Three Lines and Assurance
It is time for a fundamental shift in the thinking about the concept of Three Lines of Defence and the value that Internal Audit and Risk Management deliver, and an equally fundamental shift in the role of management in the delivery of assurance and value creation. Over the past decade, the role of provider of assurance to the Board has been defined by the Internal Audit profession, and enshrined in the IIA's presentation of the Three Lines of Defence (TLD) model. That presentation of the TLD model and the associated assumption of who provides assurance undermines the responsibility of professionals across businesses, and presents an overt statement that management is not to be trusted. As such, it is time to review that model and introduce new thinking.
The existing paradigm is broken, introduces and reinforces distrust and reduces the effectiveness of assurance supporting functions such as Risk Management, Internal Audit and Finance, and fosters an "us and them" set of behaviours, destroying the importance of the overall enterprise team working together for shareholder or stakeholder objectives. TLD also, in the IIA’s presentation of the concept, places authority for the provision of assurance in the hands of a single function that is already constrained by resources, skills, and maturity.
A new paradigm is needed, in which assurance is provided across the business, at all levels and by all managers, regardless of their role, with (currently designated) second and third line functions supporting managers in their provision of assurance. Not only will this increase business effectiveness, it will reduce costs and improve the quality of business operations. Internal Audit effectiveness and cost-effectiveness will improve, and with this the standing of Internal Audit in the business and in relations with External Audit, Shareholders and Regulators.
Greater management accountability will be reinforced, and the trust in management inherent in a revised assurance model will support improved reporting and quality of assurance provided – a virtuous circle, enabled and supported by “second line” functions providing the frameworks, systems, and processes needed to deliver that assurance.
External Auditors, regulators and the markets consider the level of assurance being provided, and analyse publicly or privately delivered results (to private investors or banks, for example). Market reactions in share price, regulator comments and recommendations (or instructions) and investor decisions provide the ultimate feedback to the Board and management to confirm external agreement with the assurance that is provided internally.
Before going further, we should look again at what "assurance" is and what it means. Ask professionals the meaning of the word, and a common response may include providing comfort, guarantees, or otherwise confirming what management is saying. Implicit in almost all the definitions that people give is the idea that someone has checked what was said, and either agreed or disagreed with the statements being made. The implication is that there exists, or may exist, a trust issue that requires independent confirmation of management's statements.
It might be helpful at this stage to review the definitions provided in a simple Google search. While Google returns two definitions, we will focus on the first only. Missing is a definition in many jurisdictions that equates "assurance" with "insurance"; we are not considering that definition.
The core of the first definition is our focus: "a positive declaration intended to give confidence". The synonyms are equally important for this discussion: "word of honor", "promise", and "commitment".
Therefore, from a business perspective, it is management's responsibility both to achieve the objectives set for and by them, and to provide "Assurance" that such objectives have or have not been accomplished. Management, through systems and reporting, are the primary providers of assurance to their management and through them to the Board and Shareholders.
Contrast that with the IIA's view of the Three Lines of Defence and the provision of assurance, in which Internal Audit is the only provider of assurance to the Board (or "governing body" as they sometimes say), as shown in their graphic below:
"Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization." (page 5, IIA 2013)
Unfortunately this view of Internal Audit's role as the assurance provider within entities is badly flawed, and undermines the responsibility of management and the roles of Risk Management and other "second line" functions. It also does Internal Audit a disservice, and in too many cases supports an unwarranted level of hubris that is not helpful in creating and maintaining the trust relationships required for Internal Audit to deliver greatest value.
Furthermore, it creates the impression that management (first and second line) cannot be trusted, and that a third line is required because the first two lack integrity. The very enunciation of a framework that has one function whose purpose is to tell senior management and the Board that they can trust management is a statement of a lack of trust or trustworthiness.
Finally, let me assure you that, as someone who has worked in all three lines across my career, every line provides assurance to senior management and the Board that they are delivering against their objectives, within the boundaries set by the entity, to the ethical standards required of the company, its customers, stakeholders, shareholders and regulators. In those cases where unethical or ineffective people are unable to deliver that assurance, my experience has seen that flaw exhibited in each of the three lines.
3 Resource availability
All businesses attempt to deliver on a set of business objectives through the application of finite resources, applied as is thought best to accomplish those objectives. The core principle is that resources are finite. A disproportionate distribution or misallocation of those resources to one or another function or activity will result in objectives either not being met, or being met outside of acceptable standards. Controls exist to support the effective utilisation of resources, to reduce the risk that events or situations will impede the business, and to provide the management information and reporting required to give confidence (assurance) that objectives are being or will be met.
