The Role of The Internal Auditor in Strengthening the Governance of Economic Organizations Using the Three Lines of Defense Model

Tawfik, Omar Ikbal; Durrah, Omar; Aljawhar, Karima Ali

doi:10.3390/jrfm16070341

Open AccessArticle

The Role of The Internal Auditor in Strengthening the Governance of Economic Organizations Using the Three Lines of Defense Model

by

Omar Ikbal Tawfik

^1,*

,

Omar Durrah

²

and

Karima Ali Aljawhar

³

¹

Department of Accounting, Dhofar University, Dhofar, Salalah 211, Oman

²

Department of Management, Dhofar University, Dhofar, Salalah 211, Oman

³

Department of Accounting, Mustansiriyah University, Baghdad 14022, Iraq

^*

Author to whom correspondence should be addressed.

J. Risk Financial Manag. 2023, 16(7), 341; https://doi.org/10.3390/jrfm16070341

Submission received: 12 June 2023 / Revised: 12 July 2023 / Accepted: 13 July 2023 / Published: 20 July 2023

(This article belongs to the Special Issue Contemporary Issues on Auditing and Financial Reporting)

Download

Browse Figure

Review Reports Versions Notes

Abstract

:

Purpose: This paper aims to investigate the impact of the three lines of defense (TLOD) in strengthening corporate governance in industrial companies in the Sultanate of Oman. Methodology: A questionnaire was used to collect data from industrial companies in the Sultanate of Oman. A total of 300 questionnaires were distributed; for the 159 valid questionnaires used for analysis, PLS-SEM was used in the data analysis. Results: The results showed a significant impact of the three variables (commitment of operational management to legal, regulatory, and ethical requirements; risk management, compliance, and quality functions; and the role of assertive internal auditing according to the third line of defense model) in strengthening corporate governance. Practical implications: The study indicates that the TLOD model plays a more decisive role in determining the strengthening of corporate governance, and therefore, the results of the study can help industrial companies to understand the role of the TLOD model in strengthening control procedures, risk management, and governance. Originality/value: The study constitutes a management strategy that assists organizations in diagnosing the degree of corporate compliance with the TLOD and identifying weaknesses in their procedures.

Keywords:

three lines of defense model; corporate governance; industrial companies; Sultanate of Oman

1. Introduction

The separation of ownership and management leads to management sometimes carrying out activities that are harmful to the interests of shareholders, which leads to an agency problem between management and shareholders. To solve the agency problem, good corporate governance (CG) is required to regulate the relationship between the actors of the company and to define the rights and responsibilities of each party (Brickley and Zimmerman 2010). The CG system provides an infrastructure that contributes to reducing the cost of capital, achieving a high level of performance, enhancing corporate competitiveness, and ultimately creating sustainable wealth for shareholders (Agyemang et al. 2013).

The issue of CG is of great practical importance in both developed and developing economies. Governance plays a major role in the management of organizations in all countries regardless of governance structure, ownership structure, level of country, or company (Davies and Schlitzer 2008). Castrillo et al. (2010) asserts that there is no integrated model (ideal or standard) for CG that can be applied to all countries and all companies. Several studies suggest that effective CG depends on “Compatibility of organizational and environmental characteristics” (Aguilera et al. 2008; Aguilera and Desender 2012). As a result, governance functions have evolved to counteract fraud and manipulation. This evolution included classic control systems such as the internal control system (ICS), risk management system (RMS), and internal auditing (see Gramling et al. 2004; Behrend and Eulerich 2019).

To meet these risks and challenges, the Institute of Internal Auditors (IIA) has proclaimed the TLOD model for risk control since 2011. Several studies have confirmed that the three lines of defense model is an effective model that can be used in risk management (Decaux and Sarens 2015; EY 2013; The Institute of Internal Auditors (IIA) 2013; KPMG 2012; PWC 2017). It has been considered the best practice for companies and a regulatory model required by banking regulators such as the Basel Committee on Banking Supervision to respond to inefficient risk management during financial crises (Minto and Arndorfer 2015; Bantleon et al. 2021). According to the paper released by The Institute of Internal Auditors (IIA) (2013), The TLOD provides a simple and effective way to enhance risk management and control communication by clarifying essential roles and duties.

The first line of defense (LOD) expresses that the executive departments in the organization are operational or service departments. The required first LOD is to create self-monitoring mechanisms to follow up on the daily operational work. As for the second LOD, this refers to departments assisting in setting control mechanisms for the first LOD, and then examining and measuring the achieved and unrealized performance in the first LOD and submitting reports to the executive management in the organization, such as the executive director or the undersecretaries of the ministry.

In 2020, the IIA renewed the model to reflect changes in concepts and issues related to risk management and governance. The new project included a comprehensive review of approaches to control worldwide, an analysis of how the legacy paradigm is being incorporated into rule and regulation, and a compilation of internationally recognized experts and opinion leaders’ feedback. In the recent update of the three lines model, the new model was built around the idea that good governance encourages goal achievement, and that thoughtful risk management is one of the actions. This requires that governance gives the organization scope to pursue goals that involve a certain degree of risk, such as mergers, product development, new sales strategies, or something else.

