making internal audit a value added partner
by Shipra Khandelwal
changing role “In this world nothing can be said to be certain, except death and taxes”, Benjamin Franklin wrote in 1789. If he was alive now, he might have added auditors to the list. Governance in the financial industry is being set up as three lines of defense, where the first line is business units, who are the creators and owners of risk. The second line is the risk management and compliance functions, which are responsible for monitoring and controlling the first line. Lastly, the third line is the Internal Audit function, whose primary objective is to provide independent assurance that an organization’s risk management, governance and internal control processes are operating effectively. Since Internal Audit is an independent unit, it reports directly to the board of directors and audit committee. While the third line internal audit function is fully independent, it still looks at governance in a piecemeal fashion. The focus is on whether individual units are meeting their laid-down processes and controls, and if these processes and controls are effective. The role of internal audit has changed with time. As demonstrated in Table 1 below, nowadays the FSB wants internal audit to go beyond this remit to produce an opinion on whether the whole risk governance framework seems appropriate, which is much more judgmental. Table 1: Responsibilities of the three lines of defence under FSB recommendations (FSB 2013a)
Intelligent Risk - February 2022
027