Optimized Integrated Assurance

An organization’s three lines of defense should be tailored to its structure, culture, and risk environment.


In today’s business environment, risks are continually evolving because of economic conditions, the rapid pace of market and technological change, and increasing regulatory oversight. Management and the board must have assurance that risks are identified and that operations are managed within acceptable tolerance levels. This assurance usually comes from the organization’s business and control functions, referred to here as assurance providers. Their collective efforts provide the organization its integrated assurance.

Given the number of assurance providers across the enterprise, and increasing pressure to manage risks, an optimal framework is needed from which to operate. The generally accepted model is the three lines of defense.

The first line of defense, operational management, maintains internal controls and executes risk and control procedures as part of its daily operations. Usually comprising oversight functions responsible for policies and procedures, the second line of defense often includes the compliance, risk management, and financial control functions. Finally, the third line of defense, internal audit, is independent from the business units and provides the board and senior management assurance on the effectiveness of governance, risk management, and internal controls. The three lines of defense must operate effectively and cohesively to be fully integrated.

The work quality of all assurance providers must be sound, or the assurance will be misleading. As noted in the 2013 IIA position paper, The Three Lines of Defense in Effective Risk Management and Control: “The stakes are high. Without a cohesive, coordinated approach, limited risk and control resources may not be deployed effectively, and significant risks may not be identified or managed appropriately.”

What role should internal audit have in the integrated assurance process? The International Standards for the Professional Practice of Internal Auditing Standard 2050: Coordination states, “The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.”

Although there are no concrete rules for establishing the three lines of defense, there are certain elements that should be considered. Communication among the assurance providers, and ultimately their output to management and the respective boards and committees, is a cornerstone of success. The assurance providers must have a common risk and control language to allow for understanding among the providers. Internal audit can have an integral role in communication protocols within integrated assurance by being a champion for improving communication among the providers and striving toward an environment of minimal overlap of work. Internal audit should actively participate with the other assurance providers to identify and manage the risks facing the enterprise, ensuring that the third line of defense is applied in all applicable risk areas. Internal audit also should maintain a regular audit schedule of the assurance providers’ operations.

An example of an established integrated assurance function that uses the three lines of defense approach can be found at Farmers Insurance. Formal communication protocols, designed to support management in its responsibilities, have been established: the assurance providers meet each month to discuss their respective results, ongoing work, and matters to raise to management and the audit committee. This fosters teamwork and ensures ongoing communication and efficient use of resources.

A key output from the Farmers’ assurance providers is the risk landscape document, which lists key risks as identified by management, the owner of each risk, and each assurance provider’s detailed response to the individual risks. This process helps align the assurance providers with the risks facing the organization to ensure no key risks are missing.

To aid in better communication among the assurance providers, as well as with their formal reporting to management, boards, and committees, common terminology has been instituted among them for rating identified control issues and providing an overall opinion of the client’s control environment. Internal audit also maintains a regular review of all the integrated assurance providers.

Although each assurance provider has its own mandate, all are closely aligned and regularly exchange information. This integrated assurance approach provides the confidence to management and to the audit committee that risks are being identified, addressed, and mitigated.

The Farmers’ example has been optimized for what works best in its organizational structure, culture, and risk environment. It is important to customize the three lines of defense to meet the needs of the specific organization.
