The IIA recently published an Exposure Document on the Three Lines of Defense Model. Listen to my comments and suggestions for improving the Three Lines of Defense Model and how we can improve our coordination and collaboration with other assurance groups in organizations.

To listen and for complete show notes and links to downloads, visit:

I’m curious to hear your suggestions. Make sure to download the document (see link below) and comment below on social media to let me know what you think.

Three Lines of Defense Review & Survey Open 20 June–19 September 2019

The comment period is open until 19 September 2019.


00:00:02.129 –> 00:00:14.099
Well, welcome back, my friends, to another edition episode of Jammin with Jason. Hey, on Jammin with Jason, we try to make sure and talk about both the technical and soft skills.

00:00:14.670 –> 00:00:23.580
That are needed to be successful if you’re a chief audit executive or a professional in audit risk and compliance areas.

00:00:24.180 –> 00:00:33.420
Now today we’re going to talk more kind of on the technical side because what I wanted to do is the IIA, the Institute of Internal Auditors,

00:00:33.840 –> 00:00:47.070
Has put out an exposure draft on the three lines of defense and the three lines of defense is a model that has been around for a while, probably around 20 years but

00:00:47.880 –> 00:00:59.130
A lot of people have really been talking about it more, the last five to 10 years and this is a model that has actually received some praise, but also some criticism from people

00:00:59.820 –> 00:01:14.670
And so the IIA has chosen to open it up in an exposure document to be able to get feedback from people on how to improve or enhance this particular model.

00:01:15.480 –> 00:01:22.050
And so let me just give you a little, a little bit of background. And then we’re going to go into it and talk more about it.

00:01:22.680 –> 00:01:31.230
Because I’ve gone through and read this a couple of times and want to try to provide some feedback at least some thoughts that I have around it.

00:01:31.740 –> 00:01:42.750
And I’ll also include in the show notes. The link, because I would encourage you to go out and download it and read it yourself and provide comments as well.

00:01:43.470 –> 00:01:56.730
So the comment period is open until the 19th of September, so it still gives you some time to be able to go out and read it and provide feedback to the IIA.

00:01:57.420 –> 00:02:12.780
Now I see this as a big opportunity for us as a profession to be able to make some changes that are lasting and allow us to work better with others in the organization.

00:02:13.290 –> 00:02:22.380
So I see this as a big opportunity for us to make some changes that will help us, like I said, to be able to work better.

00:02:23.010 –> 00:02:33.720
With others in the organization and without the organization as well. Now, just to give you a little bit of a background or context.

00:02:34.260 –> 00:02:46.950
As to what we’re actually talking about. So the three lines of defense model, as I said, is it has been around for a little while. There’s a graphic that many of you have have seen

00:02:47.910 –> 00:02:55.380
As well, where it really kind of talks about the first line of defense is really kind of the, the local

00:02:56.010 –> 00:03:05.820
Manager, the person who’s putting in the different management controls and internal control measures, they’re the ones that are responsible for the day to day activities.

00:03:06.660 –> 00:03:20.280
Then there’s a second line of defense and these are usually subject matter expert groups. And so the examples that are given are people like you know financial controls security risk management compliance.

00:03:20.910 –> 00:03:31.770
Some of those functions that are actually helping to provide insight and guidance to the first line of defense on how to manage

00:03:32.250 –> 00:03:42.000
Some of these risk and compliance issues that are out there. And then there’s the third line of defense, which in the model is is listed as being internal audit.

00:03:42.630 –> 00:03:51.930
Now, those three lines of defense. They all report to senior management, but the internal audit function also usually reports to the governing body.

00:03:52.530 –> 00:04:03.450
Which could be the audit committee or board of directors, whatever is relevant for your particular organization. Now, in that. There’s also two other

00:04:03.900 –> 00:04:22.500
roles that are kind of added in the model, which is external auditors and the regulators and so like I said that’s kind of the way that the model has been done now. And a lot of organizations have been including are kind of following this methodology.

00:04:23.850 –> 00:04:34.800
And again, just kind of as a context or background. Let me just kind of explain some of the, the, the ways at least the way I kind of view that it’s supposed to be done.

00:04:35.340 –> 00:04:44.460
Versus the way that I’ve seen it actually implemented in a lot of organizations. And the reason for that is because I think a lot of people have been

00:04:45.120 –> 00:04:57.750
misapplying the model. And as a result of that has actually caused more trouble in the organization. In fact, I think this is one of the areas where internal audit as a profession

00:04:58.230 –> 00:05:10.140
Has been doing itself a disservice. Because if you if you misapply this or are talking about this kind of in the wrong way, it ends up

00:05:11.130 –> 00:05:23.760
aggravating other people in the organization and actually almost isolates internal audit into being this separate group that nobody really wants to deal with now.

00:05:24.630 –> 00:05:35.130
Let me give you a little context about my my background and kind of why I’m coming at this with maybe a little different lens than other people who might

00:05:35.790 –> 00:05:45.000
That have spent their whole career in internal audit. And so, you know, I grew up in the audit profession, was an external auditor at a couple of firms.

00:05:45.390 –> 00:05:52.710
And then I was chief audit executive and actually built two different audit departments at two different organizations.

00:05:53.370 –> 00:05:58.170
So I’ve been in that role of Chief audit executive, a couple of times.

00:05:58.740 –> 00:06:09.120
Now, in addition to that, I was also given other responsibilities. So I was responsible for ethics and compliance risk management and information security.

00:06:09.630 –> 00:06:27.060
So later on as I talk about this concept called the blurring of the lines that some people have brought up and it’s actually referenced in this document, which is kind of funny because that’s actually the term I used in my portion of this Sawyer’s Internal Auditing

00:06:28.200 –> 00:06:36.420
Book update as well because there has been a blurring of lines and that, you know, for example.

