Why Internal Audit?
We are often asked about the ‘Three Lines of Defence’ model and why boards and regulators are so focused on it. Simply put, the ‘Three Lines of Defence’ is the method used by organisations to describe the roles and responsibilities of stakeholders relating to the organisation’s framework for governance and risk management.
1st Line of Defence
Consists of the executive management team and functional areas within the business that are responsible for the day-to-day ownership and management of risks.
Key players: First line of defence functions report into the Chief Executive Officer, often via other C-suite 1st line positions or departmental heads e.g. CFO, COO etc.
2nd Line of Defence
Responsible for establishing an appropriate and effective risk management framework and for ensuring ongoing oversight and challenge to risk management across the business.
Key players: The 2nd line of defence is provided by the Compliance and Risk function, headed by the Chief Risk Officer (CRO) or Chief Compliance Officer (CCO). The CRO/CCO typically reports into one or more of the CEO, the Chairman of the Board or the Risk Committee Chair, depending on the underlying governance model adopted by the firm.
3rd Line of Defence
Provides independent assurance on the appropriateness and effectiveness of controllership across the business, the effectiveness of risk management activity (undertaken by the first and second lines) and the overall effectiveness of governance.
Key players: The 3rd line of defence is the Internal Audit function headed by the Chief Internal Auditor/Head of Internal Audit, who reports directly into the Board/Audit Committee Chair.
In our experience, many businesses either overlook the potential of their Internal Audit (IA) or omit it altogether. This is particularly true when an IA function is not mandated by the regulator, as is typically the case for the Trust and Corporate services sector.
According to the Institute of Internal Auditors Standards, “Internal Audit is responsible for providing independent and objective assurance over key and material organisation risks to ensure that the controls are designed and operating effectively to help organisations achieve their business strategy and objectives”. This forms a valuable supplement to the first two lines of defence, which are more directly integrated into the business. As such, an effective IA function can provide independent insights, identifying potential issues before they result in reputational and/or financial damages. In other words, it provides additional preventative and detective checks and balances.
Opportunities for Internal Audit to provide value for Trust and Corporate Services providers
In recent years, IA has evolved to be proficient in areas such as data analysis, robotic process automation and emerging topics (e.g. ESG). However, businesses may be reluctant to invest in the third line of defence without a clear vision of how the function will add value. An effective IA function can assist Trust and Corporate Service providers in the following areas:
| Independent opinion | Providing independent and objective challenge of key business decisions |
| Readiness | Assisting in compliance and readiness for regulatory developments and inspections |
| Comfort and assurance | Providing additional comfort to buyers in the case of deal transactions, along with being a requirement if a business intends to undertake a listing on a recognised stock exchange |
| Increase visibility and drive change | Enabling the board, audit committee and executive management to gain visibility and drive progressive changes on key processes, controls and issues affecting the organisation |
| Improve risk management | Improving management and control of material risks across the organisation, through developing and assessing a robust and effective control framework, which also acts to reduce errors and operational losses |
| Provides strategic insight | In a KPMG survey*, 33% of companies surveyed responded that their IA insights enabled them to focus on sustainable profit generation |
Developing an Internal Audit function
Establishing an IA function from a standing start can be challenging, particularly with the resource constraints experienced in the Crown Dependencies markets. However, it is not necessary for the entire IA function to be performed in-house; hence, local businesses can consider either:
- Outsourcing: All IA services are provided by an external professional services firm. This allows for the function to be performed by experts, with quality assured by the service provider.
- Co-Sourcing: A professional services firm collaborates with the organisation to fill skills and resources gaps identified in the organisation’s IA function. This allows access to external experts while retaining control in-house. Alternatively, co-sourced experts may be used for undertaking one-off assignments or to train the organisation’s IA function, serving as a ‘bridge’ to a full in-house IA team.
Market trends indicate that use of an IA function is becoming more common, and we expect this to become industry standard over the next 3-5 years for the Trust and Corporate Services sector.
Please contact Linda Johnson in Guernsey or Alexandra Reip in Jersey if you would like to know more.