
LESSON 13: INTERNAL AUDIT – THE THIRD LINE OF DEFENCE


13.1 PURPOSE

Review internal audit as one of the three lines of defence, providing independent assurance to the board on the effective
operation of the risk management framework and validating the risk measurement process.

13.2 KEY CONCEPTS

- Independence
- Assurance
- Three lines of defence
- Internal audit
- External audit
- Oversight
- Audit committee
- Planning
- Resourcing

13.3 LEARNING OUTCOMES

On completion of this lesson, you should be able to

- identify independent assurance as the third line of defence
- explain the role of independent assurance in operational risk management
- differentiate between internal and external audits
- discuss the internal audit function as it relates to risk oversight
- explain the role of internal audit in terms of planning and priorities, status and resourcing, reporting to the board,
consulting and investigations
- discuss the responsibilities of audit committees
- state the features of an effective internal audit

13.4 LEARNING MATERIAL

Chapter 13 of the prescribed book: Internal audit.

13.4.1 Audit and the three lines of defence

The third of the classic three lines of defence has two complementary parts, namely internal audit and external audit.
Internal audit provides independent assurance to the board on the effective operation of the risk management framework
and validates the risk measurement process. External audit gives an opinion on the financial statements. Internal audit has
to satisfy itself of the quality of risk governance and of the controls over matters such as ethical values, management style
and values, and human resource policies and practice.

Study “Audit and the three lines of defence” in chapter 13.

13.4.2 Independent assurance

Independence - to fulfil its function, internal audit must be functionally independent of the activities it audits.

Assurance - from a risk perspective, internal auditors will usually give assurance on

- risk governance and the risk management processes, considering their design and how well they are working
- the management and oversight process for risks, including the effectiveness of controls and other responses to them
- the accuracy and reliability of the components of the risk assessment and reporting process

Study “Independent assurance” in chapter 13.

13.4.3 Internal and external audit

Internal and external audit share a common goal of assuring the board that the risk and control processes are appropriate
and effective. Both should function independently of management and report to the board. However, there are differences
in the roles they play:

- Internal auditors are part of the organisation, and the audit committee or the board determines their objectives.
- External auditors are outside the organisation, and their objectives are driven partly by statutory and professional
requirements.

Study “Internal and external audit” in chapter 13.

13.4.4 Internal audit and risk management oversight

In financial services, the internal audit function is obligatory, whether in-house or outsourced. Internal audit provides
assurance to the board on the first and second lines of defence. Regarding the first line, it provides assurance that controls
are working effectively and are appropriate to the risks of the organisation. Regarding the second line, oversight functions
such as risk management ensure consistent application of the risk management framework and provide a challenge to
business operations; internal audit provides assurance that these oversight functions are working effectively, in particular
that they pick up adverse changes in the risk profile and report them.

As an independent assurer, internal audit is valuable and necessary in operational risk. Operational risk managers are usually
intimately involved in developing the operational risk framework and are responsible for providing data inputs and producing
reports, effectively placing them in the first and second lines of defence. Therefore, there needs to be an independent
assurance process of the information provided and the methodologies used.

Study “Internal audit and risk management oversight” in chapter 13.

13.4.5 The role of internal audit

Policy - internal audit should operate within a clear policy statement, approved by the firm's board and management, which
outlines its

- objectives and the scope of the internal audit function
- status and position within the firm, including its relationship to the business lines and oversight functions
- competences, tasks and responsibilities

Planning and priorities - having established its role, the head of internal audit can work with the board to develop and deliver
the audit plan. The audit plan should be risk-based and use some form of the risk and control assessment process, which
drives the audit cycle.

Status and resourcing - audit, the third line of defence, is a critical part of a firm’s risk management framework, which should
be accepted and recognised as such by everybody in the firm.

Reporting to management and the board - having established the plan and put it into action, it is internal audit’s job to report
its progress and significant issues to the board and senior management for action.

The internal auditor as consultant - internal audit is, among other things, a consulting activity designed to add value and
improve an organisation’s operations.

Consulting can

- provide management with the tools and techniques used in internal audits to analyse risks and controls
- support risk management by leveraging internal audit's expertise in risk management and controls, and its overall
knowledge of the organisation
- support risk management by providing advice and promoting the development of a common language and
understanding as part of embedding risk in the firm
- support managers as they work to identify the best way to mitigate their risks

Investigations - events continually occur which require investigation and assurance. If the request comes from the chairman
of the audit committee or the non-executive directors, there is no risk of internal audit being conflicted. Where the request
comes from management, however, management should wherever possible use its own resources, most likely those in an
oversight role (i.e. the second line of defence), leaving internal audit free to fulfil its proper role of independent reviewer
and assurer.

Study “The role of internal audit” in chapter 13.

13.4.6 Audit committees

The audit committee, comprising independent non-executive directors, performs a key oversight role for the board and
should be the critical link between the board and both internal and external audit. In most financial sector firms, there will be
a separate risk committee.

Audit committee and internal audit - the head of internal audit should report to the chair of the audit committee from a
functional point of view.

Audit committee and external audit - the audit committee appoints the external auditors and agrees their terms of
engagement and fees.

An audit committee health check - audit committees are not just about financial reporting and assessing internal controls.
Their brief as independent assessors of the quality of risk management also takes them into non-financial risk assessments.
Audit committees should be continually considering several risks in assessing the overall health and tone of the company they
serve.

Study “Audit committees” in chapter 13.

13.5 SUMMARY

Business line management creates the scenarios and assumptions; risk management challenges the assumptions made in the
scenarios and the resulting outcomes; and internal audit provides assurance on both the scenario process itself and the
process by which the assumptions are derived.

Study “Effective internal audit” in chapter 13.


13.6 ACTIVITY

Self-assessment questions: Go to the Online assessment tool to do activity 13.6.

13.7 REFLECTION

Before you continue to the next lesson, reflect on the following personal questions:

a. Where, in your professional life, do you think you will be able to use the skills you have learnt in
this lesson?
b. What did you find difficult? Why do you think you found it difficult? Do you understand it now, or
do you need more help? What are you going to do about it?
c. What did you find interesting in this lesson? Why?
d. How long did it take you to work through chapter 13 for this lesson? Are you still on schedule, or
do you need to adjust your study programme?
e. How do you feel now?

Blunden, T & Thirlwell, J. 2013. Mastering operational risk: a practical guide to understanding operational risk and how to
manage it. 2nd ed. London: Pearson.
