The challenges arising from the current economic situation, and potential challenges in legislation, will increase the pressure for companies to adopt a robust governance framework. It will also raise the need to sustain a good relationship and communication between management, internal audit and the audit committee. In a marketplace where one person can undermine the reputation of a regulated entity, all parts of the organisation must be aware of and take responsibility for compliance-related risks.
An organisation is only as strong or as ethical as its weakest link; responsibility for a poor control environment must be shouldered throughout the organisation. Whilst the board and senior management must set the tone at the top for a corporate culture that acknowledges and maintains an effective control environment, each and every person within the organisation should be “tuned in” to internal controls. Rules are meaningless in a culture of non-compliance.
There are enhanced public expectations for economic actors to be more proactive in risk control. Article 41 of the eighth EU Company Law Directive assigns a duty to “monitor the effectiveness of risk management and control systems.”
The three lines of defence
Increasingly, organisations are adopting the “three lines of defence” model to embed risk management capability across the organisation. The model distinguishes between functions that own and manage risks, functions that oversee risks, and functions that provide independent assurance.
First line of defence: business operations - risk and control in the business
The first line describes the controls an organisation has in place to deal with day-to-day business. Controls are designed into systems and processes. Assuming the design is sound and mitigates risk appropriately, compliance with the process should ensure an adequate control environment. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdowns, inadequacy of process and unexpected events. The first line of defence provides management assurance, and informs the audit committee by identifying risks and business improvement actions, implementing controls, and reporting on progress.
Second line of defence: risk management and compliance functions
As a second line of defence, the risk management functions facilitate and monitor the implementation of effective risk management practices by operational management. They also assist the risk owners in reporting adequate risk-related information. This provides oversight of business processes and risks.
Now is an opportune time to stand back and re-think how risk management activities combine within the wider system of internal control as part of an efficient, effective, integrated assurance framework.
The second line is reinforced by the advisory and monitoring functions of risk management and compliance. Risk management defines and prescribes the financial and operational risk assessment processes for the business, maintains the risk registers and undertakes regular reviews of these risks in conjunction with line management. Compliance advises on all areas of regulatory principles, rules and guidance, including leading on any changes, and undertakes monitoring activity on key areas of regulatory risk.
There are many functions in companies tied to risk management and compliance roles, including:
- Enterprise risk management
- Quality functions
- Environmental
- Health and safety
Third line of defence: internal audit and other independent assurance providers
This describes the independent assurance provided by the board audit committee, a committee of non-executive directors chaired by the senior independent director, and the internal audit function that reports to that committee.
Internal audit undertakes a programme of risk-based audits covering all aspects of both first and second lines of defence. Internal audit may well take some assurance from the work of the second line functions and reduce or tailor its checking of the first line.
Clearly, the level of assurance taken will depend on the effectiveness of the second line, including the oversight committees, and internal audit will need to coordinate its work with compliance and risk management as well as assessing the work of these functions. The findings from these audits are reported to all three lines, i.e. accountable line management, the executive and oversight committees, and the board audit committee.
This third line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (first line) and the defence (second line) fails to pick up the opposition’s attack, it is left to the goalkeeper (third line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both first and second lines and failure to do so may lead to significant loss to the organisation.
Conclusion
As indicated in the model, all three lines of defence have specific tasks in the internal control governance framework, and the model can be applied to any sector or industry. The pattern of management control in the first line, oversight and challenge in the second, and independent assurance in the third is universal in application and well worth considering. Recent surveys show the internal audit function becoming more standardised throughout the world, and it is predicted to expand its role in organisational governance and risk management. This is based on results, released in July 2007, of the most comprehensive global study ever conducted by the Institute of Internal Auditors (IIA), involving the participation of more than 9,300 internal auditors in 91 countries.