The Power of the Independent Internal Audit and External Assurance Providers

Organisations are human undertakings, operating in an increasingly uncertain, complex, interconnected, and volatile world.

They often have multiple stakeholders with diverse, changeable, and sometimes competing interests.

Stakeholders and shareholders entrust organisational oversight to a governing body, which in turn delegates resources and authority to management to take appropriate actions, including managing risk.

For these reasons and more, organisations need effective structures and processes to enable the achievement of objectives, while supporting strong governance and risk management.

As the governing body receives reports from management on activities, outcomes, and forecasts, both the governing body and management rely on internal audit to provide independent, objective assurance and advice on all matters and to promote and facilitate innovation and improvement.

The governing body is ultimately accountable for governance, which is achieved through the actions and behaviours of the governing body as well as management and internal audit. 

The Safety Governance Three Lines Model helps organisations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.

The model applies to all organisations and is optimised by: 

  • Adopting a principles-based approach and adapting the model to suit organisational objectives and circumstances. 
  • Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defence” and protecting value.
  • Clearly understanding the roles and responsibilities represented in the model and the relationships among them. 
  • Implementing measures to ensure activities and objectives are aligned with the prioritised interests of stakeholders. 

Principles of the Three Lines Model

Principle 1: Governance 

Governance of an organisation requires appropriate structures and processes that enable:

  • Accountability by a governing body to stakeholders for organisational oversight through integrity, leadership, and transparency.
  • Actions (including managing risk) by management to achieve the objectives of the organisation through risk-based decision-making and application of resources.
  • Assurance and advice by an independent internal audit function to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous inquiry and insightful communication.

Principle 2: Governing body roles 

The governing body ensures: 

  • Appropriate structures and processes are in place for effective governance. 
  • Organisational objectives and activities are aligned with the prioritised interests of stakeholders. 

The governing body: 

  • Delegates responsibility and provides resources to management to achieve the objectives of the organisation while ensuring legal, regulatory, and ethical expectations are met. 
  • Establishes and oversees an independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives. 

Principle 3: Management and first and second line roles 

Management’s responsibility to achieve organisational objectives comprises both first and second line roles.

First line roles are most directly aligned with the delivery of products and/or services to clients of the organisation, and include the roles of support functions.

Second line roles provide assistance with managing risk. 

First and second line roles may be blended or separated.

Some second line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first line roles.

Second line roles can focus on specific objectives of risk management, such as: compliance with laws, regulations, and acceptable ethical behaviour; internal control; information and technology security; sustainability; and quality assurance.

Alternatively, second line roles may span a broader responsibility for risk management, such as enterprise risk management (ERM).

However, responsibility for managing risk remains a part of first line roles and within the scope of management. 

Principle 4: Third line roles 

Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management.

It achieves this through the competent application of systematic and disciplined processes, expertise, and insight.

It reports its findings to management and the governing body to promote and facilitate continuous improvement. In doing so, it may consider assurance from other internal and external providers. 

Principle 5: Third line independence 

Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority, and credibility.

It is established through: accountability to the governing body; unfettered access to people, resources, and data needed to complete its work; and freedom from bias or interference in the planning and delivery of audit services. 

Principle 6: Creating and protecting value 

All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritised interests of stakeholders.

Alignment of activities is achieved through communication, cooperation, and collaboration. This ensures the reliability, coherence, and transparency of information needed for risk-based decision-making.