GRC Tuesdays: Three Lines of Defense and Integrated Reporting—Getting Internal Auditors Out of Control and Into the Business
The role of internal auditors is to provide “assurance,” right? What does “assurance” look like? It looks like this—“In our opinion, internal control (substitute risk management, compliance, IT security) is effective…” or words to that effect.
If there are exceptions, there will be audit findings. If the audit findings are significant, the assurance may be negative and the opinion will reflect “ineffective” controls (and so on).
Question: What’s the opposite of assurance? Read on.
Assurance Means You Think You Know
Let me give you a contrary view on assurance.
I believe that “assurance” enables and perpetuates ignorance, blocking real knowledge about the things that executives should know about governance risk and compliance (GRC). It provides no guidance for managers to run the business or for stakeholders to assess the business.
Check out how many of the banks and other businesses that failed in the financial crisis were given positive opinions on internal control over financial reporting.
Years ago, I was appointed chief internal auditor. My CEO told me to be his eyes and ears. Managing a far-flung complex enterprise before the technology innovations of today, some ignorance was excusable. Relying on more eyes and ears was understandable and to some extent essential.
But that is not the case today. Virtually all the data necessary to manage governance, risk and compliance strategically exists somewhere in the business in machine readable form.
All the tools, capabilities, and frameworks to create, sustain and report knowledge are here today.
Assurance and exception reporting is not simply acceptable. Assurance reporting lowers a curtain on knowledge.
I believe internal auditors are now able to lead in the creation and reporting of real knowledge and they should be measured on their progress in doing so. It’s a massive shift but the path has been charted.
It’s time for internal auditors to get out of control and into the business.
A Leap Forward for GRC: Integrated Thinking from Exxaro
I have always believed that GRC is a manageable dimension of the business and the real challenge for GRC professionals was to provide business leaders with a lens to look through and levers to pull.
We need a framework for reporting the results of GRC and for illustrating the link between GRC and performance.
While integrated reporting may be relatively unknown in the US, it’s a growing global phenomenon. In my view, it provides this “lens to look through,” a framework for organizing GRC information and linking to business performance. If you don’t like the capital model, as the organizing principle for reporting, use your business strategy as a framework.
The Three Lines of Defense to me is the engine of integrated reporting. It provides the levers to pull for management to run the business. In the Three Lines of Defense model,
- knowledge is created by the business,
- aggregated by GRC experts, and
- attested to by internal audit.
One of our customers, Exxaro Resources, has integrated the Three Lines of Defense with integrated reporting. Exxaro is based in South Africa, where integrated reporting is mandatory.
What Does Knowledge Look Like in GRC?
The graphic below is from page 19 of the 2015 Exxaro Integrated Report.
This report is a top-level dashboard from which the business can drill down, looking at individual business processes and relevant information about risks and how they are managed.
Saret Van Loggerenberg, Exxaro’s brilliant manager of risk and compliance, summarizes their story in this short video.
Insight vs. Assurance
Exxaro has identified, documented, and assessed their risks and controls, measured the net impact of the risks against the 5 capital model used by integrated reporting, linked the results to their stakeholders, and identified and reported the risk appetite levels and related key performance indicators.
This is what knowledge looks like and it is the extreme opposite of “assurance.”
Knowledge, not an unsupported opinion, is the ultimate assurance.
Armed with this knowledge and the related key performance indicators, Exxaro management runs their business. The knowledge is created by the Three Lines of Defense.
They don’t need “assurance.” They have knowledge instead. This report does for GRC what financial statements do for financial management.
Here are some questions to consider:
- Does this report provide the necessary information on the effectiveness of risk and control management?
- Does this report provide the business and stakeholders with information about how well the business is managed?
- Can internal auditors get out of control and into the business?