Challenges with the Three Lines of Defense
Norges Interne Revisorers Forening (IIA Norway)
31 May 2016
Prof. Flemming Ruud, PhD, State Authorised Public Accountant, Handelshøyskolen BI (BI Norwegian Business School), Oslo; University of St. Gallen; [email protected]
Prof. T. F. Ruud, PhD: Challenges with the three lines of defense model
IIA-NO, 31 May 2016, Slide 2
The Three Lines of Defense Model ("tre forsvarslinjemodellen")
(IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, 2013, p. 2)
[Figure: Governing Body / Board / Audit Committee; Senior Management. 1st Line of Defense: Management Controls, Internal Control Measures. 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Compliance, … 3rd Line of Defense: Internal Audit. Alongside the lines: External Audit, Regulator.]
Contents
• The model as a simplification of reality: a pretentious presentation…?
• Risk management: reduction
• Terminology: defense vs. protection
• Separation vs. cooperation
• Choice of variables in the model
• "Continuous auditing", or monitoring, or the 1st line?
• Further development: new elements or variables?
• Summary
Thought Paper of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2015
SUPPORT Governance Structures
How the organisation assigns specific tasks and responsibilities in internal control
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015)
Leveraging COSO across the Three Lines of Defense
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 4)
Leveraging COSO across the Three Lines of Defense
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 5)
Leveraging COSO across the Three Lines of Defense
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 7)
Leveraging COSO across the Three Lines of Defense
More 2nd-line functions
• Risk Management
• Information Security
• Financial Control
• Physical Security
• Quality
• Health and Safety
• Inspection
• Compliance
• Legal
• Environmental
• Supply chain
• Other (depending upon industry-specific or company-specific needs)
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 6)
And which are …
• Assisting management in design and development of processes and controls to manage risks
• Defining activities to monitor and how to measure success as compared to management expectations
• Monitoring the adequacy and effectiveness of internal control activities
• Escalating critical issues, emerging risks and outliers
• Providing risk management frameworks
• Identifying and monitoring known and emerging issues affecting the organization’s risks and controls
• Identifying shifts in the organization’s implicit risk appetite and risk tolerance
• Providing guidance and training related to risk management and control processes
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 6)
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 8)
Leveraging COSO across the Three Lines of Defense
Defense vs. risk reduction vs. "in control"
• The inherent risk in the value chain is reduced through the three lines of defense
[Figure: inherent risk is reduced to residual risk across the three lines. 1st Line of Defense: Management Control, internal governance and control. 2nd Line of Defense: Risk Management, Compliance, Quality Assurance, … 3rd Line of Defense: Internal Audit.]
In Control
[Figure: Attention Radar]
Internal Control
• Directive Controls: Support the achievement of objectives
• Preventive Controls
− Prevent non-beneficial behavior or events
− Organizational measures: Control effected by the company itself in terms of separation of functions, design of work processes
− Organizational tools: Plan of the organization, plan of processes, plan of functions, guidance, time stamp, signatory power
− Technical tools: safeguards, IT controls
• Detective Controls: designed to detect misstatements or omissions as soon as possible
• Corrective Controls: designed to re-align the actual state with the target state
[Figure axes: Design, Checking]
"Defense" (Norwegian: forsvar)
• Meanings of "defense":
• French défense, from Latin defensa, "protection". 1. Protecting oneself against attack: an attack by someone, or preventing something
2. Arguing for a person or a cause that is exposed to criticism
3. In a lawsuit: the accused in a criminal case defending themselves in court
4. Sport …
• Defend whom, and against whom?
• Management?
• The board?
• Owners
• Creditors?
• Employees
– ?
(Bibliografisches Institut, 2013)
Defense vs. value creation
• "Forsvar vs. defense": linguistic aspects
• Value-adding: creating added value in internal audit (3rd line) and in risk management functions (2nd line). Lines of Control? Lines of Responsibility? 3rd Line Assurance?
• Traditional way of thinking
• Internal audit as the "police" of management and the board?
• An old-fashioned picture of internal audit?
• From "compliance audits to strategic assurance" (Austbø, Statoil)
– An alternative to the backward-looking view: "offense"?
