BACKGROUND PAPERS
ABSTRACT
Background Papers are provided in advance of Global Council to provide comprehensive information on each of the topics to be discussed during the event.
1
2019 GLOBAL COUNCIL BACKGROUND PAPERS
Table of Contents
AGENDA (page 2)
2019 GLOBAL COUNCIL OVERVIEW (pages 3–4)
BACKGROUND PAPER 1: GLOBAL ASSEMBLY (pages 5–10)
BACKGROUND PAPER 2: THREE LINES OF DEFENSE (pages 11–15)
BACKGROUND PAPER 3: GLOBAL CONTENT STRATEGY (pages 16–19)
APPENDIX: COMPLETE RESPONSES FROM ADVANCE POLLING QUESTIONNAIRE, CURRENT THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL (pages 20–40)
Agenda
Sunday, 17 March 2019
12:00–17:00 Registration
09:00–15:00 Affiliate Management Workshop (by invitation only)
18:00–20:00 Welcome Reception
Monday, 18 March 2019
07:15–08:15 Registration
08:30–10:00 Opening Session
10:00–10:30 Break
10:30–12:30 Breakout Discussion Session 1: Global Assembly
12:30–13:30 Lunch
13:30–15:30 Breakout Discussion Session 2: Three Lines of Defense
15:30–16:00 Break
16:00–17:00 Knowledge Exchange Session
18:30–21:30 Transportation to Cultural Evening and Dinner Hosted by IIA–Japan
Tuesday, 19 March 2019
08:30–10:00 General Session: The Global State of the Profession & Trends Impacting the Profession
10:00–10:30 Break
10:30–12:30 Breakout Discussion Session 3: Global Content Strategy
12:30–13:30 Lunch
13:30–15:00 Knowledge Exchange Session
15:00–15:30 Break
15:30–17:00 Closing Session: The Year Ahead
Wednesday, 20 March 2019
07:30–16:00 Transportation to Cultural Tours Hosted by IIA Japan (groups depart/return at different times)
All meetings will be held at the Hilton Tokyo Odaiba in Tokyo, Japan.
OVERVIEW
The IIA’s annual Global Council brings together IIA leaders from around the world to contribute insights
that shape the future of our global organization and profession, to learn about key global strategies, and
to share knowledge with each other. Leveraging The IIA’s 100+ Affiliates’ differences in membership
sizes, levels of maturity, and ranges of activities, the Global Council serves as a platform where each
Affiliate’s contributions add to the capacity, depth, and diversity of The IIA’s global network, propelling the
association forward.
OPENING SESSION
Following the traditional roll call of all Affiliates present and a special welcome from IIA–Japan, The IIA’s
2018–19 Chairman of the Global Board, Naohiro Mouri, CIA, will officially open and preside over 2019
Global Council. The Opening Session will include an update on key efforts conducted since the 2018
Global Council, in Panama City, where delegates discussed the 2019–23 Global Strategic Plan.
BREAKOUT DISCUSSION SESSIONS
Breakout Discussion Sessions will be held on each of the 2019 Global Council topics:
1. Global Assembly,
2. Three Lines of Defense, and
3. Global Content Strategy.
The sessions are supported by a facilitator and a note taker from The IIA’s Executive Committee and IIA
staff. During the sessions, participants are seated either randomly or by Affiliate size/maturity at
roundtables of seven to eight participants. Table participants change for each session, and
representatives from the same Affiliate will be seated at different tables.
During these sessions, participants will have two hours to debate and share their views on the Discussion
Questions included in the Background Papers (below). The discussions are intended to collect input and
ideas from all participants, to generate debate, and ultimately, to provide collective, agreed-upon
suggestions, recommendations, and direction in answer to the discussion questions. So while each
participant will come to the Global Council prepared with their Affiliate’s views and ideas, it is expected
that additional, unique insights will be gained from the collective sharing and exchange that occurs during
the Breakout Discussion Sessions.
GENERAL SESSION
During the General Session, IIA President and CEO Richard Chambers will present the Global State of
the Internal Audit Profession and will host the discussion “Trends Impacting the Profession,” featuring a
panel of industry experts from around the world.
KNOWLEDGE EXCHANGE SESSIONS
Two Knowledge Exchange Sessions will give delegates opportunities to learn, share, and build relations
with other Global Council participants. These fun, engaging sessions include a variety of activities and
contests that will give everyone a chance to participate and win prizes!
SOCIAL EVENTS
Global Council provides a unique opportunity for participants to network with each other socially and
become acquainted with other cultures. The IIA and IIA–Japan have arranged several social events to
provide opportunities to see local sites and experience Japanese culture.
Global Council begins with a Welcome Reception hosted by The IIA on Sunday, 17 March, at the Hilton
Tokyo Odaiba. Monday night, IIA–Japan will host the Cultural Evening and Dinner, an exquisite evening
of entertainment and Japanese cuisine at a beautiful off-site venue steeped in Japanese tradition and
surrounded by ambient scenery.
A highlight of Global Council is the Cultural Tour where delegates and guests are invited to explore the
sights and sounds of Japan and its culture. IIA-Japan is inviting delegates and their guests to join
Wednesday’s optional tour to Kamakura which includes visits to Tsurugaoka Hachimangu Shrine,
Komachi Street, and the Hasedera Temple. Pre-registration for the tour is required.
CLOSING SESSION
The Closing Session will provide a high-level overview of several global initiatives and projects for 2019-2020 and plans for the first IIA Global Assembly to be held in 2020. Following closing remarks, delegates
will gather to commemorate the event with the annual group photo.
BACKGROUND PAPERS
Global Council seeks input from Affiliates on the discussion topics in two ways: advance polling questions
(done via a survey of all Affiliates conducted in November/December 2018) and onsite discussion
questions. Preparation and participation by all attendees are key to a successful Global Council. Affiliates
must review the following Background Papers in advance of the event to ensure their Global Council
representatives are fully informed about the topics and familiar with the results of the advance polling.
