Integrated Assurance Embracing The Three Lines of Defense

Transcription

1 Integrated Assurance Embracing The Three Lines of Defense Stanley Y. Chang, Ph.D. CPA (Texas), CIA, CMA, CCSA, CGAP, CGFM, CRMA Chief Operating Officer, Marcum, Bernstein & Pinchuk, LLP 1

2 Stanley Chang, PH.D Dr. Chang has done extensive internal auditing, risk management, control review/implementation, and corporate governance work for major corporations, national governments and central banks, as well as provincial/state governmental entities and non-profit organizations in China, Hong Kong, Malaysia, Philippines, South Africa, Taiwan, and the United States. Before joining Marcum BP, he was Global Risk Services Leader for a major accounting firm and before that APAC Life Sciences Leader for a big four accounting firm. Dr. Chang is currently a Board member of the China Institute of Internal of Internal Auditors (CIIA) and was previously an advisor to Shenzhen Stock Exchange and the China National Audit Office. Internationally, he sat on the Global Board of the Institute of Internal Auditors (IIA) from 1997 and to He also helped establish the Asian Confederation of Institutes of Internal Auditors (ACIIA) and was its first Secretary from 1999 to Stanley served two terms on the Internal Audit Standards Board, which prescribes the global internal auditing standards. Dr. Chang has received multiple awards from governments and professional organizations for his accomplishments and services, including, among others, the 1999 IIA Chairman s Exceptional Volunteer Citation, the 1999 Fulbright-SyCip Foundations Distinguished Lectureship, the 1997 South Africa Human Science Foundation Fellowship, the 1994 IIA Leon R. Radde Educator of the Year Award and the 1991 Association of Government Accountants National Achiever Award. Being proficient in English and 4 Chinese dialects, Mr. Chang has extensive experience in leading regional and global compliance projects across various industries in recent years. Professional Certifications Certified Public Accountant (Texas) Certified Internal Auditor Certified Management Accountant Certified Government Audit Professional Certified Government Financial Manager Certificate in Control Self-Assessment Certificate in Risk Management Assurance Stanley.chang@marcumbp.com Phone

3 Origin of the concept From human physiology Analogy to medieval castle and immune system CASTLE HUMAN 1st Line Castle Walls Skins 2nd Line Archers White blood cells 3rd Line Soldiers Smart cells/antibodies 3

4 Business adoption First appear in Banking literature Proliferated in Basal II disclosures Various adoption or adaptation by organizations (and consulting companies) 4

5 Figure 1. Three Lines of Defense Model Senior Management Governing Body / Board / Audit Committee 1st Line of Defense 2nd Line of Defense 3rd Line of Defense Management Controls Internal Control Measures Financial Control Security Risk Management Quality Inspection Compliance Internal Audit External Audit Regulator The Three Lines of Defense in Effective Risk Management and Control, The Institute of Internal Auditors, January

6 Figure 2. Oversight Responsibilities for the Control Environment Governing Body / Board / Audit Committee Senior Management Control Environment 1. Demonstrates commitment to integrity and ethical values 2. Exercise oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability Source: "Leveraging COSO Across The Three Line Of Defence" IIA/COSO

7 Figure 3. COSO and the 1st Line of Defense 1st Line of Defense Management Controls Internal Control Measures Risk Assessment 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change Control Activities 10. Selects and develops control activities 11. Selects and develops general controls over IT 12. Deploys through policies and procedures Information & Communication 13. Uses relevant information 14. Communicates internally 15. Communicates externally Source: "Leveraging COSO Across The Three Line Of Defence" IIA/COSO 2015 Monitoring Activities 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies 7

8 Figure 4. COSO and the 2nd Line of Defense 2nd Line of Defense Financial Control Security Risk Management Monitoring Activities 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies Quality Inspection Compliance Source: "Leveraging COSO Across The Three Line Of Defence" IIA/COSO

9 Figure 5. COSO and the 3rd Line of Defense Assessment of Design and Implementation 3rd Line of Defense Assurance on Effectiveness Internal Audit Source: "Leveraging COSO Across The Three Line Of Defence" IIA/COSO

10 Benefits of the concept A comprehensive approach to address the risk components, particularly on monitoring Recognition of assurance from multiple sources within the organization Provide a platform to coordinate more effective assurance 10

11 Limitations of the concept Risk is a more complicated concept than disease or attack Preventable Risks Strategic Risks External Risks Implied temporal sequencing Emphasis on discovering Subject to politics of the organizations 11

12 Figure 6. COSO Pyramid 12

13 Opportunities/Best Practices Comprehensive mapping of Risks Reliance assessment Gap analysis and remediation Continuous communication within the governance process Tone at the top Proactive implementation 13