It seems that internal auditors are increasingly hearing from stakeholders who are concerned about a duplication of efforts between internal audit and other oversight functions within an organization. No matter how meticulously roles and responsibilities are assigned and documented, issues inevitably come up that fall into a gray area between internal audit and other monitoring activities, such as compliance or risk management. And where responsibility is not clearly defined, things can go awry.
A surprising number of internal audit recommendations spring from these “Who’s on first?” quandaries. That’s one of the reasons we spend so much time preparing flowcharts and narratives aimed at delineating responsibilities. Duplication of effort is almost always viewed as inefficient, and gaps are generally viewed as risky.
Because we are sensitive to these issues, you might think that such problems would be relatively uncommon as far as internal audit’s responsibilities are concerned. Unfortunately, we and some of our other oversight colleagues are often among the more conspicuous offenders.
One of the questions in The IIA’s 2014 North American Pulse of the Profession survey asked how clear the distinctions are between the roles of internal audit and an organization’s management, risk, compliance, and control functions. Two-thirds of chief audit executives (CAEs) who responded said their organizations had only moderately, somewhat, or not clearly defined lines of defense. It’s evident the boundaries between our organizations’ various assurance groups are drawn with a blurry line.
If we don’t address this issue, we will eventually run into serious problems. Work will indeed be unnecessarily duplicated or, worse, there will be gaps in the essential services provided by internal audit, internal control groups, risk-management professionals, and other assurance providers.
The IIA position paper The Three Lines of Defense in Effective Risk Management and Control embraces a simple and effective model to clarify essential roles and duties. However, internal audit is increasingly being asked to take on risk management and compliance responsibilities, and some chief risk officers are being asked to provide assurance on the overall effectiveness of risk management. Stakeholder perceptions of duplication are exacerbating feelings of “audit fatigue,” particularly among management stakeholders. As emphasis by regulators and others on effective compliance and risk management increases, the chaos in the lines of defense is likely to grow.
If we don’t strive to clarify our respective responsibilities, we may soon be playing the blame game. And that’s a game no one wins. As the Pulse of the Profession report noted, should stakeholders not understand the distinction between the various risk and control functions, the presumption may become that one or the other function is dispensable.
If the lines of defense are not clearly drawn at your organization, I urge you to circulate a copy of The IIA’s position paper as a starting point for discussions. This issue is simply too important to ignore.
How clear are the lines within your organization? Should we try to keep everyone in line? And what are you doing functionally and administratively to ensure the internal audit function owns its true responsibilities?