background papers - TheIIA · APPENDIX: COMPLETE RESPONSES FROM ADVANCE POLLING QUESTIONNAIRE ......


BACKGROUND PAPERS

ABSTRACT

Background Papers are provided in advance of Global Council to provide comprehensive information on each of the topics to be discussed during the event.


2019 GLOBAL COUNCIL BACKGROUND PAPERS

Table of Contents

AGENDA
2019 GLOBAL COUNCIL OVERVIEW
BACKGROUND PAPER 1: GLOBAL ASSEMBLY
BACKGROUND PAPER 2: THREE LINES OF DEFENSE
BACKGROUND PAPER 3: GLOBAL CONTENT STRATEGY
APPENDIX:
COMPLETE RESPONSES FROM ADVANCE POLLING QUESTIONNAIRE
CURRENT THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL


Agenda

Sunday, 17 March 2019

12:00–17:00 Registration

09:00–15:00 Affiliate Management Workshop (by invitation only)

18:00–20:00 Welcome Reception

Monday, 18 March 2019

07:15–08:15 Registration

08:30–10:00 Opening Session

10:00–10:30 Break

10:30–12:30 Breakout Discussion Session 1: Global Assembly

12:30–13:30 Lunch

13:30–15:30 Breakout Discussion Session 2: Three Lines of Defense

15:30–16:00 Break

16:00–17:00 Knowledge Exchange Session

18:30–21:30 Transportation to Cultural Evening and Dinner Hosted by IIA–Japan

Tuesday, 19 March 2019

08:30–10:00 General Session: The Global State of the Profession & Trends Impacting the Profession

10:00–10:30 Break

10:30–12:30 Breakout Discussion Session 3: Global Content Strategy

12:30–13:30 Lunch

13:30–15:00 Knowledge Exchange Session

15:00–15:30 Break

15:30–17:00 Closing Session: The Year Ahead

Wednesday, 20 March 2019

07:30–16:00 Transportation to Cultural Tours Hosted by IIA–Japan (groups depart/return at different times)

All meetings will be held at the Hilton Tokyo Odaiba in Tokyo, Japan.


OVERVIEW

The IIA’s annual Global Council brings together IIA leaders from around the world to contribute insights that shape the future of our global organization and profession, to learn about key global strategies, and to share knowledge with each other. Leveraging The IIA’s 100+ Affiliates’ differences in membership sizes, levels of maturity, and ranges of activities, the Global Council serves as a platform where each Affiliate’s contributions add to the capacity, depth, and diversity of The IIA’s global network, propelling the association forward.

OPENING SESSION

Following the traditional roll call of all Affiliates present and a special welcome from IIA–Japan, The IIA’s 2018–19 Chairman of the Global Board, Naohiro Mouri, CIA, will officially open and preside over 2019 Global Council. The Opening Session will include an update on key efforts conducted since the 2018 Global Council, in Panama City, where delegates discussed the 2019–23 Global Strategic Plan.

BREAKOUT DISCUSSION SESSIONS

Breakout Discussion Sessions will be held on each of the 2019 Global Council topics:

1. Global Assembly,

2. Three Lines of Defense, and

3. Global Content Strategy.

The sessions are supported by a facilitator and a note taker from The IIA’s Executive Committee and IIA staff. During the sessions, participants are seated either randomly or by Affiliate size/maturity at roundtables of seven to eight participants. Table participants change for each session, and representatives from the same Affiliate will be seated at different tables.

During these sessions, participants will have two hours to debate and share their views on the Discussion Questions included in the Background Papers (below). The discussions are intended to collect input and ideas from all participants, to generate debate, and ultimately, to provide collective, agreed-upon suggestions, recommendations, and direction in answer to the discussion questions. So while each participant will come to the Global Council prepared with their Affiliate’s views and ideas, it is expected that additional, unique insights will be gained from the collective sharing and exchange that occurs during the Breakout Discussion Sessions.


GENERAL SESSION

During the General Session, IIA President and CEO Richard Chambers will present the Global State of the Internal Audit Profession and will host the discussion “Trends Impacting the Profession,” featuring a panel of industry experts from around the world.

KNOWLEDGE EXCHANGE SESSIONS

Two Knowledge Exchange Sessions will give delegates opportunities to learn, share, and build relations with other Global Council participants. These fun, engaging sessions include a variety of activities and contests that will give everyone a chance to participate and win prizes!

SOCIAL EVENTS

Global Council provides a unique opportunity for participants to network with each other socially and become acquainted with other cultures. The IIA and IIA–Japan have arranged several social events to provide opportunities to see local sites and experience Japanese culture.

Global Council begins with a Welcome Reception hosted by The IIA on Sunday, 17 March, at the Hilton Tokyo Odaiba. Monday night, IIA–Japan will host the Cultural Evening and Dinner, an exquisite evening of entertainment and Japanese cuisine at a beautiful off-site venue steeped in Japanese tradition and surrounded by ambient scenery.

A highlight of Global Council is the Cultural Tour, where delegates and guests are invited to explore the sights and sounds of Japan and its culture. IIA–Japan is inviting delegates and their guests to join Wednesday’s optional tour to Kamakura, which includes visits to Tsurugaoka Hachimangu Shrine, Komachi Street, and the Hasedera Temple. Pre-registration for the tour is required.

CLOSING SESSION

The Closing Session will provide a high-level overview of several global initiatives and projects for 2019–2020 and plans for the first IIA Global Assembly to be held in 2020. Following closing remarks, delegates will gather to commemorate the event with the annual group photo.

