We are picking up our previous discussion of audit committee priorities as we continue to answer your questions from our popular January 7 webinar, The 2016 Audit Committee Agenda. This blog series answers questions we were unable to address during the webinar.
In our first installment, we addressed questions regarding the relationship between the audit committee and independent auditors, new rules on lease accounting, and board-level engagement with cybersecurity. Part 2 of the series continued the cybersecurity discussion and focused on the opportunity for many organizations to add data analytics capabilities to their internal audit function.
The questions addressed here, in Part 3, pertain to fraud and the various lines of defense. Jim DeLoach provides the answers.
Q: Relative to other rising concerns (such as cybersecurity), is fraud less important than in previous years?
Jim: Fraud is, and always will be, a huge area for concern, particularly for public companies and not-for-profits dependent on continued funding, because of its impact on reputation and brand image. As fast-paced and globally connected as everything is today, and as many alternatives as there are for investors, money can move from one organization to another in a heartbeat. The reality is that capital flight from a company besieged by significant fraud can be brutal.
There are certain things investors take as a given about a company. They are going to inherently assume that its products are safe, that it complies with all applicable laws and regulations, and that people aren’t stealing from it. This understanding is often taken for granted, and therefore may not come up in conversation. But once the veil of that inherent presumption is pierced when a problem arises, then it’s going to be all that people talk about. Given that investors/donors can easily move their money elsewhere, a significant reputation hit from material fraud can mean “game over.”
Q: Aren’t the auditors the third line of defense?
Jim: If by auditors you mean external auditors, the answer is no. The third line of defense is internal audit, or the assurance function.
Those of us who spend a lot of time around internal auditors have become so familiar with the “three lines of defense” model for organizing risk management that we may not always explain it as well as we should.
The model, promulgated by The Institute of Internal Auditors, was designed to clarify the risk management responsibilities of internal auditors, as distinguished from those of independent risk oversight functions (the second line of defense), and the day-to-day risk mitigation efforts of operational management and staff whose activities create risk (the first line of defense).
In our fourth and last part of this discussion, we will address the critical importance of preparing now for pending changes in the revenue recognition rules.
I agree. In the three lines of defense model, the internal auditor should be in the 3rd line, risk management or quality assurance in the 2nd line of defense, and the process owner, who has day-to-day control, is the 1st line of defense.