October 22, 2019
Three Lines of Defense
After 20 years in use, The Institute of Internal Auditors (IIA) thinks it is time to refresh the model referred to as “The Three Lines of Defense” (for consistency, I will use the US spelling). To facilitate this, they are asking internal auditors and stakeholders around the world to contribute their thoughts through a survey. The link to the IIA Survey, which runs from June 20 to September 19, 2019, is provided at the end of this article.
There is a 13-page IIA EXPOSURE DOCUMENT that provides great context to The Three Lines of Defense, outlining:
A. Letter from the Working Group
B. Governance: the key to organizational success
C. Contributing to organizational success and value creation
D. Scalability, maturity, structuring, and “blurring the lines”
For me, this was very timely, as I have been writing a LinkedIn article entitled “Does the Three Lines of Defense need Fixing?” In a small way, I hope that this article contributes to the background, research and thinking behind what will make the Three Lines of Defense more effective. My response covers a cross-disciplinary approach and looks at the Board Director’s perspective.
As outlined by IIA: “The current Three Lines of Defense model is delineated by:
- Operational management (first line)
- Risk management and compliance functions (second line); and
- Internal audit (third line)….”
My Key Message:
While it may reflect an Agency Theory perspective, I assert that a director cannot assume that management has effectively designed key controls (and is monitoring the operating effectiveness of these key controls within a defined period) by simply relying on the first two lines of defense.
Perhaps it is more about the Russian proverb used by President Ronald Reagan in the context of nuclear disarmament discussions with the Soviet Union: “Trust, but verify.”
While Internal Audit is there to add significant value and assurance to the Board, it cannot form part of the system of control (i.e. the first and/or second lines). Hence, I assert that management needs to demonstrate that it has obtained independent assurance that key (or perhaps critical) controls have been designed effectively and are operating effectively within a defined period. To do this, the best defensible position for a director is to ask whether management’s review of these controls has been undertaken based on an Assurance Engagement as outlined by the AUASB (Australian Government Auditing and Assurance Standards Board).
I assert that more emphasis needs to be placed on the role of key Assurance Engagements as published by AUASB. The following are what I consider to be the key Assurance Engagement standards:
- ASAE3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information
“Para 10 OBJECTIVES: (b) To express a conclusion regarding the outcome of the measurement or evaluation of the underlying subject matter through a written report that conveys either a reasonable assurance or a limited assurance conclusion and describes the basis for the conclusion.”
- ASAE3100 Compliance Engagements
“An entity may have an obligation to comply with externally and/or internally established compliance requirements. These compliance requirements may be established through law and regulation, contractual arrangements or internally established requirements, for example company policies.”
- ASAE3150 Assurance Engagements on Controls
“This Standard on Assurance Engagements (ASAE) deals with assurance engagements undertaken by an assurance practitioner to provide an assurance report on the suitability of the design of controls to achieve identified control objectives, and, if applicable, fair presentation of the description of the system, implementation of the controls as designed and/or operating effectiveness of controls as designed.”
- Auditing Standard ASA 102 Compliance with Ethical Requirements when Performing …. Assurance Engagements.
Para. 6 “Compliance with Relevant Ethical Requirements
The auditor, assurance practitioner, engagement quality control reviewer, and firm shall comply with relevant ethical requirements, including those pertaining to independence, when performing audits, reviews, and other assurance engagements.”
A1 …. “The auditor, assurance practitioner, engagement quality control reviewer, and firm are to have regard for the applicable requirements of APES 110 Code of Ethics for Professional Accountants, issued by the Accounting Professional & Ethical Standards Board Limited.”
A6 … “The fundamental principles in APES 110 are reinforced in particular by:
(a) The leadership of the firm;
(b) Education and training;
(c) Monitoring; and
(d) A process for dealing with non-compliance.”
For further information, see my May 3, 2019 LinkedIn article on assurance engagements: “How Assurance Audit Engagements Can Drive Value and Peace of Mind for Directors and Regulators”. Here’s the link: https://www.linkedin.com/pulse/how-assurance-audit-engagements-can-drive-value-peace-john-halliday
APES110 Code of Ethics
One of the key aspects of these assurance engagements is that they can only be performed by assurance practitioners who are bound by the very stringent APES110 Code of Ethics for Professional Accountants, issued by the Accounting Professional and Ethical Standards Board (APESB). This is the code of ethics that members of all three professional accounting associations must comply with.
