THE X3 LINES OF DEFENCE – A NEW PERSPECTIVE?

Compliance and ethics touch everyone in an organization – and every employee is responsible for understanding their responsibilities from a compliance and ethics perspective. With this update, the IIA has clarified that the responsibility for managing risk remains part of first-line roles and within the scope of management. Companies considering updating risk frameworks in response to the new guidance may be best served by evaluating the guidance with the assistance of all relevant stakeholders, including leaders from management, compliance and audit.

The models

Why change

1. The changes are a remedy to concerns that the original model was so “rigid” that distinctions between the three lines were, in practice, “more like hardened silos.”
2. The original model may give the impression that the internal audit function is [should be]
   • “Reluctant to reach over and assist management with monitoring and oversight or even sometimes to reach over and be there during the design and implementation of controls,”
3. The updated model stresses
   • “Alignment and collaboration,”
4. And in the view of many commentators in 2020
   • “There has to be collaboration and communication across the three lines for them to effectively serve the needs of the organization.”

Old vs. New: Comparing the IIA’s Models

1. As stated in its recently published guidance regarding the updated model, the IIA indicates that the new model recognizes that
   • Management, compliance and internal audit must work together to mitigate risk, and
   • The changes were intended to identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.
2. Structure
   • The first line in the original model = Management controls and internal control measures represented,
   • The second line included various risk-management functions, including financial control, security, risk management, quality, inspection and compliance.
3. The IIA’s original model described three lines of defence against risk —
   • All reporting to senior management —
   • With the third line of defence, the internal audit function, also reporting directly to the company’s governing body, board or audit committee.
4. In the new model,
   • Both management and internal audit report to and receive oversight from the organization’s governing body.

Does the New Model Suggest a New Definition of Internal Audit?

1. Internal audit occupies the same space in both models, but the definitions of the first and second lines have changed significantly.
2. The original model’s sole focus on protecting value was problematic, since
   • “Organizations don’t exist just to protect value, but rather to create value and to serve customers, shareholders and others.”
3. Notably, company management is now deemed responsible both for
   • First-line activities – including managing risk and the provision of products/services to clients – and
   • Second-line activities, described as providing expertise, support, monitoring and “challenge on risk-related matters.”
4. The new model embraces
   • A more modern, expanded view of the role of internal audit, including helping management identify the risks and opportunities that are “out there for tomorrow.”

Does this contemporaneous perspective compromise internal audit’s independence?

1. Independence was never meant to imply isolation.
   • “Internal audit has an obligation to collaborate and communicate with management,”
   • A process that starts with “having an internal audit function that has a deep understanding of the business and that has a deep understanding of the roles and responsibilities that management has in making that business successful.”
2. Auditors also must get comfortable sitting down with management and offering an audit perspective while controls are being implemented, he said.
   • “If an internal auditor waits until the bridge is built, so to speak, to offer their perspectives about whether it was correctly built, then the value that they add isn’t quite as great.”

Compliance in the New Model – Little More Than a Footnote?

1. At first glance, it may appear the compliance function has been removed completely from the three lines model.
   • In the original model, compliance was clearly identified by name as part of the second line of defence,
   • The graphic depicting the new model doesn’t mention compliance at all.
2. However, the guidance accompanying the graphic states that management, as part of its first-line duties, should ensure
   • “Compliance with legal, regulatory and ethical obligations.”
3. Further, as part of its second-line duties, the guidance gives management responsibility for
   • Developing, implementing and improving “risk management objectives,” which would include “compliance with laws, regulations and acceptable ethical behaviour;
   • Internal control; information and technology security; sustainability; and quality assurance.”
4. The guidance also states that management may blend or separate its various duties and may elect to assign some second-line roles to specialists to provide
   • “Complementary expertise, support, monitoring and challenge to those with first-line roles.”

3 lines of defence and compliance, is there a problem

1. Recent updates to the Institute of Internal Auditors’ (IIA) three lines of defence model offer a refreshing take on corporate governance, but some worry the new model undervalues the compliance function.
2. Compliance doesn’t appear to figure prominently in the update to the Institute of Internal Auditors’ 2013 Three Lines of Defence Model.
3. Given its authorship, the guidance understandably takes a decisively audit-focused approach, giving thoughtful consideration to how the internal audit team can deliver value.
4. Less attention is paid, however, to the roles of the control functions outside of the audit group – compliance in particular.

The Distinction Between Risk Management and Compliance

Negative

Still, the shift in the new model from specifically calling out compliance in second-line functions to merely highlighting management’s responsibilities for overseeing compliance causes consternation. the new model doesn’t account for

• “The distinction between the risk-discipline function and the compliance function.”
• While risk management deals with risk appetite, compliance is responsible for ensuring that management adheres to all external regulatory requirements and internal compliance and ethics policies,
• “It’s very important to recognize those two disciplines and their value to the organization and not lump them all into the concept of risk management,” McCarthy said.

Positive

“The types of support the second line should provide the organization, the new model allows for more flexibility and speaks to a wider audience,”

• “It allows smaller organizations without dedicated compliance or risk functions to see how the model can be applied in their non-matrixed organizations,”
• The new model “more accurately reflects how risk is managed in organizations of all sizes.”

So, What IS the Role of Compliance?

Negative

• The lack of a clearly defined role for compliance in the model’s second line.
• Second-line functions provide value to the organization by performing oversight of the first line, she said. But that responsibility
• “Is not clearly defined in the new guidance.” Rather, it “lumps the second line in with management.”

Positive

• “By removing compliance from the second line, the new model allows compliance to be absorbed throughout all three lines,”
• This “more accurately reflects how compliance should operate in organizations – weaving through everything from the front line to the board.”
• Any failure to directly address oversight doesn’t trouble her, because she reads the model as consistent with regulatory requirements that the compliance function should audit and monitor the business.
• “By reworking the second line and emphasizing the need for the second line to provide expertise, support, monitoring and effective challenge, the new model has clarified and confirmed the role of compliance in advising on and overseeing the proper handling of risk-related matters throughout an organization,”

The Independence of the Second Line

Negative

Still, the shift in the new model from specifically calling out compliance in second-line functions to merely highlighting management’s responsibilities for overseeing compliance causes consternation. the new model doesn’t account for:

• “The distinction between the risk-discipline function and the compliance function.”
• While risk management deals with risk appetite, compliance is responsible for ensuring that management adheres to all external regulatory requirements and internal compliance and ethics policies,
• “It’s very important to recognize those two disciplines and their value to the organization and not lump them all into the concept of risk management”.

Positive

• “The types of support the second line should provide the organization, the new model allows for more flexibility and speaks to a wider audience,”
• “It allows smaller organizations without dedicated compliance or risk functions to see how the model can be applied in their non-matrixed organizations,”
• The new model “more accurately reflects how risk is managed in organizations of all sizes.”

The new model and Compliance in 2020

1. Compliance and ethics touch everyone in an organization – and every employee is responsible for understanding their responsibilities from a compliance and ethics perspective,”
2. With this update, the IIA has clarified that the responsibility for managing risk remains part of first-line roles and within the scope of management.
3. Compliance shouldn’t operate as a second line of defence, it should be “woven throughout every role and every function – from the front-line work to the board of directors.”
4. This is a win for the compliance function and compliance as a whole
5. “As compliance professionals and owners of compliance programs, we think about ourselves as a function that gives the organization the tools and guidelines to make good choices.”