Affiliate representatives are encouraged to seek input on the discussion questions from their boards and,
if applicable, their staff, and come prepared to share, representing their Affiliate’s views on the three
discussion topics.
We look forward to seeing everyone in Tokyo! Please direct any questions to
Background Paper: Moving from Global Council to Global Assembly
INTRODUCTION
In 2019, The IIA began restructuring its global governance by introducing significant changes to the
Global Board of Directors and Executive Committee. In 2020, the Global Assembly will replace Global
Council and introduce several enhancements.
Under the leadership of the 2017-2018 and the 2018-2019 Chairman of the Global Board, a Global
Governance Task Force has been working on key concepts for the future Global Assembly.
The IIA’s Bylaws have been updated with the following references to Global Assembly:
Section 1. Global Assembly. The Global Assembly will provide a forum
for Affiliates to have input to the Global Board on the strategic direction
for the profession, and key IIA initiatives, priorities and activities.
Section 2. Members. The Global Assembly shall include such
representatives as defined by the Global Board.
Section 3. Meetings. The Global Assembly shall meet at such dates
and times as may be prescribed by the Global Board.
The 2019 Global Council discussions will give Affiliates an opportunity to
provide feedback on some changes being considered for the new Global
Assembly before its implementation in 2020.
BACKGROUND
Global Council has been somewhat effective as a forum for IIA Affiliates to share insights and input on
The IIA’s Global Strategic Plan and key global projects and initiatives. However, the main goals of
enhancing the model with the creation of the new Global Assembly are:
o To elevate the voice and influence of The IIA’s 100+ Affiliates.
o To increase Affiliate accountability to The IIA and its Global Board.
o To enhance the effectiveness of the global governance process.
Below are preliminary key definitions and concepts for the future Global Assembly, subject to Global
Board approval in July 2019:
What is Global Assembly?
o A forum for Affiliates to provide input to the Global Board.
o A collective voice that helps inform, advise, and influence the Global Board* on strategy.
o A body that creates a liaison between the Global Board and the Affiliate Boards.
*Global Board decisions are final.
What is the Mission of Global Assembly?
o To serve as a sounding board for new ideas and concepts under consideration.
o To provide solicited input to global initiatives, projects, and strategies.
o To provide solicited feedback to draft global plans, positions, policies, etc.
o To communicate and offer insights regarding local trends, needs, issues, and risks.
o To share leading practices and facilitate benchmarking among Affiliates.
Who presides over Global Assembly?
o The Chairman of The IIA’s Global Board.
Who is entitled to a voice in the Global Assembly?
o Each IIA Affiliate shall have one voice (one per Institute and per international chapter).
o North America shall have three voices (USA, Canada, and the Caribbean).
Who are the Members of Global Assembly, how are they selected, and for how long?
o The Global Assembly Representatives are the members of Global Assembly.
o Each Affiliate and North America shall appoint their Global Assembly Representative.
o Each Global Assembly Representative shall serve on the Global Assembly for a three-year
term.
Who are the Observing Members of Global Assembly and what are their responsibilities?
o Each director of the Global Board is an observing member.
o Observing members are responsible to prepare for and attend Global Assembly meetings
and to consider input and feedback from Global Assembly.
What are the responsibilities of a Global Assembly Representative?
o To attend all Global Assembly in-person and teleconference meetings.
o To act as the liaison (connection) between the Global Assembly and their Affiliate Board.
o To actively participate in all Global Assembly meetings and activities.
o To share their knowledge with Global Assembly and report back to their Affiliate Board.
What are the attributes of a Global Assembly Representative?
o To be an active member or actively engage/participate in the Affiliate Board.
o To be knowledgeable about their Affiliate activities and operations.
o To be able to effectively communicate (write and speak) in English.
o To have the necessary time to dedicate to the outlined responsibilities.
o To be empowered by their Affiliate to represent its views and needs at Global Assembly.
Should the Global Assembly Representative be the current Affiliate Top Elected Officer?
o The Global Assembly Representative may be the current, past, or future Top Elected Officer
or any other member of the Affiliate Board including the Chief Staff/Executive Officer as long
as they can meet the outlined responsibilities and attributes of a Global Assembly
Representative.
o Each Affiliate is encouraged to recognize the role of “Global Assembly Representative” as an
addition to the appointee’s other responsibilities.
How often does the Global Assembly meet?
o One in person meeting and up to three teleconference meetings per year.
Does Global Assembly change the relationship between an Affiliate and The IIA or impact the
Master Relationship Agreement (MRA)?
o No, Global Assembly does not change the current relationship between IIA Global and an
Affiliate.
o No, Global Assembly does not have any impact on the current obligations of The IIA and
each Affiliate outlined in the MRA.
How can Global Assembly impact decisions of the Global Board?
o Global Assembly serves as an advisory body and sounding board to the Global Board.
o Global Assembly input and feedback is intended to represent the collective voice of all
Affiliates, not the individual voice of each Affiliate.
o Global Assembly does not have official governance authority and any views of the Global
Assembly are guiding, not authoritative.
o All official final decisions are the responsibility of the Global Board of Directors.
What are the main differences between the current Global Council and future Global
Assembly?
Current Global Council: Global Council is mainly an in-person meeting held once a year at an event. Global Council participants might not have any connection with IIA Global Headquarters outside of this annual meeting. They have no set accountability or responsibilities outside of the actual annual Global Council meeting.
Future Global Assembly: Global Assembly is a group made up of official members appointed by the Affiliates to represent them at several meetings and to carry a series of responsibilities. Global Assembly meets several times a year, and the members act as the official liaisons between the Global Assembly (not IIA Global Headquarters) and their Affiliate Boards.

