Challenges with the Three Lines of Defense

Slide 1: Challenges with the Three Lines of Defense. Norges Interne Revisorers Forening (Norwegian Institute of Internal Auditors), 31 May 2016. Prof. Flemming Ruud, PhD, State Authorised Public Accountant, Handelshøyskolen BI (BI Norwegian Business School), Oslo, and University of St. Gallen, Switzerland. flemming.ruud@bi.no

Slide 2: The Three Lines of Defense Model - the three lines.
Diagram: Governing Body / Board / Audit Committee, with Senior Management beneath.
1st Line of Defense: Management Controls; Internal Control Measures.
2nd Line of Defense: Financial Control; Security; Risk Management; Quality; Compliance.
3rd Line of Defense: Internal Audit.
Outside the organisation: External Audit; Regulator.
(IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, 2013, p. 2)

Slide 3: Contents
- The model as a simplification of reality
- A pretentious presentation?
- Risk management - reduction
- Terminology - defense vs. protection
- Separation vs. cooperation
- Choice of variables in the model
- "Continuous auditing" - or monitoring, or the 1st line?
- Further development - new elements or variables?
- Summary

Slide 4: Leveraging COSO across the Three Lines of Defense. Thought Paper of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2015. SUPPORT: Governance Structures - how the organisation assigns specific tasks and responsibilities in internal control. (COSO, Leveraging COSO Across the Three Lines of Defense, 2015)

Slide 5: Leveraging COSO across the Three Lines of Defense. Thought Paper of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2015. SUPPORT: Governance Structures - how the organisation assigns specific tasks and responsibilities in internal control. (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 4)

Slide 6: Leveraging COSO across the Three Lines of Defense. (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 5)

Slide 7: Leveraging COSO across the Three Lines of Defense. (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 7)

Slide 8: Several 2nd-line functions
- Risk Management
- Information Security
- Financial Control
- Physical Security
- Quality
- Health and Safety
- Inspection
- Compliance
- Legal
- Environmental
- Supply chain
- Other (depending upon industry-specific or company-specific needs)
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 6)

Slide 9: And, in addition:
- Assisting management in design and development of processes and controls to manage risks
- Defining activities to monitor and how to measure success as compared to management expectations
- Monitoring the adequacy and effectiveness of internal control activities
- Escalating critical issues, emerging risks and outliers
- Providing risk management frameworks
- Identifying and monitoring known and emerging issues affecting the organization's risks and controls
- Identifying shifts in the organization's implicit risk appetite and risk tolerance
- Providing guidance and training related to risk management and control processes
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 6)

Slide 10: Leveraging COSO across the Three Lines of Defense. (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 8)

Slide 11: Defense vs. risk reduction vs. "in control". The inherent risk in the value chain is reduced through the three lines of defense.
Diagram: Inherent risk -> 1st Line of Defense: Management Control (internal governance and control) -> 2nd Line of Defense: Risk Management, Compliance, Quality Assurance -> 3rd Line of Defense: Internal Audit -> Residual risk.

Slide 12: In Control Attention Radar (diagram)

Slide 13: Internal Control
Directive Controls: support the achievement of objectives.
Preventive Controls (Design): prevent non-beneficial behavior or events.
- Organizational measures: control effected by the company itself in terms of separation of functions and design of work processes.
- Organizational tools: plan of the organization, plan of processes, plan of functions, guidance, time stamp, signatory power.
- Technical tools: securities, IT controls.
Checking:
- Detective Controls: designed to detect misstatements or omissions as soon as possible.
- Corrective Controls: designed to re-align the actual state with the target state.

Slide 14: "Defense" - the meaning of defense. From French "défense", which stems from Latin "defensa", meaning "protection".
1. Protecting oneself against attack; an attack from someone / preventing something.
2. Arguing for a person or a cause that is exposed to criticism.
3. In a lawsuit: the accused in a criminal case defending themselves in court.
4. Sport.
Defend whom - against whom?? Management? The board? Owners? Creditors? Employees?
(Bibliographisches Institut, 2013)

Slide 15: Defense vs. value creation
- "Forsvar" vs. "Defense": linguistic aspects
- Value-adding: added value creation in internal audit (3rd line) and in risk management functions (2nd line)
- Lines of Control? Lines of Responsibility? 3rd Line Assurance?
- Traditional way of thinking: internal audit as the police for management and the board? An outdated image of internal audit?
- From "compliance audits to strategic assurance" (Austbø, Statoil)
- An alternative to backward-looking "offense"? Look more "upstream" and less "downstream" (May Ibsen)