This study adds value to the literature on the role of internal auditing and CG by applying the TLOD model and examining its impact on CG. The research provides powerful practical insights into the adoption and use of the TLOD in developing countries such as the Sultanate of Oman. The research aims to study the role of the TLOD in strengthening CG in industrial companies in the Sultanate of Oman. The main question of the research is: Does the three lines model contribute to strengthening CG in the economic units of the same research? What are the lines most committed by the industrial companies in the Sultanate of Oman? To achieve the goal of the research, a questionnaire was designed based on the TLOD model and previous studies. The results of the study showed that there is a positive relationship between the TLOD (operational management compliance with legal, regulatory, and ethical requirements, risk management, compliance, quality functions, and assurance internal audit) and strengthening governance.

The results of this research provide valuable recommendations to policymakers and researchers and will enable them to learn more about the key features of the successful adoption of the three lines of defense. The study makes several contributions: first, encouraging industrial companies to benefit from the advantages of the system of applying the three lines of defense; second, encouraging the executive authorities to implement risk management practices and continue to improve them; and third, the study contributes to assisting internal auditing bodies in providing advice to management on the adequacy and effectiveness of governance and risk management procedures.

2. Theoretical Framework and Hypothesis Development

2.1. Three Lines of Defense Model

The TLOD model provides a simple and effective way to enhance communication on risk management and control by clarifying essential roles and duties. The TLOD model has become a reliable and effective tool in a wide range of industries. The model includes three basic lines.

2.1.1. First Line: Operational Management

The first LOD relates to the risk-causing functions, which are the operational management that identify and manage risks. The first LOD management is required to create internal self-control mechanisms to follow up on the daily work and take appropriate corrective actions to address deviations, in addition to verifying that the control procedures are working effectively. One of the simplest control mechanisms is performance indicators that show what is being achieved regularly (Leech and Hanlon 2016). Operational management is responsible for maintaining effective internal controls and implementing risk control procedures daily. Following governance frameworks and legislation such as COSO, SOX, and King III, the board of directors is primarily responsible for establishing and maintaining an appropriate and effective internal control structure and verifying the existence of appropriate control mechanisms and effectively (Moeller 2013). Principle 2 of King III states that the board of directors is the central governance and risk management authority. The board of directors can delegate these oversight functions to other management and governance committees. Therefore, management must support all areas of value creation and the optimum utilization of resources to achieve the company’s objectives and to minimize or mitigate the inherent risks. Finally, first-line responsibility also includes compliance with legal, regulatory, and ethical guidelines and requirements (Eulerich 2021). Based on the above, the first hypothesis was formulated:

H₁.

Operational management compliance with legal, regulatory, and ethical requirements (MC) has a significant influence on governance procedures (GP).

2.1.2. Second Line: Risk Management and Compliance Functions

The second LOD refers to the auxiliary functions that monitor risks continually in some way along with what actions management is taking. Management defines these functions to ensure that the first LOD is properly designed and functioning as required. The second line plays an important role in supporting the first line based on its experience in managing current or potential risks. Jobs in the second LOD vary by organization and industry, but typical functions in the second LOD include risk management, compliance, and quality. Risk management assist and monitors the implementation of practices defined by operational management and assists risk owners in identifying target risks and reporting risk-related information throughout the organization. The compliance function monitors various identified risks such as compliance with applicable laws and regulations, expected ethical behavior, internal control, information and technology, security, and sustainability (The Institute of Internal Auditors (IIA) 2020). The quality function is responsible for ensuring the quality of services. The second line of defense should also ensure management hierarchy, particularly concerning risk perspective (Eulerich 2021). Based on the governance system, second-line management may be assigned to the board of directors or to a lower hierarchical level. Based on the King III rules, the audit committee is responsible for carrying out risk management, governance, and internal control tasks. The audit committee must also ensure that a common assurance model is applied to provide a coordinated approach to all assurance activities (PWC 2017).

H₂.

Risk management, compliance, and quality functions (RM) has a significant influence on governance procedures (GP).

2.1.3. Third Line: Internal Audit

In light of agency theory, the board of directors and the audit committee assign the internal audit body to provide advice and reports to management regarding the organization’s internal control (Schreurs and Marais 2015). In a business environment characterized by change, the internal audit function should be keen to meet the renewed needs of organizations to support and enhance their competitive position (Chambers and Odar 2015). The internal audit profession has taken important steps toward implementing joint assurance in business organizations. The internal audit profession provides independent assurance of the effectiveness of risk management and plays an important role in evaluating the effectiveness of the first and second line concerning achieving the objectives of control and risk management. Internal auditing is defined as a department that is not involved in the organization’s direct management functions, but provides assurance services that support and assist management in making decisions. An organization’s internal auditing department has two primary tasks that no other LOD can carry out. The first is to submit reports to management after an assessment of all other lines of defense in the organization. The second task, which may be more difficult, is that it should cooperate and interact with external supervisory authorities, such as the external auditor, and meet his needs. A goal-oriented and structured internal audit process combined with expertise and knowledge help to achieve high-level audit results, thus supporting first- and second-line management, as well as supporting senior management and the supervisory board/audit committee (Christ et al. 2015; Carcello et al. 2018). Based on the above, the following hypothesis was formulated:

H₃.

The role of the assurance internal audit (IA) has a significant influence on governance procedures (GP).

