This white paper discusses combining internal audit and second line of defense functions. It finds that while combining functions may be beneficial in some situations, it is generally not preferred from the perspective of independence and objectivity. If combined, basic conditions must be met and safeguards established. The paper provides an overview of stakeholder perspectives, professional standards, and conditions and safeguards required to maintain independence if functions are combined.
This article aims to provide a comprehensive knowledge and understanding of the Sub ledger accounting (SLA) in Oracle E-Business Suite (EBS) R12. It uncovers some of implementation tips and techniques and also shows how users can meet their financial and reporting needs using SLA.
The article highlights how to use SLA functionality to automate and control various scenarios using specific business rules.
A Study on Investment banking Portfolio Management and DerivativesPunith M
This project is the study of Investment banking and its activities which also includes the portfolio management and a brief of Modern Instrument Derivatives.
The main reason to do research on above mentioned topics are to understand and let know the modern technique of Investment banking to distinguish the IB with normal banks, And also helps to comprehend the Market management which can be called as Portfolio management, The modern instrument derivatives which is nowadays has become significant in Market to perform Trade activities or to build a career in Investment bank as Financial analyst.
Here in this project I have chosen top listed Investment Banks for research purpose, companies such as JPMC, Goldman Sachs, State Street, Northern Trust, HSBC, and RBC Capital Market
Edexcel IGCSE & O Level
Accounting
Correction of errors
Situations where errors occur
Two types of errors
Trial Balance
Errors which do not affect Trial Balance agreement
Omission, Commission, Original Entry, Principal, Compensation, Complete Reversal, Duplication
Errors which affect the agreement of trial balance
suspense account
All igcse past papers
model questions
Activity Based Costing:
The latest costing method in this centaury;
Cost Drivers; Cost Pool; Cost Driver Rates ; All the ABC Cambridge A Level Past paper questions ; ABC Model questions
This article aims to provide a comprehensive knowledge and understanding of the Sub ledger accounting (SLA) in Oracle E-Business Suite (EBS) R12. It uncovers some of implementation tips and techniques and also shows how users can meet their financial and reporting needs using SLA.
The article highlights how to use SLA functionality to automate and control various scenarios using specific business rules.
A Study on Investment banking Portfolio Management and DerivativesPunith M
This project is the study of Investment banking and its activities which also includes the portfolio management and a brief of Modern Instrument Derivatives.
The main reason to do research on above mentioned topics are to understand and let know the modern technique of Investment banking to distinguish the IB with normal banks, And also helps to comprehend the Market management which can be called as Portfolio management, The modern instrument derivatives which is nowadays has become significant in Market to perform Trade activities or to build a career in Investment bank as Financial analyst.
Here in this project I have chosen top listed Investment Banks for research purpose, companies such as JPMC, Goldman Sachs, State Street, Northern Trust, HSBC, and RBC Capital Market
Edexcel IGCSE & O Level
Accounting
Correction of errors
Situations where errors occur
Two types of errors
Trial Balance
Errors which do not affect Trial Balance agreement
Omission, Commission, Original Entry, Principal, Compensation, Complete Reversal, Duplication
Errors which affect the agreement of trial balance
suspense account
All igcse past papers
model questions
Activity Based Costing:
The latest costing method in this centaury;
Cost Drivers; Cost Pool; Cost Driver Rates ; All the ABC Cambridge A Level Past paper questions ; ABC Model questions
Cambridge O level
Accounting
Principles of Accounting
7110
7707
Correction of Errors
Correction of Accounting errors
with Past papers and model papers
by
Sanjaya Jayasundara
Wtzapp: +94712545001
The Global Innovation Index 2012 profile of France
Measurement and ranking of all factors contributing to France's innovation efficiency
Source : the GII 2012 http://www.globalinnovationindex.org/
Correction of accounting errors for a Level or level under National , Edexcel and Cambridge Syllabuses
Situations where errors take place:
Two types of errors , Errors which are not revealed by the trial balance and errors which are revealed by the trial balance, errors of omission , commission , principle, original entry , compensating and complete reversal , suspense account , past papers
This Business Improvement Proposal was created by WebIT2 Consultants (Sarah Killey, Donald Gee, Mark Cottman-fields, Darren Cann and Sean Marshall) for the Queensland University of Technology (QUT) Library.
The plan outlines an in-depth situational analysis, proposal description, recommended solution, key benefits, business drivers, return on investment and implementation plan.
This is an assessment piece for INB346 - Enterprise 2.0 unit, Semester 2, 2009 (Lecturer Dr Jason Watson).
Standard Costing: Management Accounting Cambridge A Level Paper 3 last 2 questions: Payback period: Discounted Payback period: Accounting Rate of Return (ARR): Net Present Value (NPV): Internal Rate of Return (IRR) : Sensitivity Analysis: Cambridge A2 Standard Costing Past Papers
The Three Lines of Defense Model & Continuous Controls MonitoringCaseWare IDEA
Presented at ACFE conference.
Long gone are the days when organizations could afford to treat each risk, fraud and compliance issue as an individual problem and allow business processes, employees and systems to operate in silos. In order for businesses to activate robust fraud detection, diverse teams of fraud investigators, internal auditors, enterprise risk management specialists, business executives and compliance officers must work in unison; each brings a unique perspective and skill set that can be invaluable to the organization. One approach we’ll examine is the Three Lines of Defense Model where management control is the first line of defense in risk management. The various risk control and compliance functions are the second line of defense, and independent assurance is the third. Each team or “line” plays a distinct role to achieve organizational objectives.
You Will Learn How To:
1. Make a business case for collaboration while remaining true to the principles of your profession
2. Derive business benefits from risk management and internal audit working collaboratively to fulfill their second and third line of defense mandates
3. Tailor the Three Lines Defense Model to fit your organization
SLIDESHARE: www.slideshare.net/CaseWare_Analytics
WEBSITE: www.casewareanalytics.com
BLOG: www.casewareanalytics.com/blog
TWITTER: www.twitter.com/CW_Analytic
Second line of defense - advantages and set up Jim McClanahan
An overview of the three lines of defense model in managing risk, the risk management gaps that a second line of defense fills, and practical steps for setting up a second line of defense.