00:06:37.140 –> 00:06:47.490
I was the third line of defense, if you will, as internal audit, but I also had management responsibilities for some of those second line functions.

00:06:47.850 –> 00:06:58.200
And so because of that, and in a lot of organizations, there’s not a clear distinction between each of those three particular areas.

00:06:58.800 –> 00:07:17.220
In fact, I mean you could almost argue that in some of my management roles, I was actually doing all three. Okay. And so that’s where, again, we get into it later and talk about the blurring of the lines, you’ll see kind of how that ends up going into it.

00:07:18.480 –> 00:07:28.440
So that’s a little, little bit of context behind it. Now, excuse me, as I said, there’s an exposure document that is out there right now.

00:07:28.950 –> 00:07:37.710
And I’ll give you the link in the show notes so that you can go back and download it and read it yourself. Now there is a working group.

00:07:38.250 –> 00:07:48.960
Of IIA volunteer leaders who is actually running this and Jenitha John is actually the one who is the working group chair.

00:07:49.440 –> 00:07:58.590
And I just, you know, before I get into actually talking about this. I want to give her credit, as well as, as other Members of the working group.

00:07:59.340 –> 00:08:09.300
Because I know how difficult it can be to be on a working group like this. And again, kind of from a context perspective for everybody who’s listening.

00:08:10.050 –> 00:08:18.420
This group of volunteers has a tough job because what they have to do is, is take the the comments from people

00:08:19.110 –> 00:08:28.410
Some of which will be way out in left field. Others will be on you know more directed exactly about what it is that’s going on.

00:08:28.890 –> 00:08:37.740
But then they have the task of actually taking all of all of our feedback and trying to come up with some sort of a model.

00:08:38.310 –> 00:08:51.660
That works for organizations across the world and that is one of the big challenges that IIA has is because not every internal audit department and not every organization

00:08:52.620 –> 00:09:04.590
Around the world does internal auditing the same way they don’t necessarily have the same governance structures and so they have to come up with something that is applicable.

00:09:04.980 –> 00:09:15.480
Or that works for most of the places in the world. And so I know sometimes you know as a result of that, whenever you do this, there have to be compromises that are made.

00:09:16.140 –> 00:09:23.340
To try to come up with something that is again like I said, the best thing for the most people

00:09:24.330 –> 00:09:36.750
So like I said, I want to give a shout out to them and encourage them and let them know that you know I realized this is a tough job. I was in your position before

00:09:37.320 –> 00:09:45.510
In several different committees that I served on before so I know the time and effort that goes into this as well.

00:09:46.260 –> 00:09:57.180
So with that, though, you know, again, as I as I go through and kind of talk about this document. I’m going to provide you with my personal opinions. And so again, know that

00:09:57.750 –> 00:10:10.530
You know, just because I think this way, doesn’t mean this is how it’s going to end up being because you have to take into account, lots of people’s response to this.

00:10:11.610 –> 00:10:17.280
But again, that’s why I wanted to kind of set the stage to begin with and the context that I’m coming from.

00:10:17.880 –> 00:10:25.710
Because I’ve served both in the role as chief audit executive, as well as being responsible for some of these other areas.

00:10:26.340 –> 00:10:34.410
In fact, for probably the last 15 years I have been one of the leading thought leaders in the GRC space.

00:10:34.920 –> 00:10:45.930
Which a lot of people talk about, it’s governance, risk management and compliance, and we’re going to talk about the difference there between how the IIA usually refers to that of being

00:10:46.350 –> 00:10:57.000
Governance risk and controls and some of the differences between that a little bit later. But like I said, I think this is an opportunity for us to really

00:10:57.600 –> 00:11:12.000
Kind of come to terms with and make some changes that I think are going to make us more relevant and more of a real team player in this kind of going forward.

00:11:13.020 –> 00:11:17.970
So with that, let’s just kind of jump in. I made some notes on

00:11:18.870 –> 00:11:30.810
The printout that I did. And we’ll just kind of go through and talk about some of the changes that I would suggest, and kind of why those changes are there as well.

00:11:31.590 –> 00:11:39.570
Now, like I said, I’d like to hear from you as well on whether you agree or disagree with some of the things that I’m saying

00:11:40.320 –> 00:11:56.790
Because again, I would encourage you to go download this read through it come up with some of your own comments and ideas and share that back with the working group and share that with me as well. So I can just kind of get a flavor for what people are thinking

00:11:58.230 –> 00:12:06.390
So the first thing to start with is, you know, it has been called the three lines of defense model.

00:12:07.680 –> 00:12:17.910
And personally, I you know I have a problem with the title itself. And I know I’ve heard from lots of people that they don’t really like the title, either.

00:12:18.750 –> 00:12:28.290
And here’s kind of why I feel that way. And then I’m going to give a suggestion for what I think might be a better title.

00:12:28.860 –> 00:12:36.660
So the first thing is, you know, it says the three lines of defense. And so in the model. There’s obviously a first, second, and third line of defense.

00:12:37.200 –> 00:12:47.310
But then off to the right, there’s the two hanging things called external audit and regulator. And so to me when I look at it and say, Well, is it three or is it five.

00:12:48.600 –> 00:12:53.910
You know, I think that the, the, the term three should probably be thrown out

00:12:55.050 –> 00:13:13.770
Because again, in a lot of organizations. It’s not just going to be three. The model does need to be simple, but I don’t think that we need to include the word or three or five or whatever the number happens to be. I don’t think that needs to be included in the title.

