Three Lines and Assurance
1 Introduction
It is time for a fundamental shift in the thinking about the concept of Three Lines of Defence and the value that Internal Audit and Risk Management deliver, and an equally fundamental shift in the role of management in the delivery of assurance and value creation. Over the past decade, the role of provider of assurance to the Board has been defined by the Internal Audit profession, and enshrined in the IIA's presentation of the Three Lines of Defence (TLD) model. That presentation of the TLD model and the associated assumption of who provides assurance undermines the responsibility of professionals across businesses, and presents an overt statement that management is not to be trusted. As such, it is time to review that model and introduce new thinking.
The existing paradigm is broken: it introduces and reinforces distrust, reduces the effectiveness of assurance-supporting functions such as Risk Management, Internal Audit and Finance, and fosters an "us and them" set of behaviours, destroying the importance of the overall enterprise team working together for shareholder or stakeholder objectives. TLD also, in the IIA's presentation of the concept, places authority for the provision of assurance in the hands of a single function that is already constrained by resources, skills, and maturity.
A new paradigm is needed, in which assurance is provided across the business, at all levels and by all managers, regardless of their role, with (currently designated) second and third line functions supporting managers in their provision of assurance. Not only will this increase business effectiveness, it will also reduce costs and improve the quality of business operations. Internal Audit effectiveness and cost-effectiveness will improve, and with this the standing of Internal Audit in the business and in relations with External Audit, Shareholders and Regulators.
Greater management accountability will be reinforced, and the trust in management inherent in a revised assurance model will support improved reporting and quality of assurance provided – a virtuous circle, enabled and supported by "second line" functions providing the frameworks, systems, and processes needed to deliver that assurance.
External Auditors, regulators and the markets consider the level of assurance being provided, and analyse publicly or privately delivered results (delivered to private investors or banks, for example). Market reactions in share price, regulator comments and recommendations (or instructions) and investor decisions provide the ultimate feedback to the Board and management, confirming external agreement with the assurance that is provided internally.
2 Assurance
Before going further, we should look again at what "assurance" is and what it means. Ask professionals the meaning of the word, and a common response may include providing comfort, guarantees, or otherwise confirming what management is saying. Implicit in almost all the definitions that people give is the idea that someone has checked what was said, and either agreed or disagreed with the statements being made. The implication is that there exists, or may exist, a trust issue that requires independent confirmation of management's statements.
It might be helpful at this stage to review the definitions provided by a simple Google search. While Google returns two definitions, we will focus on the first only. Missing from those results is the definition, used in many jurisdictions, that equates "assurance" with "insurance"; we are not considering that definition.
The core of the first definition is our focus: "a positive declaration intended to give confidence". The synonyms are equally important for this discussion: "word of honor", "promise", and "commitment".
Therefore, from a business perspective, it is management's responsibility both to achieve the objectives set for and by them, and to provide "Assurance" that such objectives have or have not been accomplished. Management, through systems and reporting, is the primary provider of assurance to its own senior management and, through them, to the Board and Shareholders.
Contrast that with the IIA's view of the Three Lines of Defence and the provision of assurance, in which Internal Audit is the only provider of assurance to the Board (or "governing body" as they sometimes say), as shown in their graphic below:
"Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization." (page 5, IIA 2013)
Unfortunately, this view of Internal Audit's role as the assurance provider within entities is badly flawed, and undermines the responsibility of management and the roles of Risk Management and other "second line" functions. It also does Internal Audit a disservice, and in too many cases supports an unwarranted level of hubris that is not helpful in creating and maintaining the trust relationships required for Internal Audit to deliver the greatest value.
Furthermore, it creates the impression that management (first and second line) cannot be trusted, and that a third line is required because the first two lack integrity. The very enunciation of a framework that has one function whose purpose is to tell senior management and the Board that they can trust management is a statement of a lack of trust or trustworthiness.
Finally, let me assure you, as someone who has worked in all three lines across my career, that every line provides assurance to senior management and the Board that they are delivering against their objectives, within the boundaries set by the entity, to the ethical standards required of the company, its customers, stakeholders, shareholders and regulators. In those cases where unethical or ineffective people are unable to deliver that assurance, my experience has seen that flaw exhibited in each of the three lines.
