Recently the IIA renamed the Three Lines of Defence Model the Three Lines Model. This was done to recognise that ‘defence’ indicates value protection, which does not do justice to the value-enhancement role played by Internal Audit.
As Internal Auditors we frown upon exceptions, whereas exceptions are a risk that any process carries.
Do you think that a process which has an “exception handling process” enhances the internal control environment?
This question got multiple answers:
- Yes, in principle we should have an exception handling process. However, exceptions are expensive, and the organization should be careful that people do not start using exceptions too frequently. My recommendation would be to have an appropriate approval mechanism for regularising exceptions.
- Existence of an exception handling mechanism in the policy as well as the process is the basic tenet of internal controls. Processes, to be more effective, need ‘controlled workarounds’. I think any process without a workaround/exception handling mechanism will be inherently flawed in terms of its design.
- Recognising & providing for “Exception” is a must for any process & that’s why having a well-defined “exception handling mechanism” in itself is a good control each process should have. The treatment of each exception can be on the basis of the prevailing appetite. IA shall review the design effectiveness of such controls.
- One may need to look at Exception Handling based on the nature of the Business Risks that need to be addressed. Approaches on Audit or Risk are better managed when they meet the needs of the business rather than just the need for compliance.
- Here, in the exception handling process, we need to understand the reason why the company is running with an exception handling process, and accordingly we should give our opinion. Needless to mention, approval is required from Management in this case, considering the exposure to risk and to ensure that mitigating controls are in place.
- Ultimately it always boils down to what the organization wants to achieve. Exceptions, when they lead to removing roadblocks in achieving those organisational objectives, are value adding; others are not. Everyone adds value in their different, unique and characteristic way; sales may pitch in with increasing top lines, operations and enabling functions help in having higher bottom lines. IA does it too in its own way by objectively and independently evaluating the GRC environment and letting the management and the board know the true internal health of the GRC ecosystem. Perceived risks with no practical use case and precedence of occurrence should be strategically countered at a design level. The compliance environment must also evolve to compensate by removing redundant adherence requirements and bringing in structural reforms for a harmonious compliance system where there is a balance between Business objectives and Societal Objectives.
- Many times, the exception handling process becomes the rule of the game over a period, as organizations fail to update the control environment with growing business risks. Hence there should be provision for monitoring of the exceptional handling process to assess whether the current controls are becoming outdated and there is a need to update the internal controls and limit the usage of exceptional handling processes. Such processes must be used during emergencies only, with highest authority approval only.
- Non-updation of the process will lead to exceptions, and the exceptional handling process will lead to a reduced need for keeping the process updated.
- “Exception handling process” may be an escape route for auditor and auditee too.
- I think a greater solution is when we move out from the word “Audit” from Internal Audit.
- What IA needs is a rethinking of the stated objectives of roles and responsibilities. The world is no longer the same one which demanded cut-and-dried formulations of check, verify and audited transaction. Compliance and risk management are such specialisations that, unless treated with respect, they could cause more harm than good. The august profession of internal audit needs to take a pragmatic look and decide the course of action rather than going for low-hanging fruit to remain relevant. It is to know yourself, what defines the IA profession. What are the tenets of the IA profession, and matching them to the evolving environment. The requirement is to look at how IA can be of more service to clients as an associate than be the bearer of an independent outsider safety valve. Be a part of the machine, protect if need be, but do not find avenues to apply scare tactics. Hiding behind compliances and SOPs and rules and law is diminishing the efficiency which the evolved mind of a curious observer could provide. Everyone in the profession would simply add more and more complexities to the process and thereafter clamour for an SOP to handle the exception. However, do we not all know that exceptions are deviations from the rules, hence what IA would achieve is making rules for known incidents. For the unknown, whether by choice or natural deviation from standards, there are already practices present, so why create another nomenclature? What no one is talking about is that exceptions need to be treated as exceptions and handled as such, rather than making an SOP around them to give weightage to the practice. Then all deviations would become exceptions and learning would cease.
Conclusion:
- An exception handling process is a good control, as it considers the possibility of events where things do not follow the set pattern.
- If there is a need, management can define the manner in which exceptions can be handled or exceptions to the process need to be handled.
- It will also be in line with ISO 9001:2015 clause 6 (Planning), where the manner of handling nonconformity is pre-decided, as well as clause 9 (Performance evaluation) and clause 10 (Improvement).
- Most important: it gives clarity to everyone involved on how to handle exceptions, leading to planned execution of the process instead of reacting to the emergency.
- At the same time root cause analysis of exceptions is important.
Call for action:
Inputs/comments/suggestions: I welcome inputs, comments and suggestions from readers on how to approach this issue. Feel free to correct me, educate me.
(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author’s employers or supervisors, nor do they represent the view of organizations, businesses or institutions the author is, or has been, a part of.)