In relation to assurance provided, there are three groups, mapping closely to the "Three Lines of Defence" groupings:
· Management across the business
· Specialist support functions
· Specialist assurance functions
Not surprisingly, these three groups mirror, in large part, the traditional breakdown in the TLD model. But it should also be noted that each of these groups does provide assurance to overlapping audiences.
3.1 Management across the business
Management is responsible for operating and owning the business processes that deliver the objectives. Management directs resources to ensure delivery, within the resource constraints imposed. A key element of delivery of objectives is the ability to demonstrate that the objectives are being met. The number of widgets produced in accordance with objectives is meaningless without defined targets and reporting metrics that demonstrate delivery. Therefore management must not only deliver a defined number of widgets (be those "lumpy bits" or pieces of information), management must also be able to demonstrate that they delivered the desired widgets, in the desired or required volumes, at required levels of quality, for the available resources or less. Where delivery is not achieved or achievable, management must be able to explain the impediments to achievement and request either the resources to deliver, or a modification of the delivery expectation.
Reporting of revenue is equally important, though in this context revenue is simply another of the business objectives that is expected to be delivered (and agreed to be delivered) for the application of a defined amount of resources. Revenue reporting and recognition are core assurance activities performed by management.
The reporting of achievement, or expenditure toward achievement, is a critical element of control, as is the quality of the delivered product. Therefore, the ability to demonstrate the accuracy of reporting and the quality of product are core elements of the responsibility of management.
The effectiveness of business processes directly impacts the ability of management to deliver the quantity and quality of product. Therefore, measuring process effectiveness is part of management's responsibility. Likewise, efficiency of application of resources also contributes to the delivery of product, and it is management's responsibility to be able to demonstrate efficiency of process.
These are assurance activities. Management's reporting on effectiveness and efficiency, delivery volumes and quality, and expenditure of resources to achieve objectives, are the fundamental assurance activities of management.
The purpose of management is to "do", and to report what was "done", all within the boundaries set by senior management and the Board in pursuit of business objectives, and to provide comfort to senior management and the Board that those objectives have been met.
3.2 Specialist support functions
The TLD model lumps a number of functions into the "second line", or what I'm referring to as Specialist Support Functions. These functions provide support to the managers across the business discussed above - those doing the "do", delivering the business plan and objectives.
This other group of functions, according to the IIA's perspective, includes Finance, HR, Quality, Inspection, Risk Management and Compliance. Personally I would remove Compliance and Risk Management from this and add them to the category of "Specialist Assurance functions", but as the IIA and others have grouped them into the "second line" I will leave them here.
The provision of support for the "first line" comes in many forms, from processing payments to providing support in managing human capital. A large part of these functions’ activities involve reporting, both to and for operational functions, and to and for senior management and the Board. Therefore, these functions are actively involved in the provision of assurance. To presume that they must be reviewed by a "third line" implies that they cannot be trusted to deliver assurance to the Board and senior management, or even to those departments and functions for which they may be providing operational support.
In many cases a core element of the purpose of these "second line" functions is to provide the frameworks and systems to support operational functions. In some cases this includes providing the frameworks and systems that enable operational functions (first and second line) to provide assurance. In one specific example, financial reporting systems provide operational functions with the tools to confirm that expenditure has been committed only where authorised, and that such expenditure is appropriately recorded and reported. These very actions serve, where effectively constructed and implemented, to provide assurance to senior management, and through and independent of them, to the Board.
Another example is Risk Management, whose purpose is to provide a framework for the identification and management of risk by operational management, senior management and the Board. When operating effectively, the risk management framework and processes represent a fundamental process for the provision of assurance.
3.3 The “Third Line” - Internal Audit
Internal Audit came to the fore during and after the accounting scandals of the early 2000s, when the regulatory response demanded that Internal Audit be established and given greater prominence, and that compliance with a "system of internal control" be confirmed. Certainly Internal Audit had been required by banking and financial regulators for many years, but the near ubiquity of Internal Audit exploded in the early 2000s. Of course, the FFIEC has required Internal Audit within banks in the United States for decades.