Cambridge O level
Accounting
Principles of Accounting
7110
7707
Correction of Errors
Correction of Accounting errors
with Past papers and model papers
by
Sanjaya Jayasundara
Wtzapp: +94712545001
The Global Innovation Index 2012 profile of France
Measurement and ranking of all factors contributing to France's innovation efficiency
Source : the GII 2012 http://www.globalinnovationindex.org/
Correction of accounting errors for a Level or level under National , Edexcel and Cambridge Syllabuses
Situations where errors take place:
Two types of errors , Errors which are not revealed by the trial balance and errors which are revealed by the trial balance, errors of omission , commission , principle, original entry , compensating and complete reversal , suspense account , past papers
This Business Improvement Proposal was created by WebIT2 Consultants (Sarah Killey, Donald Gee, Mark Cottman-fields, Darren Cann and Sean Marshall) for the Queensland University of Technology (QUT) Library.
The plan outlines an in-depth situational analysis, proposal description, recommended solution, key benefits, business drivers, return on investment and implementation plan.
This is an assessment piece for INB346 - Enterprise 2.0 unit, Semester 2, 2009 (Lecturer Dr Jason Watson).
Standard Costing: Management Accounting Cambridge A Level Paper 3 last 2 questions: Payback period: Discounted Payback period: Accounting Rate of Return (ARR): Net Present Value (NPV): Internal Rate of Return (IRR) : Sensitivity Analysis: Cambridge A2 Standard Costing Past Papers
The Three Lines of Defense Model & Continuous Controls MonitoringCaseWare IDEA
Presented at ACFE conference.
Long gone are the days when organizations could afford to treat each risk, fraud and compliance issue as an individual problem and allow business processes, employees and systems to operate in silos. In order for businesses to activate robust fraud detection, diverse teams of fraud investigators, internal auditors, enterprise risk management specialists, business executives and compliance officers must work in unison; each brings a unique perspective and skill set that can be invaluable to the organization. One approach we’ll examine is the Three Lines of Defense Model where management control is the first line of defense in risk management. The various risk control and compliance functions are the second line of defense, and independent assurance is the third. Each team or “line” plays a distinct role to achieve organizational objectives.
You Will Learn How To:
1. Make a business case for collaboration while remaining true to the principles of your profession
2. Derive business benefits from risk management and internal audit working collaboratively to fulfill their second and third line of defense mandates
3. Tailor the Three Lines Defense Model to fit your organization
SLIDESHARE: www.slideshare.net/CaseWare_Analytics
WEBSITE: www.casewareanalytics.com
BLOG: www.casewareanalytics.com/blog
TWITTER: www.twitter.com/CW_Analytic
Second line of defense - advantages and set up Jim McClanahan
An overview of the three lines of defense model in managing risk, the risk management gaps that a second line of defense fills, and practical steps for setting up a second line of defense.
Portifólio de patrocínio Global Risk Meeting 2011Mariana Lima
O evento que por cinco anos consecutivos discutiu Continuidade de Negócios, Governança Corporativa, Segurança da Informação, Responsabilidade Social Corporativa, Gestão de Crises, Segurança, Saúde e Meio Ambiente e Leis e regulamentações, apresenta diretrizes e estratégias baseadas nos aspectos estratégicos, mercadológicos e tendenciais.
A sexta edição do Global Risk Meeting, acontecerá em 12 de setembro, e pela primeira vez será realizada em Fortaleza, no Ceará. Contribuindo para o progresso de empresários e gestores do nordeste brasileiro, o evento elucidará a importância das corporações estarem preparadas para gerir crises e manter a sobrevivência das empresas em momentos difíceis ou imprevisíveis.
Com o objetivo de fomentar cada vez mais as melhores práticas internacionais no mercado nacional, o evento reunirá as maiores organizações para discutir demandas atuais e tendências mundiais relacionadas às melhores práticas sobre os temas de: Gestão de Riscos, Segurança da Informação, e Controles Internos.
Coaching e Mentoring de Controles Internos, Compliance, Segurança da informação, Auditoria Interna, Gestão de Riscos e Mapeamento de Processos
Se a sua empresa possui uma equipe e necessita montar uma estrutura de controles, necessita de capacitar ou reciclar os conhecimento da equipe, criar metodologias próprias para o seu negócio, aprimorar os processos, buscar melhorias e validação das atividades solicitadas pelos órgãos reguladores, nossa empresa oferece a oportunidade de realizar a capacitação de seus colaboradores dentro de sua empresa, utilizando recursos da própria empresa e fazendo com que os processos de gestão sejam melhor utilizados, realizamos treinamentos com as melhores metodologias de mercado COSO, COBIT, ISO 27000, ISO 31000 entre outros e ainda no processo de mentoria, auxiliamos na implementação, validação e aplicação das melhores praticas de mercado sempre com foco em sua estrutura, solicite uma visita para apresentarmos o nosso modelo de trabalho e nossos exemplos reais de implementação em clientes de ramo financeiro e não financeiro, pois a base é conhecendo o negócio e implementando controles.
Governanca corporativa e controles internos - Boas práticas nas pequenas e mé...HSCE Ltda.
Apresentação utilizada pela Hands-on Solutions, consultoria empresarial do Rio de Janeiro, para o 3o Workshop sobre "Governança Corporativa e Controles Internos - Boas práticas nas pequenas e médias empresas sob controle familiar"
No workshop abordamos como adpatar os conceitos e premissas a realidade das pequenas e médias empresa, como elaborar controles internos inteligentes, como monitorá-los e como medir o risco da empresa.
Como aplicar o COSO para SOX e Controles InternosCompanyWeb
Um exemplo prático da aplicação da estrutura do COSO (framework para Gerenciamento de Riscos Corporativos). Criação da matriz de riscos e repositório de Controles Internos.
Download:
http://www.companyweb.com.br/downloads/
Cód. 132 | Gestão de Riscos e Controles Internos - Como aplicar o COSO Para SOX, ERM
Vídeo: https://youtu.be/5w-fx3Y2IB0
Presentation by Vincent Tophoff, IFAC Senior Technical Manager and J. Stephen McNally, Campbell Soup Company Finance Director and Comptroller at the IMA Annual Conference and Exposition, June 2014
Thèse professionnelle sur les indicateurs de performance RSE et le management...Chris Delepierre
Thèse professionnelle sur les indicateurs de développement durable dans le cadre du Master of Science de gestion de projet à Skema Business School - octobre 2013.
La mesure de la performance durable des projets en entreprise est un thème assez récent que de nombreuses recherches tentent d'approfondir car, après s'être peu à peu installées en entreprise, les stratégies RSE ont désormais besoin de s'armer d'outils et de méthodes rationnels pour légitimer leurs bénéfices et mesurer les progrès accomplis grâce à des données fiables à l'échelle des projets, au niveau opérationnel, et non plus seulement au niveau corporate de la stratégie globale de l'entreprise.
