Fundamental 1: The three lines

The Institute of Internal Auditors (IIA) has developed a framework called the ‘three lines model’ that makes it clear that it is the role of staff and managers (in the first line) and specialist functions (e.g., Finance, IT, Legal etc., in the second line) to set objectives (approved by governance bodies such as the board) and then to put in place processes and procedures that ensure that these goals are met and that any risks are managed to within agreed limits. 

This means that the first and second lines need to check what they are doing as they go, and report any key problems upwards in real time, not after the event. 

So, when thinking about the role of internal audit (IA), it is critical to recognise it comes in as a third line to provide advice or assurance to senior management and the board on selected key risk areas of particular importance, but not simply to be a substitute for what should already be happening in the first and second lines. 

This is set out in the following ‘three lines’ diagram, promoted by the IIA: 

[Diagram: the IIA three lines model]

Have a documented internal audit planning process 

To establish a proper basis for the deployment of internal resource as a third line function, it is a requirement of the new Global Internal Audit Standards (GIAS) that the internal audit plan is developed in accordance with a documented methodology. An example of a documented methodology is set out in the diagram below: 

[Diagram: example of a documented internal audit planning methodology]

Here it’s clearly important to gather some sort of assessment of potential assurance requirements from key stakeholders through an Assurance Needs Assessment (ANA), but this needs to be complemented by carefully considering alternative sources of assurance (in lines 1 and 2) rather than simply relying on IA (in line 3).

Recognise various assurance options are possible

Thus, options for assurance can include 

  • Manager assurances (e.g., concerning the management of a project), which may be supplemented by specialist input (e.g., a consultant working on a project)
  • Second line assurances (e.g., the CISO concerning cyber security arrangements), which again may be supplemented by external support (e.g., a consultant who specialises in ethical hacking)
  • Third line assurances – either across a broad range of risk areas or a very narrow area (which will depend on the precise assurance need). This can include double-checking or validating the assurances already provided by lines 1 and 2.

Thinking carefully about specific resource needs

When it is agreed that IA should do work in a particular area, it will need to establish that it has the right quantity and quality of resources, depending on factors such as 

  • The nature of the risk(s) involved
  • The risk appetite threshold/criteria by which to judge the area
  • The breadth and complexity of any processes, systems, data sets, functions and locations involved
  • The skills and experience of the IA team. 

Consequently, IA teams nowadays often recruit non-finance staff to supplement their finance and internal audit skills, and ask for consulting support or for guest auditors or guest advisors (from within the organisation), to make sure they have the ability to judge things appropriately.

Given all the foregoing, IA plans require: 

  • A risk-based approach
  • Co-ordination with (and sometimes reliance on) other sources of assurance
  • The right level of resourcing to deliver the plan properly.

Audit plans will encourage strategic thinking about the future direction of the IA team

Thus, preparing an IA plan will often raise strategic questions about the role and future plans of the IA team (e.g., is the need for additional support going to be temporary or likely to repeat in future assignments?). 

For this reason, IA teams are now required under the new IIA GIAS to develop an audit strategy that makes clear IA’s requirements in terms of: 

  1. Financial resources, 
  2. HR resources (which may involve recruitment and co-sourcing but also training and development programmes for the IA team), and 
  3. Technological resources (e.g., the use of data analytics, Machine Learning and Artificial Intelligence etc.).

Further specific considerations: 

Outsourcing and co-sourcing

When managing co-sourced or out-sourced relationships to support IA:

  • tender for specialist suppliers suitably balancing cost and quality considerations
  • ensure robust and clear contracts are in place, with requirements covering pricing, confidentiality, data security, ownership of intellectual property and working papers, dispute resolution, and exit terms
  • establish clear operating procedures and approval processes to ensure that each assignment is delivered in accordance with expectations.

Knowledge management/Training and development 

Sometimes it’s important that IA team members develop the skills, experience and knowledge to help them work on new areas. 

The following points are useful to remember when developing in-house skills:

  • have a structured appraisal and performance management process (note the IIA has a structured competency framework that explains key IA skills areas and different competency levels)
  • offer training and coaching at an individual level (e.g., influencing and political savvy) but also in relation to the working of the whole IA team (e.g., high performing team skills)
  • sometimes it’s better to recognise that external, specialist consultants are the best option for a high-quality assignment (e.g., Cyber risk, IT General Controls, Assurance Mapping and Auditing Culture)
  • joint delivery of reviews with other assurance functions or co-sourced providers can facilitate knowledge transfer to IA team members (and helps IA team members better understand how those functions work)
  • organise regular assignment learning reviews and encourage an open approach to what went well and what could have been done better.