• About us
  • Raising the Bar
  • Raising your Game
  • The Extra G - Geopolitical
  • Risk Matters - Roundtables
  • Leadership Team
  • Events
  • Blog
  • Contact
  • Menu

The Risk Coalition

  • About us
  • Raising the Bar
  • Raising your Game
  • The Extra G - Geopolitical
  • Risk Matters - Roundtables
  • Leadership Team
  • Events
  • Blog
  • Contact
karate-1665747_1920.jpeg

Internal audit - a view from the board

April 29, 2021

The three lines model and its various interpretations provide useful tools for positioning and championing Internal Audit within organisations.  Like many concepts the model is not without its critics but, on the whole, it does provide a good basis to frame the discussion regarding the Board’s assurance needs.

Internal auditors are familiar with the need to ensure governance and assurance frameworks are aligned.  They have been using the three lines model for over a decade to help guide the interplay between management and the internal audit function. The recent revision to the model, with an increased focus on collaboration, speaks to the importance of ensuring assurance providers – wherever they sit in the organisation – have clear lines of sight and effective working relationships.

As assurances funnel up through the organisation the audit committee has a prime position at the top of this funnel looking across the three lines and trying to make sense of the various sources of assurance it has available. The Risk Coalition has undertaken significant work in this space looking to understand the connection between board strategy, risk management and the assurance framework. From its work interviewing risk and audit committee members, some common themes emerge:

  • The need for assurance to be driven top down from the board

  • A stronger linkage between board objectives and assurance activity

  • A greater focus on assurance stemming from the first line

  • A more effective way of presenting the totality of assurance activity across the three lines. 

For internal auditors, this poses some interesting issues on how best to support the board and audit committee.   Internal Audit’s voice should have a key role in shaping the assurance agenda and closing the gap between board level expectation and current practice.

So how should Internal Audit use that voice?

  • Senior level engagement – ensuring regular dialogue between Internal Audit, the audit committee and the wider c-suite is time well spent in building mutual trust and understanding.

  • Objective led assurance – working with the board to develop a culture of objective led assurance, ensuring that the board is clearly communicating to Internal Audit its needs for third line assurance.

  • Clarifying assurance responsibilities – opening a wider conversation on the role of the first line in assurance as ‘UK SOX’ will put a focus on attestations as a key mechanism for ensuring accountability for control and control assurance is clearly placed on the first line.

  • The big picture view – investing in developing and maintaining this holistic assurance landscape, which will pay dividends in allowing the board to gain a succinct coherent view of assurance activity.

While there is a current focus and debate on financial reporting and control, the above points have much broader applicability across the risk and control framework.  Cyber, ESG and wider geo-political risks are all examples of priorities jostling for attention.  Staying close to the board and its agenda, working to understand how assurances across the three lines combine, and helping the board to understand the totality of assurance, are all areas that will pay dividends in Internal Audit’s standing within the organisation, now and in the future. 

Tim Le Mare is Regional Sales Director, Integrated Risk for Workiva. He will be leading a webinar to discuss this topic further. To join the debate, register for ACCA’s free webinar on 13 May at 12.30pm when he will look at this topic further with Bryan Foss of Risk Coalition and Lee Glover of Haines Watts.

Tags: Tim Le Mare
Prev / Next

Blog

Featured
Apr 15, 2025
Vera Cherepanova
The future of ESG: navigating a fragmented landscape
Apr 15, 2025
Vera Cherepanova
Apr 15, 2025
Vera Cherepanova
Mar 6, 2025
Mo Warsame, Gavin Hayes
Internal audit and risk management must work together to navigate uncertainty
Mar 6, 2025
Mo Warsame, Gavin Hayes
Mar 6, 2025
Mo Warsame, Gavin Hayes
Sep 4, 2024
Polly Williams, Mia Harris
Three key threats of phishing to be aware of
Sep 4, 2024
Polly Williams, Mia Harris
Sep 4, 2024
Polly Williams, Mia Harris
Aug 25, 2024
Felix Ritchie
Principles versus rules in data and corporate governance
Aug 25, 2024
Felix Ritchie
Aug 25, 2024
Felix Ritchie
Jul 16, 2024
Jane Hunter, Mia Harris
How can you maintain high standards in your business without suffering burnout?
Jul 16, 2024
Jane Hunter, Mia Harris
Jul 16, 2024
Jane Hunter, Mia Harris
Jun 2, 2024
Afshan Moeed
Enforcement of individual accountability in UK banking: a new boardroom recipe for change or continuity?
Jun 2, 2024
Afshan Moeed
Jun 2, 2024
Afshan Moeed
May 28, 2024
Craig Morris, Mia Harris
Three exciting new developments for AI in 2024 that you need to know about
May 28, 2024
Craig Morris, Mia Harris
May 28, 2024
Craig Morris, Mia Harris
May 24, 2024
Stefan Hunziker
The stuff of nightmares: risk management is shut down, and nobody notices
May 24, 2024
Stefan Hunziker
May 24, 2024
Stefan Hunziker
Mar 20, 2024
Neil Tinegate
What should boards know about digital technology?
Mar 20, 2024
Neil Tinegate
Mar 20, 2024
Neil Tinegate
Mar 15, 2024
Francis Kean
The insolvency risk for company directors - are you swimming naked?
Mar 15, 2024
Francis Kean
Mar 15, 2024
Francis Kean
Feb 29, 2024
Andy Watkins-Child
Are you sitting comfortably?  Cyber risk, board attestations and the implications for NEDs
Feb 29, 2024
Andy Watkins-Child
Feb 29, 2024
Andy Watkins-Child
Oct 24, 2023
Mamun Madaser
Risk management and internal audit should collaborate to navigate the poly-crisis of risk
Oct 24, 2023
Mamun Madaser
Oct 24, 2023
Mamun Madaser
Oct 18, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 2
Oct 18, 2023
Jim Watson
Oct 18, 2023
Jim Watson
Oct 13, 2023
Nisha Sanghani
Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code
Oct 13, 2023
Nisha Sanghani
Oct 13, 2023
Nisha Sanghani
Oct 9, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 1
Oct 9, 2023
Jim Watson
Oct 9, 2023
Jim Watson