Many corporate businesses tend to restrict their defensive strategies, without looking at the bigger picture. To define defence as merely a protection from risk would be a misnomer. It offers so much more than that. A comprehensive defence safeguards the organisation from established or potential threats. It also structures a company risk culture across the board starting from the executive committee to the audit and risk committee including all its segregated oversight functions and ultimately across all its employees. Defence is the springboard to a good offensive strategy as it helps company personnel adopt a proactive approach in managing risks which in turn provides a competitive advantage over less defence minded organisations in the marketplace.
The three lines of defence concept is a well-established risk framework. However, is it really providing fully-fledged protection in practice? To answer this question, we must first breakdown each line of defence. Let us start from the first line, represented by the executive committee. Here, management personnel are naturally concerned with the business operations. They set the tone for the corporate risk culture and internal control environment. A risk aware chief executive adopts the ‘business as usual’ approach for risk management and consequently implements an ‘open door’ policy. This helps communication to flow from the bottom up to help executive and senior management address, on a continuous basis, the risks from the various divisions within the firm.
The second line of defence relates to risk committees. These are effective when there is active participation from several departments within the business, including (but not limited to) finance, legal, compliance, human resources and risk management. Their objective is to ensure that their operation runs smoothly and takes the necessary precautions to avoid risk, and action when exposed to it. A sensible risk committee will establish policies and procedures and monitor their application throughout.
So far, we have looked into two defences. The overall risk culture is set from the first line and monitored through the second line. One must also consider the annual external audit: an in depth assessment carried out from an independent firm providing an opinion on the truth and fairness of the financial statements of the organisation. Occasionally, and typically when things go wrong, there is a debate on whether “the auditor should have detected/reported that”. The external auditor’s task is very much focused on the financial statements’ truth and fairness and there is more to corporate wellbeing than what is reflected in the broad numbers on a balance sheet.
Indeed, the board of directors have a greater role to play in seeing that the organisation is operating correctly and to do so from the board room is almost impossible without the structures and good practices that make up good governance. This is where the third line of defence in the form of an internal audit function can assist the board of directors. Should companies be looking at an internal audit function to back up the external audit and to supplement the first two lines of defence?
The Laws of Malta on the ‘Prevention of Money Laundering and Funding of Terrorism’ takes a risk based approach on the internal audit requirement but is open to interpretation as they have not provided any minimum requirements for businesses to hold such a function. Regulation 5 (5) of subsidiary legislation 373.01.
“Every subject person shall implement, where appropriate, with regard to size and nature of the business, an independent audit function to test the internal measurers, policies, controls and procedures.”
This law had businesses rather perplexed, as to figuring out the cut-off point to have an independent internal audit function.
The Gaming Act, 2018 and in particular the Gaming Authorisations Regulations have since mandated that internal audit is one of the key functions for licence holders holding such licences with the Malta Gaming Authority:
An operator may tick a legislative box by stating it has effective internal policies, controls, procedures and measures but the internal audit function will assess their adequacy and test their effectiveness. Consequently, testing is a crucial step in order to identify ineffective policies - otherwise the policy will simply be paying lip service.
To capture the value of the internal audit function, we must sieve through its development. The birth of the modern notion of having an independent internal audit function as part of a company’s defence structure has been around as early as 1941 with the foundation of the Institute of Internal Auditors (IIA). As the global dynamic leader in internal audit, the IIA has shaped the function significantly throughout the years. However, it was not until scandals by major corporations that produced financial implications on the global economy that eventually brought internal audit’s importance in the spotlight.
Enter Sarbanes Oxley Act (SOX) – the US legislative response to the catastrophes. SOX’s aim was to protect shareholders from fraud and deception by strengthening corporate oversight and by enhancing internal control through third party independent authentication. Over the years, the launch of the Committee of Sponsoring Organizations’ (COSO) Integrated Control Framework in 1992 and the growing importance of data analytics and IT internal audits have further supplemented internal auditing.
Artificial Intelligence, blockchain, the Internet of Things (IoT), the explosion of mobile computing, and digitalisation driving the 4th industrial revolution have triggered further changes in economic and social structures. Such developments have particularly provoked the fast-paced iGaming industry. Executive boards and senior management within the iGaming industry are under unprecedented pressure to remain abreast of current and emerging risk for which they require increasingly specialised skills and knowledge.
