Three lines of defence model – setting the scene
The main features of the model are:
- First line: operational management, who own and manage the risks, hold primary responsibility for managing organisational risk by designing and operating appropriate mitigating controls
- Second line: the Risk Management and Compliance functions, which help build and/or monitor the first-line controls, including reporting against risk appetite
- Third line: the principal function of the third line is to provide risk assurance. Internal Audit provides assurance on the effectiveness of governance, risk management and internal controls, including the first- and second-line controls. Internal Audit is independent of executive management in that it has a direct reporting line to the Audit Committee, which is made up of Non-Executive Directors (NEDs).
The Board and Executive management sit above the three lines and have collective responsibility for setting organisational objectives, defining the strategies to achieve them, establishing the governance and risk management framework (including the level of risk appetite that is tolerable), and implementing control frameworks that mitigate risks to within that tolerance.
However, organisational governance will never be fully effective if the three lines operate in silos. Integration is key, while preserving each line's independence and fully mitigating any potential conflicts of interest. For example, a regulated business should have a Chief Risk Officer (CRO) who is separate from the Head of Internal Audit (HoIA), with the two reporting to the Risk Committee and the Audit Committee respectively. At the same time, a close and collaborative working relationship between the CRO and the HoIA is indicative of good corporate governance.
Risk-Based Internal Auditing (“RBIA”) & the Risk Register
The Institute of Internal Auditors (“IIA”) defines RBIA as a methodology that links internal auditing to an organisation’s overall risk management framework. RBIA allows Internal Audit to provide assurance to the Board that the risk management processes are managing risks effectively in relation to the risk appetite. At every stage, RBIA seeks to reinforce the responsibilities placed on management and the Board for managing risk.
The IIA goes further and sets out RBIA as three stages through which the Internal Audit function applies it:
Stage 1: Assessing risk maturity
Obtaining an overview of the extent to which the Board and management determine, assess, manage and monitor risks. This provides an indication of how far the risk register can be relied upon for audit planning purposes.
Stage 2: Periodic audit planning
Identifying the assurance and consulting assignments for a specific period, usually a year, by identifying and prioritising all the areas on which the Board requires objective assurance, including the risk management processes, the management of key risks, and the recording and reporting of risks.
Stage 3: Individual audit assignments
Carrying out individual risk-based assignments to provide assurance on part of the risk management framework, including on the mitigation of individual or groups of risks.
IA Planning – Risk & Control Matrix (RCM)
For individual assignments, the RCM is the key IA planning document. It brings together the risk register and its mitigating controls, an assessment of risk appetite, inherent risk, residual risk, and risk scoring based on (1) impact and (2) probability. For each control, expect to record the Control Owner and Control Performer, Control Frequency, Prevent vs. Detect classification and Control Objective, and possibly other control assessments brought together under one roof, such as the applicable Lloyd’s Minimum Standards self-assessment and any applicable SOX testing results.
An example RCM, for Board Governance, is provided here: Risk & Control Matrix (RCM) – Example – Board Risk Governance
Link between Risk Scoring & IA Ratings
At the reporting stage of an internal audit, the report includes detailed findings with recommendations, together with a risk assessment and scoring that carries through from the planning stage, when the RCM was produced.
A typical Risk Matrix, whatever the industry or type of organisation, should follow the example provided here: Risk Scoring & IA Rating
If you need assistance with any aspect of your internal auditing service offering, JCBFL can help.