00:13:15.030 –> 00:13:28.410
Another concern that I’ve that I’ve had. And I’ve heard lots of people express is the word defense. Now the word defense usually is a reactive type of word

00:13:28.860 –> 00:13:36.570
And again, as internal auditors. Yes, while we should be trying to protect and defend the organization.

00:13:37.080 –> 00:13:51.840
We also need to be proactive and so I think using and having the word defense in the title is it’s a negative word and I think it sometimes forces or gets people to thinking back about

00:13:52.410 –> 00:14:05.010
Being defensive instead of being proactive and you’ll see later on the document actually does you know address that and show that look we not, we not only need to be reactive, but we need to be proactive.

00:14:05.700 –> 00:14:12.870
And I think one of the first steps to being able to do that is just remove that word from the title.

00:14:13.710 –> 00:14:24.420
So instead of the three lines of defense. I think something that could be very simple. As far as a title goes is just call it lines of assurance model.

00:14:24.840 –> 00:14:39.480
Because really we’re talking about different groups within the organization that are providing assurance. And so I think talking about, you can still refer to it as lines or functions or roles.

00:14:40.200 –> 00:14:47.640
But I think that, you know, something like lines of assurance model is a better way of trying to describe this

00:14:48.120 –> 00:14:56.070
Because really what we’re talking about here is about assurance. It’s about governance and some other things as well, but I think

00:14:56.580 –> 00:15:08.790
Really especially coming from the IIA, it’s more about you know the governance, it’s set up how we’re managing the risk, how we’re dealing with the compliance issues and the controls.

00:15:09.120 –> 00:15:18.540
And who is providing assurance that those things are happening. Sometimes that might be from if we think about the way the model is set up now.

00:15:18.960 –> 00:15:35.070
It could be those first line managers who are giving a self assessment on what they’re actually doing or management assurance, it could be somebody from the second line, who is auditing the first line. Like if a compliance function.

00:15:36.180 –> 00:15:45.840
Excuse me, is auditing the first line manager, they’re providing assurance that that other group is doing what they say that they’re doing.

00:15:46.620 –> 00:15:55.530
Or if the third line of defense is internal audit is doing that they can also then provide assurance on the second or first line of defense.

00:15:56.160 –> 00:16:05.100
So I think for me, that is a little easier way of trying to describe it. Something like lines of assurance model.

00:16:05.790 –> 00:16:13.920
Now with that too because I want to bring up because I have a lot of interaction with the second line of defense functions.

00:16:14.460 –> 00:16:24.900
In my coaching and training that I’ve been doing for years and one of the biggest complaints that I get from these other groups about internal audit.

00:16:25.470 –> 00:16:34.830
Is the fact that internal audit does not trust the work they’re doing. And so again, you know, the way that I understand and kind of apply the model now is

00:16:35.310 –> 00:16:40.830
The third line of defense would be auditing the second line, the second line would be auditing the first line.

00:16:41.640 –> 00:16:49.890
But what ends up happening a lot of times is internal audit just jumps completely over the second line and goes right to the first line.

00:16:50.310 –> 00:16:59.640
And so they’re auditing those those front level managers multiple times, it’s being done by another group. It’s also being done by internal audit.

00:17:00.120 –> 00:17:11.460
It is much better to make sure that the assurance activities of the second line are working properly, and then just rely on the work that they happen to be doing at the front line.

00:17:12.060 –> 00:17:20.730
And I think because because the whole idea for me behind this model. Whatever we’re going to call it. However, it’s going to end up

00:17:21.270 –> 00:17:31.500
Is that we are coordinating the assurance activities in the organization. We don’t need five people auditing the same thing.

00:17:31.920 –> 00:17:43.980
We need to coordinate amongst those five groups and figure out who’s going to audit what and then we need to share with each other. The results of our assurance work.

00:17:44.370 –> 00:17:59.670
And I think that is a much, much better use of the resources of the organization as well as being able to, you know, coordinate and actually work better with some of these other teams.

00:18:00.300 –> 00:18:06.570
Now this is where I’m going to, I’m going to throw something here that that might piss some of you off. Okay.

00:18:07.020 –> 00:18:16.920
And that is that I have seen a lot of internal auditor groups believe they are the only one who can provide assurance.

00:18:17.430 –> 00:18:25.740
Now that is not true. Okay. And so this is one of those tough love areas where I’m going to tell you what you need to hear instead of what you want to hear.

00:18:26.640 –> 00:18:40.230
Internal audit is unique in its nature in the way that it reports to the board directly, but it is not the only group that can provide assurance.

00:18:40.590 –> 00:18:50.070
That activities are happening within the organization. So, you know, again, one of the complaints about the current model has been this belief.

00:18:50.550 –> 00:18:54.720
That internal audit is the one who has to audit everything

00:18:55.410 –> 00:19:01.380
And like I said, that’s all that’s been from some people that I’ve that I’ve talked with or that I’ve gotten feedback from

00:19:01.740 –> 00:19:11.040
Some of these second line groups. It’s not what everybody believes. Okay, so, so don’t get mad at me because of that. If you’re not in that camp.

00:19:11.670 –> 00:19:20.460
But I think again as internal audit. We have to realize there are other groups in the organization, providing assurance.

00:19:20.820 –> 00:19:32.880
And it is much better for us and much better for the organization if we work with them and coordinate with them and trust them and help them improve their processes. Okay.

00:19:33.990 –> 00:19:48.570
You know, if, for example, we don’t believe that the second line is doing a good job, then we should help them to improve instead of just ignoring what they’re doing. Okay, that that ends up causing aggravation.