3. Previous Studies

The study conducted by Eulerich (2021) critically addressed the new model of the TLOD and discussed the similarities and differences with the old model. The study showed that the internal organization of governance functions, internal control system, risk management, compliance, and internal auditing still constitute a complex task. On the other hand, the new three-line model provides a high degree of flexibility and freedom in designing the management structure. This freedom means that among the many options available, the one that best reflects the specific characteristics of the company can be selected. For this reason, the new model should initially be seen as an additional aid that can support companies with integrated approaches in particular. The study carried out by Bantleon et al. (2021) aimed to analyze the determinants and challenges of implementing the TLOD among the various stakeholders in governance. In the study, 415 chief internal auditors from Austria, Germany, and Switzerland were surveyed to analyze the determinants that help implement the TLOD model without any difficulties, and to explore the extent of coordination between the internal audit function and governance stakeholders. The study results show great variance. If the company is listed, there are fewer coordination issues with the board of directors and external auditors. The results also indicate that a great fit with the international professional framework increases challenges with the compliance function, but reduces challenges with the external auditor. In addition, the results show significant variance in the extent of coordination challenges dependent on different determinants and the respective governance stakeholder. Bäßler and Eulerich (2022) implemented a framework that redefines the role of the internal auditor using predictive process monitoring within the three-line model. The study analyzed two publicly available event logs and proposed time- and state-based bucketing of prefixes in combination with a risk-based cost model for threshold optimization. In addition, the study used machine learning methods to predict the process outcomes. The study showed that by clustering traces according to their state and remaining time, internal auditors can use process predictions to provide assurance, reduce risk, and prevent undesired outcomes.

Nurdiani (2022) investigated the relationship between the elements of the TLOD model in different banks in Indonesia. The results showed that the TLOD model was able to not only measure the financial position of the bank, but also to reinforce the basic principles, expand the scope, and explain how the main roles cooperate within the bank to enhance corporate governance in terms of strength and risk management. According to the results, some banks have already reduced their risk by efficiently implementing the TLOD model. Iskak and Muslih (2022) discussed the impact of the TLOD model on the performance of state-owned enterprises in Indonesia. The study sample included practitioners, observers, and academics. The results indicated that the first line of defense (LOD) has a positive impact on the company’s performance, the second LOD has a negative impact on the company’s performance, and the third defense risk (internal audit function) does not affect the company’s performance. In addition, the audit committee amended the effect of the third line of defense (internal audit) on the company’s performance, while it mitigated the impact of the second LOD (risk management unit) on the company’s performance.

Luburic’s (2017) study focused on the role of the TLOD model in enhancing the efficiency of managing operational risks (those that arise as a result of human factors and unsuccessful processes and systems, as well as those that can occur as a result of external events). The study confirmed that the TLOD can be strengthened through the synergy between the principles of risk management and the principles of quality management. The synergy and integration of quality management principles into the company’s systems and processes will significantly enhance the TLOD in terms of the effective management of operational risks. Chambers and Odar (2015) concluded that the TLOD approach was not entirely effective and gave a false sense of reassurance. The internal audit function needs to move firmly into the area of corporate governance; to review corporate governance more effectively and to provide more reliable assurance to boards. A study (Davies and Zhivitskaya 2018) analyzed the TLOD in terms of whether it was a strong regulatory framework, or just lines in the sand. The study showed that regulators tried to strengthen governance mechanisms by applying the “three lines of defense” model to include risk management in all financial companies. The study found that this form is in use in several countries, but its origins are obscure, and its effectiveness has not been tested. It is not yet possible to make a final judgment on its effectiveness.

Several studies conducted by international audit firms (EY 2013; KPMG 2012; PWC 2017) confirmed that companies that suffer from weaknesses in applying the TLOD model may face a host of challenges: inconsistent reporting, gaps in risk coverage, and overwork.

4. Practical Method of Research

This section describes the questionnaire, the research sample, and the data collection and analysis.

4.1. Questionnaire Design

The questionnaire consisted of two parts (Appendix A). The first part contained scales that measure the demographic characteristics of the sample, while the second part contained axes that measure independent and dependent variables. Section 2 contained four axes: the first axis used six questions to measure the commitment of the operational management to legal, regulatory, and ethical requirements (MC); the second axis used nine questions to measure the commitment to risk management and compliance functions and quality (RM); the third axis used seven questions to measure the role of the internal assurance ascertainment according to the three lines of defense model (IA); and the fourth and final axis used six questions to measure the governance procedures (GP). The questionnaire was developed based on previous studies and the TLOD model issued by the IIA (Table 1). A five-point Likert scale was used to answer the questions. Finally, the data were analyzed using Smart PLS 3.3.3 software.

4.2. Participants

The study population consisted of internal auditors, financial managers and their assistants, general managers, board members, and members of the audit committee in industrial companies in the Sultanate of Oman, from which a sample was chosen. The questionnaire was distributed to the study sample electronically; 123 valid questionnaires were received for analysis. The response rate was medium because the questionnaire was distributed electronically to the sample and was followed up by the researchers.

Table 2 shows some demographic characteristics of the sample. The industrial sector was chosen because it is one of the most important sectors in the Omani economy after the oil sector. During 2021, the sector was one of the main sources of economic growth, effectively contributing to the increase in the country’s exports. According to statistics issued by the National Centre for Statistics and Information, the non-oil industries sector recorded a growth of 5.7% during the year, bringing its contribution to the GDP to OMR 1.5 billion (about USD 4 billion).

