The three lines of "defense", a new vision!

Yesterday the Institute of Internal Auditors released the new vision of the three lines, and the title caught my attention, as it does not mention the word “defense”, which can be either a mistake or deliberate, demonstrating that the members of each line are not there to defend, but to manage, add value, including the third line,  which makes much more sense to me.

The original model emerged with the publication on September 21, 2010 by FERMA and ECIIA in the Guidance on the 8th EU Company law as a recommendation for implementing the law's requirements for monitoring the effectiveness of the internal control system, internal audit and risk management.

This update model solved an anomaly of the previous model, which demonstrated a duality in the internal audit reporting line, an arrow for senior management, and another for the level of supervision and governance, creating some “noise” about the independence of the internal audit activity, with no much sense

In this new format, it is very clear that the reporting line should only be for the level of supervision and governance (Board and Committee), and the relationship with senior management (President, their directs) is a process of alignment, communication, coordination and collaboration. This point reinforces the importance of independence for the existence of an effective and integrated internal audit to the businesses.

This subject regarding independence is also addressed by principle 5, which objectively describes the independence of the audit in relation to management responsibility, as you may see below:

Principle 5: Third Line Independence

Internal audit´s independence from the responsibilities of management is critical to its objective, authority, and credibility. It is established through: accountability to the governing body; unfettered access to people, resources, and data needed to complete its work; and freedom from bias or interference in the planning and delivery of audit services.

Another relevant subject, in my vision, that this model brings to our understanding to the role of the audit as a consultancy. It was a great confusion created when the definition of the audit was disclosed which includes in its statement that the audit adds value to the organization through assurance and consulting, which unfortunately, here in Brazil, allowed misunderstandings and great debates on this topic.

This new version accommodates this theme when it describes the roles of each of the lines, as we may see below, the role of the audit:

                             Internal Audit

•          Maintains primary accountability to the governing body and independence from the responsibilities of management.
•          Communicates independent and objectives assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control) to support the achievement of organizational objectives and to promote and facilitate continuous improvement.
•          Reports impairments to Independence and objectivity to the governing body and implements safeguards as required.

 

Observe that it describes “independent and objective assurance and advice”, remembering that objectivity is the auditor's independence in positioning and giving an opinion, based on his competence and proficiency.

I have had that the audit fulfills its role as a consultant, not implementing or executing management activities, but rather, making intelligent notes to management on opportunities for operational improvements to strengthen the efficiency, effectiveness and economy of the risk management process, controls internal and governance.

This model also stresses that independence does not mean isolation, as there must be an interaction between the three lines. The auditors have to be aligned with the organization's strategic and operational needs in order to became a “trusted advisor and strategic partner”.

However, for this to be true, the auditors must go back to basics.

When I say go back to basics, it is that the internal auditors must objectively understand their mission and the definition of what auditing is, essential points that are described in the International Structure of Professional Practices of the IIA. In addition, must be proficient in application of the standards of attributes and performance when carrying out the evaluation and / or consultancy work.

Finally, I believe that some discussions will arise about the model and its application, and this is my contribution to the understanding of this new version of the three-line model.

 

Be happy!

What is the importance of Internal Audit in the organization's governance process?

Somehow, especially after corporate fraud event, this question about the importance, and also, about the effectiveness of internal auditing, becomes more latent and frequent, mainly in relation to the cost and benefit of having the internal audit in the corporation.

Part of this doubt is generated by the auditors themselves, who are stationed in compliance work, or with the archaic view that a good audit is one that finds errors and irregularities, fail to demonstrate objectively and pragmatically the gains generated by the existence of an audit activity. proactive, structured and integrated audit to the business.

To answer the question above, we first need to understand that internal auditing aims to add value to the organization through smart notes on opportunities for improvement, resulting from independent and objective assessments of the performance of operational processes, considering efficiency, effectiveness and economics of risk management, compliance, internal control system and corporate governance.

It is important to note that the internal audit activity does not exist to find errors or irregularities, it is not a control, it is not an ombudsman, nor a provider of opinions, nor is it a inspection unit.

Internal audit is not control, but it is part of the internal control system, as it is the periodic monitoring activity dealt with in the monitoring component of the COSO Internal Controls Structure management good practice paradigm.

It is an activity based on standards and professional practices that guide your organization and the applied evaluation methodology. The auditors' positioning and opinion are based on factual evidence, obtained through audit procedures and techniques, applied in a systematic and disciplined manner, comparing the activity evaluated with the chosen standard of best management practices, thus allowing for quality notes and effective for improving the entity's operational and strategic management process.

Although the internal audit does not have the objective of detecting irregularities, the auditor is proficient in detecting indications of the existence of possible irregularities and, therefore, directing the finding to the competent bodies. He is also proficient in identifying operational vulnerabilities that may contribute to fraud and / or corruption events, suggesting, for responsible management, taking actions to mitigate this vulnerability.

Internal audit is also responsible for the dissemination of corporate ethical values ​​in the day-to-day activities of the organization, including the dissemination of best management practices, thus contributing to the increase of the organization's capacity to achieve its objectives through economic and effective processes.

It is worth remembering that, according to our experience, only with the presence of the audit activity in the organizational structure, possible acts of irregularities are already prevented, as it changes the view of the “rational” attribute, considered in the concept of the fraud triangle.

Finally, an independent, proactive and integrated internal auditing activity is essential for strengthening the corporate governance structure. Furthermore, it should not be seen as a cost center, since through your work, the company will have:

• More aligned, effective and economical operating processes,
• Better understanding of existing risks, resulting in a better mitigation process,
• Minimization of losses arising from possible acts of irregularities.

But for all of this to be a reality, it is essential to have a modern and integrated internal audit with proficient, proactive auditors aligned with the organization's business, guided by the auditing standards and professional practices.

Be happy!