● Internal audit provides insight by acting as a catalyst for management and the board
to have a deeper understanding of governance processes and structures
● Internal audit can add value by providing advisory and consulting services, intended
to improve governance, risk management, and control processes, so long as internal
audit assumes no management responsibility
Institute of Internal Auditors (2013), IIA Position Paper: The Three Lines of Defense in
Effective Risk Management and Control
INTRODUCTION
Internal auditors, enterprise risk management specialists, compliance officers,
internal control specialists, quality inspectors, fraud investigators, and other risk and control
professionals are working together to help their organizations manage risk.
Clear responsibilities must be defined so that each group of risk and control
professionals understands the boundaries of their responsibilities and how their positions fit
into the organization’s overall risk and control structure.
Although risk management frameworks can effectively identify the types of risks that
modern businesses must control, these frameworks are largely silent about how specific
duties should be assigned and coordinated within the organization.
The Three Lines of Defense model provides a simple and effective way to enhance
communications on risk management and control by clarifying essential roles and duties. It
provides a fresh look at operations, helping to assure the ongoing success of risk
management initiatives, and it is appropriate for any organization — regardless of size or
complexity. If a formal risk management framework or system does not exist, the Three
Lines of Defense model can enhance clarity regarding risks and controls and help improve
the effectiveness of risk management systems.
Governing bodies and senior management are the primary stakeholders served by
the “lines,” and they are the parties best positioned to help ensure that the Three Lines of
Defense model is reflected in the organization’s risk management and control processes.
Senior management and governing bodies collectively have responsibility and
accountability for setting the organization’s objectives, defining strategies to achieve those
objectives, and establishing governance structures and processes to best manage the risks
in accomplishing those objectives.
The Three Lines of Defense model distinguishes among three groups (or lines)
involved in effective risk management:
• Functions that own and manage risks.
• Functions that oversee risks.
• Functions that provide independent assurance.
As the first line of defense, operational managers own and manage risks. They also are
responsible for implementing corrective actions to address process and control deficiencies.
Operational management is responsible for maintaining effective internal controls and for
executing risk and control procedures on a day-to-day basis. Operational management
identifies, assesses, controls, and mitigates risks, guiding the development and
implementation of internal policies and procedures and ensuring that activities are consistent
with goals and objectives.
Operational management naturally serves as the first line of defense because controls are
designed into systems and processes under the guidance of operational management.
Management establishes these functions to ensure the first line of defense is properly
designed, in place, and operating as intended. Each of these functions has some degree of
independence from the first line of defense, but they are by nature management functions.
Management functions may intervene directly in modifying and developing the internal
control and risk systems.
The responsibilities of these functions vary based on their specific nature, but can include:
• Supporting management policies, defining roles and responsibilities, and setting
goals for implementation.
• Providing risk management frameworks.
• Identifying known and emerging issues.
• Identifying shifts in the organization’s implicit risk appetite.
• Assisting management in developing processes and controls to manage risks and
issues.
• Providing guidance and training on risk management processes.
• Facilitating and monitoring implementation of effective risk management practices
by operational management.
• Alerting operational management to emerging issues and changing regulatory and
risk scenarios.
• Monitoring the adequacy and effectiveness of internal control, accuracy and
completeness of reporting, compliance with laws and regulations, and timely
remediation of deficiencies.
Establishing a professional internal audit activity should be a governance requirement for all
organizations. This is important for smaller entities, as they may face equally complex
environments with a less formal, robust organizational structure to ensure the effectiveness
of their governance and risk management processes. Internal audit actively contributes to
effective organizational governance provided that certain conditions — fostering its
independence and professionalism — are met. Best practice is to establish and maintain an
independent, adequately and competently staffed internal audit function, which includes:
Risk management normally is strongest when there are three separate and clearly identified
lines of defense. However, in exceptional situations that develop, especially in small
organizations, certain lines of defense may be combined.