BACKGROUND PAPERS

Global Council seeks input from Affiliates on the discussion topics in two ways: advance polling questions (done via a survey of all Affiliates conducted in November/December 2018) and onsite discussion questions. Preparation and participation by all attendees are key to a successful Global Council. Affiliates must review the following Background Papers in advance of the event to ensure their Global Council representatives are fully informed about the topics and familiar with the results of the advance polling. Affiliate representatives are encouraged to seek input on the discussion questions from their boards and, if applicable, their staff, and come prepared to share, representing their Affiliate’s views on the three discussion topics.

We look forward to seeing everyone in Tokyo! Please direct any questions to [email protected].


Background Paper: Moving from Global Council to Global Assembly

INTRODUCTION

In 2019, The IIA began restructuring its global governance by introducing significant changes to the Global Board of Directors and Executive Committee. In 2020, the Global Assembly will replace Global Council and introduce several enhancements.

Under the leadership of the 2017-2018 and the 2018-2019 Chairman of the Global Board, a Global Governance Task Force has been working on key concepts for the future Global Assembly.

The IIA’s Bylaws have been updated with the following references to Global Assembly:

Section 1. Global Assembly. The Global Assembly will provide a forum for Affiliates to have input to the Global Board on the strategic direction for the profession, and key IIA initiatives, priorities and activities.

Section 2. Members. The Global Assembly shall include such representatives as defined by the Global Board.

Section 3. Meetings. The Global Assembly shall meet at such dates and times as may be prescribed by the Global Board.

The 2019 Global Council discussions will give Affiliates an opportunity to provide feedback on some changes being considered for the new Global Assembly before its implementation in 2020.

BACKGROUND

Global Council has been somewhat effective as a forum for IIA Affiliates to share insights and input on The IIA’s Global Strategic Plan and key global projects and initiatives. However, the main goals of enhancing the model with the creation of the new Global Assembly are:

o To elevate the voice and influence of The IIA’s 100+ Affiliates.

o To increase Affiliate accountability to The IIA and its Global Board.

o To enhance the effectiveness of the global governance process.

Below are preliminary key definitions and concepts for the future Global Assembly, subject to Global Board approval in July 2019:


What is Global Assembly?

o A forum for Affiliates to provide input to the Global Board.

o A collective voice that helps inform, advise, and influence the Global Board* on strategy.

o A body that creates a liaison between the Global Board and the Affiliate Boards.

*Global Board decisions are final.

What is the Mission of Global Assembly?

o To serve as a sounding board for new ideas and concepts under consideration.

o To provide solicited input to global initiatives, projects, and strategies.

o To provide solicited feedback to draft global plans, positions, policies, etc.

o To communicate and offer insights regarding local trends, needs, issues, and risks.

o To share leading practices and facilitate benchmarking among Affiliates.

Who presides over Global Assembly?

o The Chairman of The IIA’s Global Board.

Who is entitled to a voice in the Global Assembly?

o Each IIA Affiliate shall have one voice (one per Institute and per international chapter).

o North America shall have three voices (USA, Canada, and the Caribbean).

Who are the Members of Global Assembly, how are they selected, and for how long?

o The Global Assembly Representatives are the members of Global Assembly.

o Each Affiliate and North America shall appoint their Global Assembly Representative.

o Each Global Assembly Representative shall serve on the Global Assembly for a three-year term.

Who are the Observing Members of Global Assembly and what are their responsibilities?

o Each director of the Global Board is an observing member.

o Observing members are responsible for preparing for and attending Global Assembly meetings and for considering input and feedback from Global Assembly.

What are the responsibilities of a Global Assembly Representative?

o To attend all Global Assembly in-person and teleconference meetings.

o To act as the liaison (connection) between the Global Assembly and their Affiliate Board.

o To actively participate in all Global Assembly meetings and activities.

o To share their knowledge with Global Assembly and report back to their Affiliate Board.

What are the attributes of a Global Assembly Representative?

o To be an active member or actively engage/participate in the Affiliate Board.

o To be knowledgeable about their Affiliate activities and operations.

o To be able to effectively communicate (write and speak) in English.

o To have the necessary time to dedicate to the outlined responsibilities.

o To be empowered by their Affiliate to represent its views and needs at Global Assembly.


Should the Global Assembly Representative be the current Affiliate Top Elected Officer?

o The Global Assembly Representative may be the current, past, or future Top Elected Officer or any other member of the Affiliate Board including the Chief Staff/Executive Officer as long as they can meet the outlined responsibilities and attributes of a Global Assembly Representative.

o Each Affiliate is encouraged to recognize the role of “Global Assembly Representative” as an addition to the appointee’s other responsibilities.

How often does the Global Assembly meet?

o One in-person meeting and up to three teleconference meetings per year.

Does Global Assembly change the relationship between an Affiliate and The IIA or impact the Master Relationship Agreement (MRA)?

o No, Global Assembly does not change the current relationship between IIA Global and an Affiliate.

o No, Global Assembly does not have any impact on the current obligations of The IIA and each Affiliate outlined in the MRA.

How can Global Assembly impact decisions of the Global Board?

o Global Assembly serves as an advisory body and sounding board to the Global Board.

o Global Assembly input and feedback is intended to represent the collective voice of all Affiliates, not the individual voice of each Affiliate.

o Global Assembly does not have official governance authority and any views of the Global Assembly are guiding, not authoritative.

o All official final decisions are the responsibility of the Global Board of Directors.

What are the main differences between the current Global Council and future Global Assembly?

