04 October 2016

Risk and Internal Audit - beyond Three Lines of Defense

1 Introduction

The Three Lines of Defence model (TLD, 3LoD, etc) is a model that sets out to (i) provide a framework for the provision of assurance within a company, (ii) provide regulators with a model they can recommend companies implement, and (iii) that they can assess when reviewing regulated companies. It is the simplicity of the model and the risk of the introduction of silo mentalities that seems to draw much concern from the Risk Management profession. Yet it is also the simplicity of the model that enables companies to implement it.

This article is focused on the relationship between two elements of the Three Lines; Risk Management (in theory 2nd line) and Internal Audit (the 3rd line). These two lines of defence provide Directors, the Board, shareholders and stakeholders with confidence that the system of internal controls is functioning effectively, that risks are being identified and managed, and where appropriate, accepted or assumed deliberately.

As a reminder, operational management is considered the 1st line of defence, in that it is operational management that runs the business, including the internal controls that manage risk and opportunity in the business.

However, a more accurate and measured interpretation of the TLD model shows all three lines (Operational Management; Risk Management (and Compliance); and Internal Audit) all provide elements of assurance, with each supporting the other two to ensure that the assurance provided can be relied upon. Where any of the three lines fail to perform their specific responsibilities, the overall level of assurance that can be provided is reduced, regardless of the quality of the other two lines.

We call it the TLD, but a more appropriate model may be the Three Elements of Assurance, which doesn't sound nearly as interesting.

2 Three Lines of Defence

The first thing to remember about the Three Lines of Defence (TLD) model is that it is not a model for a complete Governance structure. It is a model for the management of risk and provision of assurance and comfort to the Executive, Board and shareholders (and appropriate stakeholders). As such, the TLD fits within an overall set of governance functions and structures, and has the specific purpose of ensuring appropriate focus on, and management of risks and controls.

The three lines are generally considered to be Operational Management (1st line), Risk Management and Compliance (2nd line) and Internal Audit (3rd line). Without operational management, the company, any company, would not accomplish its basic functions, and therefore may assume unacceptable risks when providing services and products to customers. Operational management, through operating the business in line with the objectives and constraints of the Board, provides the returns to the shareholders, within the regulatory and legal constraints on the business. Operational Management also ensures controls function effectively and efficiently, and demonstrates that processes are functioning in a manner consistent with achievement of objectives.

The implementation and operation of the TLD is not "the" governance system, but is an element within an overall governance framework. Some organisations explicitly limit the number of functions considered part of "2nd line" to Risk Management and Compliance, while others include a range of operational support functions such as HR, Finance, IT, etc. Personally I consider these functions to be part of "first line" as they are operational functions supporting the direct activities of the enterprise.

The Bank of International Settlements (BIS), in their 2012 guidance on Internal Audit (http://www.bis.org/publ/bcbs223.pdf), includes Risk Management, Compliance, Legal, HR, Finance, Operations and Technology in the 2nd line. Equally, the IIA (Institute of Internal Auditors) not surprisingly included a wide range of business activities in the 2nd line, while reserving the third line for Internal Audit only.

The BIS, in their 2015 guidance on Corporate Governance (http://www.bis.org/bcbs/publ/d328.pdf), has a slightly updated discussion of the TLD model:

"The increased focus on risk and the supporting governance framework includes identifying the responsibilities of different parts of the organisation for addressing and managing risk. Often referred to as the “three lines of defence”, each of the three lines has an important role to play. The business line – the first line of defence – has “ownership” of risk, whereby it acknowledges and manages the risk that it incurs in conducting its activities.  The  risk  management  function  is  responsible  for  further  identifying, measuring,  monitoring  and  reporting  risk  on  an  enterprise-wide  basis  as  part of  the  second  line  of  defence,  independently  from  the  first  line  of  defence.  The  compliance  function  is  also  deemed  part  of the  2nd line  of  defence.  The  internal  audit  function  is  charged  with  the  3rd line  of  defence, conducting risk-based and general audits and reviews to provide assurance to the board that the overall governance  framework,   including  the  risk  governance  framework,   is  effective  and  that  policies  and processes are in place and consistently applied."

This latest BIS guidance is clear in setting out the three lines. Like any model, if inflexibly adhered to, TLD can oversimplify and result in silos, in which there is an assumption that only IA is able to provide assurance to the Board and Audit Committee; this in a time when regulators and professional associations are increasingly calling for separate Risk Committees or, failing that, a joint Audit and Risk Committee. In the evolving models and expectations of regulators, Risk Management has a critical role in providing assurance at the Board level.

In summary, the TLD model provides an effective mechanism for the allocation of responsibility for the operation of controls, the assessment of the overall risk and control environment, and allocation of responsibility for the detailed review of specific high risk areas of the control environment. While there is a risk of silos reducing the ability of the first and second to provide assurance, the model is "simple" enough to allow for easy communication and allocation of responsibilities and ownership of operation and assurance over the system of internal controls. Regular communication of the concept also ensures that operational management is aware of and able to enunciate the TLD principles.

