The concept of the three lines of defence and its various interpretations provides a good tool for positioning and championing Internal Audit within organisations. Like many concepts it is not without its critics and limitations, but on the whole it does provide a good basis to frame the discussion regarding the Board’s Assurance Framework. Tim Le Mare explores how this can be used by Internal Audit to strengthen its position and conversation at Board level.
The recent publication of the Government’s consultation - Restoring trust in audit and corporate governance - will have ramifications across an organisation’s governance framework, including the role of Internal Audit. While the focus of the consultation is on the financial reporting and control framework for listed companies, the principles behind the consultation: the need for clear accountability; robust management self-assessment and attestation; and ensuring adequate and effective independent assurance, are ones that have wider applicability.
Internal auditors are familiar with the need to ensure governance and assurance frameworks are aligned, and have been using the three lines model for over a decade to help guide the interplay between management and the internal audit function. The recent revision to the model, with an increased focus on collaboration, speaks to the importance of ensuring assurance providers - wherever they sit in the organisation - have clear lines of sight and effective working relationships.
While the three lines concept is well known, how does this concept work in practice? One way of exploring this question is to examine the assurance framework from the vantage point of the board, particularly the audit committee. As assurances funnel up through the organisation the audit committee has a prime position at the top of this funnel looking across the three lines and trying to make sense of the various sources of assurance it has available. The Risk Coalition has undertaken significant work in this space looking to understand the connection between board strategy, risk management and the assurance framework. From its work surveying risk and audit committee members, some common themes emerge:
The need for assurance to be driven top down from the board
A stronger linkage between board objectives and assurance activity
A greater focus on assurance stemming from the first line
A more effective way of presenting the totality of assurance activity across the three lines.
These themes should be received as positive encouragement of the work assurance providers have been performing to-date. The Risk Coalition’s work shows a real appetite and need at board level for clear actionable assurance information, which is a solid foundation to build upon. The question for all involved in governance and assurance is how to go to the next level and drive a more integrated assurance framework.
For internal auditors, this poses some interesting issues on how best to support the board and audit committee. All too often internal audit is one of – if not the only - leading voice on assurance matters within an organisation. That voice should have a key role in shaping the assurance agenda and closing the gap between board level expectation and current practice.
So how should Internal Audit use that voice?
Senior level engagement. Now more than ever with the publication of the consultation on a UK regulatory controls regime, there is a space at the top table for Internal Audit to advise on the optimum assurance model. What is clear is that different stakeholders have different perspectives on the optimum assurance model, largely based on previous experiences and views on organisational strategy and future direction. Ensuring regular dialogue between Internal Audit, the audit committee and the wider c-suite is time well spent in building mutual trust and understanding.
Objective led assurance. There is often a tendency for internal auditors to ‘push’ assurance work onto the organisation. Moving to a position where the board is ‘pulling’ assurance from Internal Audit (and other assurance providers) helps to align expectations. Working with the board on developing a culture of objective led assurance is a key way of ensuring the board is clearly communicating to Internal Audit its needs for third line assurance.
Clarifying assurance responsibilities. When assurance issues are raised, very often all eyes turn towards Internal Audit as the key assurance provider. While flattering(!) for Internal Audit, it can lead to management taking a back-seat when it comes to driving conversations on assurance. The ‘UK SOX’ consultation paper puts a focus on attestations as a key mechanism for ensuring accountability for control and control assurance is clearly placed on management and the first line. This gives Internal Audit an opportunity to open a wider conversation on the role of the first line in assurance.
The big picture view. One of the key themes from the board and audit committee is they need help in understanding and visualising the totality of assurance across the three lines. The use of assurance maps and dashboards to surface and align assurance activity is one that has steadily risen up the audit committee agenda. Internal audit can help influence, particularly the second line, that investing in developing and maintaining this holistic assurance landscape pays dividends in allowing the board to gain a succinct coherent view of assurance activity.
While there is a current focus and debate on financial reporting and control, the above points have much broader applicability across the risk and control framework. Cyber, ESG and wider geo-political risks (eg Brexit) are all examples of priorities jostling for attention. Staying close to the board and its agenda, working to understand how assurances across the three lines combine, and helping the board to understand the totality of assurance, are all areas that will pay dividends in Internal Audit’s standing within the organisation, now and in the future.
To join the debate, please register for ACCA’s free webinar on 13 May at 12.30pm when I'll look at this topic further with Bryan Foss of Risk Coalition and Lee Glover of Haines Watts.