00:19:49.170 –> 00:19:55.170
With other people in the organization. So again, that’s, that’s kind of the broad level.

00:19:55.860 –> 00:20:03.630
Another thing that I that I noticed from this is now this this referring or a reference in this document to what are called

00:20:04.140 –> 00:20:15.180
Supreme Audit Institutions or SAIs and I think that’s that’s a great addition to this because, you know, in general, we’ve kind of talked about the regulator.

00:20:15.660 –> 00:20:26.040
But these would be people like an inspector general kind of a group that is actually coming in from the outside to look at a particular organization.

00:20:27.300 –> 00:20:38.460
So as we move on in the document. There’s, there’s a couple of parts here where there’s a page that kind of goes through the strengths of the current three lines of defense model.

00:20:39.120 –> 00:20:54.390
But then provides opportunities for development as well. And so I just wanted to kind of go through this and and share with you some of the things that I thought were good and a few of the things that I thought maybe needed to be highlighted or changed a little bit.

00:20:56.160 –> 00:21:06.630
Excuse me. The first thing is, you know, right now it’s it’s a very simple, simple and easy to understand model. And I think that is great and we need to continue to do that.

00:21:07.200 –> 00:21:14.790
Whatever this ends up looking like at the end, it needs to be simple and easy to explain to anybody in the organization.

00:21:15.570 –> 00:21:28.410
Now, this is also, like I said, where, you know, the idea of being proactive and reactive approach having both proactive and reactive is good, that’s listed under the opportunities for development.

00:21:29.250 –> 00:21:40.680
And as I said before, I think that is a great addition to this as auditors. Often, we are very reactive. And we need to start thinking more proactively

00:21:41.670 –> 00:21:48.000
Now, there’s also a reference under the opportunities for development about more coordination and collaboration.

00:21:48.390 –> 00:21:54.960
And again, I believe that is important and I to me, that is one of the biggest benefits of this particular model.

00:21:55.470 –> 00:22:03.000
Whatever it ends up being is that we need to coordinate and collaborate on the assurance activities within the organization.

00:22:03.840 –> 00:22:10.080
Now, we also need to be flexible. There’s reference to that and the opportunities for development. I agree with that as well.

00:22:10.650 –> 00:22:21.570
It needs to be flexible because every organization is not going to be the same. Now, in that, though they say flexible and agile adoption of the model.

00:22:22.410 –> 00:22:30.510
I don’t like the word agile there because I think it confuses with the, the concept of agile.

00:22:30.990 –> 00:22:40.290
From a project management perspective, I think it also confuses with what a lot of people are talking about now, which is agile auditing.

00:22:40.800 –> 00:22:56.130
Which is actually taking those concepts from an Agile project management standpoint and applying them to audit. I do believe we need to be agile. I don’t think we should use the word agile, because I think it’s going to confuse people.

00:22:57.390 –> 00:23:10.770
Now one of the things that that under the areas or opportunities for development is, you know, it says it to expand this description. Okay, so let me let me go back.

00:23:11.310 –> 00:23:20.850
Currently under the strengths. One of the things is allows for a ready explanation of the role internal audit as the third line of defense.

00:23:21.390 –> 00:23:29.130
Okay, that’s that’s that’s a duh sort of thing from the model, right, I mean, third line of defense right underneath that it says internal audit.

00:23:29.670 –> 00:23:38.430
So it shows where internal audit fits in there. But then the opportunity says to expand this description to embrace the role of internal audit.

00:23:38.940 –> 00:23:48.210
As a strategic partner and trusted advisor. Now, I agree that internal audit should be more of a strategic partner.

00:23:48.750 –> 00:23:55.140
And should be viewed as a trusted advisor, but here’s what I’m going to tell you this is where I disagree with this.

00:23:55.710 –> 00:24:03.390
Being a trusted advisor and a strategic partner has nothing to do with this model. Okay.

00:24:03.930 –> 00:24:15.810
You will not be seen as a trusted advisor, just because you hand this model over to somebody and say, Look, everybody, internal audit is a trusted advisor and strategic partner and that’s who we need to be

00:24:17.160 –> 00:24:27.570
Nobody’s going to believe that just because you hand them a report that says, look, internal audit is this because we have this in our mission statement, blah blah blah. Okay.

00:24:28.230 –> 00:24:40.470
That’s not how you get to strategic partner and trusted advisor status. There’s other things that you have to do. And it relates to both your technical expertise and experience.

00:24:40.920 –> 00:24:45.840
But also into your impact and influence that you have in the organization.

00:24:46.380 –> 00:25:01.860
So this particular model three lines of defense. Whatever we’re going to call it that is not going to help you get to trusted advisor status that is going to be dependent on what you’re actually doing separately from your experience and

00:25:03.420 –> 00:25:11.880
Expertise, as well as your influence and insight that you’re actually being able to provide to the organization.

00:25:12.930 –> 00:25:27.240
Now the this idea of blurring of the lines comes up again right is yeah under the opportunities is that we have to somehow account for and explain what this blurring of the lines means. And as I said before, that was a term that I used.

00:25:28.410 –> 00:25:39.480
In my portion of the Sawyer’s book because I believe that there is a blurring of the lines and and because of that, it’s it’s causing some confusion.

00:25:39.840 –> 00:25:57.390
Is a lot of times when people get this model, they think I have to do it this way in my organization and that is not what it what it’s what it stands for. This is not a standard. This is not something you must do. It’s a way of helping to explain how organizations usually deal with this.

00:25:58.470 –> 00:26:03.690
And as I said before, I was personally one of those people that have the lines blurred.