Many gaming companies are operating in several jurisdictions and will therefore need to comply with their respective legal obligations. A sound internal audit can, amongst other things, help provide independent and objective assurance over the regulatory risks faced by the company and recommendations to build a strong regulatory compliance environment. The past few years have been the witness of the introduction of several key legislations which are very relevant to the Gaming industry. The introduction of the General Data Protection Regulation (GDPR) on 25th May 2018 led to gaming operators having to ensure that their policies and procedures are aligned with this regulation. Similarly, since July 2018 the fifth AML Directive has been published by the European Union hence amending the fourth AML Directive (which had been into force since 1 January 2018). The fifth AML Directive has been in force since 1 January 2020.
The gaming industry is infamous for money laundering vulnerabilities as evidenced by the significant fines being issued in recent years by authorities such as the UK Gambling Commission, the KSA in the Netherlands, the Danish Gambling Authority and more recently the Swedish Gambling Authority. Yet, a robust internal audit framework will help to mitigate such punishments from the legislator. In addition to money laundering and financing terrorism, the significant volumes of players’ monies handled on a day-to-day basis also poses the threat of fraud and reputational risk. Finally yet importantly, the internal audit function will help to shape the strategy and risk culture of the operator amid the changing gaming landscape. Therefore, an effective internal audit function can assist in minimising the negative impact and grasp the opportunities such risks might present. However, a nominal internal audit function set up to minimally tick the regulatory box will seldom add value and address the needs of a rapidly evolving business landscape.
For an effective internal audit function, it should functionally report to the audit committee - which is a sub-committee of the board of directors. The main mission of the internal audit function is to provide an independent and objective assurance on different risk areas of the organisation to the audit committee. One of the roles of the audit committee is their oversight of the internal audit function. The internal auditors are “the eyes and ears” of the audit committee to investigate and gather information because if internal audit fails, then corporate governance can follow suit. Typically, internal audit reports are discussed with the audit committee and as part of their oversight role, to monitor the implementation of internal audit recommendations by management.
According to contemporary literature, the internal audit has two principal objectives. The first is to provide assurance that the internal controls and risk management systems implemented from the first two lines of defences are efficient, effective, and fit for purpose. The internal auditor will analyse core financial and operational aspects of the firm, such as payables, procurement, payroll and health and safety issues and the systems that support these processes to ensure that such functionaries are up to standard across the firm in mitigating major risks. The areas covered by the internal auditor as part of their plan are products of the risk register, i.e. areas considered as “high” risk and devoid of adequate controls.
The second is to provide advisory services to chief and senior level executives. Such a service is essentially a by-product of having the assurance service, because having scrutinised all the controls and measures, the internal audit function may highlight ineffective or inefficient practices; after feedback; and recommend amendments to particular systems across the operation. Only an internal auditor playing no part in the day-to-day operations of the departments under inspection, is able to remain objective and prudent in their judgement, and thus avoiding any conflict of interest.
Yet a third objective that is unlikely to be delivered from a minimalistic internal audit function is perhaps, anticipation. Often, the role is taking a backward looking view on the mistakes made and risks exposed. Much more value can be delivered with a forward looking and proactive approach. A transformation that sets to uncover risks before they occur and being well prepared to tackle them when they do arise.
What qualities constitute a desirable internal auditor? Primarily, the internal auditor must maintain professional scepticism throughout the internal audit process. What does this really mean? Essentially, there are no grounds for a complacent approach or taking things at face value. The internal auditor should delve deeper in the traditional paradigm through a new perspective. It is not a rebellion against the hierarchy of the business or an attempt to enforce change for the sake of it, but rather about thinking outside of the proverbial box. Likewise, an internal auditor should be steadfast in reporting to the audit committee without fear or favour, perhaps a skill that develops with experience, particularly if the internal auditor is appointed from within the company ranks and is expected to change from “poacher to gamekeeper” overnight.
An internal audit function will be concerned with a number of questions within a gaming operation. For instance, they will be inquisitive on the level and type of players’ complaints; the sales culture dispersed; compliance with AML and CTF regulations and how player protection regulations are being effectively met.
The third line of defence is a means to an end. It relies on the first two lines of defence to satisfy its objective of assuring, advising and anticipating risks that the firms face. The third line of defence on its own will simply not work. Despite this fact, an operator that has the first two lines of defence in place should consider implementing an internal audit function too. It may be false economies to establish a basic internal audit function that simply addresses regulatory requirements. A high-performing internal audit function will improve operational performance and fine tune the corporate engine.
Assurance Partner, PwC Malta
Tel: +356 2564 7293
Assurance Partner , PwC Malta
Tel: +356 2564 2456
Advisory, PwC Malta
Tel: +356 2564 2405