The driver for the expansion of Internal Audit came from the impression that a lack of oversight allowed poor accounting decisions and outright financial fraud to occur. Strangely, in only one of the major scandals was Internal Audit instrumental in identifying or standing up to management and the eventual exposure of the accounting fraud that was taking place (WorldCom). In virtually every other scandal, from Enron to Waste Management, and later the collapses of Lehman Bros, RBS and then MF Global in 2011, internal audit was nowhere to be seen in diagnosing and raising the alarm.
Yet somehow the idea of an all-powerful, "independent" Internal Audit function took hold, possibly because of a perception following the Savings and Loan Crisis of the 1980s that greater Internal Audit would reduce the likelihood of banking institution failures. In reality the imposition of Internal Audit mostly served to reduce the regulator’s burden by increasing internal oversight that the regulator could, to a limited extent, rely upon. It was the crisis that spawned that now-famous child of the Treadway Commission on Fraudulent Financial Reporting - COSO. The same COSO that morphed to become one of only two "systems of internal control" explicitly mentioned in the Sarbanes-Oxley bill (also known tongue in cheek as the "full employment for auditors act").
The core problem ultimately is that Internal Audit comes from the same “gene pool” as the rest of the governance functions, and is as resource constrained as any other function. While there is value in Internal Audit, it is difficult to quantify, and therefore can be viewed as a non-productive overhead.
These resource constraints ultimately limit the assurance that Internal Audit can provide to narrow areas (of high risk) in which Internal Audit is able to provide a deep vertical level of assurance. Internal Audit is unable to provide horizontal assurance across the business.
4 A New Model for TLA (“Three Lines of Assurance”)
It is time to review and revisit the Three Lines of Defence and recognise that each line provides assurance, to different and overlapping audiences, and that each can succeed or fail depending on the interlinking levels of assurance that are provided or supported by the other elements of the Three Lines. Management does not provide assurance alone, nor does Risk Management or Finance, Compliance or any other “second line” function. Likewise, Internal Audit is not the sole provider of assurance to the Board.
4.1 Management provides Assurance
Management must focus on delivery against business objectives. Two of those objectives include the honest and effective application of limited resources, and the honest and accurate reporting to senior management and the Board on performance against objectives. This reporting is the assurance that management provides. Management should be trusted to provide that assurance, and should where appropriate be offered resources to review the effectiveness of controls and processes, with the goal of providing an independent (of that line or senior management) assessment of where controls or processes could be improved. Finance provides the systems and processes to enable and support accurate and authorised expenditure and honest and effective reporting on revenue and expenditure, and provision of management accounting and financial reporting services; reporting that can be relied upon by management and the Board as a true and accurate reflection of the state of the entity.
4.2 Risk Management & Compliance provide and validate frameworks
Risk Management and other (traditionally) second line functions should provide the frameworks, systems and processes to support front-line management and to support provision of reporting and analysis for senior management, the CEO and the Board. These functions, through the provision of effective frameworks, systems and processes, also provide assurance that what is being reported is what is being delivered, and assurance that the business is considering and managing those risks that are inherent in its businesses, or that it elects to take.
4.3 Internal Audit Confirms Assurance
Internal Audit provides an additional level of confirmation of the quality and depth of assurance that is being provided by management and through frameworks, systems and processes. Internal Audit's assurance is a layer in addition to the assurance that is already being provided to senior management, the CEO and the Board.
If Internal Audit resources are limited, as is most assuredly the case in virtually every enterprise, then Internal Audit simply will not be able to cover the full range of processes, systems and departments and will not be able to provide assurance across all of them. Internal Audit, as a specialist assurance function, will always be starved for resources, and as such must ensure that it focuses on the highest-risk processes, systems and functions. It is only through a focus on these highest-risk areas that Internal Audit can augment the assurance otherwise provided, to give senior management, the CEO and the Board an additional level of assurance.
4.4 The TLA Model
In any entity, trust is a key factor in effective delivery, internally and to customers, suppliers, investors, regulators and other stakeholders. Trust is delivered through the provision of ongoing assurance by management, specialist support functions and Risk Management, and Internal Audit. The “Three Lines of Assurance” each provide overlapping assurance to provide a comprehensive level of assurance to senior management and the Board. Specialist support functions, including the Second and Third lines, support management in providing their assurance, and provide confirmation of the level of assurance that the Board can take from management. Final confirmation of the quality of assurance provided is tested and confirmed by External Audit, regulators and the markets.