We are trying to develop our working and branding of our Brand in international markets of Denim and Leathers Products. And i hope you all my friends and supporting members are always support us. Our aim to gives you best and new generation of denim products.
Thanks To All
* Our Investor partners
* Working Partners
* Media Partners
And Our All Working Staffs........
Optimization of Post-Scoring Classification and Impact on Regulatory Capital ...GRATeam
The 2008 crisis was the main cause of tough market regulation and banks’ consolidation basement. These new constraints have caused a major increase in banks’ capital. As a result, banks need to optimize their return on equity, which has suffered a big drop (due both to a drop in profitability as well as an increase in capital).
Moreover, as this crisis showed loopholes in risk measurement and management, regulators’ tolerance becomes more and more stringent. Consequently, banks are facing challenges while dealing with Low Default Portfolios (LDP) and discerning the way to meet regulatory requirements in terms of credit risk management under the Advanced Approach (IRBA) of Basel rules.
The purpose of this paper is to focus on post-scoring classification for LDPs with the aim to study the possibility of building a rating scale for these portfolios, that meets regulatory requirements as well as to identify the opportunities to optimize RWA. This will be accomplished by studying the relationship between the number of classes within a rating scale and the impact on RWA. The analysis will follow different steps.
The Business Model Design of Social EnterpriseLuke Kao
A social enterprise is an organization whose aim is to find the balance between
earning profits for shareholders and creating positive impacts in society. In the
following thesis, I shall share the building blocks needed for a business model directing
towards building a social enterprise, and draw comparison to those of for-profit
enterprises. Osterwalder and Pigneur proposed nine building blocks as a universal
business model (Business Model Generation 2010). My research considers this
proposed model while also considering three additional building blocks that specifically
pertaining to social enterprise: “social and environment revenue,” “social and
environment costs,” and “the social entrepreneur.” My research uses the information
collected from three social enterprise case studies, considering the social entrepreneurs
themselves, in addition to information concerning their company documents. My result
validates the theoretical foundation and practicality for these three additional building
blocks for developing social enterprises and for supplementing additional important
considerations while starting a social enterprise.
Was sind die Rahmenbedingungen für ein erfolgreiches Datenqualitätsmanagement?Torben Haagh
Data Governance, Datenkonsistenz und Datenqualität sind die Basis für ein effizientes internes & externes Meldewesen und für eine ertragsorientierte Gesamtbanksteuerung.
Doch was sind die Rahmenbedingungen für ein erfolgreiches Datenqualitätsmanagement?
Nutzen Sie dafür dieses interessante Whitepaper der Universität St. Gallen!
http://bit.ly/Framework_CDQM
Employers’ Toolkit: Making Ontario Workplaces Accessible to People With Disab...Bob Vansickle
This toolkit was created to help Ontario employers tap into a vibrant and underutilized labour pool—people with disabilities—and to assist employers in meeting the Employment Standard of the Accessibility for Ontarians with Disabilities Act.
We offer Oxford Brookes ACCA RAP Thesis writing and Mentoring services, Oxford approved mentors, 100% plagiarism free guaranteed work. Book your orders now at ghostwritingmania@yahoo.com
4. 4
Foreword – President of IIA Netherlands
Many different organizational design models are in place to
assist the Management Board in its accountability for effec-
tive risk management, compliance and audit activities across
the organization. Of course the primary responsibility for
maintaining sound controls and compliance lies with line
management, but increasingly dedicated functions are es-
tablished to support and oversee these ‘in control’ activities.
The different design models range from separate support
functions (i.e. Risk Management, Compliance and Internal
Control in addition to Internal Audit) to a fully combined Risk,
Compliance and Audit function.
There are many different views across companies and industries
on the benefits, feasibility and acceptability of combining risk,
compliance and assurance functions. Management Boards,
Supervisory Boards (in particular the Audit Committee) and
other governing bodies want to know if such combinations are
possible, under which circumstances, based on which basic
conditions and facilitated by which safeguards. The key ques-
tion is if the internal audit function can work independently and
objectively if support is provided on areas relating to risk man-
agement, compliance and internal controls.
In order to answer these questions and provide clear direc-
tion to the stakeholders involved, a task force of IIA Nether-
lands conducted research and held roundtable sessions.
This paper provides an overview of existing global standards
and good practices and considers the different stakeholder
perspectives.
Stakeholders and Governance, Risk Management and Com-
pliance (GRC) professionals are invited to engage in further
dialogue about this subject.
Finally, I would like to thank those who have participated in
the research and roundtables and, in particular, Sam Huibers
for his key role in the task force and for writing this paper.
Michel Kee,
President of IIA Netherlands
5. 5
Executive Summary
The Three Lines of Defense Model, in which Internal Audit is
positioned as an independent separate function in the third
line of defense, is considered to be a good practice from the
perspective of independent assurance. Management acts as
the first line of defense (owning the processes, risks and con-
trols), various support functions including Risk Management,
Internal Control and Compliance oversight functions are the
second line of defense (monitoring the process, its risks and
controls), and internal audit represents
the third line of defense (providing as-
surance and advice). However, in prac-
tice the responsibilities and, hence, job
titles of Chief Audit Executives (CAEs)
vary. Often combinations exist of In-
ternal Audit and second line of defense
functions such as Risk Management, Compliance and Internal
Control. At both smaller and larger organizations, various names
are used for the audit function, including “Audit”, “Internal Au-
dit Internal Control”, “Risk Management Internal Audit”, or
simply “Compliance”.
This triggered the question of to what extent and how these
second line of defense functions can be combined with the
Internal Audit function (IAF) without jeopardizing the auditor’s
independence and objectivity.
In this paper, we will refer to the total portfolio of assurance
and consulting activities as the Governance, Risk Manage-
ment and Compliance (GRC) activities in which both the IAF
and second line of defense functions, such as Risk Manage-
ment, Internal Control and Compliance, have a role.
Conclusion
The outcome of our research and
roundtable sessions is that combining
the IAF and second line of defense
functions is not the preferred solution
considering the Three Lines of Defense
Model as well as safeguarding the auditor’s independence and
objectivity as advocated by the Institute of Internal Auditors
(The IIA). However, situations may arise where combining
functions is perceived to be beneficial to the organization and
where it is possible to do so. If so, the basic conditions are to
be met and adequate safeguards should be in place to ensure
the independence and objectivity of the auditor.
(…) combining the IAF and second line
of defense functions is not the pre
ferred solution from the perspective of
the three lines of defense model and the
auditor’s independence and objectivity.