Current Global Council: Global Council is mainly an in-person meeting held once a year at an event. Global Council participants might not have any connection with IIA Global Headquarters outside of this annual meeting. They have no set accountability or responsibilities outside of the actual annual Global Council meeting.

Future Global Assembly: Global Assembly is a group made up of official members appointed by the Affiliates to represent them at several meetings and to carry a series of responsibilities. Global Assembly meets several times a year, and the members act as the official liaisons between the Global Assembly (not IIA Global Headquarters) and their Affiliate Boards.

Current Global Council: Global Council has a defined role but no direct connection to the Global Board nor any joint meetings. Global Board members do not attend Global Council meetings.

Future Global Assembly: Global Assembly has a defined role and collective responsibilities to the Global Board. Global Assembly members are invited to attend the open Global Board meeting prior to the Global Assembly in-person meeting. Global Board members attend all Global Assembly meetings as observing members.

Current Global Council: The Executive Committee sets the topics that are discussed at the Global Council. The outcomes of the discussions are shared with all Affiliates, the Executive Committee, and the Global Board of Directors. However, there is no systematic process to ensure a continuous flow of information between the Global Board of Directors and the Global Council.

Future Global Assembly: The Global Board of Directors will approve the topics that are to be discussed by the Global Assembly. The outcome of the discussions will be shared with all Affiliates and the Global Board of Directors. There will be a systematic process in place to ensure a continuous flow of information between the Global Board of Directors and the Global Assembly.

Current Global Council: There is no expectation of continuity for Global Council attendees. Affiliates designate whomever they choose from year to year, some changing the delegate each year, others keeping the same person in place for up to 10 years. The practice of changing Global Council attendees frequently can be ineffective and inefficient. The lack of continuity from year to year requires constant adjustment to the Global Council process, format, and relationship building by those new attendees. On the other hand, the practice of maintaining the same Global Council attendees for six or more years in a row does not afford the benefits of different perspectives, learning, and new relationship building.

Future Global Assembly: Affiliates will be expected to appoint their Global Assembly Representative to serve for a period of three years. In that regard, Global Assembly operates more like a committee whose members are held accountable to fulfill a list of outlined responsibilities during their tenure on Global Assembly. This will require commitment and continuity by the representatives for a three-year term. It is understood that occasionally, a representative may not be able to complete his or her term due to changing personal or professional circumstances. Those situations shall be handled on an exception basis with a formal request process for the Affiliate to change their representative before the end of their three-year term.

Current Global Council: Global Council attendees are often the Affiliate Top Elected Officer (current or incoming). These positions may be demanding without the added workload that comes with preparing, attending, and reporting on Global Council. Some attendees do not possess enough fluency in English to effectively participate in the discussions and discharge the responsibilities.

Future Global Assembly: Global Assembly Representatives can be anyone on the Affiliate Board and/or appointed by the Affiliate because they have the time, knowledge, and skills to fulfill the outlined responsibilities. Command of the English language to effectively communicate verbally and in writing will be necessary to effectively discharge the responsibilities.

Current Global Council: Participation in the annual Global Council meeting is strongly encouraged for all Affiliates but not required. There are no consequences for nonparticipation (*see exception below).

Future Global Assembly: Participation in all meetings of the Global Assembly is required by all Affiliates. Attendance is tracked and nonparticipation in meetings could lead to consequences (to be determined).

Current Global Council: Funding support is available to select Affiliates based on demonstrated needs and *subject to strict conditions of participation in the Global Council meeting.

Future Global Assembly: Funding support will be available to Affiliates in need to ensure their participation at the in-person meeting of the Global Assembly.

Current Global Council: Affiliates may send up to two delegates to participate in the Global Council. IIA Global Headquarters pays for the cost of hosting the Global Council (meeting rooms, meals, tours, etc.) for all delegates (up to two per Affiliate) and up to one of their guests. There is no revenue to defer the costs of hosting the events. The co-hosting Affiliate funds one of the dinners and occasionally cultural tours for all delegates and their guests. Limited travel support (covering full or partial airfare) is provided to some Affiliates that are newer or demonstrate they are struggling financially and could not otherwise attend the in-person meeting. Those who request and accept funding may not send more than one attendee to Global Council.

Future Global Assembly: Affiliates may designate only one representative to Global Assembly. IIA Global pays for the cost of hosting the Global Assembly. However, the cost savings of limiting Global Assembly participation to one representative per Affiliate and no longer offering free cultural tours for all delegates and their guests will be redirected to provide financial support to Affiliates who demonstrate they are struggling financially to send their Representative to the Global Assembly in-person meeting. IIA Global Headquarters will seek additional ways to defer the costs of hosting the Global Assembly in-person meetings.

DISCUSSION QUESTIONS

Considering the background information and concepts outlined below, please review the questions below and ensure your representative will come prepared to Tokyo to share your Affiliate’s view and ideas on these questions during the Breakout Discussion Sessions.

Concepts: In order to manage the size of the Global Assembly’s in-person meetings and teleconference meetings, it is expected that each Affiliate and each group in North America (U.S., Canada, Caribbean) will have only one representative at Global Assembly. This person could be the current, past, or incoming Top Elected Officer, Chief Staff/Executive Officer or any designated Affiliate Board Member who meets the list of attributes.

Questions:

1. Assess the feasibility of Affiliates designating one person to fulfill the responsibilities of Global Assembly Representative.