00:26:04.020 –> 00:26:19.500
Because I was not only was I the chief audit executive, but I was the chief compliance officer. I was the chief risk officer. So that meant I had more than one role. And because of that, there were some blurring of the lines and other things that that that went on.

00:26:20.910 –> 00:26:22.560
Because I had multiple

00:26:23.580 –> 00:26:35.940
Responsibilities. Okay. Now that is a normal part of organizations and if you will look it’s it’s my opinion and the opinion of a lot of people that I’ve talked to

00:26:36.510 –> 00:26:42.390
It’s better for us to be a team player, and to help the organization out

00:26:43.200 –> 00:26:54.570
Than to try to stand alone and say, nope. I can only be the chief audit executive, that’s all I can do. I can’t help you with compliance. I can’t help you with risk. I can’t help you with whatever insert in there.

00:26:54.990 –> 00:27:08.850
It’s better to actually be a team player and be there and do and help the organization. Now, later on we’ll talk about obviously there’s some safeguards and other things that you need to put in place.

00:27:09.690 –> 00:27:16.920
If you are handling multiple management roles, but we’ll talk about that in a little bit.

00:27:18.150 –> 00:27:26.370
But before we, before we move on, I wanted to talk a little bit about the concept of GRC, okay.

00:27:27.630 –> 00:27:41.550
Now in organizations, there are different functions or roles, you can call them whatever you want to call them, functions or roles, and I’ll kind of get in and explain a little bit more about what those happen to be

00:27:42.330 –> 00:27:49.620
But from the whole idea around GRC and this is what everyone outside of internal audit believes

00:27:50.100 –> 00:28:01.740
GRC stands for governance, risk management and compliance. Those are three separate functions or roles within the organization

00:28:02.640 –> 00:28:14.550
That are kind of distinct. There is some blurring of the lines between it and I’ll get in and talk about later what those different roles happen to be

00:28:15.360 –> 00:28:25.620
Now the problem is, at least in my, in my opinion, the IIA continues to use governance risk and controls to mean GRC

00:28:26.190 –> 00:28:38.070
And I think that confuses everybody because as an internal auditor when we use GRC in that term differently than everyone else in the organization.

00:28:38.850 –> 00:28:44.640
You know, a couple things happen. First off, I think we’ll just a minute, their guests are not playing with us in the GRC space.

00:28:45.180 –> 00:28:57.480
And even worse is some people may look at the internal auditor and go, you don’t even know what GRC stands for, you probably don’t even know what you’re talking about. And so it can actually lessen

00:28:58.500 –> 00:29:14.070
The, the value or the perceived expertise of internal audit, if we’re using those terms differently. The other thing is controls are a way that you know management or governance groups.

00:29:15.300 –> 00:29:23.340
Help to ensure that they achieve their objectives and manage the risk to achieving those particular objectives.

00:29:23.850 –> 00:29:31.860
And so the thing is controls are actually used in the governance area, in the risk management area and in the compliance area.

00:29:32.310 –> 00:29:41.520
Controls are not something separate by themselves. And so I think again using GRC to mean governance risk and controls

00:29:41.910 –> 00:29:53.070
Is is wrong because there are controls being used everywhere along the path. So I think one of the big opportunities we have is to just say,

00:29:53.430 –> 00:30:04.590
GRC stands for governance risk and compliance. We’re going to use the same terms as everybody else. And we’re going to realize that there are controls under all three of those buckets.

00:30:04.920 –> 00:30:26.070
And yes, those are probably the controls that we’re going to be testing. Okay, get off my soapbox a little bit. But like I said, I think that’s an important thing and an opportunity for us in this process to actually change that term in the way that we use it in internal audit.

00:30:27.330 –> 00:30:34.290
Now, let me get in and talk about these different roles, because again, as we go through this

00:30:35.940 –> 00:30:42.660
Through the through the exposure document, next it kind of talks about what governance is

00:30:43.290 –> 00:31:00.300
And. And again, this is where I believe that usually as auditors, we talk about governance in a little bit different way than some other people do in the organization. And I’m not convinced that the way we talk about it is the right way. And so let me explain.

00:31:01.410 –> 00:31:06.060
At least for me, the easiest way to try to explain governance.

00:31:07.230 –> 00:31:12.090
Most of the time when people think of governance, they think of the board of directors or the audit committee.

00:31:12.750 –> 00:31:22.530
That is a governance role, but there are also other governance roles within an organization. It’s not just the board of directors.

00:31:23.460 –> 00:31:44.940
And so the easiest way to describe governance is the governance group is X terminal to the group that they are directing or controlling and so that’s why, again, the board of directors is separate or external from management. That’s why they are governing what management is doing.

00:31:46.230 –> 00:32:00.150
But there are other governance roles, even within the organization. And so as an example right there is usually a group in organizations called something like the it steering committee.

00:32:00.660 –> 00:32:14.160
And this group is made up usually of managers who I T is their customer. Right. Okay. And so I T has a governance group.

00:32:14.580 –> 00:32:24.750
Made up of managers that are outside of IT to direct and control how the IT resources are used.

00:32:25.230 –> 00:32:37.590
So an IT steering committee is also a form of governance, because they are outside of the day to day activities being done by IT.

00:32:38.040 –> 00:32:44.130
Okay. And so I think that makes a big difference in the way that we look at this

00:32:44.670 –> 00:32:59.850
Because again, as I go through and read how we’ve kind of described in this document what governance is I think there’s a big crossover between what governance is and what management is. And I’ll give you an example.

00:33:00.570 –> 00:33:14.130
So underneath here. You know, we’ve got some things like policy setting and testing. Now that’s listed as a governance role. I don’t think that’s a governance role.

