Three Lines Model

Originally the Three Lines of Defense, the model has gained popularity for organizing governance and risk management in organizations. However, acknowledging that risk-based decision-making is as much about seizing opportunities as it is about defensive moves, the new Three Lines Model helps organizations better identify and structure interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives.

It clearly outlines the roles of various leaders within an organization, including oversight by the board or governing body; management and operational leaders including risk and compliance (first- and second-line roles); and independent assurance through internal audit (third line). And it addresses the position of external assurance providers. The model applies to all organizations, regardless of size or complexity.

Webinar: Three Lines Model Webinar: During the webinar, Mark Carawan, Member of the Three Lines Working Group, Former CAE and CCO of Citigroup, and 2020–21 Global Board Director of Stakeholder Relations, and Francis Nicholson, Vice President of Global Relations at the IIA, provided a detailed overview of the new Three Lines Model and how it’s been redefined.

IT Essentials for Internal Auditors

Global Technology Audit Guide (GTAG) – Recommended Guidance 

Information technology is a fundamental part of all organizations, so internal auditors should have a fundamental understanding of their organization’s IT functions and processes.

Because IT is imperative to business strategy, understanding the impact technology can have on business processes and making accurate and timely recommendations can elevate internal audit as a trusted advisor and value creator.

This guidance will enable internal auditors to understand:

  • The relationship between IT and the business.
  • The various network structures, components, and related concepts.
  • IT infrastructure, including hardware, software, and databases.
  • How organizations use, implement, and develop applications.
  • Relevant topics such as data analytics, social media, machine learning, RPA, and more.

Understanding and Auditing Corporate Culture

A Maturity Model Approach

Corporate culture is increasingly recognized to factor heavily into an organization’s success, its reputation, the protection of its stakeholders, and the morale of its employees. If internal audit is to help the organization to grow its maturity in corporate culture and increase its own capabilities in providing culture-related assurance and advisory services, it must be a few steps ahead of the organization in understanding corporate culture and developing the appropriate audit approaches at varying levels of culture maturity.

This book uses a maturity model to illustrate different levels of corporate governance infrastructure and internal audit function maturity at an organization and the associated assurance and advisory services. As the third line of defense, internal audit can play a vital role in risk assessment and management by assessing risks, providing assurance and advisory services, offering a point of view on the state of culture, sharing insights, monitoring culture, and validating culture risk mitigation activities.

The book covers:

  • The Basics of Culture
  • Building the Knowledge Base
  • The Maturity Model: Know What’s Then, Now, and Next

Agile Auditing

Agile IA includes process improvements, team-based iterative planning, sprints (time-boxed work increments), daily stand-up meetings, project collaboration with stakeholders, and iterative releases of work products.

Common features of Agile IA:

  • Focus on value for the organization (rather than audit objectives)
  • Enhanced client collaboration (part of project team)
  • Iterative planning, execution, and reporting
  • Time-boxed discipline (fixed work cycles)
  • Self-organizing audit teams
  • Timely audit insights and risk responses (real-time feedback)
  • Fewer disagreements about audit outcomes between audit team and audit client
  • Documentation rationalization (simplification of workpapers)

Auditing Conduct Risk

Practice Guide for the Financial Services

The issue of conduct is not easily separated from an organization’s culture; rather, it is a distinct segment of culture as a whole.

Internal auditors can add value by assessing and reporting on their organization’s conduct risk management. The internal audit activity can help drive strong internal control risk management frameworks (including conduct risk) that align with stakeholder expectations, supporting boards, audit committees, and executive management in their oversight roles.

This guidance will enable internal auditors to understand:

  • The business significance of conduct risk in an organization’s control environment.
  • The key components of conduct risk.
  • Key stakeholder (including regulator) concerns and expectations related to conduct risk.
  • Internal audit’s role in assessing and reporting on organizational culture and management of conduct risk.
  • An approach to assess and report on an organization’s culture and management of conduct risk.