Current Global Council: Global Council has a defined role but no direct connection to the Global Board nor any joint meetings. Global Board members do not attend Global Council meetings.
Future Global Assembly: Global Assembly has a defined role and collective responsibilities to the Global Board. Global Assembly members are invited to attend the open Global Board meeting prior to the Global Assembly in-person meeting. Global Board members attend all Global Assembly meetings as observing members.

Current Global Council: The Executive Committee sets the topics that are discussed at the Global Council. The outcome of the discussions is shared with all Affiliates, the Executive Committee, and the Global Board of Directors. However, there is no systematic process to ensure a continuous flow of information between the Global Board of Directors and the Global Council.
Future Global Assembly: The Global Board of Directors will approve the topics that are to be discussed by the Global Assembly. The outcome of the discussions will be shared with all Affiliates and the Global Board of Directors. There will be a systematic process in place to ensure a continuous flow of information between the Global Board of Directors and the Global Assembly.

Current Global Council: There is no expectation of continuity for Global Council attendees. Affiliates designate whomever they choose from year to year, some changing the delegate each year, others keeping the same person in place for up to 10 years. The practice of changing Global Council attendees frequently can be ineffective and inefficient. The lack of continuity from year to year requires constant adjustment to the Global Council process, format, and relationship building by those new attendees. On the other hand, the practice of maintaining the same Global Council attendees for six or more years in a row does not afford the benefits of different perspectives, learning, and new relationship building.
Future Global Assembly: Affiliates will be expected to appoint their Global Assembly Representative to serve for a period of three years. In that regard, Global Assembly operates more like a committee whose members are held accountable to fulfill a list of outlined responsibilities during their tenure on Global Assembly. This will require commitment and continuity by the representatives for a three-year term. It is understood that occasionally, a representative may not be able to complete his or her term due to changing personal or professional circumstances. Those situations shall be handled on an exception basis with a formal request process for the Affiliate to change their representative before the end of their three-year term.

Current Global Council: Global Council attendees are often the Affiliate Top Elected Officer (current or incoming). These positions may be demanding without the added workload that comes with preparing, attending, and reporting on Global Council. Some attendees do not possess enough fluency in English to effectively participate in the discussions and discharge the responsibilities.
Future Global Assembly: Global Assembly Representatives can be anyone on the Affiliate Board and/or appointed by the Affiliate because they have the time, knowledge, and skills to fulfill the outlined responsibilities. Command of the English language to effectively communicate verbally and in writing will be necessary to effectively discharge the responsibilities.

Current Global Council: Participation in the annual Global Council meeting is strongly encouraged for all Affiliates but not required. There are no consequences for nonparticipation (*see exception below).
Future Global Assembly: Participation in all meetings of the Global Assembly is required of all Affiliates. Attendance is tracked and nonparticipation in meetings could lead to consequences (to be determined).

Current Global Council: Funding support is available to select Affiliates based on demonstrated needs and *subject to strict conditions of participation in the Global Council meeting.
Future Global Assembly: Funding support will be available to Affiliates in need to ensure their participation at the in-person meeting of the Global Assembly.

Current Global Council: Affiliates may send up to two delegates to participate in the Global Council. IIA Global Headquarters pays for the cost of hosting the Global Council (meeting rooms, meals, tours, etc.) for all delegates (up to two per Affiliate) and up to one of their guests. There is no revenue to defray the costs of hosting the events. The co-hosting Affiliate funds one of the dinners and occasionally cultural tours for all delegates and their guests. Limited travel support (covering full or partial airfare) is provided to some Affiliates that are newer or demonstrate they are struggling financially and could not otherwise attend the in-person meeting. Those who request and accept funding may not send more than one attendee to Global Council.
Future Global Assembly: Affiliates may designate only one representative to Global Assembly. IIA Global pays for the cost of hosting the Global Assembly. However, the cost savings of limiting Global Assembly participation to one representative per Affiliate and no longer offering free cultural tours for all delegates and their guests will be redirected to provide financial support to Affiliates who demonstrate they are struggling financially to send their Representative to the Global Assembly in-person meeting. IIA Global Headquarters will seek additional ways to defray the costs of hosting the Global Assembly in-person meetings.
DISCUSSION QUESTIONS
Considering the background information and concepts outlined below, please review the below questions
and ensure your representative will come prepared to Tokyo to share your Affiliate’s view and ideas on
these questions during the Breakout Discussion Sessions.
Concept: In order to manage the size of the Global Assembly’s in-person meetings and teleconference meetings, it is expected that each Affiliate and each group in North America (U.S., Canada, Caribbean) will have only one representative at Global Assembly. This person could be the current, past, or incoming Top Elected Officer, Chief Staff/Executive Officer or any designated Affiliate Board Member who meets the list of attributes.
Questions:
1. Assess the feasibility of Affiliates designating one person to fulfill the responsibilities of Global Assembly Representative.
2. Share your feedback regarding the proposed list of attributes of Global Assembly Representatives:
o To be an active member of their Affiliate board or actively participate/engage in the Affiliate Board.
o To be knowledgeable about their Affiliate activities and operations.
o To be able to effectively communicate (write and speak) in English.
o To have the necessary time to dedicate to the Global Assembly responsibilities.
o To be empowered by their Affiliate to represent their views and needs at Global Assembly.

Concept: Global Assembly Representatives act as the liaisons between their Affiliate Board and the Global Assembly. Each must ensure that Global Assembly topics are communicated to their Board, that they seek their Board’s input to prepare for Global Assembly discussions, and report outcomes to their Board. Ideally their role of “Global Assembly Representative” is officially added to other responsibilities the representative may have on their Affiliate Board. There should be flexibility to appoint any board member who can fulfill these responsibilities in case the current Top Elected Officer lacks the time, knowledge or the English language skills to do so.
Questions:
3. Share your feedback regarding the list of responsibilities of Global Assembly Representatives:
o To attend all Global Assembly in-person and teleconference meetings.
o To act as a liaison (connection) between the Global Assembly and the Affiliate Board.
o To actively participate in all Global Assembly meetings and activities.
o To share their knowledge with Global Assembly and report back to the Affiliate Board.

Concept: It is expected that all Affiliates appoint a Global Assembly Representative. Failure for the representative to attend all meetings of the Global Assembly would result in consequences for the Affiliate (to be determined). To facilitate this, the following must also be considered:
o Attendance at the teleconference meetings and participation in all activities (responding to all Global Assembly surveys and polls) is compulsory in all cases.
o Attendance at the in-person meetings could be subject to exceptions in some circumstances.
o The Affiliate may request to replace their appointed Global Assembly Representative if that person’s circumstances change during their three-year term. (This should be by exception only.)
o Affiliates must ensure their representative has funding to fulfill their obligation.
o Affiliates that are newer, smaller, and struggle financially to ensure their representative can travel to the Global Assembly in-person meeting may obtain reasonable financial support (to cover basic airfare and hotel accommodations) from IIA Global Headquarters.
o Representatives who don’t participate or have unexcused absences may be asked by the Global Board to resign. The affected Affiliates may be asked to replace the representatives or face consequences.
Questions:
4. Is compulsory participation of all Affiliates’ Global Assembly Representatives in all meetings and activities necessary so that Global Assembly can fulfill its mission?
5. Alternatively, for the in-person meeting of Global Assembly only, should there be criteria that an Affiliate should meet for their participation to be classified as either compulsory or optional? Please consider the following criteria:
a. Affiliate size of their membership?
b. Affiliate finances?
c. Affiliate maturity?
d. Other?
6. What consequences should be considered if an Affiliate with mandatory participation does not attend? Please consider the following criteria:
a. Lose their seat/voice in the Global Assembly for one year?
b. No longer qualified to nominate candidate for the Global Board of Directors?
c. Other?
7. If participation isn’t compulsory or some have unexcused absences, how do we ensure non-participating Affiliates (that lose their seat/voice or for whom it’s optional) remain informed, involved and accountable to their obligations?
Background Paper: Three Lines of Defense
INTRODUCTION
Goal A of The IIA’s Global Strategic Plan 2019-2023 focuses on strengthening the profession and
includes specific strategies for equipping members with resources to “strengthen the influence and
position” of internal auditing while deploying appropriate messages among key stakeholders. Undertaking
a review of The IIA’s Position Paper Three Lines of Defense is one short-term tactic to help achieve this
goal.
The review of the IIA Position Paper “The Three Lines of Defense in Effective Risk Management and
Control” was initiated in July 2018 and aims to deliver a revised position paper in 2019. The IIA’s
Executive Committee assigned the Working Group to lead this project, chaired by Jenitha John, vice chair
of Professional Certifications.
So far, the group has identified key strengths of the Three Lines of Defense model that should be
preserved and opportunities for improvement. The Working Group has also established guiding principles
for the development work.
The key next steps include regular consultation with an advisory group of around 30 stakeholders,
discussion at Global Council to seek input from all Affiliate leaders, and public exposure of an updated
position paper, before submitting it to the Global Board for final approval. Thereafter, sustained promotion
of the new position paper to members and stakeholders will be essential for its recognition and adoption.
BACKGROUND
The Three Lines of Defense model has been around for more than 20 years and has been a major
contribution to the collective understanding of governance, risk management, and internal control in
organizations. The model provides a simple yet powerful way of recognizing and explaining how certain
activities enable the governing body (regardless of how this is structured) to exercise its responsibilities
for direction, performance, transparency, oversight, and accountability.
When The IIA released its original Position Paper “The Three Lines of Defense in Effective Risk
Management and Control” in January 2013, the model was already well-known and widely implemented.
Since then, the model has gained additional recognition and adoption. Yet, as organizations and the
environments in which they operate have evolved, the need to revise the model has become evident.
Globalization, technological innovation, demographic shifts, environmental changes, resourcing
constraints, and similar trends are creating major disruptions and exposing governance weaknesses
across all kinds of entities. There is an ongoing need for measures that enhance organizational integrity,
advance public trust, and increase societal value derived from institutions.
The Three Lines of Defense model is built on an analogy that draws on the capabilities of a castle in
repelling attacks from hostile forces, being a combination of physical structures (moat, drawbridge, castle
walls, and so on) and the activities of the soldiers and king’s guards. Such comparisons have limited
compatibility with most modern thinking on governance. The current analogy suggests static components
(the lines) and sequential operations (the first line acting first, the second line taking over if the first fails,
and so on), with a sole focus on defense.
Effective governance differs from this in certain fundamental regards:
o The components of good governance must operate together as a single mechanism, requiring a high degree of coordination between the “lines of defense”.
o The same processes and structures that work to protect organizational value must also serve to enhance and realize value, mitigating against the negative impact of risks as well as leveraging opportunities to optimize outcomes.
The goals of updating the position paper are to broaden the scope with emphasis on coordination and
collaboration in the Three Lines model and to elucidate how the “lines” operate in a more flexible and
holistic fashion. This will require new terminology and explanations and an amended graphic to help
explain the important enhancements under consideration.
The graphic deployed by The IIA in 2013, and subsequently widely shared, is instantly recognizable and
has served its purpose well over the years. However, it has also left room for a misperception that the
Three Lines of Defense model requires a fixed way of organizing functions per tightly defined silos of
responsibility. Given the diversity and relentless evolution of organizations and their operating
environments, when it comes to effective governance, it is highly unlikely that a one-size-fits-all approach
can apply to all situations.
The updated position paper will make clear that the model works better when it is understood as an
explanatory framework for certain kinds of activities that make distinctive contributions to organizational
governance, rather than being a prescription for organizational structure. Nevertheless, for there to be
credible challenge and independent assurance, which are both fundamental components of the model to
be highlighted in the new position paper, it is necessary to maintain certain important internal
relationships among the functions that have been assigned specific responsibilities.
Attempts to multiply the number of lines of defense are recognized and understood to be consistent with
the basic Three Lines model. It is often a matter of perspective and interpretation. It is possible to retain
the simple Three Lines model and be pragmatic with alternates that identify other lines external to the
organization as lines of defense from a broader external stakeholder view (such as the regulator,
government, or the public interest).
While focusing on the entity, the model must also communicate the importance of the governing body as
central to governance rather than outside it, as a mere observer or passive stakeholder of governance. It
is equally critical to emphasize the need for lateral integrity to the model rather than falsely
communicating a silo, vertical approach. Enterprise risk management is a shared responsibility across all
three lines — requiring extensive communication, planning, cooperation, and collaboration; a shared
taxonomy, data, and reporting; and an assurance approach that involves coordination and reliance
among providers.
In important respects the term “three lines of defense” may be inadequate for the strengthened and
enhanced descriptions proposed for the new position paper. However, due to its widespread recognition,
changing the name may cause confusion. The Working Group will continue to ponder this risk.
ADVANCE POLLING RESULTS
The following data summarize the results of the advance polling, conducted in November/December 2018, where 87 IIA Affiliates responded to a series of questions on the Three Lines of Defense.
[Charts: “Recognition and Importance of the Three Lines of Defense”; “Three improvements to the Three Lines of Defense model to empower The IIA to better support, promote, and embed the model”; “Industry where the Three Lines of Defense is the most understood and applied to a large extent: Financial Services”]
Please refer to the Appendix for the complete results of the advance survey on the Three Lines of Defense.
DISCUSSION QUESTIONS
Considering the background information and results of the advance polling survey included above and in
the Appendix, review these questions and ensure your representative comes prepared to Tokyo to share your
Affiliate’s view and ideas during the Breakout Discussion Sessions.
1. Which individuals, groups of individuals, and organizations are the most important stakeholders of the
Three Lines of Defense?
2. We want the new IIA Position Paper on the Three Lines of Defense model to be accepted and
adopted by governing bodies in the public and private sectors, regulators, policy makers, accounting
firms, academics, and others around the world. For this to happen, when compared with the existing
paper:
a. What must be new?
b. What must remain the same?
3. How important is the Three Lines of Defense model and the relevant IIA Position Paper for the
recognition and promotion of the profession of internal auditing?
4. What are the best ways in which The IIA can encourage recognition and adoption of its new IIA
Position Paper once it has been released in July 2019?
Background Paper: Global Content Strategy
INTRODUCTION
The goal of the Global Content Strategy is to develop content that addresses issues impacting the
internal audit profession globally.
Content is defined as a principal substance of knowledge, such as written matter contained in reports,
publications, white papers, blogs, and more, both digitally and in print, or contained within an educational
medium such as a course, webinar, or other learning resource.
The plan aims to leverage The IIA’s collective resources to deliver valuable content to IIA members
globally. The Global Content Strategy’s objective is to develop creative, strategically aligned content by:
1. Fostering a collaborative mindset between all who develop, contribute to, and deliver the content.
2. Providing a common framework.
3. Prioritizing and maintaining focus on quality, relevance, timely delivery, and return on investment.
BACKGROUND
The Global Content Strategy supports Vision 2024 and Global Strategic Goal B of The IIA’s Global
Strategic Plan.
Vision 2024: The IIA is the primary global resource for members and the internal audit
profession, enabling internal audit professionals to be recognized as critical to enhancing and
protecting organizational value.
Global Strategic Goal B – Competent Professionals: Members are competent and confident to
deliver on stakeholder expectations and demonstrate the value of our profession.
The Global Content Strategy supports Vision 2024 and Global Strategic Goal B because:
Content is the core of The IIA’s resources.
The IIA provides insight through content.
Content provides members with the information they need to be competent and confident.
The IIA delivers value through content.
To date, The IIA has completed the following to help drive the Global Content Strategy:
Resourced a full-time Director of Global Content Strategy and created a content harmonization
task force at IIA Global Headquarters.
Created a glossary to define and align content definitions.
Identified target audiences and skill levels for all content.
Developed a taxonomy that includes the following elements: topic, resource type, industry,
membership type, audience segment, and geography.
Developed a content library (SharePoint repository) to collect information about current and
planned content.
Completed a needs analysis and researched best practices in content marketing and
development.
ADVANCE POLLING RESULTS
The following data summarize the results of the advance polling conducted in November/December 2018
where 86 IIA Affiliates responded to a series of questions on The IIA’s Global Content Strategy.
Please refer to the following definitions:
Skill Level (Abbreviation): Explanation
Introductory (I): Limited awareness of task/skill/knowledge. Follows instructions under direct
supervision.
General Awareness (GA): General awareness of task/skill/knowledge. Can perform routine tasks under
normal business conditions. Can perform some, but not all, of the applied tasks with
supervision/coaching.
Applied Knowledge (AK): Demonstrates consistent, independent application of task/skill/knowledge in
most situations. Uses insight from this knowledge to coach and supervise others. Can perform all of
the applied tasks without supervision. Can perform complex tasks independently.
Expert (E): Demonstrates consistent, independent application of task/skill/knowledge in all
situations. Applies foresight to help senior management and the board guide the organization.
Assists management to identify innovative approaches to mitigate risk. Provides mentorship to assist
individuals across the organization to move to the next level. Provides subject matter expertise to
others in addressing situations with higher complexity. Serves as a role model.
Most Urgent Content Topics by Skill Level
I = Introductory / GA = General Awareness / AK = Applied Knowledge / E = Expert
Most Important Content Topics for Members by Category
Content Development
Please refer to the Appendix for the complete results of the advance survey on the Global Content Strategy.
14 Affiliates would be willing to participate in a global content development group.
47% of Affiliates occasionally create original content as the need arises.
36% of Affiliates rarely or never create original content.
DISCUSSION QUESTIONS
Considering the background information and results of the advance polling survey included above,
please review these questions and ensure your representative comes prepared to Tokyo to share your
Affiliate’s views and ideas during the Breakout Discussion Sessions.
1. Regarding technology, survey results indicate that overall IIA members most need information on
cybersecurity at the applied knowledge skill level. Based on your knowledge of your market:
a. What types of cybersecurity engagements might your members have in the coming year?
b. What problems or challenges are your members trying to resolve related to cybersecurity?
2. Regarding governance, survey results indicate that overall IIA members most need information on
ethics at the applied knowledge skill level. Based on your knowledge of your market:
a. Do your members most need information on organizational ethics or professional ethics?
b. What problems or challenges are your members trying to resolve related to ethics?
3. Regarding risk, survey results indicate that overall IIA members most need information on COSO at
the applied knowledge skill level. Based on your knowledge of your market:
a. What types of risk assessments might your members engage in for the coming year?
b. Which of COSO’s frameworks are your members most interested in?
i. COSO Enterprise Risk Management — Integrating with Strategy and Performance
ii. COSO Internal Control — Integrated Framework
c. What problems or challenges are your members trying to resolve related to COSO?
4. Regarding audit practice, survey results indicate that overall IIA members most need information on
assurance maps at the applied knowledge skill level. Based on your knowledge of your market:
a. What problems or challenges are your members trying to resolve related to assurance maps?
5. Regarding leadership, survey results indicate that overall IIA members most need information on soft
skills at the introductory knowledge level. Based on your knowledge of your market:
a. What types of soft skills are your members most interested in developing? Communication,
critical thinking, negotiation, emotional intelligence, or others?
b. What problems or challenges are your members trying to resolve related to soft skills?
Appendix
Advance Survey Results: Three Lines of Defense (based on responses from 87 Affiliates)
What impact has the Three Lines of Defense had on the profession in your area?
Helped the profession: 85%; Little or no impact: 10%; Don't know: 5%.
How well is the Three Lines of Defense model understood and applied in your area?
(Chart by industry; response categories: To a large extent / To some extent / To a negligible extent / Unsure.)
Has the Three Lines of Defense model been codified (i.e., included in legislation, regulation, corporate
governance codes, etc.) in your area?
No: 56%; Yes: 32%; Unsure: 12%.
Compared with 2013, when The IIA’s Position Paper was first released, how important is the Three Lines
of Defense model for promoting effective governance, risk management, and internal control?
More important: 66%; About the same: 27%; Less important: 1%; Not sure: 6%.
To improve the current Three Lines of Defense model, there are several potential areas of focus. Please
indicate the importance that should be given to the following topics when prioritizing potential revisions
of the current model.
Topic (share rating it “Important” or “Very important”)
The importance of communication and collaboration between the lines of defense 90%
Broader focus on governance 87%
Opportunity and organizational success in addition to risk management and internal control 86%
The nature and importance of independence for internal auditing 86%
The role of internal audit in both enhancing organizational value and protecting it 86%
The contribution of the audit committee 83%
The public sector context 82%
Potential pitfalls of the Three Lines model 78%
A blurring between the second and third lines 77%
Integration with The IIA’s Position Paper "The Role of Internal Auditing in Enterprise Risk Management" (including the ERM framework) 76%
Based on the top ten responses of those who selected “Important” or “Very important”; 85 responses
Q17. Do you have any additional comments, including areas for improvement of the Three Lines of
Defense model, and ways in which The IIA can further support, promote, embed, and advocate for the
model?
Allowing for greater flexibility in the model reflecting size, maturity etc. 7
More advocacy for three lines of defense 5
Combined/integrated assurance 4
Most common responses (more than 1); based on an analysis of 86 responses
Advance Survey Results: Global Content Strategy (based on responses from 86 Affiliates)
The following responses prioritize members’ needs by topic for each of the following categories:
Technology, Governance, Risk, Audit Practice, and Leadership
For each of the topics, the following charts indicate the most urgent topic by skill level.
Topic: Technology
Topic: Governance
Topic: Risk
Topic: Audit Practice
Topic: Leadership
IIA Position Paper:
THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL
JANUARY 2013
TABLE OF CONTENTS
Introduction .... 1
Before the Three Lines: Risk Management Oversight and Strategy-Setting .... 2
The First Line of Defense: Operational Management .... 3
The Second Line of Defense: Risk Management and Compliance Functions .... 4
The Third Line of Defense: Internal Audit .... 5
External Auditors, Regulators, and Other External Bodies .... 6
Coordinating The Three Lines of Defense .... 6
IIA POSITION PAPER: THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL / 1
IIA POSITION PAPER:
THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL
INTRODUCTION
In twenty-first century businesses, it’s not uncommon to find diverse teams
of internal auditors, enterprise risk management specialists, compliance
officers, internal control specialists, quality inspectors, fraud investigators,
and other risk and control professionals working together to help their
organizations manage risk. Each of these specialties has a unique perspective
and specific skills that can be invaluable to the organizations they serve, but
because duties related to risk management and control are increasingly being
split across multiple departments and divisions, duties must be coordinated
carefully to assure that risk and control processes operate as intended.
It’s not enough that the various risk and control functions exist — the challenge
is to assign specific roles and to coordinate effectively and efficiently
among these groups so that there are neither “gaps” in controls nor unnecessary
duplications of coverage. Clear responsibilities must be defined so that
each group of risk and control professionals understands the boundaries of
their responsibilities and how their positions fit into the organization’s overall
risk and control structure.
The stakes are high. Without a cohesive, coordinated approach, limited risk
and control resources may not be deployed effectively, and significant risks
may not be identified or managed appropriately. In the worst cases, communications
among the various risk and control groups may devolve to little more
than an ongoing debate about whose job it is to accomplish specific tasks.
The problem can exist at any organization, regardless of whether a formal
enterprise risk management framework is used. Although risk management
frameworks can effectively identify the types of risks that modern businesses
must control, these frameworks are largely silent about how specific duties
should be assigned and coordinated within the organization.
Fortunately, best practices are emerging that can help organizations delegate
and coordinate essential risk management duties with a systematic approach.
The Three Lines of Defense model provides a simple and effective way to
enhance communications on risk management and control by clarifying
essential roles and duties. It provides a fresh look at operations, helping to
assure the ongoing success of risk management initiatives, and it is appropriate
for any organization — regardless of size or complexity. Even in organizations
where a formal risk management framework or system does not exist,
the Three Lines of Defense model can enhance clarity regarding risks and
controls and help improve the effectiveness of risk management systems.
BEFORE THE THREE LINES: RISK MANAGEMENT OVERSIGHT AND STRATEGY-SETTING
In the Three Lines of Defense model, management control is the first line of
defense in risk management, the various risk control and compliance oversight
functions established by management are the second line of defense,
and independent assurance is the third. Each of these three “lines” plays a
distinct role within the organization’s wider governance framework.
Although neither governing bodies nor senior management are considered to
be among the three “lines” in this model, no discussion of risk management
systems could be complete without first considering the essential roles of
both governing bodies (i.e., boards of directors or equivalent bodies) and
senior management. Governing bodies and senior management are the
primary stakeholders served by the “lines,” and they are the parties best
positioned to help ensure that the Three Lines of Defense model is reflected
in the organization’s risk management and control processes.
Figure: The Three Lines of Defense Model
Governing Body / Board / Audit Committee; Senior Management
1st Line of Defense: Management Controls; Internal Control Measures
2nd Line of Defense: Financial Control; Security; Risk Management; Quality; Inspection; Compliance
3rd Line of Defense: Internal Audit
External audit; Regulator
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
Senior management and governing bodies collectively have responsibility
and accountability for setting the organization’s objectives, defining strategies
to achieve those objectives, and establishing governance structures and
processes to best manage the risks in accomplishing those objectives. The
Three Lines of Defense model is best implemented with the active support
and guidance of the organization’s governing body and senior management.
THE FIRST LINE OF DEFENSE: OPERATIONAL MANAGEMENT
The Three Lines of Defense model distinguishes among three groups (or lines)
involved in effective risk management:
• Functions that own and manage risks.
• Functions that oversee risks.
• Functions that provide independent assurance.
As the first line of defense, operational managers own and manage risks. They
also are responsible for implementing corrective actions to address process
and control deficiencies.
Operational management is responsible for maintaining effective internal
controls and for executing risk and control procedures on a day-to-day basis.
Operational management identifies, assesses, controls, and mitigates risks,
guiding the development and implementation of internal policies and procedures
and ensuring that activities are consistent with goals and objectives.
Through a cascading responsibility structure, mid-level managers design and
implement detailed procedures that serve as controls and supervise execution
of those procedures by their employees.
Operational management naturally serves as the first line of defense because
controls are designed into systems and processes under the guidance of
operational management. There should be adequate managerial and supervisory
controls in place to ensure compliance and to highlight control breakdowns,
inadequate processes, and unexpected events.
THE SECOND LINE OF DEFENSE: RISK MANAGEMENT AND COMPLIANCE FUNCTIONS
In a perfect world, perhaps only one line of defense would be needed to assure
effective risk management. In the real world, however, a single line of
defense often can prove inadequate. Management establishes various risk
management and compliance functions to help build and/or monitor the first
line-of-defense controls. The specific functions will vary by organization and
industry, but typical functions in this second line of defense include:
• A risk management function (and/or committee) that facilitates
and monitors the implementation of effective risk management
practices by operational management and assists risk owners
in defining the target risk exposure and reporting adequate
risk-related information throughout the organization.
• A compliance function to monitor various specific risks such
as noncompliance with applicable laws and regulations. In
this capacity, the separate function reports directly to senior
management, and in some business sectors, directly to the
governing body. Multiple compliance functions often exist
in a single organization, with responsibility for specific types
of compliance monitoring, such as health and safety, supply
chain, environmental, or quality monitoring.
• A controllership function that monitors financial risks and
financial reporting issues.
Management establishes these functions to ensure the first line of defense is
properly designed, in place, and operating as intended. Each of these functions
has some degree of independence from the first line of defense, but
they are by nature management functions. As management functions, they
may intervene directly in modifying and developing the internal control and
risk systems. Therefore, the second line of defense serves a vital purpose but
cannot offer truly independent analyses to governing bodies regarding risk
management and internal controls.
The responsibilities of these functions vary depending on their specific nature,
but can include:
• Supporting management policies, defining roles and responsibilities,
and setting goals for implementation.
• Providing risk management frameworks.
• Identifying known and emerging issues.
• Identifying shifts in the organization’s implicit risk appetite.
• Assisting management in developing processes and controls to
manage risks and issues.
• Providing guidance and training on risk management processes.
• Facilitating and monitoring implementation of effective risk
management practices by operational management.
• Alerting operational management to emerging issues and
changing regulatory and risk scenarios.
• Monitoring the adequacy and effectiveness of internal control,
accuracy and completeness of reporting, compliance with laws
and regulations, and timely remediation of deficiencies.
THE THIRD LINE OF DEFENSE: INTERNAL AUDIT
Internal auditors provide the governing body and senior management with
comprehensive assurance based on the highest level of independence and
objectivity within the organization. This high level of independence is not
available in the second line of defense. Internal audit provides assurance
on the effectiveness of governance, risk management, and internal controls,
including the manner in which the first and second lines of defense achieve
risk management and control objectives. The scope of this assurance, which
is reported to senior management and to the governing body, usually covers:
• A broad range of objectives, including efficiency and
effectiveness of operations; safeguarding of assets; reliability
and integrity of reporting processes; and compliance with laws,
regulations, policies, procedures, and contracts.
• All elements of the risk management and internal control
framework, which includes: internal control environment;
all elements of an organization’s risk management framework
(i.e., risk identification, risk assessment, and response);
information and communication; and monitoring.
• The overall entity, divisions, subsidiaries, operating units,
and functions — including business processes, such as sales,
production, marketing, safety, customer functions, and operations
— as well as supporting functions (e.g., revenue and
expenditure accounting, human resources, purchasing, payroll,
budgeting, infrastructure and asset management, inventory,
and information technology).
Establishing a professional internal audit activity should be a governance
requirement for all organizations. This is not only important for larger and
medium-sized organizations but also may be equally important for smaller
entities, as they may face equally complex environments with a less formal,
robust organizational structure to ensure the effectiveness of their governance
and risk management processes.
Internal audit actively contributes to effective organizational governance
provided that certain conditions — fostering its independence and professionalism
— are met. Best practice is to establish and maintain an independent,
adequately and competently staffed internal audit function, which includes:
• Acting in accordance with recognized international standards for the
practice of internal auditing.
• Reporting to a sufficiently high level in the organization to be able to
perform its duties independently.
• Having an active and effective reporting line to the governing body.
EXTERNAL AUDITORS, REGULATORS, AND OTHER EXTERNAL BODIES
External auditors, regulators, and other external bodies reside outside the
organization’s structure, but they can have an important role in the organization’s
overall governance and control structure. This is particularly the case
in regulated industries, such as financial services or insurance. Regulators
sometimes set requirements intended to strengthen the controls in an organization
and on other occasions perform an independent and objective function
to assess the whole or some part of the first, second, or third line of defense
with regard to those requirements. When coordinated effectively, external
auditors, regulators, and other groups outside the organization can be considered
as additional lines of defense, providing assurance to the organization’s
shareholders, including the governing body and senior management.
Given the specific scope and objectives of their missions, however, the risk
information gathered is generally less extensive than the scope addressed by
an organization’s internal three lines of defense.
COORDINATING THE THREE LINES OF DEFENSE
Because every organization is unique and specific situations vary, there is no
one “right” way to coordinate the Three Lines of Defense. When assigning
specific duties and coordinating among risk management functions, however,
it can be helpful to keep in mind the underlying role of each group in the risk
management process.
FIRST LINE OF DEFENSE: Risk Owners/Managers
• operating management
SECOND LINE OF DEFENSE: Risk Control and Compliance
• limited independence
• reports primarily to management
THIRD LINE OF DEFENSE: Risk Assurance
• internal audit
• greater independence
• reports to governing body
All three lines should exist in some form at every organization, regardless of
size or complexity. Risk management normally is strongest when there are
three separate and clearly identified lines of defense. However, in exceptional
situations that develop, especially in small organizations, certain lines of
defense may be combined. For example, there are instances where internal
audit has been requested to establish and/or manage the organization’s risk
management or compliance activities. In these situations, internal audit
should communicate clearly to the governing body and senior management
the impact of the combination. If dual responsibilities are assigned to a single
person or department, it would be appropriate to consider separating the
responsibility for these functions at a later time to establish the three lines.
Regardless of how the Three Lines of Defense model is implemented,
senior management and governing bodies should clearly communicate the
expectation that information be shared and activities coordinated among each
of the groups responsible for managing the organization’s risks and controls.
Under the International Standards for the Professional Practice of Internal
Auditing, chief audit executives are specifically required to “share information
and coordinate activities with other internal and external providers of
assurance and consulting services to ensure proper coverage and minimize
duplication of efforts.”
RECOMMENDED PRACTICES:
• Risk and control processes should be structured in accordance
with the Three Lines of Defense model.
• Each line of defense should be supported by appropriate
policies and role definitions.
• There should be proper coordination among the separate lines
of defense to foster efficiency and effectiveness.
• Risk and control functions operating at the different lines
should appropriately share knowledge and information to assist
all functions in better accomplishing their roles in an efficient
manner.
• Lines of defense should not be combined or coordinated in a
manner that compromises their effectiveness.
• In situations where functions at different lines are combined,
the governing body should be advised of the structure and its
impact. For organizations that have not established an internal
audit activity, management and/or the governing body should
be required to explain and disclose to their stakeholders that
they have considered how adequate assurance on the effectiveness
of the organization’s governance, risk management,
and control structure will be obtained.
Global Headquarters
247 Maitland Avenue
Altamonte Springs, Florida 32701 USA
T +1-407-937-1111
F +1-407-937-1101
W www.globaliia.org
About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s acknowledged leader, chief advocate, and principal educator.
Position Papers
Position Papers are part of The IIA’s International Professional Practices Framework (IPPF), the conceptual framework that organizes authoritative guidance promulgated by The IIA. A trustworthy, global, guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and strongly recommended guidance. Position papers are part of the Strongly Recommended category of guidance; compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes.
Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues, and delineating the related roles and responsibilities of internal auditing.
For other authoritative guidance materials provided by The IIA, please visit our website at www.globaliia.org/standards-guidance.
Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.
Copyright
Copyright © 2013 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at [email protected].