00:33:14.610 –> 00:33:24.780
Okay, maybe some high-level policy setting for the whole organization could be a governance role, but testing is definitely not a governance role. That’s an assurance role.

00:33:25.620 –> 00:33:36.930
Monitoring and reporting: while yes, there are some monitoring and reporting things that governance does, that is usually seen more as a management activity.

00:33:38.430 –> 00:33:48.420
Segregation of responsibilities processes to deal with change. Okay, I don’t think the board of directors is set up to do change management processes.

00:33:48.780 –> 00:34:01.860
I don’t think that’s truly a governance role. I think that is a management role. And so like I said, I think we would do ourselves better to try to think about governance more as externally directing

00:34:02.370 –> 00:34:15.000
And management, which is the other role that I wanted to kind of talk about that. That is kind of missed in this is management is really kind of responsible more for the day to day activities.

00:34:15.750 –> 00:34:26.400
Okay, so governing body: externally directing or controlling somebody who’s doing the day to day activities. Examples of that could be the board of directors or the IT steering committee.

00:34:27.060 –> 00:34:36.210
Now when they talk about management in here. Again, like I said, it is internally directing. So those are the day to day activities.

00:34:36.600 –> 00:34:46.350
The governance group says we want this to happen. These are the, the rules of engagement. These are the things that we want done but now you go and figure out

00:34:46.740 –> 00:34:52.560
And put in place the day to day processes to be able to actually do what we like you to do.

00:34:53.460 –> 00:35:01.770
And so in here. There’s some good language that I’m going to read for you. That’s from the exposure document. And I think it’s just important for us to actually remember it.

00:35:02.220 –> 00:35:11.490
Management owns the risk. Okay. And again, I think sometimes internal auditors think that they’re responsible for identifying and assessing the risk

00:35:11.850 –> 00:35:20.790
That is a management responsibility so management owns risk and is responsible for designing and implementing controls.

00:35:21.210 –> 00:35:31.980
And managing the uncertainty associated with the strategy execution within agreed variations in performance and those agreed variations come from the governance group.

00:35:32.850 –> 00:35:43.440
And while this cannot be guaranteed with perfect precision, management is expected to take steps necessary to have the greatest chance of success.

00:35:44.040 –> 00:35:50.850
That’s really what management is trying to do. Okay. Now the other role that kind of comes along in there is audit.

00:35:51.240 –> 00:36:01.410
Right. And somebody providing assurance that management is doing what the governance, or the governing group is asking them to do. And so

00:36:02.160 –> 00:36:12.180
That’s really kind of the three main roles within an organization. And again, to kind of come back to this whole idea of GRC.

00:36:12.600 –> 00:36:20.370
Right, that that controls are used by the governance group they’re used by the management group they’re used by the assurance group.

00:36:21.090 –> 00:36:35.100
And let’s kind of talk about the difference between compliance and controls. So compliance is a function where we are trying to ensure that we are compliant

00:36:35.580 –> 00:36:46.530
With either internal or external requirements. So, difference between the two: an external requirement may be something like a law

00:36:47.430 –> 00:37:00.660
That we are forced to kind of comply with. It could also be voluntary external compliance. So as an example, if your organization decides to follow an ISO standard,

00:37:01.260 –> 00:37:10.950
They’re not required by law to do that, but they voluntarily choose to do that. They’re still trying to put in place processes to make sure they’re compliant.

00:37:11.340 –> 00:37:19.350
With that particular standard as an example. So those are external type of compliance requirements.

00:37:19.980 –> 00:37:29.610
But we also develop internal compliance requirements as well. So when we create policies, when we create different procedures or other things like that.

00:37:30.090 –> 00:37:41.850
Those are things that again we want to be compliant with because those are controls that are built into the processes to help us meet our objectives and manage our risk.

00:37:43.920 –> 00:37:55.380
Okay, so that’s that’s kind of, again, the difference between compliance and controls and I think why we would be better served to start using the word compliance.

00:37:56.880 –> 00:38:06.750
So when again when we talk further down in the document now gets into talking about independent internal audit. And again, it’s important to be

00:38:07.260 –> 00:38:19.590
Independent. That’s one of the reasons why we usually report directly to the board, and we’re independent in deciding what we’re going to audit, how we’re going to audit and how we’re going to report on

00:38:20.160 –> 00:38:30.210
Independence is around the freedom to be able to do the things that we need to do, but it’s also and even more important that we’re objective in what we’re actually doing.

00:38:30.720 –> 00:38:37.560
And so two words that you can think about independence is really the freedom to do those things.

00:38:38.100 –> 00:38:50.910
Objectivity means that we do our work in an unbiased nature, and that is more important, because ultimately we’re not truly independent of the organization because they’re paying our paycheck.

00:38:51.510 –> 00:39:06.750
And no matter how you end up trying to do the reporting structure in the organization, ultimately, you know, we’re, we’re going to be limited, a little bit in our freedom based on who’s paying us and who is doing our performance evaluation.

00:39:07.920 –> 00:39:22.980
Now one of the points under, under internal audit here in the document, you know, again, I think it does a good job of kind of describing it. Yeah. But one of the areas that I take a little exception with is, let me read this to you and I’ll explain why.

00:39:24.150 –> 00:39:34.830
So internal audit the internal audit plan of work must be clearly aligned to the strategic priorities and operational needs of the organization. Totally agree with that.

00:39:35.520 –> 00:39:44.220
Provide an authoritative credible and objective view on the adequacy and effectiveness of governance totally agree with that.

