Finally, if the IA function comes to the conclusions that current assurance needs do not fully fill the time budget available for the upcoming months, the IA function should seek alternative opportunities to support the organization. For example, it could enhance its cooperation with 2nd line functions, such as the Internal Controls department, ERM units or the Compliance function to strengthen the various governance frameworks.
For instance, we see a trend that existing Internal Control System frameworks (ICS) that have not been updated or amended for quite some time (i.e. 5 to 10 years) are now under scrutiny by the governing body of a corporation (i.e. board) as well as external stakeholders (i.e. external auditor confirming the existence and effectiveness of an ICS) for not providing the necessary assurance on key financial risks. It is often asserted that the ICS no longer accurately and completely reflects the risk situation, the process flow and control checks and that it is no longer embedded in the business as an effective governance framework efficiently.
With the in-depth knowledge of the organization, its workflows, culture and IT system, the Internal Audit function is ideal for supporting the 2nd line of defense adapting, amending, modernizing or simply updating the framework. Clearly, the support provided by IA should not include the actual implementation of controls or take on the responsibility of owning risk or executing a related control. These tasks and duties remain with the 1st line of defense, i.e. the business.
However, this is an opportune moment to strengthen and improve the existing ICS framework, thus making it more valuable to the organization (i.e. fewer manual controls and more effective design of reviews, detection or automated checks).
The same holds true with the ERM framework or the Compliance Management System (CMS), where IA can support the adaption of the risk catalogue and its assessment (i.e. probability, impact, response time-frame, ownership, mitigating actions) or help Compliance to better align the CMS with other internal governance frameworks (i.e. ICS, ISO9001) or embed it more effectively in the organization.
In the coming blogs, we will discuss other challenges an IA function has to deal with in today’s world, notably the question around staffing and talent management, the execution process and what key risks to address in the coming 6 to 24 months.
1 The three-lines-of-defense being:
1st line: risk owner and responsible for managing risk
2nd line: risk control and monitoring duties and support 1st line in effectively addressing risks
3rd line: independent risk assurance such as Internal Audit or External Audit
2 In this four-part series, the questions what key risks could be of relevance in the coming 6 to 24 months will be addressed in the fourth part.