In the wake of drastic updates to the “Three Lines Model” for managing risk, Institute of Internal Auditors President and CEO Richard Chambers caught up with Compliance Week to discuss the changes, how COVID-19 has impacted the internal audit profession, and much more.
Q. The IIA recently unveiled a modernized version of its widely adopted Three Lines Model. What’s your take on the final product?
A. This was a labor of love on the part of the IIA. The original Three Lines of Defense Model was developed a couple of decades ago. I’m not sure anyone can really pinpoint precisely when and where the first version of it was published, but, regardless, over time it took on an iconic status as a reference model for people trying to understand roles and responsibilities in risk management and controls and governance. Over the years, the IIA began to recognize how useful it was in illustrating the importance of internal audit’s role in these areas. So, we ended up putting our own endorsement on it in the early 2000s. It was not the IIA’s model, but we wanted to make sure people understood the model better, and we wanted to provide some perspective on it.
I’m very proud of the work that the task force did. This was the work of a group of very talented and dedicated IIA leaders, volunteers, and staff.
Q. What was the impetus behind changing the old model? Were there particular criticisms? If so, how does the new model reconcile those criticisms?
A. Over the years, there were a number of concerns—criticisms, if you will—of the model. One is that it was being perceived as a very rigid, siloed model—that each line stayed within its line and you didn’t end up with any collaboration or crossover. The other is that the model was fine in illustrating how the various participants help to protect the value of an organization. But organizations don’t exist just to protect value. They exist to create value. So, you obviously have to protect the value you have while creating more.
We began to agree with some of the critics that perhaps the model needed to be refreshed to reflect (1) the importance of collaboration across the organization and (2) that organizations have to have all their key players aligned in creating that value. The new model I think does address both those concerns. It stresses the importance of collaboration across the lines.
Q. What’s the biggest change you’ve seen in the profession, since we last spoke in 2009, when you were first elected IIA president?
A. Internal audit has made tremendous strides in the last 12 years. In 2009 when you and I spoke, we were all mired in the depths of a great recession and a financial crisis. Internal audit was being thrust into service in a lot of organizations to help identify ways to reduce cost and navigate the challenges that were being presented by the financial crisis.
As we moved beyond that, there was heightened expectation on the part of regulators and others … calling out the value that internal audit can bring and the role that it should play in ensuring the effectiveness of controls of risk management within the industry. It was a real opportunity for internal audit to demonstrate not only that it has a strong role to play in controls assessment, but in the assessment of risks.
Over the course of the middle of the last decade, we started to see more and more financial debacles and scandals at big companies that clearly had culture at the root. It became more common for people to ask, ‘Who is looking at culture?’ So, you started to hear more regulators, the IIA, and others say, ‘This is a role for internal audit.’ You started to see internal audit being involved in auditing culture or providing assurance to boards about the culture of the organization. That was further evolution of the profession.
You also saw during that period a lot of huge cyber-security breaches. What that did was to highlight how internal audit could provide value to an organization in providing assurance around the effectiveness of cyber-security controls.
The common thread here is that internal audit has demonstrated over this past decade its agility—the ability of our profession and of individual internal audit departments to pivot quickly and decisively to address new or emerging risks. This last decade has been yet further evidence of the ability of the profession to pivot, to demonstrate its agility, and stay focused on the real risks of the organization.
Q. What is the role of internal audit in fostering culture?
A. Where I think we can add real value when it comes to culture is by being part of the organization, but most importantly being in a position of having reporting relationships to management, reporting relationships to the board, and tentacles that reach into the organization every day in every corner of the organization. We have the ability to provide insight and assurance to management that the culture of the organization is healthy—that the organization is walking its talk. So, our value is to be there in an eyes-and-ears role for the board and for management.
But auditing culture is not easy. I gave a speech a couple of years ago in India to a group of corporate chairmen to the board talking about the concept of auditing culture. A gentleman stood up, and he made the observation that when auditors do their work, they typically use their sense of sight and sound. We see evidence. We hear evidence. He said auditing culture also requires you to use your sense of smell. I thought that was quite profound. Culture is not always evident. Not until you really take the time to understand what is going on, how are people being treated, how are they getting measured—one of the clearest indicators in my mind that a culture is not healthy is if what gets measured is the only thing that gets rewarded. If I am rewarding you based on what you do, and not how you do it, then you’re going to be inclined to focus more on the outcomes and not the means.
Q. How do you see the IIA and internal audit evolving, post-COVID-19?
A. There are a lot of things I think are going to be different going forward. I believe that how internal audit is resourced will be impacted. As companies are having to make expense reductions, we’re already seeing internal audit budgets being reduced in a number of organizations. In some organizations, that equates to reductions in staffing.
How we assess risk is also going to be important. I’ve been espousing for years that internal auditors have to become much more adept at continuous risk assessment and that technology is a platform and means to do that. If these last few months have taught us anything, it’s that risks are incredibly volatile. The velocity of change in the risk profile of most organizations over the last six months is almost unprecedented. That is fundamentally going to have to influence how we assess risks going forward.
We’re becoming more adept at how we audit remotely. As an internal auditor … there are different types of evidence that you have to obtain to be able to draw conclusions. There is physical evidence, documentary evidence, testimonial evidence. Each of those has value. The most valuable of evidence and the most reliable and unassailable always seemed to be physical evidence. But we’re all working from home now, so there’s not a whole lot you can do around physical evidence. Testimonial—yes, we can still call and interview people all day long. My point here is that’s going to fundamentally change the way we think about how we draw conclusions as auditors, and it goes to the heart of how we do our jobs.
Q. You’ll be stepping down in March 2021 as the IIA’s president. What are your plans moving forward?
A. I’ve intentionally not made any definite plans, because I still have almost eight months in this role. Important for me is to remain active and to continue in some way to serve the profession that I’ve dedicated a significant percentage of my life to.
I am incredibly proud of the almost 12 years I have been in this role. I’ve been very fortunate to be supported by boards, directors, and leaders within our volunteer side of the IIA. I was very fortunate, because of that support, to be able to attract and retain the talent to do the things that we needed to do. As a result, we have truly had a remarkable run at the IIA—not just in what we’ve been able to do as a board and profession, not just in the way we elevated the voice of our organization to serve this profession around the world, but in terms of being able to acquire the resources to support the profession.
We’ve had a good, solid, productive period. But I’m also confident that even greater things lie ahead. It’s also why I felt like I needed to step back and let someone else come forward and lead. I believe if you stay in a role for a long period of time, sometimes you may be inclined to think the world needs to continue to look like it has looked. I know coming out of this crisis and looking at the IIA and America and our profession that it’s supposed to look very different, and I think it’s time for someone else to come in with fresh ideas to lead the organization.