5. Data Analysis and Results

According to Henseler et al. (2009), the research analysis was based on a two-step way for reporting PLS-SEM findings using Smart PLS 3.3.3. The first step is the measurement model assessment, and the second step is the structural model assessment (Durrah and Kahwaji 2023). Operational management compliance with legal, regulatory, and ethical requirements, risk management, compliance, and quality functions, and the role of the assurance internal auditor were used as exogenous constructs, and governance procedures were used as endogenous constructs, as shown in Figure 1.

5.1. First Step: Measurement Model Assessment

For the assessment of the measurement model, outer loading, Cronbach’s alpha (α), composite reliability (CR and rho_A), average extracted variance (AVE), and discriminant validity were examined, as shown in Figure 1 and Table 3 and Table 4.

It is evident from Figure 1 and Table 3 that the outer loading values for all study constructs were greater than 0.6 (Hair et al. 2010). The Cronbach’s alpha (α) values were more than 0.6 (Tawfik et al. 2022; Tawfik and Durrah 2023), and the composite reliability values (rho_A and CR) were higher than 0.7 (Dijkstra and Henseler 2015; Raykov 1997). Moreover, the results of the study showed that the average extracted variance values (AVE) exceeded the 0.50 cut-off (Hair and Lukas 2014). So, it can be said that the convergent validity is met. On the other hand, Table 3 shows that the means of the research variables were high, with a value ranging between 3.98 and 4.07, and that the standard deviation values were of low dispersion.

Fornell and Larcker’s (1981) criterion was implemented to determine the discriminant validity, which compares the correlations between the square root of the AVE and the constructs. The results in Table 4 point out that all constructs (MC, RM, IA, and GB) had values (in boldface) greater than the other construct correlation values. Thus, these findings confirm adequate discriminant validity (Durrah 2022; Gye-Soo 2016).

5.2. Second Step: Structural Model Assessment

To determine the direct impact of the independent variables (MC, RM, and IA) on the dependent variable (GB), structural equation modeling (SEM) was implemented using Smart PLS. To estimate the path coefficients’ significance, bootstrapping was performed through Smart PLS, as shown in Table 4, showing that all of the path coefficient absolute values were more than 0.1, indicating the effect of the independent variable predictor on the dependent variable (Nasaruddin et al. 2018).

From the findings in Table 5, it can be observed that the TLOD (the operational management’s commitment to regulatory and ethical legal requirements (MC), risk management and compliance functions (RM), and the role of assurance internal auditor (IA)) had an effect on strengthening CG procedures (GP).

MC had a positive influence on GP at the significance level of 0.01 (T-Statistic = 2.889, p-value = 0.004), and RM had a positive influence on GP at the significance level of 0.05 (T-Statistic = 2.413, p-value = 0.016). Also, IA had a positive influence on GP at the significance level of 0.05 (T-Statistic = 2.544, p-value = 0.011).

Regarding the effect size f², H₁, H₂, and H₃ had a small effect (0.080, 0.083, and 0.069, respectively) according to Cohen (1988). Thus, H₁, H₂, and H₃ are supported by the results. Moreover, the determination coefficient (R² = 0.662) indicates that there is a moderate interpretive ability, as explained by Falk and Miller (1992).

In addition, the predictive capacity of the model was analyzed to interpret the Q²_predict values in this study. The predictive relevance of the TLOD (MC, RM, and IA) was higher than zero (0.327), supporting the claim that this study model has adequate ability to predict (Fornell and Cha 1994; Hair et al. 2019). Furthermore, the model fit value was GoF = 0.594. Thus, we can conclude that the GoF model is highly adequate for considering model viability (Durrah et al. 2022; Wetzels et al. 2009).

6. Discussion

The TLOD model has become a trusted tool in a wide range of industries, addressing issues related to governance, risk management, and control. The IIA’s latest update in 2020 changed the way organizations examine risk, controls, accountability, and assurance. Only a few empirical studies have addressed the use of the TLOD model. The operational management’s commitment to legal, regulatory, and ethical requirements plays an important role in the strengthening of governance. The organization’s operational management must have the responsibility and accountability for assessing, controlling, and mitigating risks. Lines of defense play an important and effective role in strengthening the communication between risk management and control, and it was considered by the Basel Committee for Banking Regulation as the best method for banking control. Leech and Hanlon (2016) indicate that operational management is responsible for maintaining effective internal controls and implementing risk and control procedures daily. Table 4 shows the existence of positive relationships between the TLOD (operational management compliance with legal, regulatory, and ethical requirements, risk management, compliance, and quality functions, and the role of the assurance internal auditor were used as exogenous constructs) and the strengthening of governance. The results of the statistical analysis showed that there is a significant relationship between the operational management’s commitment to legal, regulatory, and ethical requirements and the strengthening of governance in economic units. These results are consistent with the results of previous studies conducted in several countries (Leech and Hanlon 2016; Decaux and Sarens 2015; EY 2013). The reason for this, according to the opinion of the respondents, is that the first LOD provides internal control mechanisms to follow up the daily work and take appropriate corrective measures when deviations or errors occur, in addition to making sure that the control procedures work effectively.

The second LOD sets policy and directives for risk management, provides risk advice and guidance, and monitors the first LOD on effective risk management. According to The Institute of Internal Auditors (IIA) (2020), the second LOD helps develop and implement risk management practices and works continuously to develop them, in addition to achieving risk management objectives such as compliance with laws, instructions, control methods, and information security. The results of the statistical analysis showed that there is a significant relationship between risk management, compliance functions, quality, and the enhancement of governance. These results are consistent with the results of previous studies (KPMG 2012; PWC 2017; Luburic 2017). The reason for this is that the second line supports the management of the first line in the mitigation of all risks arising in the first line. In general, the second line can be viewed as a specialized function that supports the first line. Interestingly, all first- and second-line functions can be combined or separated.

