The Institute of Internal Auditors (IIA) (https://www.iia.org.uk) is the recognised international standard setting body for the internal audit profession, including in the UK. The IIA is responsible for the INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (Standards) and also introduced the Three Lines of Defence governance model to Corporate America and globally to the other free market economies.
The main features of the model are:
- the Board and Executive management sit above the three lines and have collective responsibility for setting organisational objectives, defining strategies to achieve them, establishing the necessary governance risk management including setting the level of risk appetite that is tolerable, and in implementing control frameworks to mitigate the risks to the set tolerance,
- First line: Primary responsibility for managing organisational risks through designing and implementing appropriate mitigating controls rests with operational management who own and manage risks,
- Second line: comprises Risk Management and Compliance functions to help build and/or monitor the first line of defence controls, including risk appetite reporting,
- Third line: The principal function of the third line is to provide risk assurance. Internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including first and second-line controls. Internal audit is pseudo independent of management with a direct reporting line to the Audit Committee which is made of Non-Executive Director (NEDs) members.
In addition to the Standards, there is the Financial Services Code and its Code of Practice which should be applied in conjunction with the Standards. The Code builds on those Standards, providing context specific to the financial services sector; and seeks to increase the effectiveness and impact of internal audit in organisations in that sector by clarifying expectations and requirements. The full publication is shown at Financial Services Code