Should We Try to Keep Everyone in Line?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.

 

It seems that internal auditors are increasingly hearing from stakeholders who are concerned about a duplication of efforts between internal audit and other oversight functions within an organization. No matter how meticulously roles and responsibilities are assigned and documented, issues inevitably come up that fall into a gray area between internal audit and other monitoring activities, such as compliance or risk management. And where responsibility is not clearly defined, things can go awry.

A surprising number of internal audit recommendations spring from these “Who’s on first?” quandaries. That’s one of the reasons we spend so much time preparing flowcharts and narratives aimed at delineating responsibilities. Duplication of effort is almost always viewed as inefficient, and gaps are generally viewed as risky.

Because we are sensitive to these issues, you might think that such problems would be relatively uncommon as far as internal audit’s responsibilities are concerned. Unfortunately, we and some of our other oversight colleagues are often among the more conspicuous offenders.

One of the questions in The IIA’s 2014 North American Pulse of the Profession survey asked how clear the distinctions are between the roles of internal audit and an organization’s management, risk, compliance, and control functions. Two-thirds of chief audit executives (CAEs) who responded said their organizations had only moderately, somewhat, or not clearly defined lines of defense. It’s evident the boundaries between our organizations’ various assurance groups are drawn with a blurry line.

If we don’t address this issue, we will eventually run into serious problems. Work will indeed be unnecessarily duplicated or, worse, there will be gaps in the essential services provided by internal audit, internal control groups, risk-management professionals, and other assurance providers.

The IIA position paper The Three Lines of Defense in Effective Risk Management and Control embraces a simple and effective model to clarify essential roles and duties. However, internal audit is increasingly being asked to take on risk management and compliance responsibilities, and some chief risk officers are being asked to provide assurance on the overall effectiveness of risk management. Stakeholder perceptions of duplication are exacerbating feelings of “audit fatigue,” particularly among management stakeholders. As regulators and others place more emphasis on effective compliance and risk management, the chaos in the lines of defense is likely to grow.

If we don’t strive to clarify our respective responsibilities, we may soon be playing the blame game. And that’s a game no one wins. As the Pulse of the Profession report noted, should stakeholders not understand the distinction between the various risk and control functions, the presumption may become that one or the other function is dispensable.

If the lines of defense are not clearly drawn at your organization, I urge you to circulate a copy of The IIA’s position paper as a starting point for discussions. This issue is simply too important to ignore.

How clear are the lines within your organization? Should we try to keep everyone in line? And what are you doing functionally and administratively to ensure the internal audit function owns its true responsibilities?

Posted on May 6, 2014 by Richard Chambers


  1. (1/3)

    Richard,

     
    I agree that stakeholders are increasingly demanding transparency in relation to oversight roles, responsibilities, and accountabilities. As you suggest, where oversight responsibility is not clearly defined, "things can go awry".
     
    This, however, begins at the very top of the organization. A complete Lines of Defense framework must therefore also include the roles, responsibilities, and accountabilities of the 4th and 5th Lines of Defense (Executive Management, and the Board). Clearly these are the most important Lines of Defense from a strategic perspective. I therefore strongly recommend the adoption of an extended Five Lines of Defense as a more complete oversight model.
     
  1.  (2/3) I have previously addressed this critical issue in my Conference Board paper entitled "Corporate Oversight and Stakeholder Lines of Defense": 

     
    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1938360

    A short YouTube video also helps to visualize these workings:

    http://www.youtube.com/watch?v=vLoA8U0GZHI
  1.  (3/3)  In essence a Lines of Defense framework is designed to operate on the principle of providing transparency in assigning oversight responsibilities and in holding individuals or groups to account for these oversight responsibilities. The logic of a Lines of Defense approach is that each Line of Defense has “skin in the game” and has the capability to provide separate and additional levels of comfort, which can be relied upon in the event that a subordinate Line of Defense fails to operate effectively.

     
    If Internal Audit is to truly contribute at a strategic level, surely it must begin by ensuring that their organization recognizes and determines the critical oversight roles, responsibilities, and accountabilities of Executive Management and the Board in their organization's Lines of Defense framework.
  1.  Why do you think we have such confusion by internal auditors in the year 2014, Richard? What training programs has the IIA put in place so that such problems would not occur? I continue to be confused by what internal audit is actually doing in the marketplace and believe that their training is well below what it needs to be.

     

    For example, I pointed out the article on Mervyn King in last month's IIA magazine, probably the single most important article ever, yet nothing in the way of extensive training on such subject matter. Curious as to your thoughts on this matter. My sense is that we waste much time in providing training in areas that are not needed as opposed to focusing on the specific core problems relating to risk management, and as a consequence keep on churning articles on "how internal auditors need to step up to the plate".

    Don't you think by now they know this but do not know what it is they need to do specifically?

  1.  Totally agree with this fact.