Senior management and governing bodies should clearly communicate the expectation that
information be shared and activities coordinated among each of the groups responsible for
managing the organization’s risks and controls. Under the International Standards for the
Professional Practice of Internal Auditing, chief audit executives are specifically required to
“share information and coordinate activities with other internal and external providers of
assurance and consulting services to ensure proper coverage and minimize duplication of
efforts.”
RECOMMENDED PRACTICES:
• Risk and control processes should be structured in accordance with the Three Lines of
Defense model.
• Each line of defense should be supported by appropriate policies and role definitions.
• There should be proper coordination among the separate lines of defense to foster
efficiency and effectiveness.
• Risk and control functions operating at the different lines should appropriately share
knowledge and information to assist all functions in better accomplishing their roles in an
efficient manner.
• Lines of defense should not be combined or coordinated in a manner that compromises
their effectiveness.
• In situations where functions at different lines are combined, the governing body should be
advised of the structure and its impact. For organizations that have not established an
internal audit activity, management and/or the governing body should be required to explain
and disclose to their stakeholders that they have considered how adequate assurance on
the effectiveness of the organization’s governance, risk management, and control structure
will be obtained.
A company generally has certain business units or areas that are much more complex
and challenging to understand than routine areas such as payroll. Management should
highlight such complex or risky areas for the audit committee. Those areas may include
hedging operations or off-balance sheet and related information more efficiently and
effectively.
3. Materiality
Materiality is central to financial reporting. Management uses materiality when
evaluating whether to disclose an item, assessing whether to make a proposed
adjustment, determining the magnitude of an internal control deficiency, and deciding
whether to restate previously issued financial statements. Establishing materiality can
be quite complex. For example, some point to a “rule of thumb” quantitative threshold
(e.g., of net income or net loss) to establish materiality.
4. Accounting policies
It is critical that audit committees understand the significant accounting policies the
company uses and whether they are reasonable and appropriate. Because of the volume
and complexity of accounting standards, leading audit committees are devoting time at
meetings to ensure they understand existing accounting policies.
5. Accounting estimates
Accounting estimates represent higher financial reporting risk and require significant
judgement by management. Accordingly, the audit committee should understand which
areas involve estimates, given their effect on reported results. Management commonly
makes estimations for uncollectible accounts receivable, slow-moving or obsolete
inventory, asset impairment, pension and other postemployment benefit obligations,
income tax exposures, derivatives valuations, warranty liabilities, litigation reserves,
environmental liabilities, stock option expenses, and restructuring costs.
A challenge for audit committees is that they may be unaware the company has entered
into transactions involving related parties, and so they do not have a good basis for
determining whether the disclosures are adequate.
Astute committees perform their review before the company issues the interim financial
information, rather than after the fact. During its review of interim results, an audit
committee should ask management about significant judgements and issues faced in the
period end closing and whether the interim statements were prepared on a basis
consistent with the annual financial statements. The audit committee also should discuss
the results of any external auditor review of an interim report.
Audit committees should ask management whether any such significant events
occurred and what effect they had. The possibility that these types of events could occur
may even cause the company to reconsider the timing of the earnings release or the
filing date.
CHAPTER 2 "RISK MANAGEMENT AND THE SYSTEM OF INTERNAL CONTROL"
Internal control systems are designed to help companies mitigate known risks, and so audit
committees' oversight of internal control and risk management is often intertwined.
Overseeing how management addresses risk for financial reporting is clearly in an audit
committee's domain (and is discussed later in this chapter); however, some audit committees
take broader responsibility for overseeing risk management.