6. 6
From a management perspective, combining functions can
even be preferable and can provide the basis for the design
of the organization’s GRC structure. If the organization’s GRC
processes are not yet very mature, there may be a temporary
role in which Internal Audit supports the setup and design
of the methodology. In other situations it may be a deliber-
ate choice to have some functions combined as part of the
organization’s assurance model. The drivers for combining
functions can be reducing the span of control; expected
efficiency and synergies from having all expertise related to
assurance, governance, risk, internal
control and/or compliance under one
umbrella; or simply the fact that the
structure grew historically without
making explicit rational decisions on
how to optimize the organization’s
GRC structure.
While the Supervisory Board may have
similar considerations, it may put for-
ward other or additional, perhaps even contradictory views.
The Supervisory Board/Audit Committee (SB/AC) may play a
balancing act to ensure that both internal and external stake-
holders are satisfied and adequate safeguards are in place to
achieve the company objectives. Considerations with respect
to structuring governance in a way that optimizes the safe-
guarding of assets and compliance with laws and regulations
may prevail over more internally oriented considerations. In
addition, the SB/AC should monitor that the IAF can and will
operate in an effective and objective manner.
Note that in some sectors, such as the financial services in-
dustry, regulations apply that require separate Risk Manage-
ment and Compliance functions. The decisive factor will be
the sector-specific regulations the
organization has to comply with, and
guidance set by relevant governing
bodies is to be adhered to.
Basic conditions and safeguards
The basic conditions and safeguards
to ensure the auditors’ independence
and objectivity when combining the
IAF and other functions are summa-
rized below and will be described in more detail in this paper.
References to the relevant parts of The IIA’s International Pro-
fessional Practices Framework (IPPF), comprising the Standards
and further guidance, are included in the document as well.
However, situations may arise where
combining functions is perceived to
be beneficial to the organization and
where it is possible to do so. If so, the
basic conditions are to be met and
adequate safeguards should be in
place to ensure the independence
and objectivity of the auditor.
7. 7
Basic conditions and safeguards
Overarching basic conditions and safeguards
[The IIA Position Paper, 2013]
• Effectiveness not to be compromised: lines of defense
should not be combined or coordinated in a manner that
compromises their effectiveness with respect to providing
independent and objective assurance.
• Make consequences explicit: Internal Audit should clearly
communicate the impact of the combination to senior man-
agement and the governing bodies (and obtain their approval).
Subsequent basic conditions and safeguards
• No management responsibility: Internal Audit should not
assume any managerial responsibilities with respect to the
audit object. The IAF can facilitate and support, but should
never assume ownership.
• Formalize: roles and responsibilities are to be described in
the audit charter in order to avoid ambiguity and provide
clarity in the organization.
• Maturity: in case of a temporary role in which Internal Audit
supports the setup of second line of defense functions or
design of methodology, the approach is to be approved by
the AC.
• Outsourcing: if Internal Audit is involved in second line of
defense activities, the task of providing objective assurance
regarding these specific activities will have to be outsourced,
either externally or internally to other departments.
• Segregation of duties: potentially conflicting roles are to be
allocated to different individuals and/or (sub-)departments.
Table 1. Basic conditions and safeguards when combining
Internal Audit and second line of defense functions
Finally, when combining internal audit and second line of
defense functions and addressing the question of the audi-
tor’s independence, one has to go beyond focusing on the
function’s label only. Therefore, in this paper we also describe
the different types of roles that can be fulfilled by the audi-
tor, always taking into consideration any basic conditions
and safeguards that may apply.
The common principles to take into consideration when
combining internal audit and other functions are full trans-
parency regarding the considerations involved and formal-
izing the organization’s assurance model. This is important
not only to ensure compliance with the international Stan-
dards for the professional practice of internal auditing, but
also to ensure the full support and commitment of senior
management and the SB in order to be perceived as a true
value-adding business partner in the organization.
8. 8
1 Introduction and context
The Three Lines of Defense Model (see Figure 1, p. 8) is pro-
moted as a good governance practice and advocated by pro-
fessional bodies, such as The IIA. In early 2013, The IIA issued
an international position paper on the three lines of defense
model as part of an effective control environment. This paper
presents the implementation of the model as a way to enhance
clarity on roles and responsibilities regarding ownership and
monitoring of risks and controls and on how the effectiveness
of risk management systems can be improved.
Three lines of defense model
“In the Three Lines of Defense Model, management control
is the first line of defense in risk management, the various
risk, control and compliance oversight functions established
by management are the second line of defense, and inde-
pendent assurance is the third. Each of these three ‘lines’
plays a distinct role within the organization’s wider gover-
nance framework” [The IIA, 2013]. The different lines of de-
fense within an organization can be described as follows:
• First line of defense – management: business management
has the primary responsibility for monitoring and controlling
the operations. They own the processes, risks and controls.
• Second line of defense – support functions: management
is supported in its monitoring responsibility by separate
functions. Examples of these second line of defense func-
tions are Internal Control, Risk Management and Compli-
ance. They monitor the risks and controls.
• Third line of defense – Internal Audit: provides additional
independent assurance on the activities of the first and
second line of defense. This may include operational audits
to assess the controls in various business processes and
review the effectiveness of the second line of defense
ORGANIZATION
1st line of
defense
2nd line of
defense
3rd line of
defense
Figure 1. The Three Lines of Defense Model
Line
Manage
ment
Internal
Audit
Risk
Manage
ment
Internal
Control
Com
pliance
9. 9
functions, such as Risk Management.
• Fourth line of defense – external auditor, regulators and
external bodies: additional independent assurance by the
external auditor, e.g. typically the company’s financial au-
ditor, limited to the area of financial reporting.
Second line of defense functions
As explained above, management often establishes various
support functions to help build and/or monitor the first line
of defense tasked with risk management, control and com-
pliance monitoring. The nature and activities of these func-
tions will vary per organization and industry. Typical functions
in the second line of defense charged with GRC activities
include:
• ”A Risk Management function that facilitates and monitors
the implementation of effective risk management practic-
es by operational management and assists risk owners in
defining the target risk exposure and reporting adequate
risk-related information throughout the organization”
[The IIA, 2013].
• “A compliance function to monitor various specific risks
such as noncompliance with applicable laws and regula-
tions. Multiple compliance functions often exist in a single
organization, with responsibility for specific types of com-
pliance monitoring, such as health and safety, supply chain,
environmental, or quality monitoring” [The IIA, 2013].
• An internal control function supports management in iden-
tifying key process risks and defining and implementing
preventive and detective controls to mitigate these risks.
