Utfordringer med de tre forsvarslinjer
Utfordringer med de tre forsvarslinjer Norges Interne Revisorers Forening 31. mai 2016 Prof. Flemming Ruud, PhD, Statsautorisert revisor Handelshøyskolen BI, Oslo University St. Gallen, Sveits [email protected] Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 2 The Three Lines of Defense Model – - “tre forsvarslinjemodellen” Governing Body / Board / Audit Committee Senior Management 3rd Line of Defense Financial Control Security Management Controls Internal Control Measures Risk Management Quality Internal Audit Compliance … (IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, 2013, p. 2) Regulator 2nd Line of Defense External Audit 1st Line of Defense Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 3 Innhold • Modell – forenkling av virkeligheten – Presentiøs fremstilling…? • Risiko management - reduksjon • Terminologi - forsvar vs. beskyttelse • Skille vs. samarbeid • Valg av variabler i modellen • «Continuous auditing» - eller monitoring, eller 1. linje? • Videre utvikling – nye elementer eller variabler? • Oppsummering Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 4 Leveraging COSO across the Three Lines of Defense Thought Paper of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2015 SUPPORT Governance Structures How the organisation assigns specific tasks and responsibilities in internal control (COSO, Leveraging COSO Across the Three Lines of Defense, 2015) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 5 Leveraging COSO across the Three Lines of Defense Thought Paper of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2015 SUPPORT Governance Structures How the organisation assigns specific tasks and responsibilities in internal control (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, S. 4) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 6 Leveraging COSO across the Three Lines of Defense (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, S. 5) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 7 Leveraging COSO across the Three Lines of Defense (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, S. 7) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 8 Flere 2. linjefunksjoner • • • • • • • • • • • • Risk Management Information Security Financial Control Physical Security Quality Health and Safety Inspection Compliance Legal Environmental Supply chain Other (depending upon industry-specific or company-specific needs) (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, S. 6) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 9 Og som … • • • • • • • • Assisting management in design and development of processes and controls to manage risks Defining activities to monitor and how to measure success as compared to management expectations Monitoring the adequacy and effectiveness of internal control activities Escalating critical issues, emerging risks and outliers Providing risk management frameworks Identifying and monitoring known and emerging issues affecting the organization’s risks and controls Identifying shifts in the organization’s implicit risk appetite and risk tolerance Providing guidance and training related to risk management and control processes (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, S. 6) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 10 Leveraging COSO across the Three Lines of Defense (COSO, Leveraging COSO Across the Three Lines of Defense, 2015, S. 8) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 11 Forsvar vs. risikoreduksjon vs. in control • Den iboende risikoen i verdikjeden blir redusert gjennom de Restrisiko Internes Audit 3rd Line of Defense … Qualitätssicherung Compliance Risikomanagement 2nd Line of Defense Interne Steuerung und Kontrolle Management Control 1st Line of Defense Iboende risiko tre forsvarslinjene Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 12 In Control Attention Radar Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 13 Internal Control • Directive Controls: Support the achievement of objectives • Preventive Controls Design − − − Checking − Prevent non-beneficial behavior or events Organizational measures: Control effected by the company itself in terms of separation of functions, design of work processes Organizational tools: Plan of the organization, plan of processes, plan of functions, guidance, time stamp, signatory power Technical tools: Securities, IT controls • Detective Controls: designed to detect misstatements or omissions as soon as possible • Corrective Controls: designed to re-align the actual state with the target state Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 14 «Defense» - Forsvar • Betydning av “forsvar”: • Fransk; Defense som stammer fra latin; Defensa – «Protection» 1. Beskytte seg mot angrep; Angrep fra noen / forhindre noe 2. Argumentere for en person, sak - som er utsatt for kritikk 3. I en rettssak - anklaget i en straffesak forsvare seg i en rettssak (Bibliografisches Institut, 2013) 4. Sport … • Forsvare hvem - seg mot hvem? • • • • • – ? Ledelsen? Styret? Eiere Kreditorer? Ansatte Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 15 Forsvar vs. verdiskapning • “Forsvar vs. Defense” – Lingvistiske aspekter • Verdiskapende – merverdiskapning i intern revisjon (3rd linje) og risk management funksjoner (2nd linje) Lines of Control? Lines of Responsibility? 