Refer also to my LinkedIn post if you are an accountant who could use a brief outline of the APES110 Code of Ethics. Here is the link: https://www.linkedin.com/feed/update/urn:li:activity:6523720244735942656
Auditing Standard ASA 102 Compliance with Ethical Requirements when Performing …. Assurance Engagements (link provided above) reinforces the importance of this code of ethics.
Ethical compliance is a point of distinction. It is accepted that some in the first or second line of defense will be accountants, who are all bound by APES110 Code of Ethics, and likely people of integrity. Even so, they may be challenged at some point with an ethical dilemma involving compliance with the fundamental principles of APES110: integrity, objectivity, professional skills and due care, professional behavior, and confidentiality.
An accountant or assurance practitioner must respond to an ethical dilemma by either eliminating the threat of non-compliance or reducing the threat to an acceptable level (as defined in the Code and in the above LinkedIn post).
Examples of these threats include:
- Threat of intimidation: a threat from their manager to report a more favourable outcome that supports management’s view of the effectiveness of controls (which may be aligned with the manager’s incentives, bonus and rewards), or risk the consequences, e.g. “loss of promotion”, “threat of dismissal”, “poor performance review”.
- Insufficient skills development and training invested in the individual(s) undertaking the controls review. I have included below a broad reference to the intent behind the need for these skills, from the Hayne Royal Commission, as set out in the Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, Volume 1 (p. 210):
4.1.4 FASEA and the Code of Ethics
“As noted earlier, recent legislation… seeks to advance the ‘professionalism’ of financial advice: by requiring higher education and training standards;… and by establishing FASEA… and requiring compliance… with a Code of Ethics to be prepared by FASEA… and monitored by a ‘monitoring body’…).”
Role of Internal Audit – Third Line of Defense
Under the Three Lines of Defense model, there is a very high reliance on the effectiveness of the first and second lines of defense, which may well have been previously assessed by Internal Audit at a point in time as being effective.
My assertion is that if Assurance Engagements are in place, then it would also free up Internal Audit to focus on other aspects of operations. Internal Audit currently does a risk-based assessment of the audit universe. If management sought an ASAE report on the effectiveness of the control environment, then Internal Audit could simply cite this ASAE report, assess its scope and objectives, and rely on it in the context of its assessment of controls.
Assurance Engagements, as outlined above, can provide INDEPENDENT ASSURANCE to the executive and, by implication, the board and directors. Internal Audit cannot be part of this ongoing assurance, as they do not form part of the system of internal control.
As outlined in the “IIA EXPOSURE DOCUMENT Three Lines of Defense” (also available within the link to the IIA Survey):
“Careful consideration is needed to ensure that this does not result in the combining of conflicting roles. In particular, given the importance of its independence, great care must be taken when the responsibilities of internal auditing are extended beyond providing credible objective assurance on the effectiveness and adequacy of governance, risk management, and control.”
It is accepted that the Three Lines of Defense does currently consider the concept of assurance, e.g. as part of the second line to monitor controls. However, I assert that this does not go far enough and does not leverage the Assurance Engagement strategy as outlined above, i.e. incorporating an internationally accepted Assurance Engagement approach, underpinned by a strong Code of Ethics (APES110).
The IIA Position paper, “The Three Lines of Defense in Effective Risk Management and Control”, provides a guide to the second line of defense (risk management and control functions):
“… the second line of Defense serves a vital purpose but cannot offer truly independent analysis to governing bodies regarding risk management and internal controls.”
“… Typical functions for the second line of defense include:
- “A risk management function…”,
- “A compliance function to manage various specific risks such as non-compliance with various applicable laws and regulations” and
- “A controllership function…”.
Of the nine responsibilities outlined for the above functions, the final one relates to monitoring:
- “Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.”
It is this monitoring responsibility that I assert should (at least for key or critical controls) be undertaken in accordance with an Assurance Engagement strategy, as outlined above.