Slide 16: Separate vs. cooperating functions - objectivity vs. independence.
Diagram: Governing Body / Board / Audit Committee, with Senior Management beneath.
1st Line of Defence: Management Controls; Internal Control Measures.
2nd Line of Defence: Financial Control; Security; Risk Management; Quality; Compliance.
3rd Line of Defence: Internal Audit.
Outside the organisation: External Audit; Regulator.
(Adapted from IIA Position Paper: The Three Lines of Defence in Effective Risk Management and Control, 2013, p. 2)

Slide 17: Integrated Assessment and Assurance, Zurich Financial Services. (Zurich Financial Services, Annual Report 2014, p. 56)

Slide 18: The development of the Three Lines of Defense Model.
Diagram: Senior Management; Board of Directors / Audit Committee.
1st line - Value generation: controls embedded in operational processes.
- Risk management: protection, prevention & transfer actions.
- Internal controls: key controls.
- Ethics & Compliance: implementation of whistle blowing.
- External certifications: operational controls linked to QSE, Basel 2, ...
2nd line - Strategy & Policies: definition and organization of systems.
- Risk management: definition of the ERM system; definition of risk policies and risk appetite; reporting to governance bodies.
- Internal control: definition of the IC system; choice of critical processes & key controls; reporting to governance bodies.
- Ethics & Compliance: definition of the E&C system; reporting to governance bodies.
- External controls: definition of certification policy; reporting to governance bodies.
3rd line - Assessment of the control environment.
- Internal audit: assessment of processes; testing.
- External audit: assessment of processes; testing.

Slide 19: The development of the Three Lines of Defense Model (diagram)

Slide 20: The development of the Three Lines of Defense Model.
Diagram: Senior Management; Board of Directors / Audit Committee.
1st Line of Defense: operational and supporting functions; risk management and internal control procedures built into business processes.
2nd Line of Defense: Compliance; Risk Management; Others.
3rd Line of Defense: Internal Audit.
Outside the organisation: External Audit; Supervisory Authority.

Slide 21: The Three Lines of Defense Model - what about data analytics and continuous auditing?
Diagram: Governing Body / Board / Audit Committee, with Senior Management beneath.
1st Line of Defense: Management Controls; Internal Control Measures.
2nd Line of Defense: Financial Control; Security; Risk Management; Quality; Compliance.
3rd Line of Defense: Internal Audit.
Outside the organisation: External Audit; Regulator.
Added to the model: Big data; Analytics; Continuous auditing???

Slide 22: Nature of work - governance, risk management, and control processes.
Governance Processes (Standard 2110): The internal audit activity (IAA) should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and accountability.
- Effectively communicating risk and control information to appropriate areas of the organization.
- Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
Risk Management Processes (Standard 2120): The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems; ...
Control Processes (Standard 2130): ... and based on the risk assessment, evaluate the adequacy and effectiveness of controls regarding:
- Achievement of the organization's strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations;
- Safeguarding of assets; and
- Compliance with laws, regulations, and contracts.

Slide 23: Internal audit - development. Growth; re-performance.
Timeline (1990 - 2000 - 2010 - 2020):
- COSO Internal Control (1992) - Control
- Basel Committee: Internal audit in banks and the supervisor's relationship with audit (2001)
- Introduction of SOX Compliance (2002) - Financial Reporting; Compliance; Internal Control over Financial Reporting; Ongoing Compliance
- NYSE Listing Rules, Section 303A.07(d): "Each listed company must have an internal audit function." (2003)
- COSO ERM (2004) - Risk; Operations
- Basel Committee: The internal audit function in banks (2012) - Governance
- Update of COSO Internal Control (2013)
- Update of NUES / Swiss Code (2014)
Standards: 2110 Governance processes; 2120 Risk management processes; 2130 Internal governance and control processes. Quo vadis?

Slide 24: The three lines of defense model, process-oriented. Overall statement - "holistic assurance".
Diagram elements: Legislation; Shareholders; Investors; Other Stakeholders; Government; Suppliers; Customers; Employers. Direction; Indicators; Signals; Accountability. BoD; CEO; Vision; Objectives; Strategies; Nomination; Remuneration; Audit Committee. Value Adding Process. 1st Line: Controlling; Risk Management. 2nd Line: Compliance; Quality Management; Risk Management and Internal Control. 3rd Line: Assurance; External Audit.

Slide 25: Development and Current State of Internal Auditing. "Internal auditing has got to be the coolest profession in the world." (Tom Peters, The Institute of Internal Auditors International Conference, Orlando, 2013). Tom Peters (born November 7, 1942): American management guru and writer on business management practices; co-author (with Robert H. Waterman, Jr.) of the best-seller In Search of Excellence, 1982.