• Look more "upstream" and less "downstream" (May Ibsen)
Separate vs. cooperating functions: objectivity vs. independence
[Figure: Governing Body / Board / Audit Committee; Senior Management. 1st Line of Defence: Management Controls, Internal Control Measures. 2nd Line of Defence: Financial Control, Security, Risk Management, Quality, Compliance, … 3rd Line of Defence: Internal Audit. Alongside the lines: External Audit, Regulator.]
(Adapted from IIA Position Paper: The Three Lines of Defence in Effective Risk Management and Control, 2013, p. 2)
Integrated Assessment and Assurance: Zurich Financial Services
(Zurich Financial Services, Annual Report 2014, p. 56)
Development of the Three Lines of Defense model
1st line: Value generation
• Controls embedded in operational processes
• Risk management: protection, prevention and transfer actions
• Internal controls: key controls
• Ethics & Compliance: implementation of whistle-blowing
• External certifications: operational controls linked to QSE, Basel 2, …
2nd line: Strategy & Policies
• Definition and organization of systems
• Risk management: definition of the ERM system; definition of risk policies and risk appetite; reporting to governance bodies
• Internal control: definition of the IC system; choice of critical processes and key controls; reporting to governance bodies
• Ethics & Compliance: definition of the E&C system; reporting to governance bodies
• External controls: definition of the certification policy; reporting to governance bodies
3rd line: Assessment of the control environment
• Internal audit: assessment of processes; testing
• External audit: assessment of processes; testing
Senior Management; Board of Directors / Audit Committee
Development of the Three Lines of Defense model
Development of the Three Lines of Defense model
[Figure: Board of Directors / Audit Committee; Senior Management. 1st Line of Defense: operational and supporting functions, with risk management and internal control procedures built into business processes. 2nd Line of Defense: Risk Management, Compliance, Others. 3rd Line of Defense: Internal Audit. Alongside the lines: External Audit, Supervisory Authority.]
The Three Lines of Defense Model: what about data analytics and continuous auditing?
"Big data… Analytics… Continuous auditing…"???
[Figure: the IIA model from slide 2. Governing Body / Board / Audit Committee; Senior Management. 1st Line of Defense: Management Controls, Internal Control Measures. 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Compliance, … 3rd Line of Defense: Internal Audit. Alongside the lines: External Audit, Regulator.]
The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems; … and based on the risk assessment … evaluate the adequacy and effectiveness of controls …
• Achievement of the organization's strategic objectives
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations
• Safeguarding of assets
• Compliance with laws, regulations, and contracts
The IAA (internal audit activity) should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
Nature of work: governance processes (Standard 2110), risk management processes (Standard 2120), and control processes (Standard 2130)
Internal audit: development
[Timeline figure, 1990 to 2020, with the axis labels Risk, Control, Governance, Operations, Compliance and Financial Reporting. Recoverable labels:
• COSO Internal Control (1992)
• Basel Committee: Internal audit in banks and the supervisor's relationship with audit (2001)
• Introduction of SOX compliance (2002); Internal Control over Financial Reporting; Ongoing Compliance
• NYSE Listing Rules, Section 303A.07(d): "Each listed company must have an internal audit function." (2003)
• COSO ERM (2004)
• Basel Committee: The internal audit function in banks (2012)
• Update of COSO Internal Control (2013)
• Update of NUES / Swiss Code (2014)
• Governance processes (Standard 2110), risk management processes (Standard 2120), internal governance and control processes (Standard 2130)
• Growth (around 2010); Re-Performance (around 2020); Quo vadis?]
Three lines of defense model: process-oriented. Overall opinion: "holistic assurance"
[Figure: governance and the value-adding process. Stakeholders: Employers, Customers, Suppliers, Investors, Shareholders, Government, Legislation, Other Stakeholders. Board of Directors (BoD) with Nomination, Remuneration and Audit Committees; CEO; External Audit. Vision, Objectives, Strategies; Indicators, Signals; Direction and Accountability. Value Adding Process. Functions shown: Controlling, Compliance, Quality Management, Risk Management. Lines: 1st Line; 2nd Line: Risk Management and Internal Control; 3rd Line: Assurance.]
"Internal auditing has got to be the coolest profession in the world." (Tom Peters, The Institute of Internal Auditors – International Conference, Orlando, 2013)
Tom Peters (born November 7, 1942) • American "management guru" and writer on business management practices;
• Co-author (with Robert H. Waterman, Jr.) of best-seller “In Search of Excellence”, 1982
Development and Current State of Internal Auditing