The third variable in the model is internal audit. Internal auditing plays a pivotal role in the audit process and contributes significantly to strengthening CG. The results of the statistical analysis showed that there is a statistically significant relationship between internal auditing and the enhancement of governance in economic units. The reason for this, according to the respondents, is that internal auditing evaluates the efficiency and effectiveness of the first and second lines of defense, in addition to ensuring the effectiveness of governance and risk management. These findings are consistent with the findings of previous studies (Anderson and Eubanks (2015); Eulerich et al. (2015); Lewis (2014); King III report). The internal audit function plays an important role in strengthening control procedures and constitutes an essential element in supporting joint assurance. In addition, Harrington and Piper (2015) found that 54% to 64% of auditors globally believe that internal auditing is an independent function in their organizations, and that it is responsible for strengthening governance procedures.

7. Implications

The results of this study could have significant implications for the industrial companies in the Sultanate of Oman, because the study of the TLOD model and its impact on enhancing governance procedures is very beneficial in several aspects. First, the study provides a better understanding of the conditions under which the TLOD can operate successfully. In light of the development of the business environment, it has become necessary to search for new control methods to enhance the credibility of the information contained in these reports. In addition, the increasing level of complexity in the business environment in general requires an improvement in the efficiency and effectiveness of internal control mechanisms to provide assurances regarding the ability of organizations to perform their work. Second, in light of the results of this study, companies can coordinate the control of internal functions in order to avoid the duplication of efforts and gaps in risk coverage. The results of the study also help corporate management to coordinate assurance activities and work methods between different functions to increase assurance effectiveness, as well as ensuring continuous improvement.

The different perspectives on the TLOD model covered in this study form a management strategy that helps companies improve control procedures in light of the available economic resources. This strategy also helps managers to choose and invest in the most appropriate dimension of TLOD to significantly improve their performance (Laloux 2017; Pricewaterhouse Coopers (PWC) 2016). Hence, a comprehensive and multifaceted visualization of the adoption of the TLOD can help managers to identify the available options (The Institute of Internal Auditors—Australia 2018).

Despite all of the above contributions, the study has several limitations. These limitations may be addressed in future studies that may investigate the relationship between the elements highlighted in this research as well as other related fields. First, the research tool was a survey questionnaire based on the opinions of a group of workers in industrial companies that may be related to auditing and control. In this regard, there may be some bias in their opinions, even if the research tool has already been tested for correctness or reliability. This bias can be mitigated if the opinions of external parties such as allied partners, customers, competitors, and suppliers are considered. Furthermore, it would be useful to evaluate the annual reports to validate the information provided by the respondents. Second, all key elements were collected and measured only once during one period, so it is important to consider the long-term effects, especially those that may affect the development and establishment of the services of the internal audit function along with the presence of senior management support. Third, the data were collected from one country (Oman), so potential cultural differences, particularly differences between developed and developing societies affecting performance practices, must be considered. To generalize the ideas and concepts of the review, the research framework needs further research and needs to be attached to samples from different countries. In addition, current cultural differences can influence individuals’ opinions about certain key activities, so future research can test more hypotheses.

8. Conclusions

The TLOD model is a simple and effective way to enhance communication about risk management and control by clarifying the essential roles and duties of each of the three lines. Lines of defense reduce information asymmetry between principles and agents at all levels of the hierarchy and reduce the risk of discretionary decisions by agents. It is important to note that the IIA paper notes that senior management and boards of directors act as stewards of the TLOD, and are not active participants or additional lines of defense. This model achieves effective results if the three lines of the structure act as organized lines of defense. A questionnaire was developed and distributed to a sample of internal auditors, financial managers and their assistants, general managers, board members, and members of the audit committee in a sample of industrial companies in the Sultanate of Oman. The results indicated that there is a significant impact of the three axes (the operational management’s commitment to legal, regulatory, and ethical requirements, risk management and compliance and quality functions, and the role of the assurance and advisory internal auditor according to the three LOD model) on strengthening governance. The results also showed a significant correlation between the TLOD and the effectiveness of governance in non-oil industrial companies in the Sultanate of Oman. The results of this study can have significant effects on senior management to reveal the risks related to the policies, processes, and structures of organizational governance and to recommend to the board of directors improvements in the methods used to manage the risks associated with the policies and operations of the company. In addition, the internal control framework can be improved by relying on international frameworks and standards for control. On the other hand, companies with internal control problems can plan to use the TLOD model.

Future research can address the external auditor’s dependence on the TLOD model in developing a form to periodically examine the roles of the internal auditor, senior management, the board of directors, and affiliated committees. Future research can also address the evaluation of the CG structure and the impact of the organizational structure and culture on the overall control environment and risk management strategy. Our results help firms to determine whether or not there is a particular challenge, and which specific factor may be the most influential.