2. Share your feedback regarding the proposed list of attributes of Global Assembly Representatives:

o To be an active member of their Affiliate board or actively participate/engage in the Affiliate Board.

o To be knowledgeable about their Affiliate activities and operations.

o To be able to effectively communicate (write and speak) in English.

o To have the necessary time to dedicate to the Global Assembly responsibilities.

o To be empowered by their Affiliate to represent their views and needs at Global Assembly.

Concepts: Global Assembly Representatives act as the liaisons between their Affiliate Board and the Global Assembly. Each must ensure that Global Assembly topics are communicated to their Board, that they seek their Board’s input to prepare for Global Assembly discussions, and report outcomes to their Board. Ideally their role of “Global Assembly Representative” is officially added to other responsibilities the representative may have on their Affiliate Board. There should be flexibility to appoint any board member who can fulfill these responsibilities in case the current Top Elected Officer lacks the time, knowledge or the English language skills to do so.

Questions:

3. Share your feedback regarding the list of responsibilities of Global Assembly Representatives:

o To attend all Global Assembly in-person and teleconference meetings.

o To act as a liaison (connection) between the Global Assembly and the Affiliate Board.

o To actively participate in all Global Assembly meetings and activities.

o To share their knowledge with Global Assembly and report back to the Affiliate Board.

Concepts: It is expected that all Affiliates appoint a Global Assembly Representative. Failure of the representative to attend all meetings of the Global Assembly would result in consequences for the Affiliate (to be determined). To facilitate this, the following must also be considered:

o Attendance at the teleconference meetings and participation in all activities (responding to all Global Assembly surveys and polls) is compulsory in all cases.

o Attendance at the in-person meetings could be subject to exceptions in some circumstances.

o The Affiliate may request to replace their appointed Global Assembly Representative if that person’s circumstances change during their three-year term. (This should be by exception only.)

o Affiliates must ensure their representative has funding to fulfill their obligation.

o Affiliates that are newer, smaller, and struggle financially to ensure their representative can travel to the Global Assembly in-person meeting may obtain reasonable financial support (to cover basic airfare and hotel accommodations) from IIA Global Headquarters.

o Representatives who don’t participate or have unexcused absences may be asked by the Global Board to resign. The affected Affiliates may be asked to replace the representatives or face consequences.

Questions:

4. Is compulsory participation of all Affiliates’ Global Assembly Representatives in all meetings and activities necessary so that Global Assembly can fulfill its mission?

5. Alternatively, for the in-person meeting of Global Assembly only, should there be criteria that an Affiliate should meet for their participation to be classified as either compulsory or optional? Please consider the following criteria:

a. Affiliate size of their membership?
b. Affiliate finances?
c. Affiliate maturity?
d. Other?

6. What consequences should be considered if an Affiliate with mandatory participation does not attend? Please consider the following criteria:

a. Lose their seat/voice in the Global Assembly for one year?
b. No longer qualified to nominate a candidate for the Global Board of Directors?
c. Other?

7. If participation isn’t compulsory or some have unexcused absences, how do we ensure non-participating Affiliates (that lose their seat/voice or for whom it’s optional) remain informed, involved and accountable to their obligations?


Background Paper: Three Lines of Defense

INTRODUCTION

Goal A of The IIA’s Global Strategic Plan 2019-2023 focuses on strengthening the profession and includes specific strategies for equipping members with resources to “strengthen the influence and position” of internal auditing while deploying appropriate messages among key stakeholders. Undertaking a review of The IIA’s Position Paper Three Lines of Defense is one short-term tactic to help achieve this goal.

The review of the IIA Position Paper “The Three Lines of Defense in Effective Risk Management and Control” was initiated in July 2018 and aims to deliver a revised position paper in 2019. The IIA’s Executive Committee assigned the Working Group to lead this project, chaired by Jenitha John, vice chair of Professional Certifications.

So far, the group has identified key strengths of the Three Lines of Defense model that should be preserved and opportunities for improvement. The Working Group has also established guiding principles for the development work.

The key next steps include regular consultation with an advisory group of around 30 stakeholders, discussion at Global Council to seek input from all Affiliate leaders, and public exposure of an updated position paper, before submitting it to the Global Board for final approval. Thereafter, sustained promotion of the new position paper to members and stakeholders will be essential for its recognition and adoption.

BACKGROUND

The Three Lines of Defense model has been around for more than 20 years and has been a major contribution to the collective understanding of governance, risk management, and internal control in organizations. The model provides a simple yet powerful way of recognizing and explaining how certain activities enable the governing body (regardless of how this is structured) to exercise its responsibilities for direction, performance, transparency, oversight, and accountability.

When The IIA released its original Position Paper “The Three Lines of Defense in Effective Risk Management and Control” in January 2013, the model was already well-known and widely implemented. Since then, the model has gained additional recognition and adoption. Yet, as organizations and the environments in which they operate have evolved, the need to revise the model has become evident. Globalization, technological innovation, demographic shifts, environmental changes, resourcing constraints, and similar trends are creating major disruptions and exposing governance weaknesses across all kinds of entities. There is an ongoing need for measures that enhance organizational integrity, advance public trust, and increase societal value derived from institutions.

The Three Lines of Defense model is built on an analogy that draws on the capabilities of a castle in repelling attacks from hostile forces, being a combination of physical structures (moat, drawbridge, castle walls, and so on) and the activities of the soldiers and king’s guards. Such comparisons have limited compatibility with most modern thinking on governance. The current analogy suggests static components (the lines) and sequential operations (the first line acting first, the second line taking over if the first fails, and so on), with a sole focus on defense.