• Business ethics and special investigations: functions with
professionals that focus on communicating and providing
training on the company’s code of conduct, overseeing
the whistleblowing process and promoting fraud aware-
ness. A team of specialists may be dedicated to follow up
on suspicions and allegations of fraud.
Assurance
2nd and 3rd lines of defense
ORGANIZATION
1st line of
defense
Line
Manage
ment
Risk, Compliance and Audit
Compliance
Consultancy
Risk
Internal
Controls
Figure 2. Example of combination of Internal Audit and
second line of defense functions
10. 10
Management establishes these functions to ensure that pro-
cesses and controls are properly designed, in place and
operating effectively and that identified risks are mitigated.
Particularly in the non-financial sector, when there are no
specific regulator requirements regarding the establishment
of separate Risk Management and Compliance functions, the
activities are often combined (see Figure 2, p.9).
In practice, the boundaries between the activities relating
to internal auditing, risk management and compliance are
not always that well defined. This triggered the question of
to what extent these second line of defense functions can
be combined with the IAF, and, if so, how and under which
circumstances and conditions this would be acceptable.
11. 11
Quote of CAE during one of the roundtable meetings:
“I have been the CAE in four different organizations.
And, although one might expect that I would use these
experiences to change the structure and activities of my
internal audit departments so they would look similar,
I can tell you one thing: that is not the case.”
The objective of the task force of IIA Netherlands was to ad-
dress dilemmas with respect to combining internal audit with
second line of defense functions in the organization’s assur-
ance model. The key dilemma was if and how to combine
certain activities while remaining objective and independent
in the Internal Audit role. The main research question was:
To what extent and, if so, under what conditions is
combining the IAF with Risk Management,
Compliance and Internal Control and/or other
second line of defense functions acceptable?
First, the aim of the project was not to issue new guidance,
but to provide a synthesis of existing guidance in order to be
consistent with The IIA’s global Standards as a starting point.
Second, the aim was to gain insight into current audit prac-
tices. To this end, we held roundtable sessions with Dutch
CAEs of multinational organizations and other leading audit
professionals. In the next section we will further address this
dilemma and the perspectives of the different stakeholders.
12. 12
2 Perspectives
2.1 Stakeholder perspective
The initial research by the task force and the subsequent
roundtable meetings clearly highlighted that the design of
the GRC structure and the IAF varies per organization and is
usually driven by what senior management and the SB (sup-
ported by the AC) consider desirable.
The management considerations regarding combining func-
tions discussed at the roundtable meeting can be summarized
as follows:
• Optimizing the span of control: limiting the number of
people reporting to the Board on
assurance activities.
• Efficiency: cost control and provid-
ing more efficient assurance when
organizing assurance activities are
under one umbrella. Combining
functions may make it easier to
prevent the duplication of activities, and oversight as a
whole may require fewer resources than in a situation
where activities are dispersed across separate functions. If
there is separation, coordination can still happen, but may
depend on the willingness of managers to cooperate in-
stead of having clear accountability under one combined
leadership role.
• Historical: the organization of activities could be the prod-
uct of historical developments; activities may have been
gradually expanded and allocated to a single department.
• Synergy: creating synergies by bringing together profes-
sionals under one umbrella.
This may result in a more holistic approach on GRC ac-
tivities driven by one shared vision. In addition, the vision
and strategy will be executed by a group of professionals
with a similar mindset as well as com-
plementary competencies. This may
be perceived by management as
more effective than separating func-
tions. In addition, a larger function
might facilitate career planning since
in a larger pool more positions and
development opportunities can be offered. Furthermore,
combining various duties into one leadership role could
potentially attract better qualified and more experienced
professionals.
…the design of GRC and the IAF varies
per organization and is usually driven
by what senior management and the
SB (supported by the AC) consider
desirable.
13. 13
• Maturity: the role of Internal Audit may also depend on
the maturity of the processes and controls of the orga-
nization. Internal Audit may have a (temporary) role to
support the design of the methodology and GRC activities
in the company.
While the SB may have similar considerations, it may put
forward other, additional, or perhaps even contradictory
views. The SB/AC may play a balancing act between ensur-
ing that both internal and external stakeholders are satisfied
and that adequate safeguards are in place to achieve com-
pany objectives. Considerations with respect to structuring
governance in a way that optimizes the safeguarding of
assets and compliance with laws and regulations may prevail
over more internally oriented considerations such as effi-
ciency. In a recent trend analysis titled Enhancing Value
Through Collaboration [The IIA, The Pulse of the Profession,
Global Report, 2014], ACs have ‘risk management effective-
ness’ in their top five attention areas. The associated invest-
ment could clash with cost reduction, which is highlighted
as a main priority for executive management. In addition,
the SB/AC should monitor that the IAF can and will operate
in an effective and objective manner.
Finally, the design of governance and other considerations
are often very situational and may involve a combination of
the factors mentioned above. It may also be affected by the
personal preference and experience in other companies of
CAEs, management and the SB/AC.
2.2 Professional standards perspective
During one of the roundtable sessions, the following dilem-
mas were raised with respect to combining internal audit
with other assurance-related activities:
• How to provide an independent opinion on the effective-
ness of the second line of defense;
• How to provide assurance on GRC activities that are pro-
vided by professionals in the same department;
• How to deal with the potential perception that the objec-
tivity of activities of the second line of defense in which
the audit function is involved has been compromised.
The International Professional Practices Framework of the
Institute of Internal Auditors (IPPF), comprising of the Stan-
dards and other guidance, does not explicitly address the
combination of functions in one department. In most cases
the focus is at the activity, rather than the organization, level.
14. 14
IPPF Performance Standard 2050 – Coordination states that
the CAE should share information and coordinate activities
with other internal and external providers of assurance and
consulting services to ensure proper coverage and minimize
duplication of efforts.
The IIA Practice Guide for this standard, Coordinating Risk
Management and Assurance [The IIA, 2012], states that if the
IAF facilitates risk management activities, basic conditions ap-
ply. These basic conditions are described in the next section.
The IIA’s recent Position Paper The Three Lines of Defense
in Effective Risk Management and Control states that “risk
management is normally strongest when there are three
separate and clearly identified lines of defense” [The IIA, 2013].
Based on this model, combining functions is not the preferred
solution, but it may occur nonetheless. In certain situations
it is possible to combine the IAF with functions of the second
line of defense, such as Risk Management and Compliance,
provided that the necessary basic conditions are met.