Author Contributions

Conceptualization, O.I.T. and K.A.A.; methodology, O.I.T. and K.A.A.; software, O.D.; formal analysis, O.D.; investigation, O.D.; writing—original draft preparation, O.I.T.; writing—review and editing, O.I.T. and O.D.; project administration, O.I.T. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A. The Questionnaire

Demographic characteristics

Qualification

Diploma Bachelor Postgraduate

Major

Accounting Finance Others

Experiences

<5 years 5–10 years >10 years

		The scale
No.	Questions	Strongly agree	agree	neutral	disagree	Strongly disagree
First axis	The administration is committed to the following procedures
1	Determine the regulatory requirements for the use of economic resources
2	Adhere to local legislation when implementing various activities
3	Adhere to ethical rules when making various decisions
4	Reviewing the internal control procedures that are put in place within the sub-departments
5	The administration determines the methods of communication between it and the Board of Directors
6	The administration is committed to the rules of ethical behaviour in terms of integrity and reviewing the management’s minutes and decisions
Second axis	The Board of Directors, through its committees, is committed to:
1	Reviewing the oversight and supervision reports submitted by the subsidiary departments of the company
2	Checking contracts with third parties and their compliance with laws
3	Determine the level of risk that is accepted in the business
4	Monitor the extent of compliance with the laws and legislation regulating work
5	Verifying information security policies within the company
6	Develop and review the company’s quality policies
7	Reviewing change policies and accompanying control procedures
8	Placing qualified cadres in sub-units
9	Setting rules of ethical behavior in terms of integrity and reviewing plans and management decisions
Third axis	The company’s internal audit staff has
1	Provide information to management and communicate with the external auditor
2	Full independence in his work to carry out his assurance services
3	The Internal Audit Authority has qualified and sufficient staff to carry out its work and provide its services
4	Active participation in determining the effectiveness of governance structures and risk management policies
5	The advice of the internal auditor is sought when important decisions are taken by the Board of Directors
6	Submitting annual reports showing the results of the internal audit work to the Board of Directors
7	Periodic reports are submitted in case the auditor encounters obstacles that affect his independence
Fourth axis	Governance procedures are described in the company
1	Existence of a written and effective framework that clarifies the governance procedures within the company
2	The procedures applied by the company guarantee the rights of all stakeholders fairly
3	Disclosure of all important information to stakeholders
4	The duties of management, the board of directors and the internal auditor are clear and non-overlapping
5	The goals are strategic for the company and the set of values and principles are known to all.
6	The company’s liability policies are clear