Effective governance differs from this in certain fundamental regards:

o The components of good governance must operate together as a single mechanism, requiring a high degree of coordination between the “lines of defense”.

o The same processes and structures that work to protect organizational value must also serve to enhance and realize value, mitigating against the negative impact of risks as well as leveraging opportunities to optimize outcomes.

The goals of updating the position paper are to broaden the scope with emphasis on coordination and

collaboration in the Three Lines model and to elucidate how the “lines” operate in a more flexible and

holistic fashion. This will require new terminology and explanations and an amended graphic to help

explain the important enhancements under consideration.

The graphic deployed by The IIA in 2013, and subsequently widely shared, is instantly recognizable and

has served its purpose well over the years. However, it has also left room for a misperception that the

Three Lines of Defense model requires a fixed way of organizing functions per tightly defined silos of

responsibility. Given the diversity and relentless evolution of organizations and their operating

environments, when it comes to effective governance, it is highly unlikely that a one-size-fits-all approach

can apply to all situations.

The updated position paper will make clear that the model works better when it is understood as an

explanatory framework for certain kinds of activities that make distinctive contributions to organizational

governance, rather than being a prescription for organizational structure. Nevertheless, for there to be

credible challenge and independent assurance, which are both fundamental components of the model to

be highlighted in the new position paper, it is necessary to maintain certain important internal

relationships among the functions that have been assigned specific responsibilities.

Attempts to multiply the number of lines of defense are recognized and understood to be consistent with

the basic Three Lines model. It is often a matter of perspective and interpretation. It is possible to retain

the simple Three Lines model and be pragmatic with alternates that identify other lines external to the

organization as lines of defense from a broader external stakeholder view (such as the regulator,

government, or the public interest).

While focusing on the entity, the model must also communicate the importance of the governing body as

central to governance rather than outside it, as a mere observer or passive stakeholder of governance. It

is equally critical to emphasize the need for lateral integrity to the model rather than falsely

communicating a silo, vertical approach. Enterprise risk management is a shared responsibility across all

three lines — requiring extensive communication, planning, cooperation, and collaboration; a shared

taxonomy, data, and reporting; and an assurance approach that involves coordination and reliance

among providers.

In important respects the term “three lines of defense” may be inadequate for the strengthened and

enhanced descriptions proposed for the new position paper. However, due to its widespread recognition,

changing the name may cause confusion. The Working Group will continue to ponder this risk.

Three improvements to the Three Lines of Defense model to empower The IIA to better support, promote, and embed the model.

Recognition and Importance of the Three Lines of Defense

ADVANCE POLLING RESULTS

The following data summarize the results of the advance polling, conducted in November/December

2018, where 87 IIA Affiliates responded to a series of questions on the Three Lines of Defense.

Industry where the Three Lines of Defense is the most understood and applied to a large extent: Financial Services

Please refer to the Appendix for the complete results of the advance survey on the Three Lines of Defense.

DISCUSSION QUESTIONS

Considering the background information and results of the advance polling survey included above and in the Appendix, review these questions and ensure your representative comes prepared to Tokyo to share your Affiliate’s view and ideas during the Breakout Discussion Sessions.

1. Which individuals, groups of individuals, and organizations are the most important stakeholders of the

Three Lines of Defense?

2. We want the new IIA Position Paper on the Three Lines of Defense model to be accepted and

adopted by governing bodies in the public and private sectors, regulators, policy makers, accounting

firms, academics, and others around the world. For this to happen, when compared with the existing

paper:

a. What must be new?

b. What must remain the same?

3. How important is the Three Lines of Defense model and the relevant IIA Position Paper for the

recognition and promotion of the profession of internal auditing?

4. What are the best ways in which The IIA can encourage recognition and adoption of its new IIA

Position Paper once it has been released in July 2019?

Background Paper: Global Content Strategy

INTRODUCTION

The goal of the Global Content Strategy is to develop content that addresses issues impacting the

internal audit profession globally.

Content is defined as a principal substance of knowledge, such as written matter contained in reports,

publications, white papers, blogs, and more, both digitally and in print, or contained within an educational

medium such as a course, webinar, or other learning resource.

The plan aims to leverage The IIA’s collective resources to deliver valuable content to IIA members globally. The Global Content Strategy’s objective is to develop creative, strategically aligned content by:

1. Fostering a collaborative mindset between all who develop, contribute to, and deliver the content.

2. Providing a common framework.

3. Prioritizing and maintaining focus on quality, relevance, timely delivery, and return on investment.

BACKGROUND

The Global Content Strategy supports Vision 2024 and Global Strategic Goal B of The IIA’s Global

Strategic Plan.

Vision 2024: The IIA is the primary global resource for members and the internal audit

profession, enabling internal audit professionals to be recognized as critical to enhancing and

protecting organizational value.

Global Strategic Goal B – Competent Professionals: Members are competent and confident to

deliver on stakeholder expectations and demonstrate the value of our profession.

The Global Content Strategy supports Vision 2024 and Global Strategic Goal B because:

Content is the core of The IIA’s resources.

The IIA provides insight through content.

Content provides members with the information they need to be competent and confident.

The IIA delivers value through content.

To date, The IIA has completed the following to help drive the Global Content Strategy:

Resourced a full-time Director of Global Content Strategy and created a content harmonization

task force at IIA Global Headquarters.

Created a glossary to define and align content definitions.

Identified target audiences and skill levels for all content.

Developed a taxonomy that includes the following elements: topic, resource type, industry,

membership type, audience segment, and geography.

Developed a content library (SharePoint repository) to collect information about current and

planned content.