00:39:44.910 –> 00:39:52.380
And of all the checks and balances. This includes yes agree with that as well. Not as not as definitively

00:39:52.890 –> 00:40:00.480
But then the last part, as well as identifying opportunities and threats that may arise, I don’t agree with that.

00:40:00.960 –> 00:40:11.820
That is a management role management is the one who is supposed to identify opportunities and threats that may arise. That is a management responsibility.

00:40:12.420 –> 00:40:20.430
We should be providing assurance that they’re actually doing that, but that is not our role.

00:40:20.880 –> 00:40:31.800
And again, this is one of those areas where a lot of times people get rubbed wrong in the organization. If you as an internal auditor go to a C level executive

00:40:32.280 –> 00:40:37.830
And tell them what their opportunities and threats are, they’re not going to want to listen to you.

00:40:38.520 –> 00:40:45.810
Now if you bring up things like, Hey, did you consider this. That’s a different kind of an approach right

00:40:46.140 –> 00:40:54.300
Is that as you’re talking to them as you’re going through this. You want to make sure that they have thought about the opportunities and threats.

00:40:54.720 –> 00:41:11.820
And that they have done things that they need to, to either take advantage of those opportunities or to try to manage or mitigate those threats. But that is not internal audit’s role, that is a management role. So like I said, I take a little exception with that.

00:41:13.770 –> 00:41:25.260
Alright, so as we keep on moving down here. The, the next area kind of talks about this contribution to organizational success or other bodies.

00:41:25.680 –> 00:41:33.720
And so here, they’re starting to kind of talk about these external bodies, which a lot of people refer to, or use the word stakeholder

00:41:34.590 –> 00:41:42.900
And a stakeholder is somebody that can be affected or can affect the organization. And so there’s lots of different groups that are out there.

00:41:43.770 –> 00:41:54.210
But under this section of the other bodies. There’s the talk about external auditors and the Supreme Audit Institutions, which I believe those are stakeholders.

00:41:54.810 –> 00:42:00.870
There’s also the talk about regulators, which I agree with, as well, that those are stakeholders.

00:42:01.530 –> 00:42:15.780
But what I see missing from this section is if you’re actually going to talk about stakeholders. Then there’s certain stakeholders that are not mentioned here. And so those would be, you know, like the community.

00:42:16.830 –> 00:42:23.940
The employees that you have your unions other other people like that as well. So

00:42:24.750 –> 00:42:34.260
If we’re going to refer to, or think about stakeholders in general, then we need to add discussions about some of those other stakeholders.

00:42:34.830 –> 00:42:47.940
If we’re only talking about other bodies who provide assurance, then maybe only discussing external auditors, SAIs and regulators is appropriate. But if the idea here is

00:42:49.800 –> 00:42:52.530
Excuse me. Got a little tickle in my throat for some reason.

00:42:53.850 –> 00:43:04.860
If the idea is broader than just who else provides assurance, then I think that we probably need to be discussing and talking about some of those other stakeholders as well.

00:43:06.240 –> 00:43:14.700
Now, you know, kind of get towards the end here. You know, we’ve talked about this coordinated approach and I’ve referred to that before.

00:43:15.360 –> 00:43:27.030
That, I think, again, the real value in this model is helping to develop a more coordinated and collaborative approach to assurance in general.

00:43:27.630 –> 00:43:32.940
And as I mentioned before, we’ve got to stop thinking that we’re the one that has to do all the assurance work.

00:43:33.360 –> 00:43:46.920
There’s other groups in the organization that are already doing assurance work and that will continue to do assurance work. We just need to do a better job of working with and coordinating and collaborating with them.

00:43:48.480 –> 00:43:54.030
Now, kind of at the end, you know, there’s a there’s a part in here about scalability and about the blurring of the lines.

00:43:54.450 –> 00:44:04.860
And we’ve talked a little bit about that to begin with, the fact that every organization is not going to be at the same maturity level.

00:44:05.220 –> 00:44:23.730
Their organizational structure is going to be different. And so we just need to recognize that that is a fact of life and so somehow in the model we have to say, even though this is kind of the ideal or theoretical thing to do. How do you deal with some of these things where

00:44:24.870 –> 00:44:35.550
It doesn’t fit into that nice box or picture like the model actually has and like I said from my own career. I have seen that

00:44:37.350 –> 00:44:45.330
In my own career. Right. So, so we started talking about, hey, we need to do compliance better. We need to take a better approach towards compliance.

00:44:45.720 –> 00:44:50.610
And the CEO said, great, Jason. Now you’re chief compliance officer as well, because you’re right, we need to do that.

00:44:50.940 –> 00:44:57.600
We’re not going to hire somebody else we’re not going to hire a whole new team to do that. But that’s going to be one of your responsibilities now.

00:44:58.200 –> 00:45:05.640
The same thing came up when we started talking about Enterprise Risk Management. Again, Jason, you’re going to do that for us. You’re going to be the point person because

00:45:05.970 –> 00:45:17.700
We’re not going to hire somebody else. Now, we were a big company, but we were a privately held company and chose that you know again between management and the board, they decided

00:45:18.060 –> 00:45:26.970
These are important functions, but we’re not going to hire someone else separately for that. And so my organization didn’t fit neatly under this model.

00:45:28.080 –> 00:45:37.380
But we were still helping the organization. Okay, now. Whenever this happens and and there’s a point in here that is very valid that I agree with on

00:45:37.740 –> 00:45:45.030
Safeguards must be considered. So for example, I knew since I was responsible for ethics and compliance.

00:45:45.540 –> 00:45:56.700
That was not an area that we should audit because I also had management responsibility for that. The board knew that. They knew I wasn’t going to audit it. They were okay with it.

