Philip Roth Collaboration with Second Line of Defense Deloitte

151012 IAAIA Berlin PPT · “Combining the IAF and second line of defense functions is not the ... IIA Practice Guide ... • Lines of defense should not be combined or coordinated


Page 1

Philip Roth

Collaboration with Second Line of Defense

Deloitte

Page 2

Agenda

• Introduction

• Three Lines of Defense

• Forms of Collaboration

• Principles and Process

• Conclusion

Page 3

Introduction

“The CAE should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts”

Source: IPPF Performance Standard 2050 (Coordination)

Page 4

The Three Lines of Defense

Essential Part of the House of Governance

“All three lines should exist in some form at every organization, regardless of size or complexity.”

Source: IIA Position Paper January 2013

Figure: the House of Governance. Labels recovered from the diagram:

Governing bodies: Managing Board, Supervisory Board, Management Committees, Other Committees

Management: Monitor, Improve, Assess

Setting the Path: Corporate Vision, Corporate Strategy, Corporate Objectives

Key Risks: Strategic, Operational, Compliance, Finance

Activities Covered and Monitoring:

• “1st line of defense”: Operational Units (Vending Units, GPCs, RSCs, HQ Functions): compliance with company rules and identification of risks

• “2nd line of defense”: Governance, Risk and Compliance Functions (Risk / Compliance Mgt., Finance ...): design rules and processes for risk identification, evaluation and mitigation

• “3rd line of defense”: Internal Audit: independent monitoring

Page 5

First Line – Operational Management

The Three Lines of Defense

Operational management:

• owns and manages risks and is responsible for implementing corrective actions to address process and control deficiencies.

• is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis.

• identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives.

Source: IIA Position Paper January 2013

Page 6

Second Line - Risk Management and Compliance Functions

The Three Lines of Defense

2nd Line functions

• Support management policies, define roles and responsibilities, and set goals for implementation.

• Provide risk management frameworks.

• Identify known and emerging issues.

• Identify shifts in the organization’s implicit risk appetite.

• Assist management in developing processes and controls to manage risks and issues.

• Provide guidance and training on risk management processes.

• Facilitate and monitor implementation of effective risk management practices by operational management.

• Alert operational management to emerging issues and changing regulatory and risk scenarios.

• Monitor the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.

Source: IIA Position Paper January 2013

Page 7

Third Line - Internal Audit

The Three Lines of Defense

Internal Audit

• Acts in accordance with recognized international standards for the practice of internal auditing.

• Reports to a sufficiently high level in the organization to be able to perform its duties independently.

• Has an active and effective reporting line to the governing body.

Source: IIA Position Paper January 2013

Page 8

Forms of collaboration

• Informal exchange

• Regular meetings

• Exchange of staff / guest auditor

• Methodology sharing

• Usage of results / Relying on the work of others

Page 9

Limitation

“Combining the IAF and second line of defense functions is not the preferred solution considering the Three Lines of Defense Model as well as safeguarding the auditor’s independence and objectivity as advocated by the Institute of Internal Auditors”

Source: IIA

Page 10

Challenges for an Effective Collaboration

Major Challenges (IIA NL – White Paper 2014)

• How to provide an independent opinion on the effectiveness of the second line of defense;

• How to provide assurance on GRC activities that are provided by professionals in the same department;

• How to deal with the potential perception that the objectivity of activities of the second line of defense in which the audit function is involved has been compromised.

Page 11

Principles of collaboration

1. Purpose

2. Independence & Objectivity

3. Competence

4. Elements of Practice

5. Communication of Results & Impactful Remediation

Source: IIA Practice Guide December 2011

Page 12

Purpose

Principles of collaboration

• Clear in purpose and committed to provide assurance on a specified risk area

• Relevant to objectives and scope

• Documented in charter or similar documentation

Page 13

Independence & Objectivity

Principles of collaboration

• Professional judgment is impartial, without inappropriate interference from others.

• Demonstration of a sufficient degree of objectivity

• Assurance providers that report to management, and are therefore not truly independent, can still be relied on when they demonstrate appropriate objectivity and competence.

Page 14

Competence

Principles of collaboration

• Knowledgeable of the risks to the organizational processes

• How controls are designed to operate in response to the risks

• What constitutes a weakness or deficiency

• Characteristics of proficiency for internal or external assurance providers include:

− Organizational process expertise

− Education level

− Professional experience

− Relevant professional certifications

− Continuing education

− Reputation for sound judgment.

Page 15

Elements of Practice

Principles of collaboration

• Established policies, programs, and procedures

• In execution, assurance work is appropriately planned, supervised, documented, and reviewed.

• Results are based on persuasive evidence sufficient to support the level of assurance.

• Authority to access sufficient information to reach a conclusion.

Page 16

Communication of Results & Impactful Remediation

Principles of collaboration

• Communicating results and ensuring management takes timely action.

• Reporting weaknesses and deficiencies to the responsible person for taking corrective actions

• Reporting weaknesses and deficiencies to the members of management that have oversight responsibilities.