3rd Line-Assurance? • Tradisjonelt tankemønster • • • – Intern revisjonen som “politi” for ledelse og styre? Gammeldags bilde av intern revisjonen? Fra «compliance revisjoner til strategic assurance» (Austbø, Statoil) Alternativ til tilbakeskuende – «offense»? • Se mer «upstream» og mindre «downstream» (May Ibsen) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 16 Adskilte vs samarbeidende funksjoner - Objektivitet vs uavhengighet Governing Body / Board / Audit Committee Senior Management 3rd Line of Defence Financial Control Security Management Controls Internal Control Measures Risk Management Quality Regulator 2nd Line of Defence External Audit 1st Line of Defence Internal Audit Compliance … (Adapted from IIA Position Paper: The Three Lines of Defence in Effective Risk Management and Control, 2013, p. 2) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 17 Integrated Assessment and Assurance – Zurich Financial Services (Zurich Financial Services, Annual Report 2014, p. 56) Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 18 Utviklingen av The Three Lines of Defense-Model Board of Directors / Audit Committee Senior Management 1st line : Value generation Controls embedded in operational processes 2nd line : Strategy & Policies Definition and organization of systems Risk management : protection, prevention & transfer actions Risk management : Definition of ERM system Definition of risk policies, risk appetite Reporting to governance bodies Internal controls : Key controls Internal control : Definition of IC system Choice of critical processes & key controls Reporting to governance bodies Ethics & Compliance : Implementation of whistle blowing Ethics & Compliance: Definition of E&C system Reporting to governance bodies External certifications : Operational controls linked to : QSE, Basel 2, … External controls Definition of certification policy Reporting to governance bodies 3rd line : Assessment of control environment Internal audit Assessment of processes Testing External audit Assessment of processes Testing Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 19 Utviklingen av „The Three Lines of Defense-Model“ Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 20 Utviklingen av Three Lines of Defense-Model Board of Directors / Audit Committee Senior Management 1st Line of Defense 2nd Line of Defense 3rd Line of Defense Supervisory Authority Others External Audit Risk Management Internal Audit Risk Management and Internal Control procedures, built into business processes Operational And Supporting Functions Compliance Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 21 The Three Lines of Defense Model – - hva med dataanalyser og kontinuerlig revisjon? Governing Body / Board / Audit Committee Senior Management 3rd Line of Defense Financial Control Security Management Controls Internal Control Measures Risk Management Quality Internal Audit Compliance … “Big data… Analytics… Continuous auditing…”??? Regulator 2nd Line of Defense External Audit 1st Line of Defense Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 22 Nature of work – governance, risk management, and control processes The IAA should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: • Promoting appropriate ethics and values within the organization. • Ensuring effective organizational performance management and accountability. • Effectively communicating risk and control information to appropriate areas of the organization. • Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management. Governance Processes (2110) Risk Management Processes (2120) Control Processes (2130) The internal audit activity should evaluate risk exposures relating to the organization’s governance, operations, and information systems; .....and based on the risk assessment ... Evaluate the adequacy and effectiveness of controls ... • Achievement of the organization’s strategic objectives • Reliability and integrity of financial and operational information; • Effectiveness and efficiency of operations; • Safeguarding of assets; and • Compliance with laws, regulations, and contracts. Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 23 Vekst Intern revisjon - utvikling Update Update COSO NUES / Internal Control (2013) Swiss Code (2014) Basel Committee: The internal audit COSO function in banks (2012) ERM Standard 2110 (2004) NYSE Listing Rules: Section 303A.07(d): "Each listed company must have an internal audit function.“ (2003) Ongoing Compliance Introduction SOX Compliance (2002) Governance Basel Committee: Risk Internal audit in banks and the supervisor's relationship with audit (2001) COSO Internal Control (1992) Internal Control over Financial Reporting Control Governance prosesser Risiko management prosesser Standard 2120 Interne styringsog kontrollprosesser Standard 2130 Financial Reporting Re-Performance Operations Compliance 1990 ? Quo vadis 2000 2010 2020 Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 24 Tre forsvarslinje modell – Prosessorientert Overordnet uttalelse - «Helhetlige bekreftelser» Shareholders Legislation Investors Government Other Stakeholders Nomination BoD Remuneration Audit Vision External Audit Objectives 1st Line 3rd LineAssurance Strategies Controlling Suppliers Compliance Customers Value Adding Process Risk Management Employers Indicators Quality Management Signals 2nd Line Risk Management and Internal Control Accountability Direction CEO Committee Prof. T. F. Ruud, PhD Utfordringer med tre forsvarslinjemodellen IIA-NO, 31. mai 2016 Slide 25 Development and Current State of Internal Auditing “Internal auditing has got to be the coolest profession in the world.” (Tom Peters, The Institute of Internal Auditors – International Conference, Orlando, 2013) Tom Peters (*November 7, 1942) • • American “management guru” and writer on business management practices; Co-author (with Robert H. Waterman, Jr.) of best-seller “In Search of Excellence”, 1982
© Copyright 2024