References

Aguilera, Ruth V., and Kurt A. Desender. 2012. Challenges in the measuring of comparative corporate governance: A review of the main indices. West Meets East: Building Theoretical Bridges 8: 289–322. [Google Scholar]
Aguilera, Ruth V., Igor Filatotchev, Howard Gospel, and Gregory Jackson. 2008. An organizational approach to comparative corporate governance: Costs, contingencies, and complementarities. Organization Science 19: 475–92. [Google Scholar]
Agyemang, Otuo Serebour, Emmanuel Aboagye, and Aaron Yao Ofoe Ahali. 2013. Prospects and Challenges of Corporate Governance in Ghana. International Journal of Scientific and Research Publications 3: 1–9. [Google Scholar]
Anderson, D. J., and G. Eubanks. 2015. Leveraging COSO Across the Three Defense Lines. Altamonte Springs: The Institute of Internal Auditors Research Foundation (IIARF)). [Google Scholar]
Bantleon, Ulrich, Anne d’Arcy, Marc Eulerich, Anja Hucke, Burkhard Pedell, and Nicole V.S. Ratzinger-Sakel. 2021. Coordination challenges in implementing the three lines of defense model. International Journal of Auditing 25: 59–74. [Google Scholar] [CrossRef]
Bäßler, Tim, and Marc Eulerich. 2022. Three Lines 4.0-Predictive Process Monitoring for Internal Audit. SSRN Electronic Journal. [Google Scholar] [CrossRef]
Behrend, Joel, and Marc Eulerich. 2019. The evolution of internal audit research: A bibliometric analysis of published documents (1926–2016). Accounting History Review 29: 103–39. [Google Scholar] [CrossRef]
Brickley, James A., and Jerold L. Zimmerman. 2010. Corporate governance myths: Comments on Armstrong, Guay and Weber. Journal of Accounting and Economics 50: 235–45. [Google Scholar] [CrossRef]
Carcello, Joseph V., Marc Eulerich, Adi Masli, and David A. Wood. 2018. The Value to Management of Using the Internal Audit Function as a Management Training Ground. Accounting Horizons 32: 121–40. [Google Scholar] [CrossRef]
Castrillo, Luis Angel, Sonia Marcos, and Juan Manuel San Martín. 2010. Corporate governance, legal investor protection, and performance in Spain and the United Kingdom. Corporate Ownership and Control 7: 416–29. [Google Scholar] [CrossRef]
Chambers, Andrew D., and Marjan Odar. 2015. A new vision for internal audit. Managerial Auditing Journal 30: 34–55. [Google Scholar] [CrossRef]
Christ, Margaret H., Adi Masli, Nathan Y. Sharp, and David A. Wood. 2015. Rotational internal audit programs and financial reporting quality: Do compensating controls help? Accounting, Organizations and Society 44: 37–59. [Google Scholar] [CrossRef]
Cohen, Jacob. 1988. Set correlation and contingency tables. Applied Psychological Measurement 12: 425–34. [Google Scholar] [CrossRef] [Green Version]
Davies, Howard, and Maria Zhivitskaya. 2018. Three lines of defence: A robust organising framework, or just lines in the sand? Global Policy 9: 34–42. [Google Scholar] [CrossRef] [Green Version]
Davies, Marlene, and Bernadette Schlitzer. 2008. The impracticality of an international “one size fits all” corporate governance code of best practice. Managerial Auditing Journal 23: 532–44. [Google Scholar] [CrossRef]
Decaux, Loïc, and Gerrit Sarens. 2015. Implementing combined assurance: Insights from multiple case studies. Managerial Auditing Journal 30: 56–79. [Google Scholar] [CrossRef]
Dijkstra, Theo K., and Jörg Henseler. 2015. Consistent partial least squares path modelling. MIS Quarterly 39: 297–316. [Google Scholar] [CrossRef]
Durrah, Omar. 2022. Do we need friendship in the workplace? The effect on innovative behavior and mediating role of psychological safety. Current Psychology. in press. [Google Scholar] [CrossRef]
Durrah, Omar, and Ahmad Kahwaji. 2023. Chameleon leadership and innovative behavior in the health sector: The mediation role of job security. Employee Responsibilities and Rights Journal 35: 247–65. [Google Scholar] [CrossRef]
Durrah, Omar, Olga Charbatji, Monica Chaudhary, and Fahad Alsubaey. 2022. Authentic Leadership Behaviors and Thriving at Work: Empirical Evidence from the Information Technology Industry in Australia. Psychological Reports. in press. [Google Scholar] [CrossRef]
Eulerich, Marc, Patrick Velte, and Jochen Theis. 2015. Internal auditors’ contribution to good corporate governance. An empirical analysis for the one-tier governance system with a focus on the relationship between internal audit function and audit committee. An Empirical Analysis for the One-Tier Governance System with a Focus on the Relationship between Internal Audit Function and Audit Committee (1 July 2015). Corporate ownership and Control 13: 141–51. [Google Scholar]
Eulerich, Marc. 2021. The New Three Lines Model for Structuring Corporate Governance—A Critical Discussion of Similarities and Differences. SSRN Electronic Journal. Available online: https://virtusinterpress.org/IMG/pdf/cocv18i2art15.pdf (accessed on 15 March 2022). [CrossRef]
EY. 2013. Maximizing Value from Your Lines of Defence. A Pragmatic Approach to Establishing and Optimizing Your LOD Model. Insights on Governance, Risk and Compliance. Available online: http://www.ey.com/Publication/vwLUAssets/EYMaximizing-value-fromyour-lines-of-defense/$File/EY-Maximizing-valuefrom-your-lines-ofdefense.pdf (accessed on 15 March 2022).
Falk, R. Frank, and Nancy B. Miller. 1992. A Primer for Soft Modelling. Akron: University of Akron Press. [Google Scholar]
Fanning, Kirsten, and M. David Piercey. 2014. Internal auditors’ use of interpersonal likability, arguments, and accounting information in a corporate governance setting. Accounting, Organizations and Society 39: 575–89. [Google Scholar] [CrossRef]
Fornell, Claes, and David F. Larcker. 1981. Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research 18: 39–50. [Google Scholar] [CrossRef]
Fornell, Claes, and Jaesung Cha. 1994. Partial least squares. Advanced Methods of Marketing Research 407: 52–78. [Google Scholar]
Gramling, Audrey A., Mario J. Maletta, Arnold Schneider, and Bryan K. Church. 2004. The role of the internal audit function in corporate governance: A synthesis of the extant internal auditing literature and directions for future research. Journal of Accounting Literature 23: 194. [Google Scholar]
Gye-Soo, Kim. 2016. Partial least squares structural equation modelling (PLS-SEM): An application in customer satisfaction research. International Journal of u-and e-Service, Science and Technology 9: 61–68. [Google Scholar] [CrossRef]
Hair, Joseph F., and Bryan Lukas. 2014. Marketing Research. Australia: McGraw-Hill Education. [Google Scholar]
Hair, Joseph F., Jeffrey J. Risher, Marko Sarstedt, and Christian M. Ringle. 2019. When to use and how to report the results of PLS-SEM. European Business Review 31: 2–24. [Google Scholar] [CrossRef]