• Ongoing monitoring to ensure the resolution is sustained as intended.

• Rigorous process and persuasive and reliable communication results in prompt corrective action.

• In turn, management action validates an effective assurance process that internal audit can place greater reliance on.

Page 17

The application of the principles

Principles of collaboration

Purpose: When the assurance provider is committed and its purpose is aligned with internal audit’s objectives, auditors will find the work more relevant.

Objectivity: The assurance provider can demonstrate credibility and deliver value to the internal auditor even where independence is lacking.

Competence: Assurance providers can bring a high level of expertise relevant to the specific business process while exercising sufficient objectivity. Although internal auditors provide a high degree of objectivity, they may not have the depth of knowledge needed to provide the desired level of assurance in certain organizational processes or technical areas.

Elements of Practice: The external and internal assurance providers’ discipline to practice standard procedures is directly related to their capability for timely and persuasive conclusions. Consistency and rigor in practice should raise the internal auditor’s confidence in the assurance provider’s work.

Impact: Internal assurance providers who are in close proximity to the business process may communicate risk and influence management to remediate control deficiencies quickly, perhaps more quickly than would a traditional internal audit. By monitoring risk and responding promptly, internal assurance providers may shorten the time to management action.

Figure: Assessment of each factor plus consideration of risk determines reliability. Factors rated from Low reliance to High reliance: Purpose, Competency, Objectivity, Elements of Practice, Impact, Level of Risk.

Source: IIA Practice Guide December 2011

Page 18

Process

Relying on the work of others

Identify: Locate internal assurance groups and determine maturity and priority based on preliminary assessment.

Evaluate: Perform an evaluation of individual groups to determine the extent the internal auditor can rely on the work of others.

Adjust: Modify audit plans and scope to eliminate duplicative testing and expand risk coverage.

Monitor: Maintain close communication with each group, sharing risk assessments, audit plans, and results.

Figure: a continuous cycle of Identify → Evaluate → Adjust → Monitor.

Source: IIA Practice Guide December 2011

Page 19

Levels of Value

Relying on the work of others

Figure: levels of value, scaled from Low Reliance (first group) to High Reliance (last group). Labels recovered from the slide:

• Program commitment

• Broad expertise

• Assess and report risk

• Common purpose

• Process expertise

• Inspection discipline

• Point-in-time conclusion

• Common purpose

• Process expertise

• Repeatable testing

• Issue tracking

• Analytics

• Integral purpose/priority

• Technical expertise

• Rigorous practice

• Sustained remediation

• Continuous monitoring

• Communicate emerging risk

“The value the internal auditor can derive from an effective partnership with other assurance groups will vary.”

Source: IIA Practice Guide December 2011

Page 20

Ground Rules when combining functions

Basic conditions and safeguards

If the IAF and second line of defense functions are combined, the key overarching basic conditions and safeguards that need to be in place are the following:

Effectiveness not compromised:

‘There are instances where internal audit has been requested to establish and/or manage the organization’s risk management, compliance and internal control activities.’ If this is the case, the different functions should never be combined or coordinated in a manner that compromises the "effectiveness of the IAF and the expectation of senior management and the governing bodies that independent, objective assurance will be provided regarding being ‘in control’ of the business".

Make consequences explicit:

‘Internal audit should clearly communicate to senior management and the governing bodies the nature and impact of the combination.’

Source: IIA’s Position Paper 2013

Page 21

Subsequent conditions and safeguards

Ground Rules when combining functions

1. No management responsibility

The IAF should not make managerial decisions and remains accountable for the process [The IIA, 2004, 2009]. The IAF can facilitate, but should never assume ownership.

2. Formalization by documenting roles and responsibilities in the audit charter

It is important to avoid any ambiguity regarding the potential roles of Internal Audit and second line of defense functions in the organization by explicitly defining these roles.

3. Maturity

Internal audit professionals may have the knowledge and expertise to support management in setting up, designing and strengthening risk management controls and compliance programs.

4. Outsourcing

Some organizations allocate risk management activities to the IAF, which then acts as a provider of consulting services. In that capacity, the IAF can play a facilitating role in identifying, assessing and introducing risk management methods.

5. Applying segregation of duties within the IAF

Auditors should avoid any potential conflicts of interest by maintaining an independent position. The perception of independence is also an important aspect of this.

Page 22

Providing seamless assurance

Conclusion

• Risk and control processes should be structured in accordance with the Three Lines of Defense model.

• Each line of defense should be supported by appropriate policies and role definitions.

• There should be proper coordination among the separate lines of defense to foster efficiency and effectiveness.

• Risk and control functions operating at the different lines should appropriately share knowledge and information to assist all functions in better accomplishing their roles in an efficient manner.

• Lines of defense should not be combined or coordinated in a manner that compromises their effectiveness.

• When functions at different lines are combined, the governing body should be advised of the structure and its impact.

Source: IIA Position Paper January 2013

Page 23

Questions?