The Hayne Royal Commission, the CBA Inquiry, and recently the Bergin report into Crown Casinos continue to spotlight governance failings. A lack of urgency in dealing with issues, poor reporting, and the absence of vigorous oversight of non-financial risk are just a few of the issues raised that have attracted negative public reaction. But how much has changed since the Hayne Royal Commission nearly three years ago?
The expectations of audit committees are evolving
Bron Davies, Chief Auditor for Airservices Australia who is also on the board of the Institute of Internal Auditors Australia asks, “Have we continued to apply the changes initiated by the important lessons from the Royal Commission and Inquiries, or have these reports faded from our memory and we have slipped back into what we were previously comfortable doing?”
One of the key lessons from the Hayne Royal Commission and the Prudential Inquiry into the Commonwealth Bank of Australia (CBA) is that management must be challenged more robustly and held to account, directors must satisfy themselves they are receiving the right information and input from management, and they must rigorously oversight risk with a greater emphasis on non-financial risk.
What should change to address these issues? Expectations of audit committees have expanded to incorporate monitoring of corporate culture and maximising the use of various, and previously unconsidered, sources of information to understand the “lived experience” of the organisation. These previously untapped sources include behavioural insights from internal audit, ‘voice of the customer’ insights including customer complaint data, and staff engagement survey results and commentary. The expectation is that the armoury of information that audit committees are drawing on is expanding.
The respective skill base of the audit committee also needs to change. While important for financial skills to be present, and for each director to understand financial information, it is no longer acceptable that only financial skills are present. As with boards, diversity of skills and experience is required to bring robust challenge to the reporting the committee receives, and importantly, what isn’t reported.
The effectiveness of models of assurance
In the 2018 CBA Inquiry, the report confirmed that the ‘Three lines of Defence’ model is a “relatively simple model”. Whilst simple, its application is critical. A cross-industry survey conducted by the Institute of Internal Auditors Australia in 2019 identified that the model is seen as a good theoretical construct, but challenges exist in its practical application.
This is also illustrated in the CBA Inquiry, which found that the bank had not implemented the model effectively, despite several attempts over recent years. CBA made the mistake of allowing business units to tailor the model for their purposes rather than adopt a ‘one size fits all’ approach.
The recent report by an Advisory Panel Review into the way the Westpac Board handled the AUSTRAC allegations, claimed that the Three Lines of Defence model for managing risk did not always operate effectively with management of AML/CTF risk. The report states that some individuals did not sufficiently understand, at an operational level, where their responsibilities commenced or ended, and as such, end to end accountability was not always clear.
A combination of low uptake and erratic application across sectors, triggered a global review of the Three Lines of Defence model by the Global Institute of Internal Auditors in 2018.
Davies says “an important consideration of the multiple sources of assurance that an audit committee receives is the co-ordination between the activities. As important as assurance is, we need to make sure we get the most out of it and don’t overwhelm our organisation.”
Coordinating so that duplication and gaps are minimised
One option is the new Three Lines Model (pictured below) which provides a structure that is more flexible than the previous Three Lines of Defence, which was highlighted as being poorly implemented and contributing to some of our corporate failings.
The key difference is that the new model is flexible and recognises that not every organisation has a pure division between its functions. It is the relationships, the alignment and communication between the assurance providers that it important.
The first line roles are those providing products or services and support functions such as HR, administration and IT, but are also responsible for managing risk.
The second line roles focus on the specifics of risk management such as legal and regulatory compliance, control, quality assurance, and IT security.
The third line role of internal audit is critical for board directors to be aware of as the function is independent of management and provides objective assurance, and advice to the risk and audit committee of the board.
The relationship between the roles does not dictate any one structure and there can be many points of interaction between the board and management, such as the Chief Executive Officer and Chief Risk Officer as necessary.
What directors need to know
Directors need to establish whether the Three Lines Model and external assurance activities have been clearly defined for the organisation so each layer of assurance understands its role in the organisation’s overarching compliance framework. Is the ownership of assurance responsibilities clearly defined throughout the organisation?
Are the various assurance activities across all lines reflecting the risk exposures of the organisation to focus their activity and provide the audit committee with a clear rationale for what is included and not included in their planned activities?
Directors must still question whether the assurance activities that support them are adequately resourced and supported by the CEO and senior management, and the audit committee itself.
Does the organisation understand how its assurance activities fit together, and is there an independent assessment of the organisation’s governance, risk management and control processes?
The Three Lines Model
Want to explore this topic further?
Bron Davies will facilitate an upcoming webinar titled Audit committee – Responding to the new challenges. Joining Bron will be experienced non-executive director and board member of both ASX listed and privately held companies, Sandra Birkensleigh, and experienced internal audit practitioner and director of financial services at EY, Charlie Puddicombe. Register now.