Regulators and professional bodies agree; Internal Audit and Risk Management need to be separate, and only in exceptional cases, or where the business is too small to afford both, should they be combined. In cases where they are combined, additional oversight by the Board is important. Both functions are and need to be independent of management, yet as highlighted above, they fulfil very different aspects of provision of assurance.

3 Should Risk be pan-enterprise

There is an old adage: Risk Managers do not manage risk, Risk Managers create the environment that enables the identification, assessment, management and reporting on risks across the enterprise. One of the key elements of that statement is "across the enterprise". Risk Management must, like Internal Audit, have free and unrestricted access across the enterprise in order to form and maintain a consolidated picture of the risk environment, and to ensure that management is aware of their responsibilities for implementation and operation of that control environment. (Of course Risk Management has many other responsibilities, and I recommend you dig deeper into the BIS governance guidance document).

Yet here the difference between RM and IA comes to the fore; RM works with management to identify, assess, respond and monitor the risk environment. RM does not perform deep-dive reviews of individual controls or events (unless specifically requested or if part of the management of a specific transactions and activities, in which case RM, for these activities, becomes an element of operational management).

The identification and recording / assessment of risks then assumes the identification of controls associated with that risk. Of course, there may be no controls in place to manage the risk, in which case there should be a record of the gap in the system of controls, and the control gaps should be documented, with responsibility allocated for implementing controls, based on and in agreement with the own or the associated risk.

Controls do not exist in a void. Without a business objective and risks to the achievement of that objective, there is no need for a control. Such "controls" are actually a drag on the effective and efficient performance of business operations to achieve objectives. Therefore, if there is a control, then there is a risk, and the risk only exists in relation to the ability of the business to achieve objectives.

Logically then, identification of a risk universe begins with the objectives of the business or function being controlled, at whatever level of granularity, and from those objectives, risks to the achievement of the objective can be identified. Of course, people will identify risks without a specific linkage in mind. It is part of the role of Risk Management to assist in the assessment of the risk, including how that risk may impact of achievement of objectives.

The role of Risk Management in relation to individual controls and the control environment is to ensure that management performs periodic assessments of the effectiveness of the controls they are responsible for, and provides attestation that the controls are functioning effectively. Where the controls are not functioning, or there are gaps in the system of controls, management must identify these missing controls, and through the Risk Management process, confirm the status of implementing such controls.

Risk Management challenges management's assertions on the effectiveness of the controls over risks. Management operates the controls, and attests to the effectiveness of the controls. Internal Audit tests management’s assertions at a detailed level.

4 The Scope of Internal Audit

To be effective, Internal Audit must have unrestricted access across the enterprise, yet should work to a risk-based programme of internal audits and reviews. There is a natural tension between the desire to provide Internal Audit coverage across all business processes, systems and departments, and the recognition that Internal Audit is a cost overhead that must be carefully applied. The nature of Internal Audit activity is to confirm through investigation that the stated control environment is in place, and that controls are functioning to the level of effectiveness attested by management. This means that Internal Audit by nature must dig deeper in to the strategic and operational functioning of the specific areas subject to individual audits.

This can be expensive, and therefore IA resources need to be carefully targeted and used to best effect. Equally, as the audience for Internal Audit's reports and ultimately for the level of assurance provided is the Board and Audit Committee, Internal Audit activity should be focused only on those areas (process, system or department) whose controls or the failure of the controls may have a material impact on the ability of the business to achieve strategic objectives.

What this means in practice is that Internal Audit must be cognisant of, and monitor risk and control status across the enterprise, but that actual Internal Audit activity should be focused on areas of greatest risk. In addition, specialist resources to perform internal audits of technical areas are expensive to retain on staff, and therefore tend to be brought in for the specific audit.

In summary this means that where Internal Audit is performing a controls based audit (as opposed to an E&E, Strategic or Operational audit), they tend to perform deep yet narrow reviews of higher risk areas. Where controls have previously been identified and management has attested to the effectiveness of the functioning of the controls, Internal Audit can use the Risk Register and associated controls reporting to inform audit planning and performance.

5 The Relationship between Internal Audit and Risk Management planning

The objective of IA planning is to ensure that the highest risk areas within the enterprise and within any individual auditable area are covered by audit review and testing. To accomplish this, frequently IA will review the Risk Register for the area(s) that will be reviewed. The Risk Register should inform audit planning, but should not be the primary resource.

This means that IA needs to interact with Risk Management and the Risk Register three times in the audit cycle: (i) at development of the IA Strategic and Annual Plan, (ii) at the planning stage of each audit, and (iii) post audit confirming that the auditee has updated the Risk Register to reflect findings (risks) and control recommendations. The following chart provides an overview of the IA planning processes, and the key interactions with Risk and the Risk Register.

