Challenges with the three lines of defense

Norges Interne Revisorers Forening (IIA Norway)
31 May 2016
Prof. Flemming Ruud, PhD, State Authorised Public Accountant
Handelshøyskolen BI, Oslo
University of St. Gallen, Switzerland
flemming.ruud@bi.no
Prof. T. F. Ruud, PhD
Challenges with the three lines of defense model
IIA-NO, 31 May 2016
Slide 2
The Three Lines of Defense Model (Norwegian: tre forsvarslinjemodellen)
Figure: the Three Lines of Defense model. Governing Body / Board / Audit Committee; Senior Management; 1st Line of Defense: Management Controls, Internal Control Measures; 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Compliance, …; 3rd Line of Defense: Internal Audit; alongside External Audit and Regulator.
(IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, 2013, p. 2)
Slide 3
Contents
• Model: a simplification of reality; a pretentious presentation…?
• Risk management: reduction
• Terminology: defense vs. protection
• Separation vs. collaboration
• Choice of variables in the model
• "Continuous auditing", or monitoring, or 1st line?
• Further development: new elements or variables?
• Summary
Slide 4
Leveraging COSO across the Three Lines of Defense
• Thought Paper of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2015
• SUPPORT Governance Structures
• How the organisation assigns specific tasks and responsibilities in internal control
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015)
Slide 5
Leveraging COSO across the Three Lines of Defense
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 4)
Slide 6
Leveraging COSO across the Three Lines of Defense
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 5)
Slide 7
Leveraging COSO across the Three Lines of Defense
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 7)
Slide 8
Additional 2nd-line functions
• Risk Management
• Information Security
• Financial Control
• Physical Security
• Quality
• Health and Safety
• Inspection
• Compliance
• Legal
• Environmental
• Supply chain
• Other (depending upon industry-specific or company-specific needs)
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 6)
Slide 9
And which …
• Assist management in the design and development of processes and controls to manage risks
• Define activities to monitor and how to measure success as compared to management expectations
• Monitor the adequacy and effectiveness of internal control activities
• Escalate critical issues, emerging risks and outliers
• Provide risk management frameworks
• Identify and monitor known and emerging issues affecting the organization's risks and controls
• Identify shifts in the organization's implicit risk appetite and risk tolerance
• Provide guidance and training related to risk management and control processes
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 6)
Slide 10
Leveraging COSO across the Three Lines of Defense
(COSO, Leveraging COSO Across the Three Lines of Defense, 2015, p. 8)
Slide 11
Defense vs. risk reduction vs. in control
• The inherent risk in the value chain is reduced through the three lines of defense
Figure: inherent risk is reduced to residual risk across the 1st Line of Defense (Management Control; Internal Management and Control), the 2nd Line of Defense (Risk Management, Compliance, Quality Assurance, …) and the 3rd Line of Defense (Internal Audit).
Slide 12
Figure: In Control; Attention; Radar
Slide 13
Internal Control
• Directive Controls: Support the achievement of objectives
• Preventive Controls: Prevent non-beneficial behavior or events
  Design:
  − Organizational measures: Control effected by the company itself in terms of separation of functions, design of work processes
  − Organizational tools: Plan of the organization, plan of processes, plan of functions, guidance, time stamp, signatory power
  − Technical tools: Securities, IT controls
  Checking:
  −
• Detective Controls: designed to detect misstatements or omissions as soon as possible
• Corrective Controls: designed to re-align the actual state with the target state
Slide 14
"Defense" (Norwegian: forsvar)
• Meaning of "defense":
• French défense, from Latin defensa: "protection"
1. To protect oneself against attack; an attack from someone / to prevent something
2. To argue for a person or a cause that is under criticism
3. In a court case: the accused in a criminal case defends himself in court
(Bibliografisches Institut, 2013)
4. Sport …
• Defend whom, and against whom?
  • Management?
  • The board?
  • Owners
  • Creditors?
  • Employees
  – ?
Slide 15
Defense vs. value creation
• "Forsvar vs. defense": linguistic aspects
• Value-creating: added value in internal audit (3rd line) and risk management functions (2nd line)
  • Lines of Control?
  • Lines of Responsibility?
  • 3rd Line Assurance?
• Traditional pattern of thinking
  • Internal audit as the "police" for management and the board?
  • An outdated image of internal audit?
  • From "compliance audits to strategic assurance" (Austbø, Statoil)
  – An alternative to looking backwards: "offense"?