Completed a needs analysis and researched best practices in content marketing and

development.

ADVANCE POLLING RESULTS

The following data summarize the results of the advance polling conducted in November/December 2018

where 86 IIA Affiliates responded to a series of questions on The IIA’s Global Content Strategy.

Please refer to the following definitions:

Skill Level (Abbreviation): Explanation

Introductory (I):

• Limited awareness of task/skill/knowledge.
• Follows instructions under direct supervision.

General Awareness (GA):

• General awareness of task/skill/knowledge.
• Can perform routine tasks under normal business conditions.
• Can perform some, but not all, of the applied tasks with supervision/coaching.

Applied Knowledge (AK):

• Demonstrates consistent, independent application of task/skill/knowledge in most situations.
• Uses insight from this knowledge to coach and supervise others.
• Can perform all of the applied tasks without supervision.
• Can perform complex tasks independently.

Expert (E):

• Demonstrates consistent, independent application of task/skill/knowledge in all situations.
• Applies foresight to help senior management and the board guide the organization.
• Assists management to identify innovative approaches to mitigate risk.
• Provides mentorship to assist individuals across the organization to move to the next level.
• Provides subject matter expertise to others in addressing situations with higher complexity.
• Serves as a role model.

Most Urgent Content Topics by Skill Level

I = Introductory / GA = General Awareness / AK = Applied Knowledge / E = Expert

Most Important Content Topics for Members by Category

Content Development

Please refer to the Appendix for the complete results of the advance survey on the Global Content Strategy.

14 Affiliates would be willing to participate in global content development group

47% of Affiliates occasionally create original content as the need arises

36% of Affiliates rarely or never create original content

DISCUSSION QUESTIONS

Considering the background information and results of the advance polling survey included above, please review these questions and ensure your representative comes prepared to Tokyo to share your Affiliate’s view and ideas during the Breakout Discussion Sessions.

1. Regarding technology, survey results indicate that overall IIA members most need information on

cybersecurity at the applied knowledge skill level. Based on your knowledge of your market:

a. What types of cybersecurity engagements might your members have in the coming year?

b. What problems or challenges are your members trying to resolve related to cybersecurity?

2. Regarding governance, survey results indicate that overall IIA members most need information on

ethics at the applied knowledge skill level. Based on your knowledge of your market:

a. Do your members most need information on organizational ethics or professional ethics?

b. What problems or challenges are your members trying to resolve related to ethics?

3. Regarding risk, survey results indicate that overall IIA members most need information on COSO at

the applied knowledge skill level. Based on your knowledge of your market:

a. What types of risk assessments might your members engage in for the coming year?

b. Which of COSO’s frameworks are your members most interested in?

i. COSO Enterprise Risk Management — Integrating with Strategy and Performance

ii. COSO Internal Control — Integrated Framework

c. What problems or challenges are your members trying to resolve related to COSO?

4. Regarding audit practice, survey results indicate that overall IIA members most need information on

assurance maps at the applied knowledge skill level. Based on your knowledge of your market:

a. What problems or challenges are your members trying to resolve related to assurance maps?

5. Regarding leadership, survey results indicate that overall IIA members most need information on soft

skills at the introductory knowledge level. Based on your knowledge of your market:

a. What types of soft skills are your members most interested in developing? Communication,

critical thinking, negotiation, emotional intelligence, or others?

b. What problems or challenges are your members trying to resolve related to soft skills?

Appendix

Advance Survey Results: Three Lines of Defense

Based on responses from 87 Affiliates

What impact has the Three Lines of Defense had on the profession in your area?

Helped the profession: 85%

Little or no impact: 10%

Don't know: 5%

How well is the Three Lines of Defense model understood and applied in your area?

[Chart: response categories are To a large extent, To some extent, To a negligible extent, Unsure]

Has the Three Lines of Defense model been codified (i.e., included in legislation, regulation, corporate governance codes, etc.) in your area?

No: 56%

Yes: 32%

Unsure: 12%

Compared with 2013, when The IIA’s Position Paper was first released, how important is the Three Lines of Defense model for promoting effective governance, risk management, and internal control?

More important: 66%

About the same: 27%

Less important: 1%

Not sure: 6%

To improve the current Three Lines of Defense model, there are several potential areas of focus. Please indicate the importance that should be given to the following topics when prioritizing potential revisions of the current model.

The importance of communication and collaboration between the lines of defense 90%

Broader focus on governance 87%

Opportunity and organizational success in addition to risk management and internal control 86%

The nature and importance of independence for internal auditing 86%

The role of internal audit in both enhancing organizational value and protecting it 86%

The contribution of the audit committee 83%

The public sector context 82%

Potential pitfalls of the Three Lines model 78%

A blurring between the second and third lines 77%

Integration with The IIA’s Position Paper "The Role of Internal Auditing in Enterprise Risk Management" (including the ERM framework) 76%

Based on the top ten responses of those who selected “Important” or “Very important”; 85 responses

Q17. Do you have any additional comments, including areas for improvement of the Three Lines of

Defense model, and ways in which The IIA can further support, promote, embed, and advocate for the

model?

Allowing for greater flexibility in the model reflecting size, maturity etc. 7

More advocacy for three lines of defense 5

Combined/integrated assurance 4

Most common responses (more than 1); based on an analysis of 86 responses

Advance Survey Results: Global Content Strategy Based on responses from 86 Affiliates

The following responses prioritize members’ needs by topic for each of the following categories:

Technology, Governance, Risk, Audit Practice, and Leadership

For each of the topics, the following charts indicate the most urgent topic by skill level.