00:45:57.360 –> 00:46:07.800
If they felt like they needed to have an audit of ethics and compliance, then they were, and we discussed this, they would bring in someone from the outside

00:46:08.220 –> 00:46:16.470
To audit that area, but that would not be in the scope of the areas that I was going to audit. The same thing was true for our enterprise risk management.

00:46:17.280 –> 00:46:23.820
Because I was primarily responsible for that they were more comfortable that I was actually doing something with it.

00:46:24.570 –> 00:46:41.880
Than to not have anybody there. And so again, if they decided in the future that they wanted some assurance that we were doing ERM the way that they would like it to be done, then we would have brought someone else in from the outside to be able to take a look at that.

00:46:43.440 –> 00:46:50.040
But again, those safeguards do need to be in place. And in fact, I’ll just give you a kind of a sample of one of the things that I did.

00:46:50.460 –> 00:47:00.150
Was I had three separate teams. Okay, I had an audit team. I had an ethics and compliance group and I had a risk management group. They were all separate

00:47:00.540 –> 00:47:10.410
Now, sometimes they would work together, but for the most part they were completely separate so that way if someone from the risk management team showed up in part of the organization.

00:47:10.800 –> 00:47:20.670
They knew that person was there to help them manage risk. If the Ethics and Compliance people showed up, they knew that they were there to do something about ethics and compliance.

00:47:21.060 –> 00:47:27.930
If the internal audit group showed up, they knew that they were being audited. Okay, or that we were doing some consulting work with them.

00:47:28.560 –> 00:47:33.210
So you do need to have those safeguards and kind of separate those functions out

00:47:33.870 –> 00:47:44.940
To be able to help make that distinction easier, because I didn’t want the audit client wondering: hmm, Jason’s showing up. So you’re gonna, if you’re going to audit me, is he

00:47:45.660 –> 00:47:55.230
do something about compliance, or is he going to do something about risk management? And so having three separate teams, I think, is one of the ways to help reduce some of that blurring.

00:47:56.730 –> 00:48:07.350
Again, you know, when internal audit is providing these non-assurance services, the CAE does need to consult with the governing board

00:48:07.680 –> 00:48:17.610
And assess if there’s conflicts and how you’re actually going to work around that. And again, I think that this is this is something that has been seen in the industry.

00:48:18.120 –> 00:48:30.810
Because I would, I was not alone. I know a lot of chief executives that have multiple roles, even today, this is a fact of life. But again, you just have to figure out and work with your governing authority.

00:48:31.980 –> 00:48:43.590
To make sure what what they would like to have done and any of these safeguards that need to be put in place. So as I said, kind of at the beginning and I’ll kind of wrap up here.

00:48:44.400 –> 00:48:53.940
I think that this is a great step in in the right direction for us as a profession to look again at three lines of defense model.

00:48:54.360 –> 00:49:03.570
And figure out again, do we change the name. How do we continue to make it simple, but actually deal with some of these real things that people are actually dealing with

00:49:04.080 –> 00:49:17.430
Because a lot of Chief audit executives do also have responsibility for the second lines. The standards were actually updated a couple years ago. Finally, to kind of reflect that reality of what’s actually going on.

00:49:18.630 –> 00:49:29.280
But as I said, to begin with, I think that, you know, even though I’ve gone through and kind of given my thoughts on what I think should be updated or kind of provide my opinion.

00:49:29.820 –> 00:49:40.440
I would encourage you to go out and download this and also you know get active on social media, you know, send me messages if you know people in the working group reach out to them.

00:49:40.980 –> 00:49:50.910
Make sure that you’re actually putting in your suggestions. During this open period because again we have until September 19 to be able to put in comments on that.

00:49:51.420 –> 00:50:02.250
And just that way you know this document as it goes forward and comes out in its new iteration is going to be better than what we have now. And I think that’s, that’s kind of the whole idea.

00:50:03.060 –> 00:50:13.860
I think that we do have an opportunity to really align better with others in the organization and even change some of the words that we are using

00:50:14.370 –> 00:50:23.520
To be more consistent and more acceptable to other people in the organization. And I really see this as a big opportunity for us as a profession.

00:50:24.120 –> 00:50:32.340
And I hope that we do kind of go down this route because if we do, I think we’ll be able to continue to be viewed

00:50:32.940 –> 00:50:37.740
in a positive light. What I what I’m afraid of. And what I’m seeing a little of

00:50:38.340 –> 00:50:47.400
Is that if we don’t make changes that we’re going to be viewed as a group that’s irrelevant. And we’re going to be left out.

00:50:47.730 –> 00:50:54.750
Of a lot of the things that are going on in our organizations. And I think that’s a very dangerous place for us to be

00:50:55.290 –> 00:51:08.670
We don’t want to go there. And so I think, again, this provides us with a great opportunity to be able to make some of these changes across the whole profession and really elevate it and get going even further. So

00:51:09.690 –> 00:51:20.160
That’s kind of all I have for today, like I said, Today was a little bit of a different kind of episode because it’s more kind of my opinions on this particular document.

00:51:20.760 –> 00:51:29.640
But I would be interested to know what you think. So, again, get get active on social media, send me messages.

00:51:30.180 –> 00:51:38.520
You know, comment on different things and just kind of let me know where you’re at on this as well, because I know I don’t have all the answers myself.

00:51:38.910 –> 00:51:48.060
I’m coming from it from my particular context and the background that I have had, but would be interested to see what you all hear as well.

00:51:48.720 –> 00:52:03.510
So with that, I’m going to sign off for today, and go out to download this, read it, comment it, think about it, and have a fabulous rest of your week, and I’ll see you on a future episode of Jammin with Jason.