Auditing Credit Risk Management

Practice Guide for the Financial Services

Credit risk has always been considered a key risk for financial services organizations and, for a good number of organizations, maybe the most critical risk. This guidance provides internal auditors with a baseline skill set that allows them to test and evaluate the effectiveness of their organization’s credit risk management framework and processes.

This guidance will enable internal auditors to:

  • Understand the importance of credit risk in a financial services context.
  • Understand the regulatory environment and requirements related to credit risk.
  • Understand the risk governance and risk management processes surrounding credit risk.
  • Describe the nature and basis of measurement of the probability of default.
  • Design an audit engagement that assesses the appropriateness and effectiveness of the credit risk management framework and the adequacy of the institution’s credit profile.
  • Be able to apply IPPF and risk-based internal audit techniques to assess and audit credit risk in their organization.

Webinar: Auditing Credit Risk: Credit risk is one of the foundational risks for financial services firms. Providing credit is a large part of what financial services firms do. Over the last several years, regulators have focused on credit risk, first emphasizing the necessity of having accurate models that can measure the capital impact of the credit activities, the risk of leveraged finance, and the great importance of counterparty risk. Now, financial services organizations are also grappling with the ramifications of CECL and IFRS 9 for their credit risk management framework. This webinar is an overview of new guidance published by The IIA on Auditing Credit Risk. The purpose of the guidance is to provide internal auditors with a baseline skillset that allows them to test and evaluate credit risk management in their organizations.

Understanding the Effects of Diversity and Inclusion on Organizations

A Global Perspective and Insights from IIA global

Research shows that diversity within an organization has a tangible impact on both workplace productivity and organizational value. In contrast, a lack of diversity is a relevant organizational risk. Learn why internal audit should be an advocate for diversity in all its forms within both its own activity and the organization as a whole.

Developing a Risk-based Internal Audit Plan

Practice Guide 2020 – Recommended Guidance

In today’s unprecedented environment, effective internal auditing requires thorough planning coupled with nimble responsiveness to quickly changing risks. To add value and improve an organization’s effectiveness, internal audit priorities should align with the organization’s objectives and should address the risks with the greatest potential to affect the organization’s ability to achieve its goals.

Ensuring alignment between internal audit priorities and the organization’s objectives is the essence of Standards 2010 – Planning, 2010.A1, 2010.A2, and 2010.C1, which task the chief audit executive (CAE) with the responsibility of developing a plan of internal audit engagements based on a risk assessment.

This practice guide will help the CAE and internal auditors create and maintain a risk-based internal audit plan. The guide describes a systematic approach to:

  • Understand the organization.
  • Identify, assess, and prioritize risks.
  • Coordinate with other providers.
  • Estimate resources.
  • Propose the plan and solicit feedback.
  • Finalize and communicate the plan.
  • Assess risks continuously.
  • Update the plan and communicate updates.

Guide for the Compliance Function (Veileder for Compliancefunksjonen)

The Guide for the Compliance Function (hereafter also referred to as "compliance") aims to describe good practice for compliance regardless of industry, regulatory framework, and size of organization.

The guide describes how organizations should organize themselves and approach the task in order to establish appropriate and sufficient governance in the area of compliance with laws and regulations.

The guide was developed by IIA Norway's Compliance Network (IIA Norges Nettverk Compliance) and builds on the 1st edition from 2015.

Data Ethics – where does internal audit fit?

As the regulatory environment around data ethics evolves, all parties certainly must expand their knowledge of this risk. This brief explores organizational conduct and the potential associated reputational and financial damages for failure to establish proper data governance.

Internal auditors function as the final line of defense in an effective data governance strategy. Through their engagements, they have the ability to assess the effectiveness of data protection policies and if they are being properly executed. Should an issue be identified, internal auditors can also use their understanding of data ethics best practices to aid organizations in revising current policies or creating new ones.