In the Annex, we will give a more detailed overview of the
main guidance that is currently available from professional
bodies, such as The IIA and the Risk Insurance Management
Society (RIMS). In the table in this Annex, we include refer-
ences on the conditions and safeguards in relation to the
guidance described in the next section.
From the guidance it can be concluded that the combination
of Internal Audit with other second line of defense functions,
such as Risk Management and/or Compliance functions, is
possible in certain situations, provided that the required ba-
sic conditions and safeguards are in place. In order to provide
further practical guidance, we will discuss these situations
and basic conditions in more detail in the next section.
Closing remark: Sector-specific regulations
Another important factor for GRC processes, such as risk
management, is the nature of the entity where they occur.
Combining functions is certainly not justifiable for organi-
zations where these processes, e.g. risk management, are a
part of the primary process. It will depend on the sector-
specific regulations and laws the organization has to comply
with. Also, in heavily regulated sectors a combination of
supporting functions and Internal Audit may not be desirable.
15. 15
3 Basic conditions and safeguards
In the previous section we described the current profession-
al guidance regarding the auditor’s role with respect to other
assurance providers. In this section we will discuss in more
detail the possible safeguards and conditions when combin-
ing Internal Audit with second line of defense functions.
3.1 Basic conditions and safeguards when
combining functions
If the IAF and second line of defense functions are combined,
the key overarching basic conditions and safeguards that
need to be in place, as described in
the IIA’s Position Paper [The IIA, 2013],
are the following:
• Effectiveness not compromised
‘There are instances where internal
audit has been requested to estab-
lish and/or manage the organiza-
tion’s risk management, compliance and internal control
activities.’ If this is the case, the different functions should
never be combined or coordinated in a manner that com-
promises the effectiveness of the IAF and the expectation
of senior management and the governing bodies that in-
dependent, objective assurance will be provided regarding
being ‘in control’ of the business.
• Make consequences explicit
‘Internal audit should clearly communicate to senior man-
agement and the governing bodies the nature and impact
of the combination.’
Besides this guidance in The IIA Position Paper, we would like
to emphasize that in addition to the IAF communicating the
consequences to senior management and the AC, there should
also be a clear common understanding
of the considerations involved, the
mitigating measures taken and explicit
approval of the combination. In this
way the expectation of senior manage
ment and the governing bodies that
independent, objective assurance will
be provided by the IAF is addressed in a transparent way.
The Position Paper is not very specific on what kind of com-
pensating measures may be considered. We will therefore
provide some more insight into the conditions and safeguards
Make consequences explicit
‘Internal audit should clearly com
municate to senior management
and the governing bodies the
impactof the combination.’
16. 16
based on professional Standards, Position Papers and Prac-
tice Guides.
‘There are instances where Internal Audit has been
requested to establish and/or manage the organiza
tion’s risk management, compliance and internal
control activities.’
Subsequent basic conditions and safeguards:
• No management responsibility
The IAF should not make managerial decisions and remains
accountable for the process [The IIA, 2004, 2009]. The IAF
can facilitate, but should never assume ownership: line man-
agement should always be closely involved with the process
and they should decide on the risk appetite and the mitigat-
ing controls. If, for example, the Internal Audit facilitates the
documentation of an internal control framework, then man-
agement, in its capacity as process owner, has to sign off on
the overall process design, including the control design.
• Formalization by documenting roles and responsibilities in
the audit charter
It is important to avoid any ambiguity regarding the poten-
tial roles of Internal Audit and second line of defense func-
tions in the organization by explicitly defining these roles.
The aim, mandate and nature of the IAF’s activities should
be documented in the organization’s audit charter and be
approved by the Management Board and the AC. If the IAF
is also responsible for one or more second line of defense
functions, this should be explicitly stated in the charter,
along with the role and responsibilities of the IAF in this
respect and the impact on the IAF’s mandate.
17. 17
• Maturity
Internal audit professionals may have the knowledge and
expertise to support management in setting up, designing
and strengthening risk management controls and compli-
ance programs. In fact, they may be considered the GRC
experts in a particular organization that are best equipped
to help management with this matter. In case of a tempo-
rary role in which internal audit supports the setup and
design of methodology, the approach is to be aligned with
the Audit Committee [Practice Guide – Performance Stan-
dard 2050, The IIA, 2012].
• Outsourcing
Some organizations allocate risk management activities to
the IAF, which then acts as a provider of consulting services.
In that capacity, the IAF can play a facilitating role in identi-
fying, assessing and introducing risk management methods.
If an IAF coordinates a second line of defense function
such as Risk Management, another (external) party will have
to provide objective assurance on these activities so that
Internal Audit does not give an opinion on its own activities
[IPPF Performance Standard 2010/2050, The IIA, 2013].
The level of assurance required, if any, may vary per func-
tion and organization and is to be determined as part of
the annual risk assessment. The scope and frequency of
the second line of defense activities is part of the risk-based
audit plan that will be approved by senior management
and the AC.
• Applying segregation of duties within the IAF
Auditors should avoid any potential conflicts of interest by
maintaining an independent position. The perception of
independence is also an important aspect of this. One of
the alternative measures available to help achieve this is
to put into place segregation of duties within the IAF. One
of the key principles here is ensuring segregation by group-
ing together activities whose aims are non-identical or at
least not potentially conflicting. For example, within the
IAF, assurance-related activities could be segregated from
consulting-related GRC activities. If the size of the depart-
ment permits it, an additional safeguard (i.e. ‘second best’
option) would be to segregate the assurance-related ac-
tivities into a separate sub department.
Based on the principle of independence, the Standards
require that internal auditors who were previously respon-
sible for a particular item in another capacity should refrain
from auditing that object during the same year [Perfor-
mance Standard 1130 A.1, The IIA, 2013]. This rule should
18. 18
also be applied to consulting and participating roles as
described in the section below. An auditor who played a
role with respect to an audit object should be precluded
from conducting assurance activities regarding that object
for a period of at least one year.
A key point here is that the organizational structure is not
the only factor in deciding what is permissible; the actual
roles and activities also need to be considered, as well as
the basic conditions mentioned before. Therefore, in the
next section we will look in more detail at the roles and re-
sponsibilities at activity level.
3.2 Assurance roles and roles with safeguards
and basic conditions
The roundtable meetings explicitly concluded that what
matters is not so much the name given to a function; what
really matters is how its activities are carried out and what
actual activities are being performed or not.
Often these roles are linked to the maturity of the organiza-
tion’s process and controls. The IAF has a key role in the
design and embedding of GRC-related activities in terms of
supporting or participating in projects or even coordinating
these activities.
