The expectations on internal audit functions are increasing in both sides internally and externally. On the one hand chairmen, boards of directors, audit committees and executive managements all have increased expectations of the depth, quality, objectivity, and independence of the work which needs to be performed by their internal audit function, while on the other hand supervisory authorities are seeking to be able to place more reliance on internal audit functions.
The three lines of defense model (3LODM) is a valuable framework that outlines internal audit’s role in assuring the effective management of risk, and the importance for delivering this of its position and function in the corporate governance structure of Albanian banks. The model distinguishes between functions that own and manage risks, functions overseeing risks and functions providing independent assurance.
In the 3LOD model, the management of risks is strongest when there are three separate and clearly identified lines of defense. Each line of defense has unique positioning in the organization and unique responsibilities and not combined or coordinated in a manner that compromises their effectiveness. The responsibility for internal control does not transfer from one line of defence to the next line. Independence and objectivity are essential elements to consider
Setting up of an internal control system and supporting arrangements by 3LODM is relatively simple. In Albania, the real challenge is ensuring that the perceptions, contribution and expectations of bank’s executive management, audit committee and bank’s board of directors are aligned, and that risk-related information is symmetric, effectively and consistently obtained, analyzed and used by players of internal control system. Misunderstandings between players/bodies of internal control system lead in luck of optimization achievements for reaching bank objectives.
Internal auditing is designed to add value and improve an organization’s operations; help an organization accomplish its objectives by bringing in a systematic, disciplined approach; evaluate and improve the effectiveness of risk management, control, and governance processes.