The Evolution of Internal Audit: Beyond the Third Line of Defence

Introduction

Internal audit has long been recognized as the third line of defence in the risk management and control framework.

However, there is growing concern among professionals and industry experts that focusing exclusively on this traditional role may fail to add significant value to the organization. By not engaging with the first and second lines of defence, internal auditors risk overlooking the holistic management of risks and the alignment with strategic objectives. To truly contribute to the organization’s success, internal auditors must step up and play a more proactive role in strengthening governance and risk management across all levels of the organization.

The Traditional Role of Internal Audit

Traditionally, the internal audit function has been tasked with providing independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively. This is often referred to as the third line of defence, following the first line (operational management) and the second line (risk management and compliance functions). While this role is critical, it is often perceived as backward-looking, focusing on identifying past issues rather than preventing future problems.

The Limitations of a Narrow Focus

When internal auditors concentrate solely on their role within the third line of defence, several limitations emerge:

1. Reactive Approach: Auditors often spend considerable time identifying and reporting issues after they have occurred, rather than preventing them.
2. Siloed Function: By not collaborating with the first and second lines, internal auditors may miss out on a comprehensive view of the organization’s risk landscape.
3. Limited Impact on Strategy: Focusing strictly on compliance and control might lead to neglecting strategic risks that can impede the achievement of organizational objectives.
4. Value Perception: Stakeholders may view the internal audit function as merely a compliance necessity rather than a strategic partner.

The Need for a Proactive Stance

To overcome these limitations, internal auditors need to adopt a more proactive and integrated approach. This involves engaging with the first and second lines of defence to enhance the overall governance framework and ensure that risks are managed effectively throughout the organization.

Enhancing the First Line of Defence

The first line of defence comprises operational management, which owns and manages risks. Internal auditors can add value here by:

1. Risk Awareness and Training: Providing training sessions to operational managers on identifying, assessing, and mitigating risks.
2. Process Improvements: Collaborating with management to streamline processes, reduce inefficiencies, and embed risk management practices into daily operations.
3. Advisory Services: Acting as advisors rather than just evaluators, offering insights and recommendations on best practices in risk management.

Strengthening the Second Line of Defence

The second line of defence includes risk management and compliance functions, which oversee risk and monitor controls. Internal auditors can support this line by:

1. Risk Assessments: Assisting in conducting comprehensive risk assessments to ensure all significant risks are identified and evaluated.
2. Compliance Checks: Working closely with compliance teams to ensure regulatory requirements are met and controls are effective.
3. Coordination: Enhancing coordination between risk management, compliance, and operational functions to create a unified approach to risk management.

Bridging the Gap to Strategic Objectives

A crucial aspect of internal audit’s value proposition is its alignment with the organization’s strategic objectives. Internal auditors must ensure that their activities contribute to achieving these goals by:

1. Strategic Risk Management: Identifying and assessing strategic risks that could impact the organization’s ability to achieve its objectives.
2. Performance Metrics: Developing and monitoring key performance indicators (KPIs) related to risk management and strategic initiatives.
3. Regular Reviews: Conducting regular reviews and providing feedback on the organization’s progress toward its strategic goals.

Case Study: A Holistic Approach to Internal Audit

Consider a multinational corporation facing significant operational risks due to fragmented processes across its global subsidiaries. The internal audit team, traditionally focused on compliance and control, decided to adopt a more proactive approach.

1. Engagement with First Line: The internal auditors conducted workshops with operational managers to identify process inefficiencies and areas for improvement. They provided training on risk management techniques and helped embed these practices into daily operations.
2. Collaboration with Second Line: They worked closely with the risk management team to develop a comprehensive risk assessment framework. This included regular risk assessments and compliance checks to ensure all regulatory requirements were met.
3. Alignment with Strategy: The internal auditors identified strategic risks related to the company’s expansion plans. They developed KPIs to monitor progress and provided regular updates to senior management and the board.

As a result, the organization saw a significant improvement in its risk management practices, streamlined operations, and better alignment with its strategic objectives. The internal audit function was now viewed as a strategic partner rather than just a compliance necessity.

Conclusion

To remain relevant and add significant value, internal auditors must move beyond their traditional role as the third line of defence. By actively engaging with the first and second lines, they can enhance governance, improve risk management practices, and contribute to the achievement of the organization’s strategic objectives. This proactive and integrated approach not only strengthens the overall risk management framework but also elevates the perception of the internal audit function as a key player in the organization’s success.