In July 2020, the Institute of Internal Auditors (“IIA”) updated its Three Lines of Defense Model (“Model”) to emphasize more active forms of risk management and governance that appear to go beyond merely defensive maneuvers made by the internal audit function.
Did the Model need to change?
Some believed the old Model sent a message that risk was bad. I never saw it that way. I understood the subliminal message was the Model was about achieving objectives, which requires both the creation and the protection of value. I also knew that for businesses to grow, often risks have to be taken. The context around the new Model does a much better job of confirming that risk management contributes “to achieving objectives and creating value, as well as to matters of ‘defense’ and protecting value.”
One of the more significant changes includes the apparent elimination of the word “Defense” from the Model. There is also the incorporation of the governing body into the Model.
The new Model delineates the roles and responsibilities of the governing body, executive management, and internal audit. These roles are not limited to risk management but focus on the overall governance of the organization.
There are now six (6) fundamental principles on which the new Model is based:
- Principle 1: Governance of an organization requires appropriate structures and processes that enable accountability, action, and assurance.
- Principle 2: Governing body roles ensure appropriate structures and processes are in place for effective governance.
- Principle 3: Management’s responsibility to achieve organizational objectives comprises both first- and second-line roles. First-line roles are most directly aligned with the delivery of products and/or services to clients of the organization, and include the roles of support functions. Second-line roles provide assistance with managing risk.
- Principle 4: In its third-line role, internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It may consider assurance from other internal and external providers.
- Principle 5: Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority, and credibility.
- Principle 6: All roles working collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders.
The guidance talks about interaction, communication, and collaboration. In today’s tumultuous and fast-paced environment, where risks can change or emerge quickly, this is a must. Moreover, the guidance states, “There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.” Further, “There is a need for collaboration and communication across both the first- and second-line roles of management and internal audit to ensure there is no unnecessary duplication, overlap, or gaps.”
The Bad and the Ugly
I would have erased or gotten rid of the lines. The lines to me imply there are layers or silos, and we all know the havoc silos can wreak on an organization. The Board, Management, Internal Audit, Compliance, and the General Counsel’s office should be collaborating on risk and working harmoniously, not in silos.
Also, in July 2015, the Committee of Sponsoring Organizations of the Treadway Commission and the IIA published a paper, “Leveraging COSO Across the Three Lines of Defense.” The paper related the COSO Internal Control-Integrated Framework to the Three Lines of Defense (See Graphic Below) to help enhance the overall governance structure of an organization. The paper provides guidance on how to articulate and assign specific roles and responsibilities regarding risk and control, the aspects for which each group is accountable, and how they will coordinate their efforts. Yet in the updated Three Lines Model, there is no mention of COSO.
Clear responsibilities must be defined so that each group understands their role in addressing risk and control, the aspects for which they are accountable, and how they will coordinate their efforts with each other. There should be neither “gaps” in addressing risk and control, nor unnecessary or unintentional duplication of effort.
Lastly, there has been a lot of regulatory guidance published recently: the Evaluation of Corporate Compliance Programs, the Framework for OFAC Compliance Commitments, and the Evaluation of Corporate Compliance Programs in Criminal Anti-Trust Investigations. The three documents provide best practice thinking and drive home the message of the convergence of compliance from a disparate discipline into one overall ‘compliance’ function. So, I am perplexed as to why the IIA snubbed, ignored, or excluded Compliance and the General Counsel from their Model, especially since, purportedly, there were compliance executives involved in the update.
According to Compliance Week, the IIA explained the process of updating the model was a joint effort between the IIA and a task force of audit practitioners, risk and compliance executives, stakeholders, and more. It is intended to apply to all organizations and “is most effective when it is adapted to align with the objectives and circumstances of the organization.”
While you can make the assumption Compliance and the General Counsel are embedded in theory, to me, they are conspicuously absent. Some practitioners and board members will undoubtedly interpret the Model literally, which could be problematic.
“The Three Lines Model has largely been viewed as the basis for sound risk management,” IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, said in a July 20, 2020 news release. “For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value.”
While the IIA’s new Model identifies and structures interactions and responsibilities of management, internal audit, and those charged with governance to achieve more effective alignment, collaboration, accountability, and objectives, I think my Model, The Enterprise Risk Resilient EcoSystem, is more complete and is reflective of the current state of “our modern world” and where we need to be.
I also want to point out the need for Internal Audit, Compliance, and Legal (General Counsel) to work with each other harmoniously, including using and sharing data in the quest to become business intelligent* (See Below). Failure to do so is like traveling through the Bermuda Triangle, where CCOs, CAEs, and GCs have been known to disappear under mysterious circumstances. Also, I realize that every organization is different, and some may want to scale or adapt a model to their own particular needs. Expressly, organizations should adopt a model in a way that is suitable for their industry, size, operating structure, and approach to risk management. Caution: Ignoring any group or element in the Model increases risk.
Moreover, without real accountability, risk management is difficult, if not impossible.
Lastly, the Board should possess enough collective knowledge and experience to promote a broad perspective, open dialogue, and useful insights regarding risk.
Thank you to my friends Robert Mainardi and Eric Young, for providing great feedback.
I welcome your thoughts, suggestions, and comments.
“If you change the way you look at things, the things you look at change.” Wayne Dyer
Attribution and Sources:
- Journal of Accountancy
- Norman Marks