On June 17, 2019, The Institute of Internal Auditors (the IIA) released an Exposure Draft (the Draft) on a study being conducted to review and modernize the Three Lines of Defense Model (3LoD). The Draft has been released for public comments from June 20, 2019 and September 19, 2019 and reflects the thoughts and analysis of a working group, chaired by Jenitha John, Vice Chairman of The IIA Global Board of Directors; and Chief Audit Executive, FirstRand Ltd. The study aims to refresh the existing 3LoD model, broadening its scope and purpose and imparting flexibility in its use, depending on organizational size and complexity. A need was felt to make the model relevant and adaptive to a wider range of organizations with varied business models and a rapidly changing business environment.
The IIA will update its Position Paper “The Three Lines of Defense in Effective Risk Management and Control,” published in 2013, after considering public comments and feedback. The 3LoD model has been widely adopted by business organizations globally in structuring their risk management functions, roles and responsibilities.
Need for revision
The business community and the IIA agreed the model needed to be revised for the following key reasons:
Focus on defense rather than proactive risk and opportunity management
One of the key drawbacks of the existing 3LoD model is that its scope is limited by its “defense” oriented focus on the value preservation aspects of risk management. An emphasis on the value creation that arises from proactive risk management is needed.
Promotes a siloed approach to risk management
The existing model promotes a siloed approach given its description of the 3 “lines” that separate the functions of business units, risk and control groups, and internal audit. A certain rigidity has been introduced in some organizations which took the 3 lines in a literal sense. Efficiency can often be compromised with the 3 lines performing overlapping tasks in reviewing and testing the risk management controls.
Does not account for blurring of lines and potentially conflicting roles
Some smaller organizations experience a “blurring of lines” due to limited staffing and the need for individuals to wear “multiple hats.” There is a need for additional guidance to ensure conflicting roles will not get combined in an effort to be more cost conscious through staff reduction. Of particular importance is maintaining the independence and objectivity of Internal Audit as an independent assurance function.
What has changed?
Emphasis on Governance
The Draft emphasizes Governance as the key to achieving the organizational objectives as defined by the stakeholders. The Governing body is given the overall stewardship of the organizational resources that are to be used to achieve the objectives of value creation. Per the Exposure Draft, “Organizations are created to fulfill a purpose and deliver desirable outcomes defined by the specific needs and interests of stakeholders, and to create value.” Organizations adopt specific measures including decisions, actions, behaviors, and outcomes in alignment with stakeholder needs and interests to achieve the organization’s objectives. These measures are grouped into four overlapping and complementary sets of related roles and activities with different functions/ groups responsible for each as follows:
|Leadership and oversight|
Responsibility for leadership and oversight is assigned to a governing body.
|Governing body||Stakeholders give the governing body overall responsibility for the stewardship of the organization, its culture, assets, activities, performance, engagement with other organizations and individuals, environmental impact, reporting, and so on.|
|Management||The governing body typically delegates responsibility for executing strategy to management and allocates the appropriate resources. Management owns risk and is responsible for designing and implementing controls and managing the uncertainty associated with strategy execution within agreed variations in performance.|
|Support, guidance, and control|
Within management’s sphere of responsibility, separate functions are established that provide support, guidance and control with respect to risk, quality, control, and compliance.
|Risk, quality, control, and compliance functions||Risk, quality, control, and compliance functions provide tactical oversight, guidance, support, challenge, and control by working with management and are specialized to leverage specific knowledge and skills.|
|Objective assurance and advice|
Independent internal audit provides objective assurance, insight, and often advice.
|Independent internal audit||The mission of internal audit is “[t]o enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight” and it is a direct contributor to enabling an organization to achieve its purpose (i.e., value creation).|
|Additional Independent External Assurance||External auditors/SAIs||External auditors provide an additional level of independent assurance for stakeholders over the accuracy of an organization’s financial reporting and the systems that underpin it. Supreme audit institutions (SAIs) perform this role in the public sector, conduct performance and compliance audits, and may have additional inspection and jurisdictional mandates.|
Regulatory requirements and examinations
|Regulators||Regulators apply and monitor rules designed to increase transparency and accountability in a number of areas, including financial reporting, environmental, health and safety, privacy, labor, and others.|
The Draft acknowledges that smaller, less mature or less regulated enterprises may need to have different structures to implement appropriate risk management controls. Less stakeholders, more direct communications, and greater participation by stakeholders and governance bodies in management may make it easier to oversee organizational activities directly. The need for oversight and reporting by other assurance functions is therefore reduced. This may, however, result in a greater blending of roles and limited separation between management, risk, and audit functions.
Larger, more mature or more complex organizations, can implement greater specialization of functions and segregation of duties across risk, control, and audit. The balance of priorities of value protection over value creation, the degree of blending vs. separation between the various governance roles and activities, and the deployment of resources across functions should vary in accordance with changing needs and circumstances.
Blurring of lines and safeguards
There is a recognition that, depending on the industry, size of organization, and resources available, two or more of the governance roles and activities may be combined leading to a “blurring of the lines.”
Appropriate safeguards should be considered and built into the process when such blurring occurs. Grouping of related responsibilities can reduce duplication and gain efficiencies, but its key to identify potentially conflicting roles that could impact the overall effectiveness of governance.
Blurring of roles involving the internal audit function are of particular concern, given the importance of independence in its ability to deliver credible challenge and objective assurance to the stakeholders. Internal audit may render assurance and nonassurance services according to the needs of the organization, but where nonassurance services are provided, there must be an active consultation with the governing body about whether this creates any conflict with the function’s ability to perform its services in an impartial and objective manner and design appropriate safeguards.
Sometimes the internal audit function is given responsibility for enterprise risk management and the importance of effective safeguards under such circumstances. Additional oversight from the governing body over internal audit’s nonassurance responsibilities may work as an effective safeguard. Safeguards may also include time limited engagements that clearly define certain roles, such as management decision making, that the internal audit function would not undertake and implement a “cool off” period after completion of the nonassurance activity before being able to undertake any assurance work in that area.
The IIA’s working group has made a good attempt at refreshing and modernizing the 3LoD model, and after incorporating feedback received from the public and various stakeholders, the revised guidance is expected to be more flexible, scalable and more focused on value creation.