Topic: Technology

Topic: Governance

Topic: Risk

Topic: Audit Practice

Topic: Leadership

IIA Position Paper:

THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL

JANUARY 2013

TABLE OF CONTENTS

Introduction

Before the Three Lines: Risk Management Oversight and Strategy-Setting

The First Line of Defense: Operational Management

The Second Line of Defense: Risk Management and Compliance Functions

The Third Line of Defense: Internal Audit

External Auditors, Regulators, and Other External Bodies

Coordinating The Three Lines of Defense

IIA POSITION PAPER:

THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL

INTRODUCTION

In twenty-first century businesses, it’s not uncommon to find diverse teams of internal auditors, enterprise risk management specialists, compliance officers, internal control specialists, quality inspectors, fraud investigators, and other risk and control professionals working together to help their organizations manage risk. Each of these specialties has a unique perspective and specific skills that can be invaluable to the organizations they serve, but because duties related to risk management and control are increasingly being split across multiple departments and divisions, duties must be coordinated carefully to assure that risk and control processes operate as intended.

It’s not enough that the various risk and control functions exist — the challenge is to assign specific roles and to coordinate effectively and efficiently among these groups so that there are neither “gaps” in controls nor unnecessary duplications of coverage. Clear responsibilities must be defined so that each group of risk and control professionals understands the boundaries of their responsibilities and how their positions fit into the organization’s overall risk and control structure.

The stakes are high. Without a cohesive, coordinated approach, limited risk and control resources may not be deployed effectively, and significant risks may not be identified or managed appropriately. In the worst cases, communications among the various risk and control groups may devolve to little more than an ongoing debate about whose job it is to accomplish specific tasks.

The problem can exist at any organization, regardless of whether a formal

enterprise risk management framework is used. Although risk management

frameworks can effectively identify the types of risks that modern businesses

must control, these frameworks are largely silent about how specific duties

should be assigned and coordinated within the organization.

Fortunately, best practices are emerging that can help organizations delegate

and coordinate essential risk management duties with a systematic approach.

The Three Lines of Defense model provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. It provides a fresh look at operations, helping to assure the ongoing success of risk management initiatives, and it is appropriate for any organization — regardless of size or complexity. Even in organizations where a formal risk management framework or system does not exist, the Three Lines of Defense model can enhance clarity regarding risks and controls and help improve the effectiveness of risk management systems.

BEFORE THE THREE LINES: RISK MANAGEMENT OVERSIGHT AND STRATEGY-SETTING

In the Three Lines of Defense model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these three “lines” plays a distinct role within the organization’s wider governance framework.

Although neither governing bodies nor senior management are considered to be among the three “lines” in this model, no discussion of risk management systems could be complete without first considering the essential roles of both governing bodies (i.e., boards of directors or equivalent bodies) and senior management. Governing bodies and senior management are the primary stakeholders served by the “lines,” and they are the parties best positioned to help ensure that the Three Lines of Defense model is reflected in the organization’s risk management and control processes.

[Figure: The Three Lines of Defense Model. Governing Body / Board / Audit Committee; Senior Management; 1st Line of Defense: Management Controls, Internal Control Measures; 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Inspection, Compliance; 3rd Line of Defense: Internal Audit; External audit; Regulator.]

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Senior management and governing bodies collectively have responsibility and accountability for setting the organization’s objectives, defining strategies to achieve those objectives, and establishing governance structures and processes to best manage the risks in accomplishing those objectives. The Three Lines of Defense model is best implemented with the active support and guidance of the organization’s governing body and senior management.

THE FIRST LINE OF DEFENSE: OPERATIONAL MANAGEMENT

The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:

• Functions that own and manage risks.

• Functions that oversee risks.

• Functions that provide independent assurance.

As the first line of defense, operational managers own and manage risks. They

also are responsible for implementing corrective actions to address process

and control deficiencies.

Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.

Operational management naturally serves as the first line of defense because controls are designed into systems and processes under the guidance of operational management. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequate processes, and unexpected events.

THE SECOND LINE OF DEFENSE: RISK MANAGEMENT AND COMPLIANCE FUNCTIONS

In a perfect world, perhaps only one line of defense would be needed to assure effective risk management. In the real world, however, a single line of defense often can prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defense controls. The specific functions will vary by organization and industry, but typical functions in this second line of defense include:

• A risk management function (and/or committee) that facilitates

and monitors the implementation of effective risk management

practices by operational management and assists risk owners

in defining the target risk exposure and reporting adequate

risk-related information throughout the organization.

• A compliance function to monitor various specific risks such

as noncompliance with applicable laws and regulations. In

this capacity, the separate function reports directly to senior

management, and in some business sectors, directly to the

governing body. Multiple compliance functions often exist

in a single organization, with responsibility for specific types

of compliance monitoring, such as health and safety, supply

chain, environmental, or quality monitoring.

• A controllership function that monitors financial risks and

financial reporting issues.

Management establishes these functions to ensure the first line of defense is properly designed, in place, and operating as intended. Each of these functions has some degree of independence from the first line of defense, but they are by nature management functions. As management functions, they may intervene directly in modifying and developing the internal control and risk systems. Therefore, the second line of defense serves a vital purpose but cannot offer truly independent analyses to governing bodies regarding risk management and internal controls.

The responsibilities of these functions vary on their specific nature, but can include:

• Supporting management policies, defining roles and responsibilities, and setting goals for implementation.

• Providing risk management frameworks.

