As the cost of compliance continues to increase, risk managers are finding that collaboration across the three lines of defense can achieve an integrated risk management solution that optimizes resources and technology.
In risk management, management control represents the first line of defense; risk and control monitoring represents the second line of defense; and independent assurance through the internal audit function is the third line of defense.
Collaborating across the three lines of defense is not new, but the concept has not been widely incorporated into standard risk management practices. In an environment where risks are perceived to be growing and resources are limited, risk management leaders are finding that aligning the efforts of the three lines of defense can help an organization achieve synergy and effectively manage risk.
For such collaboration to be effective, internal audit needs to define a methodology to assess the other lines of defense and alleviate common challenges.
Barriers that can limit internal audit's ability to place reliance on others include:
- Lack of maturity by the first and second lines of defense.
- Concern that placing reliance on others will impair independence and objectivity.
- Lack of alignment in definition of risk and risk management.
- Lack of prescriptive guidance for evaluating the lines of defense.
Fortunately, internal audit can develop a methodology for relying on others that can help the organization overcome these barriers to create a more streamlined risk management process that effectively and efficiently uses all available resources.
ACHIEVING RELIANCE
For internal audit to achieve reliance on other lines of defense, it is important to define what this means. For our purposes, reliance is defined as the dependence on something or someone with trust and confidence. Within the context of internal audit, reliance relates to reducing the volume or extent of internal audit work when the work performed by others meets certain standards.
The Institute of Internal Auditors' IIA Practice Guide, Reliance by Internal Audit on Other Assurance Providers, describes five critical principles that should exist to achieve reliance: purpose; independence and objectivity; competence; elements of practice; and communication of results and impactful remediation.
Internal audit should design an approach for assessing the principles listed above in a manner that is consistent, comprehensive, and objective. An assessment is a good practice, regardless of whether there is a plan to place reliance on a particular group, as it will provide management with feedback on opportunities for improvement.
Consider performing the analysis annually and then as needed if circumstances occur that might change the assessment's results, such as a significant change in leadership or a significant change in responsibilities.
Let's review each principle and identify practical ways to integrate each in your approach:
- Purpose: Understand if goals and motivations are defined and clear, and how they align with their responsibilities and authorities within the organization.
- Independence and objectivity: Identify the compensation and reporting structure. Determine the level of freedom needed to execute responsibilities. Highlight the ethical standards within which they operate.
- Competence: Determine the qualifications and requirements needed to perform each role, such as education, technical training, certifications, and years of professional experience. Assess how the resources align with those criteria.
- Elements of practice: Policies, programs, and procedures should be in place and understood in order to be followed. Assess if planning, supervision, documentation, and reviews are appropriate, and if results are sufficiently supported.
- Communication of results and impactful remediation: Understand the issue remediation methodology, tracking and response protocols, how issues are validated for remediation and sustainability, and communication of the results to management.
It's vital for internal audit to thoroughly document its methodology, policies, and procedures. As communication and transparency are key, this process allows management and stakeholders to contribute to the process and obtain necessary approvals from the audit committee or other governing authority. Consider implementing training and quality assurance mechanisms to monitor that the assessments are performed as designed and the criteria are applied consistently.
It is also important to define a rating methodology. Based on the results, you can determine the level of reliance that may be placed. For example, the work of groups that receive the highest rating may be relied upon to the maximum extent, and the auditor can eliminate testing due to reliance on such testing. The work of groups that receive a midtier rating may be relied upon to a limited extent, and the auditor can reperform testing over a subset of such testing to determine whether reasonable conclusions were reached. Low ratings would likely indicate that little to no reliance can be placed, and internal audit should perform testing as planned.
The goals are more effective integration of risk management activities, reducing duplicative efforts, increasing the quality of activities performed by all lines of defense, and realigning internal audit within the organization as a trusted adviser.
ADDRESSING CHALLENGES
PwC's 2017 State of the Internal Audit Profession survey identified common challenges most internal audit departments face (see the sidebar, "Reliance Challenges," for several key numbers from the survey). While internal audit is well-positioned to be a catalyst for adopting a reliance methodology, it has been reluctant to take a firm position, develop policies and procedures, and facilitate meaningful dialogue with the appropriate stakeholders. Outlined here are these challenges, as well as tips on how to begin bridging the gaps with an organization.
Challenge No. 1: Internal audit practitioners believe that groups within the other lines of defense lack maturity
This belief stems from internal audit's lack of confidence in others' abilities to effectively identify risks and controls, perform adequate monitoring, and test true remediation of issues, highlighted by the fact that the other lines of defense often do not have sufficient staff and/or staff with adequate controls-oriented skill sets.
Consider the following in addressing this challenge:
- Define a maturity model that describes the desired behaviors and working practices needed to reach the optimal level of reliance. Compare this to the current behaviors and practices to determine the gaps and needs of both people and systems.
- Proactively communicate expectations and standards for reliance to the other lines of defense. This includes the need to train resources to properly execute the work and reestablish roles and responsibilities so there is an appropriate review and supervision of the work being done.
Ask yourself: How can you help further enhance the skills of people and improve systems across the lines of defense to support your risk management and controls framework? How can you define common risk management and controls frameworks to be used across the organization?