In line with The IIA Position Paper on ERM [The IIA, 2004/2009]
and based on publications on the role of the internal auditor
in project auditing [Huibers, 2008-2013], the roles regarding
GRC activities can be broken down into four categories:
• The assurance role: the traditional roles of the internal auditor
• The consulting role: consulting roles are roles that can be
undertaken, provided that the basic conditions are met and
safeguards are in place;
• The participating role: participating roles that can be un-
dertaken, again provided that the basic conditions are met
and safeguards are in place;
• Roles that auditors should certainly not undertake.
Table 2 (on the next page) provides examples of the po-
tential internal auditor roles, including those subject to
basis conditions and safeguards that are similar to the ones
described in the previous section (for safeguards, see also
the professional standards and guidance in the references,
in particular [The IIA, 2004/2009]). The table is not a com-
prehensive list; it merely illustrates the different type of
roles involved.
Roles that can be undertaken by the internal auditor
Table 2 describes the roles that can be undertaken by the
internal auditor with respect to GRC activities, with safeguards
where appropriate.
19. 19
Table 2. Examples of roles of the internal auditor in GRC (adapted from [The IIA, 2004 2009] and [Huibers, 2008 -2013])
Type of role GRC roles Description Example
Assurance
Assurance on second line
of defense
Provide assurance on the effectiveness of the sec-
ond line of defense organization and its activities.
Review the effectiveness of the Risk
Management function.
Compliance and process
audits
Provide assurance by performing operational
audits.
Perform operational audits, such as HR,
supply chain and IT audits.
Consolidated risk reports Consolidate reporting on risks to
senior management
Identify risks during internal audits and, for ex-
ample, safety review by Compliance are com-
bined in one report to senior management.
Evaluate risks and controls Evaluate control frameworks and assess related
risks and controls.
Design review on control framework of a
business process redesign project.
Consulting
roles –
legitimate
roles with
safeguards
Advise second
line on methodology
Advise the second line on methodology such
as risk assessment methodology.
Advise on the design of a risk assessment
program and the relevant awareness creation.
Advise on internal
control design
Advise on documentation of standard control
frameworks.
Advise on the format and the way controls
are documented in the ORCA format
(i.e. Objective-Risks-Control Alignment).
Sounding board –
objective observer
Raise questions to reflect on. Act as a business sparring partner and challenge
management based on best practices.
Coach/trainer Advise on designing learning experiences or
act as coach.
Train the organization in describing procedures
and controls.
Participat-
ing roles –
legitimate
roles with
safeguards
Facilitate risk assessments Facilitate business risk assessments. Assist management with risk awareness and
risk identification sessions.
Initiate GRC initiatives Initiate GRC initiatives to improve governance
and assessment of risks and controls.
Initiate projects to improve the governance and
monitoring of risks and controls, supported by
issue and task management tools to monitor
the status of follow-up actions.
Project/process
coordinator
Coordinate project activities regarding risk
methodology and Control Self Assessments
(CSAs).
Coordinate a project to implement CSAs
so management can assess the level of
compliance with company rules themselves.
Documentation
of controls
Support in the documentation of controls. Support management in documenting controls
using a predefined format as part of a business
process redesign project.
Proactive Quality
Assurance (QA) partner –
facilitating role
QA partner that not only identifies risks but
also translates them into real business issues
and makes recommendations.
Support management by proactively providing
recommendations on how to mitigate
identified risks.
20. 20
Roles that should not be undertaken by
the internal auditor
Roles that should not be undertaken by the internal auditor
with respect to GRC activities.
Table 3. Example of roles not to be undertaken by internal
audit with respect to GRC (adapted from [The IIA, 2004
2009] and [Huibers, 2008 -2013])
The IAF can assist business management but should not
assume managerial responsibility. In Table 3 above, we give
clear examples of roles the IAF should not undertake. If it
assumes these roles, it has crossed the line and, therefore,
cannot provide sufficient safeguards to ensure independence
and objectivity.
The main conclusion of this final section is that when com-
bining risk, compliance and assurance functions and ad-
dressing the question of auditor’s independence, one should
not only look at the name of the function. The focus should
be on what Internal Audit is actually doing and how this is
aligned with the expectations of management and other
stakeholders. This should be clearly defined in the audit
charter and communicated to the stakeholders.
Type of role
Description of roles not to be undertaken
by the internal auditor
No role
Internal
audit
Setting the risk appetite.
Imposing the GRC process.
Managing risks identified in quality assurance.
Taking managerial decisions regarding
the proposed solutions.
Implementing solutions on behalf of management.
Being accountable for project deliverables.
Being accountable for embedding project
deliverables in the organization.
21. 21
References
The literature listed below is a selection of recent publica-
tions by professional organizations discussing the role of
internal auditing in relation to second line functions. While
these sources reflect the current trends and views, they are
not intended, if that were even possible, as a comprehensive
list of the available literature.
The Institute of Internal Auditors UK Ireland, Position Paper
– The Role of Internal Auditing in Enterprise-wide Risk Man-
agement, 2004.
The Institute of Internal Auditors, Position Paper – The Role
of Internal Auditing in Enterprise-wide Risk Management,
edition 2009.
The Institute of Internal Auditors, Inc. and the Risk and In-
surance Management Society, Inc., Executive Report – Risk
Management and Internal Audit: Forging a Collaborative
Alliance, 2012.
The Institute of Internal Auditors, Practice Guide – Coordi-
nating Risk Management and Assurance, 2012.
The Institute of Internal Auditors and the IIA Research Foun-
dation, International Professional Practices Framework, 2013.
The Institute of Internal Auditors, Position Paper – The Three
Lines of Defense in Effective Risk Management and Control,
2013.
The Institute of Internal Auditors, The Pulse of the Profession
– Enhancing Value Through Collaboration: A Call for Action’,
The Pulse of the Profession, Global Report, 2014.
Huibers, S.C.J., American journal EDPACS, The Role(s) of the
Auditor in Projects: Proactive Project Auditing, Taylor and
Francis, 2013.
References for the overview of internal audit roles in relation
to GRC. The tables are based on and have been supplement-
ed from:
• Institute of Internal Auditors, The Role of Internal Auditing
in Enterprise-wide Risk Management, Position Paper, 2004,
2009.
22. 22
• Dissertation and various related articles based on ongoing
research of S.C.J. Huibers published by IIA Netherlands and
the professional bodies in the Netherlands for registered
IT auditors (NOREA) and chartered accountants (NBA).