With audit committees already having significant responsibilities, many audit committee
chairs and other observers are deeply concerned about charging audit committees with full
responsibility for overseeing risk management. They argue that audit committees already
have overly full plates. But while audit committees generally are not charged with overseeing
all the risks that a company faces, many do take on responsibility to oversee the process
that management uses. Those audit committees that have responsibility for overseeing the
risk management process likely will want to:
2. Internal Control
The Sarbanes-Oxley Act requires U.S. public companies to report on internal control over
financial reporting. Companies must document, test, and evaluate these controls and
provide a report that acknowledges management’s responsibility for establishing and
maintaining adequate internal control over financial reporting, identifies the framework
management used to evaluate controls, indicates management’s conclusion regarding the
effectiveness of those controls, and describes any material weaknesses that exist.
While management is responsible for implementing effective internal control over financial
reporting, audit committees should meet periodically with the individuals who are primarily
responsible for internal control over financial reporting; understand and help set the tone at
the top; discuss with management the controls in place to mitigate key financial reporting
risks, including fraud risks; focus discussions on areas of greatest potential risk; understand
how management plans to assess internal control and what role internal audit and other
related resources will play; understand the external auditors’ scope and plan to test the
controls; and meet regularly with management, internal audit, and the external auditors to
discuss status and findings, particularly significant deficiencies and material weaknesses, as
well as management’s action plan to respond appropriately.
Weaknesses in internal control can make companies more susceptible to fraud. There are
many types of fraud, including misappropriation of company assets, insider trading, and
bribery. But the type of fraud that is of greatest concern for audit committees is financial
reporting fraud.
Additionally, audit committees may wish to ask management whether compliance programs
specifically address the FCPA and other anti-bribery legislation and whether programs are
tailored to incorporate risk analysis, training, sanctions, monitoring, auditing, and assistance.
Management has deep insight into the company and its challenges, and therefore is best
positioned to recommend what information the audit committee needs.
2. Management bench strength
How does an effective committee assess the strengths and performance of key finance
managers and the broader finance team?
- First, it discusses with the CFO how he or she ensures the finance team is
appropriately qualified – and how the staff stays current with changing accounting
standards.
- Second, the committee assesses how well senior finance personnel perform based
on what it witnesses at committee meetings and how these employees respond to
queries between meetings.
- Third, it considers the confidential feedback from internal and external auditors.
Members of management, such as the chief financial officer, chief accounting officer,
controller, and CFO, should attend audit committee meetings.
Internal audit’s role should be reflected in its charter. A charter sets out internal audit’s
purpose, authority, reporting structure, and responsibilities and should specify the group
cannot perform responsibilities that could hinder its objectivity.
Some companies have their internal audit departments fully “in house”. Others outsource
most or all of the work. Many take a hybrid approach – using outside resources in selected
circumstances to make the overall function stronger.
- An executive summary that concisely describes the overall state of the company’s
control environment and sets the context for the rest of the report and for the
discussion in the meeting. It should highlight any areas of significant concern.
- A description of internal audit’s most significant findings, with business implications
and an indication of management’s remediation plans.
- A listing of the results of all audits conducted since the last report, with the current
rating and the prior rating for each audit and an indication of whether the control
environment for that area or function is improving, deteriorating, or stable.
- The status of past significant audit recommendations, to allow the committee to
monitor management’s commitment to needed remediation and to understand if
repeat issues exist, which can be a sign of an ineffective process.
The internal audit reporting line should demonstrate the highest support for internal audit’s
mandate and support its objectivity. Often, internal audit reports both to executive management
and to the audit committee.
The internal audit director drives the function’s effectiveness and perception in the company.
This person’s background, experience, and executive presence play a key role in whether
other executives view him or her as part of the management team and whether they hold
internal audit in high regard. The internal audit director walks a fine line, as a member of
management and as the leader of an internal group that is expected to remain objective
with respect to management.
10. Private sessions
The audit committee should hold regular private meetings with the internal audit director,
ideally at each in-person audit committee meeting. These private sessions allow more open and
candid discussion than might otherwise occur with management present.
11. Evaluating internal audit’s performance
The committee should understand how internal audit monitors its own quality. Check that audits
are conducted in accordance with the department’s standards and professional internal
auditing standards. Committees can also seek input from external auditors.