Last line of Defence - a brief appreciation of the IIA update on the Three Lines of Defence model
3LoD - a faithful companion
3LoD has been a long-standing and faithful companion for all those involved in governance and risk issues. Due to its ease of explanation and simplicity, the model made it possible to define and implement roles and responsibilities of different organisational units in the area of risk management, compliance and control systems. The model enabled companies to effectively and efficiently coordinate the responsible organisational units to avoid control gaps and duplications. It is based on a strict organisational separation of responsibilities and a hierarchical responsibility pyramid leading to the board of directors or the audit committee. In many companies, the impact of the model can therefore be found in the organisational structures.
However, three key drivers have challenged the validity of the model:
- With the development and introduction of new agile organisational forms and working methods and an accompanying softening of organisational hierarchies, it was clear that the model was coming under pressure and new answers had to be found. The rather static 3LoD model does not offer suitable answers here.
- A similar effect was caused by the trend towards digitalisation and the introduction of new technologies as well as the associated rapid innovation cycles, especially in technology-driven companies. This requires new approaches in the companies' cooperation with technology suppliers and internal organisational units, as well as the creation of innovation incubators that are also designed for failure. All in all, this leads to transfers of responsibility that are not reflected in the 3LoD.
- Finally, the trend can be observed in professional practice that the effectiveness and importance of internal control systems are gradually decreasing because of their static orientation within companies. In some cases, controls are executed pro forma, and the findings from control reviews are merely noted rather than leading to concrete measures and adjustments of the compliance environment.
What does the IIA do?
In particular, the partial entrenchment of internal audit behind the third line carries the risk that the audit function is cut off from the reality of the company, weakening its ability to critically accompany and support the company in achieving its corporate goals.
Consequently, in 2019 the IIA set up a working group to examine necessary adjustments to the model. Complementing this, last year the IIA called for inputs, opinions and expectations for a further development of the model.
Hidden in the summer break, the IIA published its findings from the validation on 20 July. On a positive note, it tries to take the VUCA principle into account: "Organisations are human undertakings, operating in an increasingly uncertain, complex, interconnected, and volatile world. They often have multiple stakeholders with diverse, changeable, and sometimes competing interests. Stakeholders entrust organisational oversight to a governing body, which in turn delegates resources and authority to management to take appropriate actions, including managing risk." (Source: IIA position paper)
In the analysis of the document, however, it becomes clear that the "blurring of the lines effect" originally described in the working group is only partially reflected in the result paper. Rather, an attempt was made to retain the existing model and to supplement it with six principles, which, however, are essentially a repetition of known self-evident facts:
- Principle 1: Governance
- Principle 2: Governing body roles
- Principle 3: Management and first and second line roles
- Principle 4: Third line roles
- Principle 5: Third line independence
- Principle 6: Creating and protecting value
The graphic summary of the new model shows a bit of helplessness in trying to save the model instead of courageously taking a step forward.
In the entire paper, one does not find a single reference to the actual causes and drivers of the changes that are successively making the 3LoD obsolete. If you search for keywords like digitalisation, technology or modern forms of organisation, you will find nothing. On the contrary, the IIA tries to stick to existing principles as much as possible.
In my opinion, the IIA has not understood that the technological disruption that many companies with hitherto proven business models are confronted with also has an impact on risk management, compliance and control systems. That disruption does not mean sticking to a proven model, but having the courage to throw it overboard and recognise new framework conditions.
Or to put it more poetically with Jean Jaurès: "Tradition is the preservation of fire and not the worship of ashes". I too would prefer simple and straightforward approaches to address complexity and uncertainty from a risk management perspective. But this does not work if critical drivers of change are ignored.
Wirecard and the lessons learned
The example of Wirecard has clearly shown that classical methods and instruments do not succeed in identifying and making transparent the risks in a technology and IT group. Nor is a (single!) financial auditor on the part of BaFin in a position to substantially audit electronic payment transactions when these are based on mass, cross-border transactions executed at high speed in a complex IT environment. I am already looking forward to the results of the EY audit activities to see what audit methods were used here to try to identify risks.
With the Wirecard disaster in mind, one can only hope that companies will once again become more aware of their own responsibility and put compliance structures to the test and critically question them. They will not be able to fall back on modern support from the IIA, but must rather find their own answers as to how they want to address corporate risks in the future and protect management and the board of directors from excessive risks. The role of internal auditing must be realigned, otherwise the next Wirecard is only a matter of time.
With the update of the 3 Lines of Defence model, the IIA has not done itself any favours; it should rather have let the model die with dignity. New ideas are needed to develop contemporary and effective compliance structures.