Fundamentals of Risk Management


Internal audit activities


tactics to be adopted by the organization. In some cases, audit of the treasury function 
is specifically outside the scope of an internal audit department in a large company. 
It will, therefore, be the external auditors that review and audit the treasury function.
Another weakness of the three lines of defence model is that it is more relevant to 
hazard (or operational) risks, including internal financial control. The three lines of 
defence model is also well suited to the governance of compliance risks. However, 
the audit committee generally does not audit the upside of risk, or seek to identify 
circumstances where opportunities have been missed. Therefore, it is possible that 
there will be a disconnect between the scope of work of the risk management and 
internal audit departments compared with the full range and scope of enterprise risk 
management activities.
Another aspect of the three lines of defence relates to the particular role and status 
of the board of directors. The board provides assurance, but the board is not usually 
identified as a line of defence. In fact, the board both receives assurance as a stakeholder 
group and provides assurance to other stakeholders, including external stakeholders. 
The board will receive assurance from departments inside the organization, as well 
as receiving assurance from outside, including external auditors.
The three lines of defence model is well established, but sometimes, it is extended 
to five lines of defence by showing external audit as the fourth line and regulators as 
the fifth line. However, this does not represent the five lines of assurance approach
as it is currently being developed. In order to enhance the effectiveness of the three 
(or five) lines of defence model, the alternative approach of the five lines of assurance 
has been put forward.
The five lines of assurance model suggests the following sources of assurance:

• The board of directors with overall responsibility for ensuring that effective
  risk management processes are in place and the other lines are managing risk
  to within appetite.

• Senior executives and senior managers with overall responsibility for building
  and maintaining a robust risk management process and delivering reliable
  information on the principal risks.

• Business unit leaders with assigned ownership or responsibility for reporting
  on specific risks, and ensuring resources are protected and objectives are
  being achieved.

• Specialist units providing expertise on specific types of risk, such as treasury,
  safety, environment, legal and insurance with responsibility for related risk
  management processes.

• Internal audit activities, providing independent and timely information to the
  board on reliability of the risk management processes in the organization and
  producing consolidated reports.
Inevitably, there are variations on the format described above and different
organizations will develop a structure for the five lines of assurance that suits their specific
needs. The main enhancement to the three lines of defence model, as provided by the 
five lines of assurance model, is that the first line of defence is divided into the board, 
senior executives and business unit leaders, each of these identified groups being
responsible for providing assurance in relation to their allocated responsibilities.


