The following was told to me by a person who was in the room. We were debating Three Lines of Defence (TLD) when he told me this story. I’ve
reconstructed as much as possible, and confirmed the content with my source(s).
TLD can be an effective framework, or it can be a millstone dragging effective governance to the bottom of the pond. While the concepts behind the framework are sound, it only works as a framework; it is not a management system, nor does it provide a rigid demarcation of control activity. Most certainly, it fails as a model for the provision of assurance to senior executives and the Board. Nor does TLD give even a patina of confidence that those responsible for implementing the framework actually have the skill or competence to use it effectively.
This is a story of incompetence, and a warning that TLD is only as strong as the least competent practitioner in any of the Lines of Defence, especially the Third Line.
TLD in the Company
The company espoused the TLD as a core part of its governance framework. Applied carefully, TLD (or 3LoD) is a framework that is easily understood at the executive and board level, and equally easily understood by line management.
The company trained managers in the concept of TLD. This made it ‘easier’ for Risk Management and Internal Audit (IA) to gain management buy-in to ownership of risks and controls, and to ensure management took responsibility for reporting on the effectiveness of controls and processes. It also provided the common language that enabled people across the business to discuss risk and control, and to understand the importance, and the different roles, of the functions that monitor operations.
The classic distinctions were made between the Lines, with “First Line” defined to include all operational functions and processes, and anything that was directly customer-facing. Customer set-up, ordering, fulfilment and billing were all included in the First Line, as were customer complaints and the like.
“Second Line” was defined equally conventionally, to include Finance and Financial Reporting, MI (Management Information), Compliance, Risk Management, Governance (including the Company Secretariat) and HR.
“Third Line”, following the IIA’s interpretation, comprised Internal Audit, and was listed as the provider of assurance to the Audit Committee and the Board.
The Audit Committee was well versed in TLD, and annually read and
endorsed the IA Plan and the Risk Management Framework. TLD was so well embedded
that at times it became a crutch and not a framework, something to fall back on
when questioned, or when the obvious answers did not fit the problem.
The problem was that, TLD or not, business processes were inefficient,
errors were being missed or discovered by accident (or by customers, which was
worse), and staff were overworked due to inefficiencies. Management reporting
was inadequate, and financial reporting was cumbersome and slow. The monthly
close took weeks, with some critical financial information not available for up
to a full month after the month-end. This financial information was critical
not only for operations but to satisfy regulatory reporting requirements.
Something needed to be done.
The company decided to review all its critical business processes,
confirm controls were in place, and identify process improvement opportunities
where possible.
Internal Audit
Internal Audit took the lead on the project, with support from specialists and Risk Management. The project fell outside the normal IA work programme, but this was accepted because process inefficiencies and failures had already hurt the company.
A list of those processes was made, and reviews of each process
scheduled.
Of course, IA still needed to identify critical processes and potential
areas of higher risk and to develop and deliver an IA programme based on
reviews of those processes. This was done through an annual planning process
that included input from the external auditors, but little or no input from
within the business.
In this case, the senior Internal Audit Manager had alienated too much of the business, and IA was seen as neither adding value nor even confirming control effectiveness. IA had developed a reputation for being pedantic and for measuring success by the number of findings, no matter how petty (or inaccurate), included in its reports. Further, IA was known to demand that a recommendation be implemented even if there was no budget for it, or if the recommendation would not address the issue.
So the first lesson we should take is this: where Internal Audit has an adversarial relationship with functions across the business, it may be time to look at IA’s own effectiveness. IA, especially when poorly led, can establish a fiefdom and use TLD to protect its position and its access to leadership.
In the case of the review of business processes, this led to one of the most bizarre moments that has ever been recounted to me.
The list of business processes to be reviewed was developed and
presented to the steering group, including the CEO. Someone from the Risk
Management team asked why the month-end close process was not included.
“There are no critical processes in Finance” was the statement from
Internal Audit.
“How can there be no critical processes? The CEO does not know the
financial position for up to a month after the month-end. What about billing,
payments or debt collection?”
Internal Audit persisted: “Billing and debt are not financial processes. Those are operational processes and are part of the First Line.”
“Excuse me?”
“Finance is Second Line. Second Line only reports and supports First
Line, so Second Line cannot have any critical processes.”
The room was quiet. People looked at each other, and then at the CEO.
He paused, obviously thinking about how to engage.
He then said, “Can I suggest an offline review of the list of processes? I would expect to see more of the MI-supporting and financial processes included, because they are critical to my ability to achieve our plan.”
The second lesson we should take from this is that TLD, when used as a
crutch, can embed ineffective governance, and provide a shield for
incompetence.
The poor quality of MI and the slowness of the financial close combined to undermine management’s ability to run the company efficiently, to apply resources where they were needed, and to give the Board assurance about the company’s position against its strategic and tactical plans.
Unfortunately, the TLD model, as hijacked by the Internal Audit
profession, reserves the provision of assurance to the Board as a Third Line
function. Admittedly the IIA’s new “Three Lines of Defence” model conjoins the
Senior Management and the Governance groups, while retaining the mythology of
an independent Internal Audit. This is not the place to discuss if Internal
Audit can ever actually be “independent”, but it is the place to reinforce the
concept of the provision of assurance.
Real Assurance
All management provides assurance. That is what MI and reporting are all about. The information in management reports is compiled and provided to assure the recipient that the status or situation reported is reported accurately. As information moves upward (and in almost all cases is summarised as it does so), there is an underlying assumption that it is accurate to the best professional knowledge and experience of the provider, and that it can therefore be relied on for further decision-making.
Furthermore, IA is an overhead, and as such the cost of providing IA will always be constrained. That constrained resource inevitably narrows IA’s potential span of attention. IA must focus its limited resources on the highest-risk business processes, systems or functions, and cannot provide the breadth of coverage required for real assurance to Executives and the Board, beyond the very narrow assurance over the limited areas it does examine.
This leads to our third lesson: assurance must be provided by all management, not only by the Third Line, and reliance on the Third Line alone for assurance will undermine the quality of assurance that is being, or can be, provided to Executives and the Board.
Bringing our three lessons together, we can see a recipe for disaster: an adversarial IA, using TLD as a crutch, claiming that only the Third Line (IA) is able to provide assurance. Combine the three and the potential damage is huge.
Had IA prevailed, critical processes would have been left out of the review, and fundamentally inefficient, yet critical, processes would have stayed unexamined. Indeed, the Board would have been given “assurance” that all critical processes had been reviewed and were being improved (from both a control and an efficiency perspective), when it was clear that this was not the case, that the CEO was missing critical decision-making information, and that the information he did have was too old to enable an effective and agile response, whether reactive or proactive.