Utfordringer med de tre forsvarslinjer - IIA Norge · Utfordringer med de tre forsvarslinjer Norges Interne Revisorers Forening 31. mai 2016 Prof. Flemming Ruud, PhD, Statsautorisert

Utfordringer med de tre forsvarslinjer

Norges Interne Revisorers Forening

31. mai 2016

Prof. Flemming Ruud, PhD, Statsautorisert revisorHandelshøyskolen BI, OsloUniversity St. Gallen, [email protected]

Prof. T. F. Ruud, PhDUtfordringer med treforsvarslinjemodellen

IIA-NO, 31. mai 2016Slide 2

The Three Lines of Defense Model –- “tre forsvarslinjemodellen”

(IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, 2013, p. 2)

Management Controls

Internal Control Measures

Financial Control

Security

Risk Management

Quality

Compliance

…

Internal Audit

Senior Management

Governing Body / Board / Audit Committee

External Audit

Regulator

1st Line of Defense 2nd Line of Defense 3rd Line of Defense



Innhold

• Modell – forenkling av virkeligheten – Presentiøs fremstilling…?

• Risiko management - reduksjon

• Terminologi - forsvar vs. beskyttelse

• Skille vs. samarbeid

• Valg av variabler i modellen

• «Continuous auditing» - eller monitoring, eller 1. linje?

• Videre utvikling – nye elementer eller variabler?

• Oppsummering



Thought Paper of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2015

SUPPORT Governance Structures

How the organisation assigns specific tasks and responsibilities in internal control

(COSO, Leveraging COSO Across the Three Lines of Defense, 2015)

Leveraging COSO across the Three Lines of Defense



Thought Paper of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2015

SUPPORT Governance Structures

How the organisation assigns specific tasks and responsibilities in internal control

(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, S. 4)












Flere 2. linjefunksjoner

• Risk Management

• Information Security

• Financial Control

• Physical Security

• Quality

• Health and Safety

• Inspection

• Compliance

• Legal

• Environmental

• Supply chain

• Other (depending upon industry-specific or company-specific needs)




Og som …

• Assisting management in design and development of processes and controls to manage risks

• Defining activities to monitor and how to measure success as compared to management expectations

• Monitoring the adequacy and effectiveness of internal control activities

• Escalating critical issues, emerging risks and outliers

• Providing risk management frameworks

• Identifying and monitoring known and emerging issues affecting the organization’s risks and controls

• Identifying shifts in the organization’s implicit risk appetite and risk tolerance

• Providing guidance and training related to risk management and control processes








Forsvar vs. risikoreduksjon vs. in control

• Den iboende risikoen i verdikjeden blir redusert gjennom de tre forsvarslinjene

Man

agem

ent C

ontr

ol

Inte

rne

Steu

erun

g un

d Ko

ntro

lle

1stLi

ne o

fDef

ense

Risi

kom

anag

emen

t

Com

plia

nce

Qua

lität

ssic

heru

ng

…

2ndLi

ne o

fDef

ense

Inte

rnes

Aud

it

3rdLi

ne o

fDef

ense

Iboe

nde

risik

o

Res

trisi

ko



In Control

AttentionRadar



Internal Control

• Directive Controls: Support the achievement of objectives

• Preventive Controls

− Prevent non-beneficial behavior or events

− Organizational measures: Control effected by the company itself in terms of separation of functions, design of work processes

− Organizational tools: Plan of the organization, plan of processes, plan of functions, guidance, time stamp, signatory power

− Technical tools: Securities, IT controls

• Detective Controls: designed to detect misstatements or omissions as soon as possible

• Corrective Controls: designed to re-align the actual state with the target state

Des

ign

Che

ckin

g



«Defense» - Forsvar

• Betydning av “forsvar”:

• Fransk; Defense som stammer fra latin; Defensa – «Protection»1. Beskytte seg mot angrep; Angrep fra noen / forhindre noe

2. Argumentere for en person, sak - som er utsatt for kritikk

3. I en rettssak - anklaget i en straffesak forsvare seg i en rettssak

4. Sport …

• Forsvare hvem - seg mot hvem? • Ledelsen?

• Styret?

• Eiere

• Kreditorer?

• Ansatte

– ?

(Bibliografisches Institut, 2013)



Forsvar vs. verdiskapning

• “Forsvar vs. Defense” – Lingvistiske aspekter

• Verdiskapende – merverdiskapning i intern revisjon (3rd linje) og risk management funksjoner (2nd linje) Lines of Control? Lines of Responsibility? 3rd Line-Assurance?

• Tradisjonelt tankemønster• Intern revisjonen som “politi” for ledelse og styre?

• Gammeldags bilde av intern revisjonen?