Possible General Theme of IIA Survey Response to the Three Lines
Many people responding to the IIA “Three Lines of Defense” survey would reasonably comment on how IIA could improve the effectiveness and role of the internal audit, e.g. by greater presence at stakeholder/board level.
As outlined by the UK Chartered Institute of Internal Auditors, “… it is important to stress the four key issues for directors monitoring the internal audit’s effectiveness in order to ensure that internal audit maximises its contribution to good governance:
- Internal audit should have a functional reporting line to the board or one of its committees…
- Internal audit must be properly resourced…
- Internal audit should use a risk-based approach in developing and executing the internal audit plan in order to focus on the greatest threats to the organisation…
- Internal audit’s scope should be unrestricted, including all areas of risk…”
Also, the “SUBMISSION ON THE PROPOSED FOURTH EDITION OF THE CORPORATE GOVERNANCE COUNCIL PRINCIPLES AND RECOMMENDATIONS”, sent by the IIA to the Chairman of the ASX Corporate Governance Council on 19 July 2018, outlined:
“The recent revelations from the Banking and Financial Services Royal Commission and Australian Prudential Regulation Authority’s (APRA) Prudential Inquiry into CBA highlighted issues raised by internal auditors, and found that many reports were either ignored in part, or not acted upon by layers of management.”
Director’s Fiduciary Duty
While I support this theme, my response gets to what I believe is the heart of where the Three Lines of Defense has let down shareholders (in the context of directors’ fiduciary duty within Australia) and the community (in the context of directors’ corporate social responsibility and “duty” to a wider variety of stakeholders).
Internal Audit cannot be expected to be accountable for every system and control. This is just not practical. Ideally, an independent ASAE Assurance Engagement will provide Internal Audit with the further supporting information it may require to take key messages to the board.
Director’s Duty to Stakeholders
In relation to a director’s duty to stakeholders, let me refer to the updated “ASX Corporate Governance Council Corporate Governance Principles and Recommendations 4th Edition”, which comes into “force” (albeit on an “if not, why not?” basis) in financial years commencing on or after 1 January 2020. Principle 3 should be read in conjunction with Principle 7:
Principle 3 / Instil a culture of acting lawfully, ethically and responsibly…
“In formulating its values, a listed entity should consider what behaviours are needed from its officers and employees to build long-term sustainable value for its security holders. This includes the need for the entity to preserve and protect its reputation and standing in the community and with key stakeholders, such as customers, employees, suppliers, creditors, law makers and regulators.”
Principle 7 – Recognise and Manage Risk:
“A listed entity should establish a sound risk-management framework and periodically review the effectiveness of that framework.”
Expert Witness Question for Directors to Ponder
Finally, let me put to you a perspective on how I would respond if, as an expert witness, I were asked by counsel to answer the question below, e.g. after a major or catastrophic cybersecurity incident.
You may also wish to read my LinkedIn Article: “Major Cyber Attack and Director’s Duty to Prevent Insolvent Trading under Section 588 of Corporations Act”. (You may need to copy and paste this link: https://www.linkedin.com/pulse/major-cyber-attack-directors-duty-prevent-insolvent-trading-halliday)
In the expert witness statement, I would include an explanation (in part) of the critical role that independent Assurance Engagements could have in relation to how a director can demonstrate that they have taken “reasonable steps” to ascertain that management has effective systems in place to assess the design and operational effectiveness of key controls, within a defined period.
Question from Counsel to the Expert Witness:
“What reasonable steps could a director have taken in 2019 to ascertain that management has effective systems and controls in place to manage risks to the level acceptable to the board’s defined risk appetite, and at what cost?”
John is an experienced IT Governance professional who assists businesses to drive value from their investment in technology. This includes the innovative FastTrack CyberSecurity™ Program. He also lectures in Ethics and Governance and Finance Data Analytics to University Masters students.
He is highly qualified and has over thirty years’ experience as an IT Compliance, Risk and Governance specialist. This includes eleven years as Executive Director, Risk Advisory (Technology) in a large international accounting firm with a specialist Risk Advisory Services practice.
This article was proofread by Writesaver