
In order to start building from the “as-is” situation towards a “to-be” situation, we first have to know whether our model, as shown in figure 34, is correct. To validate this, several experts were asked to provide feedback on the model. The validation interview was conducted according to the book “Qualitative Research Practice: A Guide for Social Science Students and Researchers” by Ritchie et al. [49]; as such it combines flexibility with structure. The interview is interactive and the “as-is” model is used as a probe to achieve depth. In addition, the six stages of a qualitative interview are followed in the interview structure. Because this is a validation interview, the questions are designed to be content mining. The goal of the interview is as follows:

Goal of the interview: Validate that the “as-is” situation as modeled in figure 34 represents the reality of the three lines of defense in practice.

Two experts participated in this interview:

• Expert 1: EY internal expert. This expert answers the questions from a market point of view. The expert has substantial experience with both mature and immature clients in the financial sector on the subject of information management within the three lines of defense.

• Expert 2: Client expert of an immature company on the subject of information management within the three lines of defense. The company of this expert is situated at the “as-is” situation described in this paper.

Interview structure:

• Thanking the Interviewee for his/her time.

• Provide a short introduction about the topic of the research.

• Show and explain the “as-is” situation model to the experts and, where needed, explain how the process flows work.

• Questions:

Question 1: Does the model explain the function of the first line of defense well? Explain.

Question 2: Does the model explain the function of the second line of defense well? Explain.

Question 3: Does the model explain the function of the third line of defense well? Explain.

Question 4: Does the model explain the function of the senior management well? Explain.

Question 5: Does the model explain the function of the top management well? Explain.

Question 6: Is the sharing of data and other information between the different defense lines and management lines represented well in the model? Explain.

• Ending the Interview.

RESULTS

Interview Expert 1:

Question 1: First line of defense is explained well. The operational department does however not get all of its controls from the risk department. Sometimes they work ad hoc when controlling a process by establishing their own controls.

Question 2: The risk department establishes controls which are not used by the internal audit department. They use their own set of controls. The process in the risk department is correct.

Question 3: It is not the case that top management designs audit objectives for the internal audit department. In practice the internal audit department will construct a report with audit objectives and will present this to the top management, who will approve it or not. The action “perform audits” should be split into financial, operational and IT audit. Furthermore there is a division between compliance audit and normal audit. The first only looks at regulations while the second also takes business performance into account.

Question 4: Senior management function is correct, when only looking at it from an audit perspective.

Question 5: Top management function is correct when you remove the action “design audit objectives” and add an action called “approve audit plan”, which is linked to the internal audit department.

Question 6: The risk department might also look at some transactional data when establishing risks and controls. Internal audit department does not receive audit objectives but instead sends their audit objectives for approval to the top management. The operational department uses their own controls next to the controls of the risk department.

Interview Expert 2:

Question 1: First line of defense is explained well. I think the activity “Establish list of controls” is situational. At our company the first line of defense only implements and monitors controls established by the second line of defense.

Question 2: The process of the risk department is very much COBIT focused. COBIT focuses only on IT risks and controls, and therefore you should make sure that the process also supports COSO activities.

Question 3: Top management does not design audit objectives for the internal audit department. The internal audit department designs audit objectives based on findings that the first and second line have reported and on key processes within the company. Splitting up the audit function into financial, operational and IT audit activities clarifies the differences.

Question 4: The function of the senior management within the three lines of defense is correct.

Question 5: Within the top management process the management should only approve or decline internal audit objectives and not design the objectives themselves. The other process activities are correct in this context.

Question 6: The internal audit department looks at findings from both the first and second line of defense when designing audit objectives. Audit objectives are not received from the top management.