If anyone’s auditing here, then it’s me!

… said the Chief Audit Executive to the QA Auditor who had just appeared in his doorway and announced that he is about to conduct an audit of the internal audit function. Saddle up your horses, Dear Members of the Auditing Community, and prepare to go to war against all those scoundrels who dare try their hand at auditing within the company other than us, the most glorious auditors!

Well, that perhaps sounds a bit dramatic but, all the same, at a recently held audit working group, there was actually a quite interesting debate as to whether the compliance organization in the company had the right to audit.

So it is – a new age is dawning and it is one to be feared – in the broad light of day, we will no longer be alone in this auditor’s universe.

At first, the situation seems quite clear: an article from 2012 by Prof. Dr. Eulerich in the “Zeitschrift für Interne Revision” puts it quite simply when he says that the operating effectiveness audit of financial and operational controls is “traditionally” the responsibility of Internal Audit.

In addition to the lecturer at the working group above, who so much as dared to grant the compliance organization the right to audit the internal control system, there are however a number of other voices who have also recently been moving towards a less stringent interpretation of the traditional approach in the practice-oriented SME sector.

But now let us put an end to all this hyperbole and devote our attention to the objective arguments.

First, we will briefly devote our attention to the Three-Lines of Defense Model as a starting point and try to classify the arguments for and against the principle of “If anyone’s auditing here, then it’s me”, as well as taking a brief glance at what the situation looks like in the age of continuous monitoring.

The Three-Lines-of Defense model tries to establish order in the company’s defense against risk. As part of corporate governance, there are three independent lines of defense below corporate management. One thing is clear: the overall accountability for the internal control system lies with the top-level management.

The First Line of Defense

Responsibility for the first line of defense lies with operational management. In addition to the classic internal controls, this line of defense also includes control elements that lie outside the controls. The risk defense of the first line of defense is directly integrated into the operational processes through the control and monitoring elements.

The tasks and responsibilities of the first line of defense are undisputed both in the specialist literature and among auditors, since this function works in the same way in every company.

The Second Line of Defense

The definition of the second line of defense is company-specific and depends, amongst other things, on the business model and the regulatory environment. Depending on the business model, the management or the supervisory board / board of directors defines business units that perform this function. The following are just a few examples of this:

  • Compliance
  • Risk Management
  • Legal
  • Controlling
  • Quality Management
  • Sustainability Management
  • Corporate Security
  • Fraud Management

Basically, the tasks of the second line of defense can be described as acting as advisors and supporters of the first line of defense, as well as of the board. In addition to the supervision and control of operational management, the second line of defense also has an advisory character with regard to risk control and the design of the first line of defense.

The resulting potential “proximity” to the first line of defense provide the grounds for skeptics to claim that the Second Line of Defense is unable to audit due to its lack of independence.

In addition to the potential lack of independence, company-specific characteristics, as well as a conceptual lack of clarity in the definition of business units represent the greatest challenge in this area of the debate.

The Third Line of Defense

The potential lack of independence of the second line of defense provides the grounds for the existence of the third and last risk-controlling body, the Internal Audit function. The internal audit function is risk-oriented and absolutely independent of the first and second lines of defense.

The external auditor, the regulators, the supervisory authorities and, of course, the supervisory board or administrative board as a potential fourth and fifth line of defense are not things that we are going to go into in further detail in what follows.

“There can only be one auditor” is how we could sum things up at this point, if one consults the usual industry literature and, that is, assuming the compliance organization does not explicitly ask you to provide proof of your company-specific or even process-related independence and, of course, of your auditing competence. In order to further qualify this conclusion at this stage, the Three-Lines of Defense Model is there explicitly to deal with risk defense.

At this point, we’re allowed to ask ourselves the question: Does the added value of auditing really just lie solely in defense against risk, as described in the Three-Lines of Defense Model?

Haven’t we left this self-image behind us long ago? What about opportunities and showing added value? Could there be a better “Trusted Advisor” within the company than Internal Audit? What is the core competence of Internal Audit? How and where does Internal Audit add value to the organization?

Who actually audits the ICS if Internal Audit doesn’t have a subsidiary on its risk-oriented audit plan for 3 years?

If we expand the current discussion to include the domain of application of Continuous Auditing, things soon become far more complex. What happens if the audit department perfects data analyses for audits internally and applies them continuously or in an almost process-integrated way? Does this then still fall within the sphere of responsibility and core competence of auditing?

Is the run-of-the-mill purchasing audit or the auditing of simple control matrices really part of our core competence or isn’t it rather a matter of doing what auditing is really about, in other words: To ask open questions, and to listen and identify risks and opportunities in every imaginable situation by asking the right questions and employing audit techniques. The ultimate skill is then to charismatically sell the “jointly developed solution” to the specialist department, which can hardly say no anymore. And if the specialist department cannot take over the continuous auditing control that has just been handed over to it in everyday life, then Compliance will soon start to take an interest in the recognition and taking over of the control / data analysis initiated by Internal Audit. This is something that is also likely to please management.

In my career as an auditor, there haven’t been any moments more boring than those spent checking predefined control matrices, possibly even ones that are standardized worldwide, which did not fit into the actual process exactly.

For us auditors, there can be nothing better than a specialist department that itself takes responsibility for monitoring your processes, either through internal controls or through data indicators that point to an exceptional situation.

If, at any point in the audit process, we were in a position to finally assess these indications without the help of a specialist department, then our place would not be in Internal Audit. Then we would belong in the specialist department.

Please then see this as a clear plea to hand over mature data analyses either to the specialist or compliance organization for monitoring or explicitly for process-integrated or process-related auditing. Finally, that would mean more time for us to drive the organization forward with new topics, opportunities or risks! The audit department may also see itself as a pool for innovation and source of inspiration for the specialist department and thus also for the corporate governance organization as a whole.

So what is stopping us from doing just that? Every auditor may ask precisely that question while standing in front of the mirror and saying: Mirror, mirror on the wall, who is the most vain auditor of them all?

If we are not the innovator within the company, there is indeed an underlying danger that we will be overtaken in the company by innovations in the specialist department and that we will no longer generate real added value apart from run-of-the-mill purchasing audits, control matrices and the outsourcing of difficult topics.

So you auditors, climb up on your high horse, join forces with all your fellow auditors and take to the field of battle to show who wields the sharpest sword beyond the scope of the risk control matrix and standard audit catalogues.

Sources and further literature:

[1] Institut für interne Revision, Positionspapier zur Abgrenzung der Funktionen Interne Revision & Compliance

[2] Flemming Ruud & Adrian Kyburz, Gedanken zum Three Lines of Defense Modell – was ist mit Verteidigung gemeint?

[3] ZIR Zeitschrift für Interne Revision, Prof. Dr. Marc Eulerich, Das Three Lines of Defence-Modell

Artikel teilen