Showing posts with label Internal Audit Sins. Show all posts

12 July 2021

Three Lines of Defence - A useful framework, or a crutch for the incompetent? (Both?)

The following was told to me by a person who was in the room. We were debating Three Lines of Defence (TLD) when he told me this story. I’ve reconstructed as much as possible, and confirmed the content with my source(s).

TLD can be an effective framework, or it can be a millstone dragging effective governance to the bottom of the pond. While the concepts behind the framework are sound, it only works as a framework; it is not a management system, nor does it provide a rigid demarcation of control activity. Most certainly, it fails as a model for the provision of assurance to senior executives and the Board. TLD does not ensure, or provide even a patina of confidence, that those responsible for implementing the framework actually have the skill or competence to use it effectively.

This is a story of incompetence and a warning that the TLD is only as strong as the least competent practitioner in any of the Lines of Defence, especially the Third Line.

TLD in the Company

The company espoused the TLD as a core part of its governance framework. Applied carefully, TLD (or 3LoD) is a framework that is easily understood at the executive and board level, and equally easily understood by line management.

The company trained managers in the concept of the TLD. This made it ‘easier’ for Risk Management and Internal Audit (IA) to gain management buy-in to ownership of risks and controls, and to ensure management took ownership of reporting on the effectiveness of controls and processes. It also provided the common language that enabled people across the business to discuss risks and controls, and to understand the importance of, and the different roles of, the operational and monitoring functions.

The classic distinctions were drawn between the Lines, with “First Line” defined to include all operational functions and processes, and anything that was directly customer-facing. Customer set-up, ordering, fulfilment and billing were all included in the First Line, as were customer complaints, etc.

“Second Line” was defined equally conventionally, to include Finance and Financial Reporting, MI (Management Information), Compliance, Risk Management, Governance (including the Company Secretariat) and HR.

“Third Line”, following the IIA’s interpretation, comprised Internal Audit and was listed as the provider of assurance to the Audit Committee and the Board.

The Audit Committee was well versed in TLD, and annually read and endorsed the IA Plan and the Risk Management Framework. TLD was so well embedded that at times it became a crutch and not a framework, something to fall back on when questioned, or when the obvious answers did not fit the problem.

The problem was that, TLD or not, business processes were inefficient, errors were being missed or discovered by accident (or by customers, which was worse), and staff were overworked due to inefficiencies. Management reporting was inadequate, and financial reporting was cumbersome and slow. The monthly close took weeks, with some critical financial information not available for up to a full month after the month-end. This financial information was critical not only for operations but to satisfy regulatory reporting requirements. Something needed to be done.

The company decided to review all its critical business processes, confirm controls were in place, and identify process improvement opportunities where possible.

Internal Audit

Internal Audit took the lead on the project, with support from specialists and Risk Management. The project fell outside the normal IA work programme, but this was accepted as process inefficiencies and failures had already impacted the company.

A list of those processes was made, and reviews of each process scheduled.

Of course, IA still needed to identify critical processes and potential areas of higher risk and to develop and deliver an IA programme based on reviews of those processes. This was done through an annual planning process that included input from the external auditors, but little or no input from within the business.

In this case, the senior Internal Audit Manager had alienated too much of the business, and IA was seen as neither adding value nor even confirming control effectiveness. IA had developed a reputation for being pedantic and for measuring success by the number of findings, no matter how petty (or inaccurate), included in its reports. Further, IA was known to demand that a recommendation be implemented even if there was no budget, or if the recommendation would not address the issue.

So the first lesson we should take is: where Internal Audit has an adversarial relationship with functions across the business, it may be time to look at IA’s effectiveness. IA, especially when poorly led, can establish a fiefdom and use TLD to protect its position and its access to leadership.

In the case of the review of business processes, this led to one of the most bizarre moments that has ever been recounted to me.

The list of business processes to be reviewed was developed and presented to the steering group, including the CEO. Someone from the Risk Management team asked why the month-end close process was not included.

“There are no critical processes in Finance” was the statement from Internal Audit.

“How can there be no critical processes? The CEO does not know the financial position for up to a month after the month-end. What about billing, payments or debt collection?”

Internal Audit persisted “Billing and debt are not financial processes. Those are operational processes and are part of the First Line.”

“Excuse me?”

“Finance is Second Line. Second Line only reports and supports First Line, so Second Line cannot have any critical processes.”

The room was quiet. People looked at each other, and then at the CEO.

He paused, obviously thinking about how to engage.

He then said, “Can I suggest an offline review of the list of processes? I would expect to see more of the MI supporting and Financial processes included, because they are critical to my ability to achieve our plan.”

The second lesson we should take from this is that TLD, when used as a crutch, can embed ineffective governance, and provide a shield for incompetence.

The poor quality of MI and the speed of the financial close combined to undermine management’s ability to more efficiently manage the company, apply resources where they were needed, and provide assurance to the Board about the company’s status in relation to the strategic and tactical plans.

Unfortunately, the TLD model, as hijacked by the Internal Audit profession, reserves the provision of assurance to the Board as a Third Line function. Admittedly the IIA’s newer “Three Lines Model” (which dropped “of Defence” from the name) conjoins the Senior Management and Governance groups, while retaining the mythology of an independent Internal Audit. This is not the place to discuss whether Internal Audit can ever actually be “independent”, but it is the place to reinforce the concept of the provision of assurance.

Real Assurance


All management provides assurance. That is what MI and reporting are all about. The information provided in management reports is compiled and provided to give assurance to the receiver that the status or situation reported is accurately reported. As information is reported upward (and summarised in almost all cases as it moves upward) there is an underlying assumption that the information is, to the best professional knowledge and experience of the information provider, accurate, and provides assurance that such information may be used for further decision-making.

Furthermore, IA is an overhead, and as such the cost of providing IA will always be constrained. That constrained resource inevitably narrows IA’s potential span of attention. IA will need to focus its limited resources on the highest-risk business processes, systems or functions, and will not be able to provide the breadth of coverage required for real assurance to Executives and the Board, beyond the very narrow assurance over the limited areas of its attention.

This leads to our third lesson: assurance must be provided by all management, not only by the Third Line, and reliance on the Third Line alone for assurance will undermine the quality of assurance that is being, or can be, provided to Executives and the Board.

So bringing our three lessons together we can see a recipe for disaster. An adversarial IA, using TLD as a crutch, claiming that only the Third Line (IA) is able to provide assurance. Bring these three together and the potential damage is huge.

Had IA prevailed, critical processes would have been excluded from the review, leaving fundamentally inefficient, yet critical, processes untouched. Indeed, the Board would have been given “assurance” that all critical processes had been reviewed and were being improved (from a control and efficiency perspective), when it was clear that this was not the case, and that the CEO was either missing critical business decision-making information or receiving it too late to enable an effective and agile response, whether reactive or proactive.


09 October 2020

Not everyone should be an Internal Auditor

Sometimes Internal Auditors shouldn’t be Internal Auditors. No matter how much effort is expended to avoid it, the role can be confrontational, or carry the potential for conflict with the auditee (and others). This is particularly the case when there are strong personalities on the ‘other side’ of the audit process. I ran into exactly such a situation, as I’m sure most of us have. Remember, however, that just because someone is not suited to Internal Audit does not mean they cannot contribute a great deal to the business.

A number of years ago, I was engaged by a bank to perform a number of IT Audits. The bank had a full Internal Audit function but only three IT Auditors. The audit programme, however, included too many audits to be completed by the team that was available (for various reasons, only one of which was too much work for the available resources).

After cutting my teeth on a couple of simple reviews, the Audit Director asked me to take a look at the implementation and use of the Project Management Methodology in a couple of the major projects that were in-flight at the time. These were significant projects, being run by and for different parts of the bank. Each had external project managers, and each seemed to be running to time, budget and promised deliverables. There were no particular reasons to worry about the projects.

Enter Bob (not his real name), a somewhat meek Internal Auditor, who chanced into IT Audit from a role as a bank branch auditor. I had worked with Bob before at another institution, and knew some of his strengths and weaknesses.  The Internal Audit Director said to me “I’d like Bob to work with you on this audit”. Really? Well, okay. “It will be good for him. He’ll learn something, and hopefully will become a better auditor.” He saw the horror in my face.

“I really need you to do this, but let me know how it goes”.

So the audit began. Each project provided all the requested information, and both were open, allowing interviews with key project personnel and the project managers. The project sponsors were comfortable with the progress, and the user communities were looking forward to the new systems and processes, even though these were months away.

The projects were running smoothly, and the audit did not find any unreasonable budget-to-actual variations, or undue and unexpected slippages in estimated delivery dates, resource requirements, etc. Risks were documented (inadequately, but there was some consideration of risks). Of course, the primary purpose was to confirm the implementation and use of the corporate-mandated project management methodology.

While everything is going smoothly, a finding that process is not being followed can be a difficult finding to make and defend, especially when the processes will add effort and probably increase the resources and costs required to accomplish the project or set of tasks.

Add to that the personality trait of many good project managers – a straightforward manner and an air of confidence that can be used to ‘encourage’ focus on goals. They are confident, and they exude confidence, and that is one of the ways that they provide comfort to stakeholders, encourage teams, and deflect or reduce potential conflict or disagreement. This sometimes can manifest itself as arrogance and bullying.

And we faced two of these individuals. They had the backing of their respective General Managers, they were confident, they were delivering, and they really didn’t need Internal Audit second-guessing how they were going about achieving their missions.

I sent Bob to carry out some interviews, collect documentation, read it and summarise his thoughts. We talked through what he was seeing. We combined our work and work papers, and we arrived at our conclusions. We wrote up the draft report, and prepared for the exit-interviews with the two Project Managers. 

As the fieldwork progressed, Bob became more and more agitated, and at times seemed distracted. Finally, with the fieldwork completed and the draft report ready, we scheduled the exit interviews. Twice.

Then a third time, with each of the other two being cancelled and rescheduled.

Finally, the day arrived. I arrived in Internal Audit, and seeing Bob, said “Fantastic, today is the day. They’ve not cancelled or postponed. We’re ready.”

I looked closely at Bob. “Are you alright? You look tired.”

“I haven’t slept all week, I’ve been so worried about this meeting” was his response. Worried? Why? All our ducks were in a row, all the documentation was completed, the draft report was written, the findings reviewed, and the key points ready. All that was needed now was a conversation with the PMs, and to give them an opportunity to take the draft back with them and write up their comments, responses and action plans.

Focusing on the coming meeting, I put his comment away in the back of my mind, something for later.

We had our exit meeting. We outlined the audit, the fieldwork performed and the data and information reviewed. We presented our findings. The PMs read the Executive Summary, looked at each other, and after a few questions said “You’re right, we use our own methodologies. They are not the corporate-approved methodology. We will talk to our teams about how we will implement and use the standard methodology. We will need to train our people, and we might need some training also.”

Done. 

Yes. It was that ‘easy’. The data was there, the documentation was there, and we did not attack their methodologies or pick holes in what they were doing. We were not auditing the effectiveness of their personal leadership, and we were not questioning the performance of the projects (although we did look at status reporting, steering committee reporting, budgets to actuals, etc). We had a specific scope and we audited to that scope, cognisant that other issues may come up.

What I didn’t expect was that the primary finding of serious concern was that one of the auditors was not able to perform the audit. Having worked with Bob in the past, it all came together then. He simply was not capable of assertive support of any position. His default in any potential conflict was not to address the issue, but to seek someone who could deal with it on his behalf.

When all was done and the report was issued, I stopped by the Audit Director’s office. I told him what had happened, and said I was deeply worried about Bob, his mental state and his fitness to be an Internal Auditor. Furthermore, there was the very real potential that Bob would bring Internal Audit into ‘disrepute’ within the bank by not being adequately assertive or able, when pushed, to deal with highly assertive individuals. In the worst case, such an auditor might miss a critical control or technical issue, or fail to push for acceptance and resolution of a critical weakness, potentially endangering the bank itself. The IA Director knew we had worked together in the past; in fact, all three of us had been at another bank at the same time. He “inherited” Bob when he took over IA in this bank. He knew what he had, but there was little he could do directly.

We talked, and eventually, I said “You have to get him out of Internal Audit. He will have a nervous breakdown, or worse. This is not the right job for him.” The IA Director agreed and asked for my suggestion. My view was that Bob had a solid knowledge of retail banking, adequate IT knowledge, and understood both the bank and the banking sector. Firing him would only compound Bob’s issues and would be wasting an otherwise perfectly decent person and skill-set. “Find him another job in the bank. For you and for him”.

Checking in with the IA Director a couple of years later, I asked what the final outcome had been with Bob. The news was all good. Bob had been encouraged to apply for, and was appointed to, a role in the Retail Product Development team, and was by all reports thriving. Conflict was not an issue, because he was supporting product developers who were, by nature, positive and had the support of the executives. His knowledge of the bank and banking products served him well.

Most of all, a ‘wrong fit’ was rectified, and IA was seen as a potential source of good quality people for the business, and not tarnished as the home of people who were not able to provide the challenge actually needed in healthy organisations.

What are the attributes of a good Internal Auditor? There is a long list. Near the top of any list must be confidence in the correctness of the principles that the auditor is espousing; of effective control, process effectiveness, risk identification and assessment, and confirmation by the auditee of the findings and potential impact. Meekness is not a desirable attribute.


11 July 2018

Why Inherent and Residual Risk are Inadequate: What is the Appetite?

Too often the practice of internal auditing, when performing risk assessments, looks only at Inherent Risk (the level of risk before any remediation) and Residual Risk (the level of risk after remediation). This is inadequate and forgets one of the most important aspects of Risk: the Risk Appetite.

Risk Appetite provides management with a view of the level and type of risk that the entity is willing to take, and the risks that the entity will pursue. Missing from the IIA’s (and others’) assessment of risk is the Target Risk level. This represents the level of risk acceptable for any individual risk, based on the Risk Appetite of the entity.

The delta between Inherent Risk and Residual Risk measures only the current assessed level of control, or of risk. It does not provide a link to what the acceptable level of risk (and control) for the entity is. This means that Internal Audit could, in theory, report that the entity is well controlled because the Residual Risk level is accurately stated and the controls that produce that level of Residual Risk are functioning effectively, even though that Residual Risk may still sit well outside the Risk Appetite.

Equally, in theory, the Residual Risk level could actually be fully in-line with the Risk Appetite, and in such a case there would be no Internal Audit findings other than “(Auditable area) appears to be well controlled with the current Residual Risk being within the Risk Appetite”.

I do say “in theory” because I have only seen one Internal Audit report in the past 35 years that did not contain findings and recommendations, even when reporting that the audited area is effectively controlled. Internal Auditors simply, almost pathologically, count the number of findings, and too few findings are seen (by the Internal Auditors) to indicate a poorly performed audit or an ineffective Internal Auditor. For a candid discussion of the “7 deadly Internal Audit sins” I would only point you to the video from Richard Chambers, IIA President and CEO.

The concept of limiting the assessment to Inherent and Residual Risk is sound, IF the remediation reduces the risk to within the Risk Appetite.


From the IIA

The reality is that Inherent and Residual Risk scores do not cater for the situation in which the level of Residual Risk is inconsistent with the entity’s Risk Appetite. It is left to the Internal Auditor to attempt to determine what the control environment should include to bring the risk within the Risk Appetite, sometimes in the absence of a defined Risk Appetite.

In this case, we need to know what the Target Risk score is, in terms of the Risk Appetite. The most important delta is then between the Residual Risk level and the Target Risk level, not between Inherent and Residual.

Of course there is the common problem that many (most?) entities do not have a well-defined Risk Appetite, and therefore it is almost impossible to confirm that a Residual Risk position actually is within the Risk Appetite. This makes the development and communication of the Risk Appetite a critical step for an entity on its journey to becoming “well controlled”.

Therefore, as the Risk Appetite is frequently either non-existent or not well communicated and understood, the probability is that the Residual Risk position will not be in line with what the Risk Appetite would be. What is needed then is to determine what management considers the “Target” risk position should be for any given risk, thus creating a de-facto Risk Appetite at the level of that particular risk.

Then, with a Target Risk score, it is possible to clearly communicate the difference between the Residual and the Target. That difference is the Internal Audit finding, and can be used to demonstrate the need for improved or additional controls, or to demonstrate that existing controls are not operating effectively.
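To make the Residual-versus-Target gap concrete, here is an added worked example; it is not the IIA’s method nor any entity’s actual risk register. The 5×5 likelihood-by-impact scoring, the appetite bands per risk category, the controls and the sample register are all constructed assumptions. The point it shows is the one made above: a risk whose controls clearly reduce Inherent to Residual can still produce a finding, because the gap that matters is between Residual and Target, and a risk with no defined appetite cannot be assessed at all until management sets a Target.

```python
"""Risk register assessment: report the Residual -> Target gap, not Inherent -> Residual.

Added example for this post; scoring scale, appetite bands, controls and the sample
register below are constructed assumptions, not any real entity's data.
"""
from dataclasses import dataclass, field
from typing import Optional

SCALE_MAX = 5  # assumed: likelihood and impact each scored 1..5, score = product (1..25)

# Assumed Risk Appetite statement, expressed as the maximum acceptable score per category.
# Note there is deliberately no band for "reputational" to exercise the missing-appetite case.
APPETITE = {"financial": 8, "operational": 12, "regulatory": 4}


@dataclass
class Control:
    name: str
    reduces_likelihood: int = 0  # assumed: points removed from likelihood when operating
    reduces_impact: int = 0      # assumed: points removed from impact when operating
    operating: bool = True       # set False when testing shows the control is not effective


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)
    target_override: Optional[int] = None  # management-set Target where no appetite band exists


def score(likelihood: int, impact: int) -> int:
    """Clamp both factors into the 1..SCALE_MAX range and multiply."""
    clamp = lambda v: max(1, min(v, SCALE_MAX))
    return clamp(likelihood) * clamp(impact)


def inherent(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    """Residual score after only the controls that are actually operating."""
    lik, imp = risk.likelihood, risk.impact
    for c in risk.controls:
        if c.operating:
            lik -= c.reduces_likelihood
            imp -= c.reduces_impact
    return score(lik, imp)


def target(risk: Risk) -> Optional[int]:
    """Target from a management override first, else from the appetite band; None if neither."""
    if risk.target_override is not None:
        return risk.target_override
    return APPETITE.get(risk.category)


def assess(risk: Risk) -> dict:
    inh, res, tgt = inherent(risk), residual(risk), target(risk)
    if tgt is None:
        status = "no appetite defined"   # cannot conclude; management must set a Target first
    elif res <= tgt:
        status = "within appetite"       # no finding, whatever the Inherent -> Residual delta
    else:
        status = "finding"               # the Residual -> Target gap is the finding
    return {"risk": risk.name, "inherent": inh, "residual": res, "target": tgt,
            "gap": None if tgt is None else max(0, res - tgt), "status": status}


# Constructed sample register.
SAMPLE_REGISTER = [
    # Controls reduce the score from 16 to 12, yet the financial appetite cap is 8: a finding.
    Risk("Month-end close timeliness", "financial", 4, 4,
         [Control("Reconciliation checklist", reduces_likelihood=1)]),
    # Well controlled and inside the operational appetite: no finding.
    Risk("Billing errors", "operational", 3, 3,
         [Control("Automated rating validation", reduces_likelihood=2)]),
    # The only control failed testing, so Residual equals Inherent and exceeds the cap.
    Risk("Late regulatory return", "regulatory", 2, 5,
         [Control("Submission calendar review", reduces_likelihood=1, operating=False)]),
    # No appetite band and no management Target: cannot be assessed.
    Risk("Customer-visible errors", "reputational", 3, 4),
]


def assess_register(register=None) -> list:
    """Assess every risk, listing findings first and largest gap first."""
    rows = [assess(r) for r in (register if register is not None else SAMPLE_REGISTER)]
    order = {"finding": 0, "no appetite defined": 1, "within appetite": 2}
    return sorted(rows, key=lambda r: (order[r["status"]], -(r["gap"] or 0)))


if __name__ == "__main__":
    for row in assess_register():
        print(f'{row["risk"]:<30} inherent={row["inherent"]:>2} residual={row["residual"]:>2} '
              f'target={str(row["target"]):>4} gap={str(row["gap"]):>4} {row["status"]}')
```

The ordering in `assess_register` is deliberate: findings surface first, then risks that cannot be assessed for want of an appetite, and the well-controlled risks last. A residual that has fallen by a large amount from its inherent score earns no credit on its own; only its position relative to the Target does.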

In an ideal world the entity will have a defined Risk Appetite statement, or Target risk scores for each identified risk, and therefore a de-facto Risk Appetite at the level of each risk. In such an entity, all Internal Audit findings and recommendations should demonstrate how those recommendations will enable achievement of the Target, and therefore of the Risk Appetite. This will also allow management to petition an adequately senior authority to “accept” the risk, or to authorise resources to plug the gap.

Such “acceptance” should of course be in line with the Delegations of Risk Acceptance, but that is a topic of a different article.