In order to start modeling the “as-is” situation we first have to gather sufficient information about the current situation. From theory [27] we learned about the theoretical model that encompasses the three lines of defense, but in order to make sure the model represents the actual situation in companies we will have to consult experts in the field about the day-to-day practices that they observe or perform. This is important because high-level frameworks like the three lines of defense are often not followed completely in practice, or are altered slightly to conform to the business. We will first summarize the information from the literature study that is relevant to the model. The IIA paper [27] explains that every line has its own role in a company. We describe these roles in this chapter to clarify our design choices in the “as-is” model.
According to the IIA’s “The Three Lines of Defense in Effective Risk Management and Control” paper [27] the first line of defense, or the operational department, has three major responsibilities. The first of these is that the operational department owns the risks of a company. This means that risks identified by the second line of defense will have to be countered with countermeasures in order to accommodate the organization’s risk appetite. In order to identify whether these countermeasures have reduced a risk sufficiently, some control will have to be implemented and tracked by the first line of defense. The intention is that the first line of defense provides independent assurance reporting to the senior management.
The second line of defense, or risk department, is mainly involved in identifying risks to the organization, based on risk frameworks like COBIT [25] and COSO [7], which we described in the literature study. In addition to this the risk department also has to determine the company’s risk appetite, based on the organizational strategy. Risks to the company also have to be monitored to provide assurance independent of the first line of defense. This is done by developing controls and monitoring these controls. Risk management reporting to the senior management fulfills two critical roles: it provides input for management policies and it alerts operational management to emerging issues. The second line of defense is also responsible for providing risk training and guidance when needed [27].
In the “The Three Lines of Defense in Effective Risk Management and Control” paper of the IIA [27] the role of the third line of defense, or internal audit department, is explained less clearly. Since this model is widely used by companies, we expect that this is one of the reasons that companies struggle to organize the internal audit department successfully in a data-driven way. The main function of the third line of defense is that the internal audit is independent from the company and is therefore able to report directly to the top management as well as the senior management. In order to gain more insight into the activities of the third line we conducted an exploratory interview with an Ernst & Young expert on the internal audit function. The interview structure and a summary of the results can be found in appendix E. The interview resulted in the following key points:
• Every year a list of objectives is set up by the governing bodies of the company.
• The list of objectives is based on what the governing bodies deem important that year and will differ from year to year.
• The list of objectives is used by the internal audit department to audit relevant processes.
With the key points of the literature and the expert interview, the conceptual alpha version model of the “as-is” situation in figure 34 could be made.
Model explanation:
The first line of defense consists of the operations department, which checks every business process instance for correctness via a control process. In this control process the operations department depends on information from the risk department, such as an up-to-date list of controls and a list of current threats. The control process uses transactional data stored by the different systems used in a business process to evaluate whether a business process has been completed correctly. The first line of defense reports to the senior management.
The second line of defense consists of the risk department of a company and is responsible for selecting business-relevant controls for business-relevant risks. Relevant risks and the risk appetite are based upon the strategy of the firm. Based on the identified risks, several controls can be selected and implemented. The remaining tasks of the risk department are to monitor the risks and report to the senior management.
The third line of defense consists of the internal audit department. The function of this department is to provide independent assurance of the business. The internal audit department receives multiple audit objectives from the top management and determines its own operational audit targets based on these objectives. In order to carry out the operational audits, several datasets from relevant information systems are requested and used. These datasets are, however, not constructed for the purpose of audit and will therefore not always provide the information needed to successfully audit a business process. Findings are reported both to the senior management and to the top management directly.