Relationship Between Key Roles
Between the management organ and management (First and Second Line Roles)
The management organ generally determines the direction of the organization by defining the organization’s vision, mission, values, and appetite for risk. It then delegates responsibility for the achievement of organizational goals to management, along with the necessary resources. The management organ receives reports from management regarding planned, realized (actual), and expected results, as well as reports on risks and risk management.
Organizations vary in the degree of overlap and separation between the governing and management organs. Management organs can more or less “interfere” with matters of a strategic and operational nature. The management organ can take a role in leading the development of the strategic plan, or make it a joint task. In some jurisdictions, the chief executive officer (CEO) may be a member of the governing organ and may even be its chairman. Regardless of the form, there needs to be strong communication between management and the governing body. The CEO is generally the focal point for this communication. However, other members of the board of directors may also have frequent interactions with the management organ. The organization may want, and its regulators may require, leaders in second-line roles such as the director of risk management (CRO, Chief Risk Officer) and the director of compliance (CCO, Chief Compliance Officer) to have a direct reporting line to governing organs. This arrangement is fully consistent with the Principles of the Three-Line Model.
Between management (First Line and Second Line Roles) and Internal Audit
The independence of internal audit from management ensures that internal audit is free from obstacles and bias in planning and carrying out its work, and has unrestricted access to the people, resources, and information it needs. Internal audit is responsible to the management organ. However, independence does not imply isolation. There must be regular interactions between internal audit and management to ensure that internal audit work is relevant and aligned with the strategic and operational needs of the organization. Through all of its activities, internal audit builds knowledge and understanding of the organization, which contributes to the assurance and advice provided as a trusted advisor and strategic partner. First-line and second-line management roles need to collaborate and communicate with internal audit to ensure that unnecessary duplication, overlaps, or gaps do not occur.
Between Internal Audit and management organs
Internal audit is responsible to, and is sometimes referred to as the “eyes and ears” of, the management organ. The management organ is obliged to oversee internal audit, including ensuring the establishment of an independent internal audit function, including the appointment and dismissal of the Chief Audit Executive (CAE); serve as the main reporting channel for the CAE; approve the audit plan and provide resources; receive and pay attention to reports from the CAE; and give the CAE unrestricted access to the management organ, including private sessions without management present.
Among all roles
Organizational management, management, and internal audit have different responsibilities, but all of their activities need to be aligned with organizational goals. The conditions for successful coherence are regular and effective coordination, collaboration, and communication.