• Fra «compliance revisjoner til strategic assurance» (Austbø, Statoil)

– Alternativ til tilbakeskuende – «offense»?• Se mer «upstream» og mindre «downstream» (May Ibsen)



Adskilte vs samarbeidende funksjoner- Objektivitet vs uavhengighet

Management Controls


Financial Control

Security

Risk Management

Quality

Compliance

…

Internal Audit

Senior Management


External Audit

Regulator

1st Line of Defence 2nd Line of Defence 3rd Line of Defence

(Adapted from IIA Position Paper: The Three Lines of Defence in Effective Risk Management and Control, 2013, p. 2)



Integrated Assessment and Assurance –Zurich Financial Services

(Zurich Financial Services, Annual Report 2014, p. 56)



Utviklingen av The Three Lines of Defense-Model

1st line : Value generation

Controls embedded in operational processes

Risk management : protection, prevention & transfer actions

Internal controls : Key controls

Ethics & Compliance :Implementation of whistle blowing

External certifications : Operational controls linked to : QSE, Basel

2, …

2nd line : Strategy & Policies

Definition and organization of systems

Risk management : Definition of ERM system

Definition of risk policies, risk appetiteReporting to governance bodies

Internal control :Definition of IC system

Choice of critical processes & key controlsReporting to governance bodies

Ethics & Compliance: Definition of E&C system

Reporting to governance bodies

External controlsDefinition of certification policy

Reporting to governance bodies

3rd line : Assessment

of control environment

Internal auditAssessment of processes

Testing

External auditAssessment of processes

Testing

Senior ManagementBoard of Directors / Audit Committee



Utviklingen av „The Three Lines ofDefense-Model“



Utviklingen av Three Lines of Defense-Model


Internal Audit

Risk Management

Others

Compliance External Audit

Supervisory Authority

Operational

And Supporting

Functions

Risk M

anagement and

Internal Control procedures,

built into business processes

Senior Management

Board of Directors / Audit Committee



The Three Lines of Defense Model –- hva med dataanalyser og kontinuerlig revisjon?

“Big data… Analytics… Continuous auditing…”???

Management Controls


Financial Control

Security

Risk Management

Quality

Compliance

…

Internal Audit

Senior Management


External Audit

Regulator




The internal audit activity should evaluate risk exposures relating to the organization’s governance, operations, and information systems; .....and based on the risk assessment ... Evaluate the adequacy and effectiveness of controls ...

• Achievement of the organization’s strategic objectives• Reliability and integrity of financial and operational information;• Effectiveness and efficiency of operations;• Safeguarding of assets; and• Compliance with laws, regulations, and contracts.

The IAA should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization.

• Ensuring effective organizational performance management and accountability.

• Effectively communicating risk and control information to appropriate areas of the organization.

• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

GovernanceProcesses

(2110)

ControlProcesses

(2130)

Risk Management

Processes(2120)

Nature of work – governance, risk management, and control processes



Re-Performance

2020

Vekst

2010

Risk

Control

Governance

?

20001990

Operations

Compliance

Financial Reporting

Internal Control over Financial Reporting

Ongoing Compliance

Introduction SOXCompliance (2002)

NYSE Listing Rules: Section 303A.07(d): "Each listed company must have an internal audit function.“ (2003) Quo vadis

Governance prosesser

Internestyrings-

og kontroll-prosesser

Risikomanagement

prosesser

Standard 2110

Standard 2130Standard 2120

Basel Committee:The internal audit function in banks

(2012)

Update COSO Internal Control (2013)

UpdateNUES /

Swiss Code(2014)

COSO Internal Control (1992)

Basel Committee: Internal audit in banks and the

supervisor's relationship with audit (2001)

COSO ERM

(2004)

Intern revisjon - utvikling



Employers

Vision

Objectives

Strategies

Nomination

RemunerationAudit

Committee

BoD

Indicators Signals

CEO

ExternalAudit

CustomersSuppliers

Other Stakeholders Government

InvestorsLegislationShareholders

Acc

ount

abili

ty

Dire

ctio

n

Controlling Compliance

Quality Management

1st Line3rd Line-

Assurance

2nd LineRisk Management

and Internal Control

Tre forsvarslinje modell – ProsessorientertOverordnet uttalelse - «Helhetlige bekreftelser»

Risk Management

Value Adding Process



“Internal auditing has got to be the coolest profession

in the world.”(Tom Peters, The Institute of Internal Auditors –

International Conference, Orlando, 2013)

Tom Peters (*November 7, 1942) • American “management guru” and writer on business management practices;

• Co-author (with Robert H. Waterman, Jr.) of best-seller “In Search of Excellence”, 1982

Development and Current State of Internal Auditing

Documents

Utfordringer med de tre forsvarslinjer - IIA Norge · Utfordringer med de tre forsvarslinjer Norges Interne Revisorers Forening 31. mai 2016 Prof. Flemming Ruud, PhD, Statsautorisert