• Look more "upstream" and less "downstream" (May Ibsen)
Slide 16
Separate vs. collaborating functions: objectivity vs. independence
Figure: the Three Lines of Defence model. Governing Body / Board / Audit Committee; Senior Management; 1st Line of Defence: Management Controls, Internal Control Measures; 2nd Line of Defence: Financial Control, Security, Risk Management, Quality, Compliance, …; 3rd Line of Defence: Internal Audit; alongside External Audit and Regulator.
(Adapted from IIA Position Paper: The Three Lines of Defence in Effective Risk Management and Control, 2013, p. 2)
Slide 17
Integrated Assessment and Assurance –
Zurich Financial Services
(Zurich Financial Services, Annual Report 2014, p. 56)
Slide 18
The development of the Three Lines of Defense model
Board of Directors / Audit Committee
Senior Management
1st line: Value generation; controls embedded in operational processes
• Risk management: protection, prevention & transfer actions
• Internal controls: key controls
• Ethics & Compliance: implementation of whistle blowing
• External certifications: operational controls linked to QSE, Basel 2, …
2nd line: Strategy & Policies; definition and organization of systems
• Risk management: definition of ERM system; definition of risk policies, risk appetite; reporting to governance bodies
• Internal control: definition of IC system; choice of critical processes & key controls; reporting to governance bodies
• Ethics & Compliance: definition of E&C system; reporting to governance bodies
• External controls: definition of certification policy; reporting to governance bodies
3rd line: Assessment of control environment
• Internal audit: assessment of processes; testing
• External audit: assessment of processes; testing
Slide 19
The development of "The Three Lines of Defense Model"
Slide 20
The development of the Three Lines of Defense model
Figure: Board of Directors / Audit Committee; Senior Management; 1st Line of Defense: operational and supporting functions, with risk management and internal control procedures built into business processes; 2nd Line of Defense: Risk Management, Compliance, Others; 3rd Line of Defense: Internal Audit; alongside External Audit and Supervisory Authority.
Slide 21
The Three Lines of Defense Model: what about data analytics and continuous auditing?
Figure: the Three Lines of Defense model (Governing Body / Board / Audit Committee; Senior Management; 1st Line of Defense: Management Controls, Internal Control Measures; 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Compliance, …; 3rd Line of Defense: Internal Audit; alongside External Audit and Regulator), overlaid with the question "Big data… Analytics… Continuous auditing…"???
Slide 22
Nature of work: governance, risk management, and control processes
Governance Processes (2110); Risk Management Processes (2120); Control Processes (2130)
The IAA (internal audit activity) should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems; ..... and based on the risk assessment ... evaluate the adequacy and effectiveness of controls ...
• Achievement of the organization's strategic objectives
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.
Slide 23
Growth: the development of internal audit
Figure: timeline of internal audit development from 1990 to 2020 ("Quo vadis?"), with the recoverable milestones:
• COSO Internal Control (1992); Internal Control over Financial Reporting
• Basel Committee: Internal audit in banks and the supervisor's relationship with audit (2001)
• Introduction of SOX compliance (2002)
• NYSE Listing Rules, Section 303A.07(d): "Each listed company must have an internal audit function." (2003)
• COSO ERM (2004)
• Basel Committee: The internal audit function in banks (2012)
• Update of COSO Internal Control (2013)
• NUES / Swiss Code (2014)
• Standards: Governance processes (Standard 2110); Risk management processes (Standard 2120); Internal management and control processes (Standard 2130)
• Themes: Financial Reporting, Operations, Compliance; Re-performance; ongoing Compliance, Governance, Risk, Control
Slide 24
Three lines of defense model: process-oriented
Overall statement: "integrated assurance"
Figure: stakeholders (Shareholders, Investors, Government, Legislation, Other Stakeholders) above the BoD with its Nomination, Remuneration and Audit committees and the CEO Committee; Vision, Objectives and Strategies give Direction, while Indicators and Signals give Accountability. The Value Adding Process runs from Suppliers to Customers (with Employers) and forms the 1st Line. The 2nd Line (Risk Management and Internal Control) comprises Controlling, Compliance, Risk Management and Quality Management. The 3rd Line (Assurance) sits alongside External Audit.
Slide 25
Development and Current State of Internal Auditing
"Internal auditing has got to be the coolest profession in the world."
(Tom Peters, The Institute of Internal Auditors International Conference, Orlando, 2013)
Tom Peters (born November 7, 1942)
• American "management guru" and writer on business management practices; co-author (with Robert H. Waterman, Jr.) of the best-seller "In Search of Excellence", 1982