Increasing regulatory attention has created a growing need across financial organizations to establish more formal coverage and independent assurance over their second-line control functions, such as Risk and Compliance. Typically considered the gate-keepers who calculate business risk and safeguard the firm against legal and regulatory violations, Risk and Compliance departments are increasingly undergoing a similar check and challenge by third-line Internal Audit.
Depending on the size of the organization and resources allotted to the second-line control functions, companies are allocating more third-line assurance professionals to continuously monitor or coordinate the timing and scope of Audit coverage with Risk and Compliance colleagues, which raises the question: How do second-line control functions and third-line internal audit operate effectively and efficiently without over-taxing front-line resources and causing Audit fatigue?
“It really needs to be a partnership, with the one line feeding the other,” said an Audit executive at a large foreign bank organization. “The more focus, the more assurance you’re going to get (but) you want to make sure the parties are all focused on the right things and working together. You don’t want duplication. You want coordination. You don’t want to put yourself in the place of second line functions.”
With that point of collaboration in mind, the Institute of Internal Auditors (IIA) updated the Three Lines of Defense Model last year to de-emphasize the original defensive approach and focus on more flexibility and cooperation between the three lines of defense.
In the IIA’s own words, “The new Three Lines Model helps organizations better identify and structure interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives.”
But what if your organization does not have strong flexibility and collaboration between functions? This will undoubtedly cause friction and tension between, say, Compliance departments and Audit, and it will also create significant strain on the business if the second-line control functions and Audit are duplicating testing and monitoring efforts, each in their own way.
From a talent perspective, there has been an increasing amount of cross-over of second-line Risk and Compliance professionals to third-line Audit, specifically at organizations under greater regulatory pressures. Similar to the transition in recent years of first-line business professionals to second-line control function roles, this movement “between the lines” may provide a stronger perspective from professionals who know what to look for and are better aligned in their controls assurance.