ICAS ICAS logo

Quicklinks

  1. About Us

    Find out about who we are and what we do here at ICAS.

  2. Find a CA

    Search our directory of individual CAs and Member organisations by name, location and professional criteria.

  3. CA Magazine

    View the latest issues of the dedicated magazine for ICAS Chartered Accountants.

  4. Contact Us

    Get in touch with ICAS by phone, email or post, with dedicated contacts for Members, Students and firms.

Login
  • Annual renewal
  • About us
  • Contact us
  • Find a CA
  1. About us
    1. Governance
  2. Members
    1. Become a member
    2. Newly qualified
    3. Manage my membership
    4. Benefits of membership
    5. Careers support
    6. Mentoring
    7. CA Wellbeing
    8. More for Members
    9. Area networks
    10. International communities
    11. Get involved
    12. Top Young CAs
    13. Career breaks
    14. ICAS podcast
    15. Newly admitted members 2022
    16. Newly admitted members 2023
  3. CA Students
    1. Student information
    2. Student resources
    3. Learning requirements
    4. Learning updates
    5. Learning blog
    6. Totum Pro | Student discount card
    7. CA Student wellbeing
  4. Become a CA
    1. How to become a CA
    2. Routes to becoming a CA
    3. CA Stories
    4. Find a training agreement
    5. Why become a CA
    6. Qualification information
    7. University exemptions
  5. Employers
    1. Become an Authorised Training Office
    2. Resources for Authorised Training Offices
    3. Professional entry
    4. Apprenticeships
  6. Find a CA
  7. ICAS events
    1. CA Summit
  8. CA magazine
  9. Insight
    1. Finance + Trust
    2. Finance + Technology
    3. Finance + EDI
    4. Finance + Mental Fitness
    5. Finance + Leadership
    6. Finance + Sustainability
  10. Professional resources
    1. Anti-money laundering
    2. Audit and assurance
    3. Brexit
    4. Business and governance
    5. Charities
    6. Coronavirus
    7. Corporate and financial reporting
    8. Cyber security
    9. Ethics
    10. Insolvency
    11. ICAS Research
    12. Pensions
    13. Practice
    14. Public sector
    15. Sustainability
    16. Tax
  11. CPD - professional development
    1. CPD courses and qualifications
    2. CPD news and updates
    3. CPD support and advice
  12. Regulation
    1. Complaints and sanctions
    2. Regulatory authorisations
    3. Guidance and help sheets
    4. Regulatory monitoring
  13. CA jobs
    1. CA jobs partner: Rutherford Cross
    2. Resources for your job search
    3. Advertise with CA jobs
    4. Hays | A Trusted ICAS CA Jobs Partner
    5. Azets | What's your ambition?
  14. Work at ICAS
    1. Business centres
    2. Meet our team
    3. Benefits
    4. Vacancies
    5. Imagine your career at ICAS
  15. Contact us
    1. Technical and regulation queries
    2. ICAS logo request

Three lines of defence model: ensuring the independence and effectiveness of internal audit

Three lines independence of internal audit
  • LinkedIn (opens new window)
  • Twitter (opens new window)
By Steve Bruce CA

30 November 2017

Main points

  • Organisations asking their internal auditors to take on more responsibility may impact their independence and blur the lines of defence.
  • Such instances should be documented to include any mitigating factors and the positioning and governance of internal audit in the organisation.
  • The IIA has issued revised standards for internal auditors to protect their independence and objectivity along with a call for more guidance.

Following on from my previous article explaining the Three Lines of Defence model, this article focusses on action CAs in internal audit can take to demonstrate independence if their responsibility as the third line of defence becomes blurred with the first or second line.

The Chartered Institute of Internal Auditors (CIIA) highlighted this issue in a position paper titled The Three Lines of Defence. As a refresher, this paper also neatly summarises the three lines of defence model in the below diagram.

What are some of the extra roles and responsibilities performed by CAs in internal audit?

Management may request you to take on extra roles and responsibilities that traditionally lie outside the third line of defence in either the first or second line. Some examples are:

  • Managing whistleblowing arrangements;
  • Managing Business Continuity Planning arrangements;
  • Performing regular inspection work such as monthly monitoring testing, that possibly could be performed by other departments and which is different to your risk-based audits; and
  • Approving (signing-off) new projects or new business processes.

Management may also seek to combine the role of the Chief Audit Executive with other roles. For example, the Chief Audit Executive role is sometimes combined with the Head of Legal, Compliance or the CFO. In another scenario, the Chief Audit Executive can be asked to report to another department such as the CFO or Chief Legal Officer instead of, or in addition to the Board / Audit Committee.

Management might request that you carry out these tasks for the following reasons:

  • They trust and value your objective mindset and independent opinion;
  • They believe the most appropriate skillset and knowledge lies within internal audit; and
  • You may have capacity to take on additional work or could create capacity for example, by spending less time on risk-based audits.

Could this potentially impact CAs independence and effectiveness, or create that perception?

In short, yes.

For example, you decide to perform an audit of Business Continuity Planning but may already be managing that process on a day-to-day basis. Alternatively, you may decide not to audit Business Continuity Planning at all as you are already managing this process. There is a risk that you are checking your own work or it’s not checked at all.

