Part one – internal audit and compliance: some thoughts for directors

Published: 14 Sep 2012

In this first of two articles, which considers questions that a board director might ask of their organisation’s compliance and internal audit functions, Mark Stock starts with a reminder of the three lines of defence (3LD) model.

Boards, audit committees and senior management need to establish mechanisms to help them control the organisation, manage the risks it faces and comply with the legal and regulatory frameworks in which it operates, as well as with its own internal policies and procedures. These mechanisms will primarily focus on line management in the business but will be supplemented (particularly in larger organisations) by separate internal audit, head office compliance and company secretary functions.

1. What is the 3LD model?

Put simply, the ‘three lines of defence’ model explicitly allocates responsibility and accountability for control to each business unit or function within an organisation.

The outline of a basic 3LD model

  • The first line of defence covers front-line management in the business units. They carry primary responsibility to ensure they have a system of internal control that is ‘in place’, ‘fit for purpose’ and ‘working as intended’. They are often required to demonstrate this via a process of self-certification to senior management and others. Internal certification requirements often bring clarity on who is accountable for what.
  • The second line covers central management, usually at group level, including heads of group/policy setting or oversight functions, such as compliance and risk management. They gain ‘confidence’ in the system of internal control first by setting policies and boundaries (including delegations and escalations) across the organisation and by defining, implementing and maintaining reporting and monitoring activities. Increasingly, self-certification is also being used by policy-setting functions and thus it is important to have a common language and definitions.
  • The third line covers the assurance functions, ie, internal and external audit, which are independent of the execution of business. They ‘justify’ the confidence that management have over the system of internal control by performing independent checks on component parts of the system. It is important to draw the distinction between assurance provided by management and that by internal audit. While ultimately both give assurance to the board/audit committee, it is only internal audit that provides independent assurance. Internal audit should be directly accountable to the board and/or audit committee.

While the 3LD model is simple in concept, applying it unthinkingly can be restrictive. In reality the edges of the model are often blurred. The structure of any organisation will vary depending on its nature, maturity, culture and complexity. For example, the basic 3LD model can be challenging to apply in large, complex organisations with shared services and multiple co-located business units. By way of contrast, in a small organisation where the CEO and the directors can reach out and touch all sides of the business, a simpler model may be sufficient.

It must be recognised that as an organisation gets larger, and the directors’ reach diminishes, there is an increased need to set rules and clear boundaries and ultimately to delegate responsibility to monitor compliance. Breakdowns in internal control often result from weaknesses associated with a lack of clarity on accountabilities between functions.

2. Where do the compliance and the internal audit functions fit into the model and what do they do?

Compliance

Management in the first line of defence should undertake compliance activity as part of their everyday activities controlling and monitoring their business. The compliance function is generally considered to be a second line of defence function and internal audit a third line of defence function.

The activity of a compliance function has historically been to try to ensure ‘continual compliance’, either to act as a preventative control or as a swift-responding detective control that can quickly correct and mitigate the consequences of non-compliance.

In organisations where the consequences of non-compliance are severe, in particular financial services, this compliance activity can become significant. Many compliance functions have grown significantly in size and have become sophisticated in the tools and capabilities deployed. With the ever-increasing burden of compliance and the increasing consequences of non-compliance, it is perhaps unsurprising that the role of chief compliance officer has become more commonly found within organisations.

Although the increasing sophistication of the compliance function can be seen as a positive response to the legislation and regulation that a company is expected to adhere to, as well as its ability to monitor adherence to the organisation’s own policies, directors should be aware that this could mask a problem. If there is a substantial increase in the workload of the compliance function, this might mean that front-line management is not adequately undertaking its compliance responsibilities.

Directors should be aware of the dangers of focusing too much on strengthening second line compliance functions rather than reinforcing a ‘right first time’ culture, which might ultimately be less costly to the company. The maturity of the first line of defence should always be in the minds of the board and audit committee, as well as the head of internal audit.

Internal audit

Turning to internal audit, boards and audit committees increasingly have a reasonable understanding that the work of independent internal audit is not the same as that of a compliance function. However, one key aspect of internal audit’s work that may not be immediately apparent is the extent to which it assesses the full cycle of assurance over policy governance. Internal audit considers the four pillars of policy governance and may ask:

  • Is the policy fit for purpose? What approach is taken to ensure the policy has been refreshed to reflect new and emerging risks, and/or a revised view of the organisation’s appetite for risk?
  • How does the policy owner ensure their policy is understood throughout the organisation, including appropriate feedback mechanisms to check and challenge understanding?
  • What self-verification mechanisms are in place for responsible individuals (often business unit leaders) to confirm they have complied or to report exceptions or violations?
  • What monitoring is undertaken by the policy owner to validate that the compliance statements being made are valid and reliable?

3. Should the internal audit function undertake work in the compliance area?

Yes. Internal audit should seek to assess the effectiveness of compliance activity within the organisation. Areas for particular consideration could include policies where non-compliance is considered high risk such as anti-trust, anti-bribery, mis-selling, health and safety. Boards and audit committees should be aware that although these areas will often be included in the internal audit function’s plans, given the challenge to attain a percentage of coverage of all the business activities over a period of time, it is inevitable that even key policies may not be audited continuously.

It is not uncommon for the internal auditor to be asked to act as a ‘surrogate parent for controls over lost risks’. For example, where an emerging risk is identified and insufficient action is being taken, or it is unclear who should take control, internal audit can step in at the request of management to ensure appropriate controls are established and then seek to hand this over to an appropriate part of the business. It is better to do this than to stand by on the touchline observing that something needs to be done. A similar point of view could be taken on compliance activity: better that it is managed by a competent person who will ensure that it happens, rather than let it wane.

However, boards and audit committees should be aware that if there has been a significant amount of internal audit focus on compliance activity, this is often due to a lack of maturity in the second line of defence, where policy functions have not matured enough to provide oversight and establish their own effective monitoring. Boards and audit committees need to ensure that they are apprised of where internal audit is taking on additional responsibilities, and fully understand whether or not this is a temporary measure and under what circumstances it should cease.

For questions that boards and committees might ask about their internal audit and compliance functions, read the second article in this series.

Mark Stock is a Partner in PwC and was previously Group Audit Director at Vodafone plc

Non-Executive Directors Group, September 2012