Original dissertation of drs. S.C.J. Huibers EMIA RO CRMA,
Executive Master of Internal Auditing: The role(s) of the
internal auditor in projects, Amsterdam Business School,
University of Amsterdam, 2008. Published by Kluwer (http://
financebase.kluwerfinancieelmanagement.nl/) and can be
downloaded from the website of the IIA Netherlands
(www.iia.nl/iia-academy/universiteiten/scripties).
His international publications are available in the Knowledge
leader®
database of Protiviti (http://tinyurl.com/mlo4bua)
and the site of Taylor and Francis in the United States
(http://tinyurl.com/pnvacz3).
23. 23
Annex Professional guidance
IIA - International Professional Practices Framework (IPPF)
The International Standards and Guidance of the Institute of
Internal Auditors, the International Professional Practices
Framework (IPPF), do not explicitly address the combination
of functions in one department.
IPPF Performance Standard 2050 – Coordination states that
the CAE should share information and coordinate activities
with other internal and external providers of assurance and
consulting services to ensure proper coverage and minimize
duplication of efforts.
The IIA Practice Guide for this standard, Coordinating Risk
Management and Assurance [The IIA, 2012], states that if
internal audit facilitates risk management activities, the fol-
lowing basic conditions apply:
• It should be clear that management remains responsible
for risk management and ”whenever Internal Audit acts to
help the management team to set up or to improve risk
management processes, the AC should approve its plan of
work” [The IIA, 2012].
• “The nature of Internal Audit’s responsibilities should be
documented in the internal audit charter and approved by
the board. Any work beyond the assurance activities should
be recognized as a consulting engagement and the im-
plementation standards related to such engagements
should be followed” [The IIA, 2012].
• This is in line with IPPF Attribute Standard 1000 [The IIA,
2013] that states that the purpose of and authority and
responsibility for the internal audit activity should be for-
mally defined in an internal audit charter.
• “Internal Audit cannot give objective assurance on any part
of the risk management framework for which it is respon-
sible. Other suitably qualified parties should provide such
assurance” [The IIA, 2012].
Position Paper on Three Lines of Defense
The IIA’s recent Position Paper The Three Lines of Defense
in Effective Risk Management and Control states that “risk
management is normally strongest when there are three
separate and clearly identified lines of defense” [The IIA,
2013]. Based on this model, combining functions is not the
preferred solution, but it may occur nonetheless. In certain
situations it is possible to combine the IAF with functions of
24. 24
the second line of defense, such as Risk Management and
Compliance, provided that the necessary basic conditions
are met.
Practice Guide on Coordinating Risk Management
and Assurance
The Practice Guide Coordinating Risk Management and As-
surance states that management activities may be delegated
to a separate Risk Management function [The IIA, 2012]. In
addition, some organizations allocate risk management ac-
tivities to the IAF, which then acts as a provider of consulting
services. In that capacity, the IAF can play a role in identifying,
assessing and facilitating risk management methods.
Publication by RIMS and IIA
The Risk Insurance Management Society (RIMS) and the
IIA have issued a joint publication focusing on optimal col-
laboration between the Risk Management function and the
IAF [The IIA / RIMS, 2012]. It calls for more collaboration, and
in some cases even sharing of resources, in order to meet
stakeholder expectations as effectively and efficiently as
possible.
Position Paper on Role of Internal Auditing in ERM
The Position Paper The Role of Internal Auditing in Enterprise-
wide Risk Management by the IIA [The IIA, 2004/2990] pro-
vides further guidelines on the roles of the IAF in risk man-
agement. These roles should not necessarily be allocated to
a single department. The paper includes a diagram that
distinguishes between assurance roles and consulting roles,
both of which can be undertaken by internal auditors, pro-
vided the basic conditions are met. For example, the IAF can
coordinate the activities to put into place risk management
and develop and maintain the ERM framework. However, as
mentioned before, this requires that certain basic conditions
are met; the key condition is that internal auditors do not
assume any management responsibility, so as to ensure their
independence.
In the table on the next page we summarize the basic con-
ditions and include references to the standards and guidance.
25. 25
Basic conditions and safeguards
Overarching basic conditions and safeguards in the IIA Position Paper [2013]
• Effectiveness not to be compromised: lines of defense should not be combined or coordinat-
ed in a manner that compromises their effectiveness with respect to providing independent
and objective assurance.
The IIA Position Paper
Three Lines of Defense
[2013]
• Make consequences explicit: Internal Audit should clearly communicate the impact of the
combination to senior management and the governing bodies (and obtain their approval).
The IIA Position Paper
Three Lines of Defense [2013]
Subsequent basic conditions and safeguards
• No management responsibility: Internal Audit should not assume any managerial responsibili-
ties with respect to the audit object. The IAF can facilitate, but should never assume ownership.
The IIA Position Paper ERM
[2004/2009]
• Formalize: roles and responsibilities are to be described in the audit charter in order to avoid am-
biguity and provide clarity in the organization.
IPPF – Attribute Standard 1000
[2013]
• Maturity: in case of a temporary role in which Internal Audit supports the setup of second line
of defense functions or design of methodology, the approach is to be approved by the AC.
IPPF – Performance Standard 2050
[2013]
• Outsourcing: if Internal Audit is involved in second line of defense activities, potential assur-
ance regarding these specific activities will have to be outsourced externally or internally to
other departments.
IPPF – Performance Standard
[2010/2050]
• Segregation of duties: potentially conflicting roles are to be allocated to different individuals
and/or (sub-)departments.
IPPF – Performance Standard 1130 A.1
[2013]
Table 4. References and guidance from the IIA regarding basic conditions and safeguards when combining Internal Audit and
second line of defense functions
26. 26
The IIA glossary – abbreviations
AC – Audit Committee
CAE – Chief Audit Executive
IIA – Institute of Internal Auditors
IAF – Internal Audit Function
GRC – Governance, Risk Management and Compliance
IPPF – International Professional Practices Framework
of the IIA
ORCA – Objective-Risks-Control Alignment; framework
to ensure alignment of objectives, risks and
controls across the enterprise.
RIMS – The Risk and Insurance Management Society, Inc.
(RIMS) is a not-for-profit organization dedicated to
advancing the practice of risk management.
SB/AC – Supervisory Board / Audit Committee
QA – Quality Assurance
About the Institute
Established in 1941, the Institute of Internal Auditors (the IIA)
is an international professional association.
IIA Netherlands is an independent association, based in
Naarden, the Netherlands. IIA Netherlands is recognized
by IIA as a national institute. This paper is based on the out-
come of a study of the Professional Practices Committee of
IIA Netherlands. The author can be contacted via IIA
Netherlands at iia@iia.nl.