The IIA’s New Three Lines of Defense Model Misses The Mark
“Life is really simple, but we insist on making it complicated.”
“One day I will find the right words, and they will be simple.”
― Jack Kerouac, The Dharma Bums
Corporate governance and compliance is not as hard as everyone tries to make it. Much of management theory, risk management, and theories surrounding corporate operations is intuitive.
Be wary of those who try to complicate issues, especially when it comes to professionals. We all bear some responsibility when it comes to legal, compliance, forensic accounting, management and other professional services. We have a duty to provide practical advice that is accessible and easily applied to specific problems.
Professionals that follow this basic axiom provide important support and advance the cause of corporate governance. Professionals that complicate the issue by developing complex (and oftentimes incomprehensible) solutions and then solving their self-created complicated answer are doing their profession and their clients a serious disservice.
The Institute of Internal Auditors recently announced revisions to its three-lines of defense model for corporate governance and risk management. The IIA has adopted a new framework with little justification, and in the end, has hurt its credibility. In doing so, the IIA has acted contrary to the interests of Internal Auditors and the ongoing evolution of Internal Auditors as critical actors in the corporate governance framework. Internal Auditors should summarily reject the IIA’s recent action and frankly look to make serious changes to the IIA and replace the IIA with a new leadership vehicle that accurately reflects the Internal Auditor profession.
My criticism is not just limited to recent arguments made by Jonathan Marks and Nicole Di Schino that the IIA’s new model removed compliance as a key player in its overall corporate governance and risk management framework. Marks points out that the IIA’s new model diminishes the role of the chief legal officer and the chief compliance officer. Di Schino argues that the IIA model “undervalues” the compliance function.
Let me put it a little more bluntly – the IIA’s transparent attempt to elevate the importance of the Internal Audit function at the expense of proactive legal, ethics and compliance roles reflects a fundamental misunderstanding of the last twenty years of corporate governance innovation. The IIA’s revised model should be ignored and relegated to the ash heap of bad ideas.
The IIA’s model ignores the critical importance of a corporation’s ethical culture as its most important control and risk mitigation strategy. I will not repeat the overwhelming evidence that corporations that promote and protect their respective ethical cultures perform better than companies that ignore their culture. Ethical companies are more financially sustainable than unethical companies.
Contrary to the IIA’s suggestion, the role of compliance is not limited to ensuring legal and regulatory compliance. To the contrary, the chief ethics and compliance function is responsible for promoting a company’s culture. The CECO is the steward of the company’s culture with the assistance and support of senior management.
The IIA model ignores this basic function and its critical role in the corporate governance framework. Corporate boards, CEOs and senior executives know that a company’s ethical culture is its most valuable intangible asset, and for that reason, should be committed to elevating and supporting the ethics and compliance function.
The IIA model expands the role of Internal Auditors by add Internal Audit to frontline risk management responsibilities with senior management. Under the IIA model, Internal Auditors should assist senior management in identifying and managing business risks while serving as an important, independent check in the third line of defense through audits and reviews of corporate activities. The obvious contradiction in these dual roles subverts basic internal audit responsibilities.
Perhaps more significantly, the new IIA model ignores an important partnership between ethics and compliance and internal audit as independent voices in the corporate governance landscape responsible for ensuring effective operation of internal financial and compliance controls. The corporate board depends on this alliance to obtain accurate information concerning the operation of corporate internal controls. Compliance and Internal Auditors are an important check on senior management and undermining this partnership by diminishing the role of compliance and improperly extending internal audit into frontline risk management would be a disaster.
Internal auditors provide invaluable protections against corporate misconduct and financial failures. The Sarbanes-Oxley Act transformed the internal audit function as guardians of the accuracy of corporate financial reporting. There is no reason to dilute this important role, particularly at the expense of an effective and vibrant ethics and compliance function.