There may be a reality or perception that internal audit inadvertently becomes part of the control environment instead of acting as an assurance function assessing and checking that control environment.

Consequently, existing problems or issues that should be identified and resolved for the organisation’s benefit may not be promptly identified or prioritised. You may be unwilling or unable to effectively identify and report issues on yourself.

The organisation’s reporting lines structure may potentially hamper your independence. For example, where the Chief Audit Executive is also the Head of Compliance, there may be a risk that an audit of the Compliance function is of limited scope or not performed at all, as the Head of Compliance does not want their function audited.

Separately, if the internal audit headcount remains the same and management requests audit to take on additional roles and responsibilities, then less time may be spent by internal audit on traditional third line risk-based audits, advisory services, risk assessments or continuous monitoring potentially reducing the overall effectiveness of the internal audit function.

How should you manage such situations?

Firstly, all internal audit functions should identify and document instances of any role or responsibility they undertake that lies outside of the traditional third line. You should then assess these instances to determine if your independence or effectiveness could be compromised to help prioritise areas of focus and for further discussion. As part of this assessment, you should document any mitigating factors such as Board oversight, outsourcing of audits, rotation of audit staff, or structure of your team.

The assessment document can be shared with management as transparency is important and it’s always useful to obtain different opinions. In addition, the assessment document and management’s views should ideally be presented for discussion at an Audit Committee or Board meeting. Best practice suggests that such a presentation and discussion should occur on a regular basis for example, annual, and included in the minutes.

Another point to consider is if the roles and responsibilities of internal audit are clearly stated, or need to be updated or clarified within the existing Internal Audit charter and the Audit Committee charter.

For some industries such as financial services, regulators are focussed on assessing the independence and effectiveness of Internal Audit and the above practice is something they may expect.

What next?

The 2017 paper states: ‘Changes to governance codes, standards, guidance or regulation should promote internal audit’s role as a core part of the third line of defence and must avoid undermining its unique position in monitoring and providing assurance on the management of risk. Demarcation between the third line of defence and the first two lines must be preserved to enable internal audit to provide an objective overview to the Board, independent of management, on the effectiveness of all risk management and assurance processes in the organisation.

To help internal auditors, the IIA published revised standards and guidance effective from January 2017, which was the subject of a previous ICAS article titled: Institute of Internal Auditors – Revised Standards 2017. Two new standards were issued and directly relate to the topics discussed in this article namely IIA Standard No. 1112 (Chief Audit Executive Roles beyond Internal Auditing) and No. 1130 (Impairment to Independence or Objectivity).

A position paper published in June 2017 by the IIA titled Independence and Objectivity said ‘IIA recognises that companies should be given flexibility to establish their internal audit arrangements according to their size and circumstance’. The paper also calls for other professional bodies, such as the FRC, to provide more detailed guidance on how independence and objectivity of internal auditors can be protected. If the internal audit function in your organisation is not currently considering and then discussing the issues in this article at either Board or Audit Committee level, it’s not too late to start.

modern office.jpg

Institute of Internal Auditors - Revised Standards 2017

By Alan Simpson CA

2 August 2017

2-23-marsh 2-23-marsh
ICAS logo

Footer links

  • Contact us
  • Terms and conditions
  • Modern slavery statement
  • Privacy notice
  • CA magazine

Connect with ICAS

  • Facebook (opens new window) Facebook Icon
  • Twitter (opens new window) Twitter Icon
  • LinkedIn (opens new window) LinkedIn Icon
  • Instagram (opens new window) Instagram Icon

ICAS is a member of the following bodies

  • Consultative Committee of Accountancy Bodies (opens new window) Consultative Committee of Accountancy Bodies logo
  • Chartered Accountants Worldwide (opens new window) Chartered Accountants Worldwide logo
  • Global Accounting Alliance (opens new window) Global Accounting Alliance
  • International Federation of Accountants (opens new window) IFAC
  • Access Accountancy (opens new window) Access Acountancy

Charities

  • ICAS Foundation (opens new window) ICAS Foundation
  • SCABA (opens new window) scaba

Accreditations

  • ISO 9001 - RGB (opens new window)
© ICAS 2022

The mark and designation “CA” is a registered trade mark of The Institute of Chartered Accountants of Scotland (ICAS), and is available for use in the UK and EU only to members of ICAS. If you are not a member of ICAS, you should not use the “CA” mark and designation in the UK or EU in relation to accountancy, tax or insolvency services. The mark and designation “Chartered Accountant” is a registered trade mark of ICAS, the Institute of Chartered Accountants of England and Wales and Chartered Accountants Ireland. If you are not a member of one of these organisations, you should not use the “Chartered Accountant” mark and designation in the UK or EU in relation to these services. Further restrictions on the use of these marks also apply where you are a member.

ICAS logo

Our cookie policy

ICAS.com uses cookies which are essential for our website to work. We would also like to use analytical cookies to help us improve our website and your user experience. Any data collected is anonymised. Please have a look at the further information in our cookie policy and confirm if you are happy for us to use analytical cookies: