Chambers, who said he isn’t impugning the integrity of CFOs, said there are risks involved with having internal audit report to the CFO or CEO.
“A lot of internal audit’s work is done looking at financial risks, financial controls, and so forth,” Chambers said. “Even if you have an objective chief audit executive, how does that look to third parties that, in essence, that individual is leading audit work of their boss’s area of responsibility?”
Having internal audit report to the CEO is much more common in other parts of the world than in the United States. A majority of CAEs in Africa (55%), Europe-Central Asia (55%), Asia Pacific (53%), and Western Europe (51%) report administratively to the CEO, according to an IIA-sponsored survey of more than 13,500 internal auditors conducted in 2010.
In contrast, just 21% of respondents in the United States and Canada said CAEs in their organizations report administratively to the CEO. More respondents—23%—in the United States and Canada said their CAEs report administratively to the CFO.
Globally, 34% of CAEs report to the CEO, according to the survey, while 43% report administratively to the audit committee. In the United States and Canada, 61% report administratively to the audit committee.
IIA highlighted that in order to maintain independence, is of best practices for companies to report to the board of directors with a dotted line to the CEO or the CFO.
Internal auditors at an overwhelming majority of US companies also report functionally to the audit committee, Chambers said. A 2017 IIA survey showed that a majority of CAEs functionally report to the audit committee in North America (74%), Asia/Pacific (69%) and Europe (65%). Latin America (36%) trailed the other regions in the survey.
In this functional relationship, Chambers said, the audit committee typically:
- Approves internal audit’s charter and the annual internal audit plan.
- Has regular briefings and interactions with the CAE.
- Participates in executive sessions with the CAE.
Over the past 10 years, the number of CAEs reporting administratively to the CFO has decreased as more CAEs have reported to CEOs and Audit Committee, Chambers said. In some cases, the CAE reports administratively to the general counsel, chief risk officer, or COO.
Three Lines Defense Model
What are the Lines of Defense?
In a compliance management system, the lines of defense are related to the areas (departments) of the financial institution responsible for different aspects of risk management.
Broadly speaking, a line of defense includes the employees, their policies, procedures, and practices, and the lines of reporting and escalation.
In the past, the compliance and management were considered the two key lines of defense, but for the last decade, that has been changing. We’ll talk more about that next.
What are the Three Lines of Defense?
As compliance management systems have evolved, having three lines of defense has become more important.
Here is an overview of the three lines of defense:
- First Line: The first line of defense is the employees of the institution who are involved in the creation and selling of products and services, or operationally supporting customers, products, and services. It includes both sales roles and operational roles, like product and Customer Service. It is their responsibility to understand their roles and responsibilities, create and apply internal controls, and respond to risks that their work, sales, and interactions may present.
- Second Line: The second line of defense is the institution’s compliance- and risk-related functions. They are responsible for providing guidance and oversight of the first line of defense. Additionally, they are responsible for proactively testing and monitoring high risk areas to ensure policy, procedures and processes implemented by the first line are working as intended to comply with rules and regulations. They are also responsible, in most institutions, for fostering relations between the first and third line of defense, and providing some reporting to the Board and Senior Management.
- Third Line: The third line of defense is the external and internal auditors who independently evaluate the compliance risks and controls. They are also responsible for reporting to the Board and Senior Management’s oversight functions.
If only one line of defense is working well, it can present risks to the other lines as well as the institution.