3 Resource availability
All businesses attempt to deliver on a set of business objectives through the application of finite resources, applied as is thought best to accomplish those objectives. The core principle is that resources are finite. A disproportionate distribution or misallocation of those resources to one or another function or activity will result in objectives either not being met, or being met outside of acceptable standards. Controls exist to support the effective utilisation of resources, to reduce the risk that events or situations will impede the business, and to provide the management information and reporting required to give confidence (assurance) that objectives are being or will be met.
In relation to assurance provided, there are three groups, mapping closely to the "Three Lines of Defence" groupings:
· Management across the business
· Specialist support functions
· Specialist assurance functions
Not surprisingly, these three groups mirror, in large part, the traditional breakdown in the TLD model. But it should also be noted that each of these groups provides assurance to overlapping audiences.
3.1 Management across the business
Management is responsible for operating and owning the business processes that deliver the objectives. Management directs resources to ensure delivery, within the resource constraints imposed. A key element of delivery of objectives is the ability to demonstrate that the objectives are being met. The number of widgets produced in accordance with objectives is meaningless without defined targets and reporting metrics that demonstrate delivery. Therefore management must not only deliver a defined number of widgets (be those "lumpy bits" or pieces of information), management must also be able to demonstrate that they delivered the desired widgets, in the desired or required volumes, at the required levels of quality, for the available resources or less. Where delivery is not achieved or achievable, management must be able to explain the impediments to achievement and request either the resources to deliver, or a modification of the delivery expectation.
Reporting of revenue is equally important, though in this context revenue is simply another of the business objectives that is expected to be delivered (and agreed to be delivered) for the application of a defined amount of resources. Revenue reporting and recognition are core assurance activities performed by management.
The reporting of achievement, or of expenditure toward achievement, is a critical element of control, as is the quality of the delivered product. Therefore, the ability to demonstrate the accuracy of reporting and the quality of product are core elements of the responsibility of management.
The effectiveness of business processes directly impacts the ability of management to deliver the quantity and quality of product. Therefore, measuring process effectiveness is part of management's responsibility. Likewise, efficiency in the application of resources also contributes to the delivery of product, and it is management's responsibility to be able to demonstrate efficiency of process. These are assurance activities. Management's reporting on effectiveness and efficiency, delivery volumes and quality, and expenditure of resources to achieve objectives, are the fundamental assurance activities of management.
The purpose of management is to "do", and to report what was "done", all within the boundaries set by senior management and the Board in pursuit of business objectives, and to provide comfort to senior management and the Board that those objectives have been met.
3.2 Specialist support functions
The TLD model lumps a number of functions into the "second line", or what I'm referring to as Specialist Support Functions. These functions provide support to the managers across the business discussed above - those doing the "do", delivering the business plan and objectives.
This other group of functions, according to the IIA's perspective, includes Finance, HR, Quality, Inspection, Risk Management and Compliance. Personally I would remove Compliance and Risk Management from this and add them to the category of "Specialist Assurance functions", but as the IIA and others have grouped them into the "second line" I will leave them here.
The provision of support for the "first line" comes in many forms, from processing payments to providing support in managing human capital. A large part of these functions' activities involves reporting, both to and for operational functions, and to and for senior management and the Board. Therefore, these functions are actively involved in the provision of assurance. To presume that they must be reviewed by a "third line" implies that they cannot be trusted to deliver assurance to the Board and senior management, or even to those departments and functions for which they may be providing operational support.
In many cases a core element of the purpose of these "second line" functions is to provide the frameworks and systems to support operational functions. In some cases this includes providing the frameworks and systems that enable operational functions (first and second line) to provide assurance. In one specific example, financial reporting systems provide operational functions with the tools to confirm that expenditure has been committed only where authorised, and that such expenditure is appropriately recorded and reported. These very actions serve, where effectively constructed and implemented, to provide assurance to senior management, and through and independent of them, to the Board.
Another example is Risk Management, whose purpose is to provide a framework for the identification and management of risk by operational management, senior management and the Board. When operating effectively, the risk management framework and processes represent a fundamental process for the provision of assurance.
3.3 The "Third Line" - Internal Audit
Internal Audit came to the fore during and after the accounting scandals of the early 2000s, when the regulatory response demanded that Internal Audit be established and given greater prominence, and that compliance with a "system of internal control" be confirmed. Certainly Internal Audit had been required by banking and financial regulators for many years, but the near ubiquity of Internal Audit exploded in the early 2000s. Of course, the FFIEC has required Internal Audit within banks in the United States for decades.