• Identifying known and emerging issues.

• Identifying shifts in the organization’s implicit risk appetite.

• Assisting management in developing processes and controls to manage risks and issues.

• Providing guidance and training on risk management processes.

• Facilitating and monitoring implementation of effective risk management practices by operational management.

• Alerting operational management to emerging issues and changing regulatory and risk scenarios.

• Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.

THE THIRD LINE OF DEFENSE: INTERNAL AUDIT

Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. The scope of this assurance, which is reported to senior management and to the governing body, usually covers:

• A broad range of objectives, including efficiency and

effectiveness of operations; safeguarding of assets; reliability

and integrity of reporting processes; and compliance with laws,

regulations, policies, procedures, and contracts.

• All elements of the risk management and internal control

framework, which includes: internal control environment;

all elements of an organization’s risk management framework

(i.e., risk identification, risk assessment, and response);

information and communication; and monitoring.

• The overall entity, divisions, subsidiaries, operating units,

and functions — including business processes, such as sales,

production, marketing, safety, customer functions, and operations

— as well as supporting functions (e.g., revenue and

expenditure accounting, human resources, purchasing, payroll,

budgeting, infrastructure and asset management, inventory,

and information technology).

Establishing a professional internal audit activity should be a governance

requirement for all organizations. This is not only important for larger and

medium-sized organizations but also may be equally important for smaller

entities, as they may face equally complex environments with a less formal,

robust organizational structure to ensure the effectiveness of its governance

and risk management processes.

Internal audit actively contributes to effective organizational governance providing certain conditions — fostering its independence and professionalism — are met. Best practice is to establish and maintain an independent, adequately, and competently staffed internal audit function, which includes:

• Acting in accordance with recognized international standards for the practice of internal auditing.

• Reporting to a sufficiently high level in the organization to be able to perform its duties independently.

• Having an active and effective reporting line to the governing body.

EXTERNAL AUDITORS, REGULATORS, AND OTHER EXTERNAL BODIES

External auditors, regulators, and other external bodies reside outside the organization’s structure, but they can have an important role in the organization’s overall governance and control structure. This is particularly the case in regulated industries, such as financial services or insurance. Regulators sometimes set requirements intended to strengthen the controls in an organization and on other occasions perform an independent and objective function to assess the whole or some part of the first, second, or third line of defense with regard to those requirements. When coordinated effectively, external auditors, regulators, and other groups outside the organization can be considered as additional lines of defense, providing assurance to the organization’s shareholders, including the governing body and senior management.

Given the specific scope and objectives of their missions, however, the risk

information gathered is generally less extensive than the scope addressed by

an organization’s internal three lines of defense.

COORDINATING THE THREE LINES OF DEFENSE

Because every organization is unique and specific situations vary, there is no one “right” way to coordinate the Three Lines of Defense. When assigning specific duties and coordinating among risk management functions, however, it can be helpful to keep in mind the underlying role of each group in the risk management process.

FIRST LINE OF DEFENSE: Risk Owners/Managers

• operating management

SECOND LINE OF DEFENSE: Risk Control and Compliance

• limited independence

• reports primarily to management

THIRD LINE OF DEFENSE: Risk Assurance

• internal audit

• greater independence

• reports to governing body


All three lines should exist in some form at every organization, regardless of size or complexity. Risk management normally is strongest when there are three separate and clearly identified lines of defense. However, in exceptional situations that develop, especially in small organizations, certain lines of defense may be combined. For example, there are instances where internal audit has been requested to establish and/or manage the organization’s risk management or compliance activities. In these situations, internal audit should communicate clearly to the governing body and senior management the impact of the combination. If dual responsibilities are assigned to a single person or department, it would be appropriate to consider separating the responsibility for these functions at a later time to establish the three lines.

Regardless of how the Three Lines of Defense model is implemented, senior management and governing bodies should clearly communicate the expectation that information be shared and activities coordinated among each of the groups responsible for managing the organization’s risks and controls. Under the International Standards for the Professional Practice of Internal Auditing, chief audit executives are specifically required to “share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.”

RECOMMENDED PRACTICES:

• Risk and control processes should be structured in accordance with the Three Lines of Defense model.

• Each line of defense should be supported by appropriate policies and role definitions.

• There should be proper coordination among the separate lines of defense to foster efficiency and effectiveness.

• Risk and control functions operating at the different lines should appropriately share knowledge and information to assist all functions in better accomplishing their roles in an efficient manner.

• Lines of defense should not be combined or coordinated in a manner that compromises their effectiveness.

• In situations where functions at different lines are combined, the governing body should be advised of the structure and its impact. For organizations that have not established an internal audit activity, management and/or the governing body should be required to explain and disclose to their stakeholders that they have considered how adequate assurance on the effectiveness of the organization’s governance, risk management, and control structure will be obtained.


Global Headquarters

247 Maitland Avenue

Altamonte Springs, Florida 32701 USA

T +1-407-937-1111

F +1-407-937-1101

W www.globaliia.org

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit acknowledged leader, chief advocate, and principal educator.

Position Papers

Position Papers are part of The IIA’s International Professional Practices Framework (IPPF), the conceptual framework that organizes authoritative guidance promulgated by The IIA. A trustworthy, global, guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and strongly recommended guidance. Position Papers are part of the Strongly Recommended category of guidance; compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes.

Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues, and delineating the related roles and responsibilities of internal auditing.

For other authoritative guidance materials provided by The IIA, please visit our website at www.globaliia.org/standards-guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

Copyright © 2013 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at [email protected].