Challenge No. 2: There are varying definitions of risk and risk management across the three lines of defense
The tone at the top may not convey the importance of communication and collaboration across the organization to bring about a disciplined approach to managing risk. Fifty percent of the PwC survey respondents stated that risk assessments and the evaluation of risks and controls are performed in isolation (separately by each group in the other lines of defense).
Consider the following in addressing this challenge:
- Collaborate with the other lines of defense to create a universal taxonomy that incorporates the collective view of risks of all types across the organization.
- Clearly define roles and responsibilities of "risk owners" to drive accountability and have a clear understanding of the risk environment.
- Establish an enterprisewide risk assessment approach that will help manage risks across the organization holistically and regularly.
- Actively work with leadership to improve the support for risk management across all lines of defense.
Ask yourself: Do all lines of defense in your organization coordinate to determine where efficiencies can be gained in evaluating risks and testing controls?
Challenge No. 3: There is concern that reliance may impair internal audit's independence and objectivity in fact or in appearance
One key to mitigating the idea that internal audit's independence and objectivity may be impaired by placing reliance is ensuring that sufficient documentation and process protocols not only exist, but are also being followed. With a well-defined structure in place for assessing the other lines of defense, internal audit should feel very comfortable defending a reliance approach while maintaining objectivity.
Consider the following in addressing this challenge:
- Establish lines of demarcation as necessary to protect internal audit from independence risks. Teams can continue to collaborate, but they need to be able to maintain an objective viewpoint.
- Maintain an informed position by facilitating transparency across the lines of defense, including reviewing reports provided by the other lines of defense.
Ask yourself: Do you have the appropriate documentation and risk management protocols in place to mitigate independence risks?
Challenge No. 4: There is a lack of prescriptive guidance for internal audit practitioners to follow
Guidance related to the concept of reliance is generally targeted toward external assurance providers. Though the IIA Practice Guide provides some guidance, PwC's survey found that 42% of respondents believe it is not prescriptive enough with respect to the "who, what, when, and how."
Consider the following in addressing this challenge:
- Clearly define and document the concept of reliance as it specifically relates to your organization.
- Clearly define and document policies, procedures, and methodologies to drive how reliance will be placed.
Ask yourself: Have you aggregated the suggested guidance and professional judgment to define the protocols that would be necessary to make this work?
APPLICATION AND WHAT'S NEXT
As internal audit's role in integrated risk management continues to expand and deepen, internal audit leaders are taking a fresh look at ways to become more agile, enhance the effectiveness of coverage, and optimize the use of audit and risk resources across the organization. Your internal audit department can apply the practices outlined in this article and build a blueprint that demonstrates internal audit's approach to the concepts and practice of reliance.
Defining the concept of reliance on the work of others, and then defining the methodology for achieving reliance, will help internal audit and others within the organization become more successfully aligned. These steps include the application of specific principles governing the internal audit approach, including a comprehensive analysis of the first and second lines of defense in the context of meeting the applicable principles. The blueprint should also outline internal audit's policy and procedures, detailing steps required for reliance. Lastly, this blueprint will serve as a tool to obtain a consensus among organizational stakeholders on expectations and related challenges. Having all these items outlined in one document will facilitate alignment among various departments within the organization.
This well-thought-out and documented reliance model will have a significant positive impact on audit coverage, reduce duplication among testing groups, and create strategic resource allocation. As a result, internal audit will be better aligned within the organization to provide guidance and advice, focus on more strategic and value-added activities, and serve as a trusted adviser.
Reliance challenges
62% Portion of internal auditors who say lack of maturity within the other lines of defense prevents internal audit from placing reliance on the other lines of defense.
77% Portion who say internal audit does not have a methodology for evaluating the lines of defense for the purpose of placing reliance on other lines of defense.
58% Portion who are concerned that relying on other lines of defense may limit their ability or authority to develop their own point of view.
92% Portion who have not developed policies and procedures that address placing reliance on the other lines of defense.
Source: PwC's 2017 State of the Internal Audit Profession survey report.
About the authors
Jason Pett (jason.pett@us.pwc.com) is a partner and U.S. leader, internal audit, compliance, and risk management solutions for PwC. Danielle Poritz (danielle.poritz@us.pwc.com) is a director, internal audit, compliance, and risk management solutions for PwC. Michael T. Walker, CPA; Naomi Gordon-Fulse, CPA; Genail McKinley, CPA; and Stefanie Gould, CPA, also contributed to this article.
To comment on this article or to suggest an idea for another article, contact Ken Tysiac, editorial director, at Kenneth.Tysiac@aicpa-cima.com or 919-402-2112.
AICPA resources
Articles
- "Checklist: Auditing Risks in Culture," April 2016
- "How to Lead an Effective Internal Audit Function," March 8, 2016
- "Internal Auditors Challenged by Cybersecurity, Data Quality," JofA, Feb. 16, 2016
- "How Internal Audit Can Help Manage 10 Top Technology Risks," JofA, Aug. 26, 2015
- "Using Three Lines of Defense to Manage Internal Controls," JofA, July 8, 2015
CPE self-study
- Internal Audit Overview (#165340, online access; #GT-SMA-GRMG4, group pricing)
For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.
