Dealing with Silos – and the Lines of Defense


The Institute of Internal Auditors’ Position Paper, Three Lines of Defense in Effective Risk Management and Control, was released 18 months ago. It has already established itself as one of the most useful and frequently mentioned publications of the IIA. The paper does a great job of putting the role of internal audit into an overall organizational context in a simple and succinct way. It also draws attention to the 2nd Line of Defense – an often somewhat grey and ambiguous area because it can include such a wide range of specialty functions.  Every auditor understands the 1st and 3rd Lines of Defense:  that management is responsible for implementing and maintaining effective controls, and that auditors are responsible for providing assurance that management is fulfilling its responsibilities.  But what about those other functions and teams that are involved in various aspects of regulatory compliance, risk management, financial controls, fraud, environmental standards, health and safety, and a potentially long list of other areas that often vary from one industry to another?  Where do they fit into the scheme of things?  The IIA describes this general group as functions that “oversee risks” – more or less in recognition that, in reality, management often doesn’t spend a lot of time worrying about controls and regulations and effectively outsources this job to specialty groups.

So, what does all of this have to do with Silos?

It seems that at every audit conference session or seminar on the intersection of audit and risk management or compliance there is a message around “avoiding silos”.  The real significance of this managed to escape me for a while – until I really thought about all of the functional groups that can exist within the 2nd Line of Defense.  Wait – you mean there are quite possibly another half a dozen, or more, groups all “doing their own specialized thing”? So how do you avoid getting into a situation where every group creates its own processes and implements its own systems?  This can quickly get very complex, inefficient and expensive. Clearly some of the areas in the 2nd Line of Defense are so specialized that they have relatively unique functional requirements – but all of these areas exist in order to reduce and manage risks to the organization, so it just seems to make sense to use a common framework and system in order to get a consistent understanding of relative risks. The same could be said for internal audit. Clearly there are some unique functional requirements for internal audit processes and systems that support the need for independence – but everything internal audit does is set in a context of organizational risks, controls and regulatory compliance. So shouldn’t internal audit use systems that maintain security and independence, but link seamlessly and efficiently into common systems for the other Lines of Defense?  And does it really make sense to use a homegrown combination of spreadsheets and generic documents and folders to manage the audit process?

Of course, some of the more healthily skeptical of you (internal auditors, perhaps!) may discount this as the self-serving view of someone involved in the software business.  But, looking again at the incredibly broad scope of the Three Lines of Defense Model, I think there is an objective argument to use integrated audit and risk systems in just the same way that business areas moved to integrated ERP systems to run an organization’s operations.

Or, as the IIA puts it in its Position Paper: “There should be proper coordination among the separate lines of defense to foster efficiency and effectiveness. Risk and control functions operating at the different lines should appropriately share knowledge and information to assist all functions in better accomplishing their roles in an efficient manner.”

