflect on whether they are operating in a management capacity. When that is the case, internal audit no longer has the objectivity needed to provide an independent and authoritative assessment of risk management processes, and that assessment role should be assigned to a qualified third party.
Ultimately, it’s up to the board or governing body to decide who is most suited to embody certain roles within an organisation. Appreciating the value of internal audit as an independent provider of objective and authoritative insights, distinct from the responsibilities of management, will enable each organisation to make the best decision regarding assignment of roles.
The Covid-19 pandemic has accelerated change in organisations, tested their resilience and fostered awareness of new realities setting in. Our intention is that the improved Three Lines Model will be an enabler to shape governance structures while being flexible and agile to address the ever-changing risk landscape of the future, including risks associated with the cyber-physical systems that the pandemic has accelerated reliance on.
About The Author
Jenitha John, CIA, QIAL, is 2020-21 Chair of The Institute of Internal Auditors (IIA) global board of directors. In this role, John serves as an officer of the global board, is chairwoman of the supervisory committee and presides over the global assembly. She is also the CEO at the Independent Regulatory Board for Auditors (IRBA). She has more than 26 years of experience in internal auditing, including as a chief audit executive. Jenitha led The IIA’s task force in development of the new Three Lines Model.