In planning an audit, Internal Audit needs to consider the range of business processes, systems and departments that are included in the specific review. These should be risk assessed and ranked, with the primary focus of audit testing and review being focused on the higher risk areas. At this point it is important to note that risk assessment is not only "likelihood & impact" but extend well beyond, to include factors such as sensitivity of data, value at risk or exposure, as well as other factors.

Note the continual use of the word "risk" in planning and execution of the audit. The question could be asked, why aren't all the risks that IA will be considering already included in the Risk Register? The simple answer is that audit planning is considering a far more granular level of risks at the detailed business process level, while the Risk Register may have a risk or risks that encompass a wider range of detailed business processes within a single risk.

Certainly the major controls should be included in the Risk Register and be associated with individual risks. Again, a Risk to a business objective may have a number of Controls in place to manage that Risk within the Risk Appetite of the enterprise, as set by the Board. Yet the development and evolution of the specific Risk within the Risk Register may omit or fail to include all controls applicable to the Risk. In such a case, if IA places too much reliance on the Risk Register, there is the danger that the full control environment will not be understood, and that key processes and controls will be missed or discounted. This could undermine the value of the audit, and open the results to dispute by not taking into account compensating or other existing controls.

6 IA findings in a Risk world

There should be a link between IA findings and recommendations, and the overall risk environment of the enterprise, and therefore Risk Management. Working backwards, there cannot be an IA recommendation if there is not an associated risk. The failure of a control to function, or a lack of evidence of the functioning of the control does not in itself mean that there is a risk. It could simply mean that the control is redundant, or the evidence previously provided or assumed to be required is not adequate to demonstrate that the control is effective or even required. It can be difficult for an enterprise to get the right balance of under-controlled (and thereby exposed to greater risk than is the Risk Appetite of the enterprise) or over-controlled (and thereby incurring excessive costs of control for limited economic benefit through reduced exposure).

Therefore, when auditing internal controls, generally IA findings should not exist if there is no associated risk. This means that the structure and content of the IA finding needs to clearly enunciate the risk or risks associated with that finding, and the potential impact if the required or recommended controls are not functioning, or not put in place. It is also critical that the auditee recognises and agrees with the description of the description and the resulting situation of risk. Without this agreement, there can be no agreement to the required controls. Failure to gain buy-in to the underlying enunciation of the situation and the risk undermines IA, the auditor, and can result in unnecessary conflict between IA and business units.

Having buy-in to the description of the situation and associated risk(s) does not automatically presuppose that the IA recommendation is the most appropriate response to the risk(s) highlighted by the auditor. Management understands, or should understand, their business objectives and constraints. Therefore management should in theory be best positioned to confirm what controls will be most effective, and to agree to apply the resources required to implement an effective control. IA can and should use best judgement to consider if management's response is appropriate, and if so should be willing to alter the recommendations to meet what management suggests.

The recommendation that is almost always missing from audit reports is one that should be common to all Audits; that the risks, controls and remediation actions identified in the audit should be cross referenced to the Risk Register and the Risk Register updated to reflect the findings of the audit. Where the Risk and Controls are included in the Risk Register, these should be updated based on the audit findings. Where the Risk does not exist, it should be added. Where the Control is not included against a Risk, it should be added.

By taking this final step, IA ensures that the overall risk environment and system of internal controls is updated to reflect the actual current situation.

7 Linkages, and a model

Through the Risk Management and Internal Audit processes, we can build a consolidated picture of the risk environment and system of internal controls. Assurance is provided to Senior Management, the Board, shareholders and key stakeholders. Risk Management ensure a holistic view of the risk and control environment, while Internal Audit provides comfort, through detailed testing, that management's assertions of the effectiveness of the control environment are accurate, and provides guidance on where remediation activity is required.

The TLD model, if narrowly applied as per the IIA's interpretation, assumes all assurance is provided by Internal Audit. This is a narrow view that does not adequately consider the assurance roles that are provided by 2nd and 1st lines in their daily activities.

A more accurate and measured interpretation of the TLD model shows all three lines (Operational Management, Risk Management (and Compliance), Internal Audit) providing assurance, with each supporting the other two to ensure that the assurance provided can be relied upon. Where any of the three lines fail to perform their specific responsibilities, the overall level of assurance that can be provided is reduced, regardless of the quality of the other two lines.

Management's responsibility is to operate controls that exist to manage identified and recorded risks, efficiently and effectively. Risk Management's responsibility is to ensure that risks are identified and assessed, that the risk environment and system of internal controls is defined, that risks and their associated controls are recorded and monitored, and that management provides attestation or assertions on the effectiveness of those controls. Internal Audit provides a ‘final line of defence’ by performing detailed reviews to confirm the effective functioning of control. None is responsible for catching the others out, or "owning" the provision of assurance.

Internal Audit cannot be everywhere or see the entire risk environment - internal and external. Risk Management cannot retain a systemic view of risk if it engages in detailed controls testing, and managers can provide assurance only over those controls for which they are individually responsibility for ensuring are functioning.

We call it the TLD even through a more appropriate model may be the Three Elements of Assurance, but that doesn't sound nearly as interesting.