There has been much talk in the past few years about the IIA's recommended guidance, the Three Lines of Defense in Effective Risk Management and Control (or continuous monitoring of key data analytics). Thought leaders have stated the 3LOD model or continuous monitoring of key data analytics or duplicative efforts, or risk management improvement opportunities by or continuous monitoring of key data analytics.
According to the IIA's guidance, the 3LOD can be used to help improve risk management and control conversations by clarifying risk and control responsibilities between operational management (first line), risk management and compliance functions (second line) and internal audit (third line).
While these conversations were aimed towards anyone with risk or control responsibilities, internal audit leaders and chief audit executives may benefit from leveraging the 3LOD model to facilitate the following conversations and meetings they may have with different stakeholders:
1. During Internal Audit Kick-Off Meetings
When being audited by internal audit for the first time, employees (I mean our audit customers!) may not fully grasp what internal audit does or why their department was selected to be audited. Visually sharing and walking through the 3LOD model at the beginning of audit planning or fieldwork can increase your customer's understanding of the reason for the audit and internal audit's value proposition.
2. When Recommending Internal Control Changes
Take the example of a social media audit: your organization delegates sharing content on social media to business managers (first line), and policy creation and content monitoring to a social media department (second line). You observe issues with monitoring duties because the social media department spends most of their time carrying out the first line's responsibilities.
Using the 3LOD model to show management that, in this instance, social media is no different than the other second line of defense functions will help you influence and obtain support for your recommendation that the first line carries out their duties.
3. Summarizing Control Issues by Themes
When reporting internal audit issues to the audit committee, a leading practice is to summarize issues by theme. Typically issues have been themed by geography, business division, internal control area (i.e. compliance, operations, or reporting), or internal control component (i.e. control environment, risk assessment, control activities, etc.
Another way to consider reporting is by the first and second lines of defense. By highlighting in where internal audit issues are identified, common root causes may be determined, and then be more easily addressed. For example, a high number of audit issues found in the first line of defense may indicate a weak organizational control environment. Perhaps front line managers may not be incentivized to perform control responsibilities.
Conversely, a high number of audit issues found in the second line of defense may highlight inexperienced business leaders in compliance and risk management functions, or that poor communication exists between the first and second line of defense.
4. Providing Control Training
Internal audit is often asked to help facilitate compliance and control training. Training topics may typically include anti-corruption, ethics, and travel and entertainment expense requirements.
Using the 3LOD model to teach and train employees about the control responsibilities between the first, second, and third lines of defense could cement their understanding of their duties, resulting in increased control compliance.
5. Obtaining Approval for a Governance, Risk, and Control (GRC) Project
Multiple benefits are derived from internal audit completing a GRC project. Benefits include cost savings by eliminating control redundancies, identifying unknown or unaddressed risks by mapping out control activities and providing assurance on all organizational controls at a point in time.
Using the 3LOD model during the planning discussion may help executive management better understand how risks could be missed or how the same control could be performed more often than necessary. The model would come in very handy for the CAE who works within a matrix structure or a decentralized organization.
6. Suggesting Changes to Internal Audit Responsibilities
Many internal auditors have second line of defense responsibilities, such as Sarbanes-Oxley control testing, or continuous monitoring of key data analytics. Those CAEs should be in constant dialogue with their managers about whether or not internal audit's resources are best used by performing on-going management responsibilities, or by providing assurance through risk-based auditing.
The 3LOD model can be used to obtain support for changing Internal Audit's responsibilities, and to prove that organizational control is decreased when an independent monitoring activity is not sufficiently resourced.
The CAE who successfully uses the 3LOD model during important conversations should experience better business relationships, have less resistance to their recommended changes, and positively influence the awareness of risk management and control in their organization.