IIA’s Three Lines Model Diagram

General Notes
- in general, management has to make sure that the audits are in place and working
- 3 lines of defense not present in smaller companies
- per 1.000 employees there should be an auditor
- depends on business model (can be as low as 1 per 40 employees)
- governing body
- is my customer a terrorist?
- management
- risk management
- e.g. 4 Eye Principle
- internal control system
- compliance management
- internal audit
- what is audited?
- how is it audited?
- what routines exist?
- importance should not be understated
- can also be done by external service
- direct communication with supervisory board
- e.g. CFO does something wrong → communication through management board would be leaky and low