The driver for the expansion of Internal Audit came from the impression that a lack of oversight allowed poor accounting decisions and outright financial fraud to occur. Strangely, in only one of the major scandals was Internal Audit instrumental in identifying or standing up to management and the eventual exposure of the accounting fraud that was taking place (WorldCom). In virtually every other scandal, from Enron to Waste Management, and later the collapses of Lehman Bros, RBS and then MF Global in 2011, Internal Audit was nowhere to be seen in diagnosing the problem and raising the alarm.
Yet somehow the idea of an all-powerful, "independent" Internal Audit function took hold, possibly because of a perception following the Savings and Loan Crisis of the 1980s that greater Internal Audit would reduce the likelihood of banking institution failures. In reality the imposition of Internal Audit mostly served to reduce the regulator's burden by increasing internal oversight that the regulator could, to a limited extent, rely upon. It was that crisis that spawned the now-famous child of the Treadway Commission on Fraudulent Financial Reporting - COSO. The same COSO that morphed to become one of only two "systems of internal control" explicitly mentioned in the Sarbanes-Oxley bill (also known, tongue in cheek, as the "full employment for auditors act").
The core problem ultimately is that Internal Audit comes from the same "gene pool" as the rest of the governance functions, and is as resource constrained as any other function. While there is value in Internal Audit, it is difficult to quantify, and therefore can be viewed as a non-productive overhead.
These resource constraints ultimately limit the assurance that Internal Audit can provide to narrow areas (of high risk) in which Internal Audit is able to provide a deep vertical level of assurance. Internal Audit is unable to provide horizontal assurance across the business.
4 A New Model for TLA ("Three Lines of Assurance")
It is time to review and revisit the Three Lines of Defence and recognise that each line provides assurance, to different and overlapping audiences, and that each can succeed or fail depending on the interlinking levels of assurance that are provided or supported by the other elements of the Three Lines. Management does not provide assurance alone, nor does Risk Management or Finance, Compliance or any other "second line" function. Likewise, Internal Audit is not the sole provider of assurance to the Board.
4.1 Management provides Assurance
Management must focus on delivery against business objectives. Two of those objectives are the honest and effective application of limited resources, and honest and accurate reporting to senior management and the Board on performance against objectives. This reporting is the assurance that management provides. Management should be trusted to provide that assurance, and should where appropriate be offered resources to review the effectiveness of controls and processes, with the goal of providing an assessment, independent of that line or of senior management, of where controls or processes could be improved. Finance provides the systems and processes to enable and support accurate and authorised expenditure and honest and effective reporting on revenue and expenditure, and the provision of management accounting and financial reporting services: reporting that can be relied upon by management and the Board as a true and accurate reflection of the state of the entity.
4.2 Risk Management & Compliance provide and validate frameworks
Risk Management and other (traditionally) second line functions should provide the frameworks, systems and processes to support front-line management and to support the provision of reporting and analysis for senior management, the CEO and the Board. These functions, through the provision of effective frameworks, systems and processes, also provide assurance that what is being reported is what is being delivered, and assurance that the business is considering and managing those risks that are inherent in its businesses, or that it elects to take.
4.3 Internal Audit Confirms Assurance
Internal Audit provides an additional level of confirmation of the quality and depth of assurance that is being provided by management and through frameworks, systems and processes. Internal Audit's assurance is a layer in addition to the assurance that is already being provided to senior management, the CEO and the Board.
If Internal Audit resources are limited, as is most assuredly the case in virtually every enterprise, then Internal Audit simply will not be able to cover the full range of processes, systems and departments, and will not be able to provide assurance across them. Internal Audit, as a specialist assurance function, will always be starved of resources, and as such must ensure that it focuses on the highest risk processes, systems and functions. It is only through a focus on these highest risk areas that Internal Audit can augment the assurance otherwise provided, to give senior management, the CEO and the Board an additional level of assurance.
4.4 The TLA Model
In any entity, trust is a key factor in effective delivery, internally and to customers, suppliers, investors, regulators and other stakeholders. Trust is delivered through the provision of ongoing assurance by management, specialist support functions and Risk Management, and Internal Audit. The "Three Lines of Assurance" each provide overlapping assurance to give a comprehensive level of assurance to senior management and the Board. Specialist support functions, including the Second and Third lines, support management in providing their assurance, and provide confirmation of the level of assurance that the Board can take from management. Final confirmation of the quality of assurance provided is tested and confirmed by External Audit, regulators and the markets.