Hair, Joseph F., William Black, and Barry J. Babin. 2010. Multivariate Data Analysis: A Global Perspective. Personal communication. Available online: https://books.google.co.jp/books/about/Multivariate_Data_Analysis.html?id=SLRPLgAACAAJ&redir_esc=y (accessed on 10 July 2022).
Harrington, L., and A. Piper. 2015. Driving success in a changing world: 10 imperatives for internal audit. The Global Internal Audit Common Body of Knowledge, CBOK. Available online: https://slideplayer.com/slide/15248009/ (accessed on 10 July 2022).
Henseler, Jörg, Christian M. Ringle, and Rudolf R. Sinkovics. 2009. The Use of Partial Least Squares Path Modeling in International Marketing. In New Challenges to International Marketing. Bradford: Emerald Group Publishing Limited. [Google Scholar]
IFAC, and IIA. 2018. United, Connected and Aligned. In How the Distinct Roles of Internal Audit and the Finance Function Drive Good Governance. Available online: https://www.ifac.org/knowledge-gateway/developing-accountancy-profession/publications/united-connected-and-aligned-how-distinct-roles-internal-audit-and-finance-function-drive-good (accessed on 15 March 2023).
Iskak, Jamaludin, and Mochamad Muslih. 2022. The Effect of the Three Lines of Defense Model on the Performance of State-Owned Enterprises Moderated by the Audit Committee. International Journal of Science and Society 4: 240–55. [Google Scholar] [CrossRef]
KPMG. 2012. The Convergence Evolution: Global Survey into the Integration of Governance, Risk and Compliance, in Cooperation with Economist Intelligence Unit. Zurich: KPMG. [Google Scholar]
Laloux, Oliver. 2017. Combined Assurance Model Is It Something Everyone Should Aspire To? Available online: http://www.mondialcons.com/Newsletter/A%20combined%20assurance%20model_Oliver%20Laloux.pdf (accessed on 21 January 2022).
Leech, Tim J., and Lauren C. Hanlon. 2016. Three lines of defense versus five lines of assurance. In The Handbook of Board Governance: A Comprehensive Guide for Public, Private, and Not-for-Profit Board Members. Hoboken: John Wiley & Sons, pp. 335–55. [Google Scholar]
Lewis, Izelle. 2014. The Role of Internal Auditing in Providing Combined Assurance: Assessing Internal Financial Controls. Doctoral dissertation, University of Pretoria, Northen Sotho, South Africa. [Google Scholar]
Luburic, Radoica. 2017. Strengthening the three lines of defence in terms of more efficient operational risk management in central banks. Journal of Central Banking Theory and Practice 6: 29–53. [Google Scholar] [CrossRef] [Green Version]
Minto, A., and Isabella Arndorfer. 2015. The four-line-of-defence model for financial institutions. Taking the three-line-of-defence model further to reflect specific governance features of regulated financial institutions. Financial Stability Institute Working Paper-BIS 11: 1–26. [Google Scholar]
Moeller, Robert. 2013. Executive’s Guide to COSO Internal Controls: Understanding and Implementing the New Framework. New York: Wiley and Sons. Available online: https://www.wiley.com/en-us (accessed on 15 March 2022).
Nasaruddin, N., I. Abdul Rahman, and Mustafa Musa Jaber. 2018. PLS-SEM model of leadership characteristics facing challenges in Malaysia construction industry. International Journal of Engineering & Technology 7: 620–24. [Google Scholar]
Nurdiani, Tanti Widia. 2022. Implementation of three lines of defense model across comparison: Sharia banks, regional banks, rural banks, and national BAN. Journal of Tianjin University Science and Technology 55: 355–61. [Google Scholar] [CrossRef]
Pricewaterhouse Coopers (PWC). 2016. Internal Audit Matters: Combined Assurance Risk Assurance. Available online: https://www.pwchk.com/en/riskassurance/racombined-assurance-oct2016.pdf (accessed on 15 March 2022).
PWC. 2017. The Three Lines of Defence Model of Tomorrow. Available online: https://www.pwc.nl/nl/assets/documents/pwc-3linesofdefencemodel.pdf (accessed on 15 March 2023).
Raykov, Tenko. 1997. Estimation of composite reliability for congeneric measures. Applied Psychological Measurement 21: 173–84. [Google Scholar] [CrossRef]
Rittenberg, Larry. 2013. Internal Audit Challenges: Integration of Strategy, Risk, Control, and Combined Assurance. Available online: https://www.pwc.co.za/en/issues/combined-assurance.html (accessed on 20 September 2022).
Rossouw, Duane, and Marinda Marais. 2015. The Impact of Combined Assurance on the internal Audit Function. Master’s thesis, University of Pretoria, Northen Sotho, South Africa. [Google Scholar]
Roussy, Mélanie, and Michelle Rodrigue. 2018. Internal audit: Is the third line of defense’ effective as a form of governance? An exploratory study of the impression management techniques chief audit executives uses in their annual accountability to the audit committee. Journal of Business Ethics 151: 853–69. [Google Scholar] [CrossRef]
Sarens, Gerrit, Loïc Decaux, and Rainer Lenz. 2012. Combined Assurance: Case Studies on a Holistic Approach to Organizational Governance. Altamonte Springs: The Institute of Internal Auditors Research Foundation (IIARF). [Google Scholar]
Schreurs, H. K., and Marinda Marais. 2015. Perspectives of chief audit executives on the implementation of combined assurance. Southern African Journal of Accountability and Auditing Research 17: 73–86. [Google Scholar]
Tawfik, Omar Ikbal, and Omar Durrah. 2023. Factors Affecting the Adoption of E-Learning During the COVID-19 Pandemic. In Handbook of Research on Artificial Intelligence and Knowledge Management in Asia’s Digital Economy. Hershey: IGI Global, pp. 317–34. [Google Scholar]
Tawfik, Omar Ikbal, Omar Durrah, Khaled Hussainey, and Hamada Elsaid Elmaasrawy. 2022. Factors influencing the implementation of cloud accounting: Evidence from small and medium enterprises in Oman. Journal of Science and Technology Policy Management. in press. [Google Scholar] [CrossRef]
The Institute of Internal Auditors—Australia. 2018. Factsheet: Combined Assurance. Available online: http://iia.org.au/sf_docs/default-source/technicalresources/2018-fact-sheets/combined-assurance.pdf?sfvrsn=2 (accessed on 15 March 2022).
The Institute of Internal Auditors (IIA). 2013. IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control. Altamonte Springs: The Institute of Internal Auditors Research Foundation (IIARF). [Google Scholar]
The Institute of Internal Auditors (IIA). 2020. The IIA’s Three Lines Model: An Update of the Three Lines of Defense. Available online: https://global.theiia.org/about/about-internal-auditing/Pages/Three-Lines-Model.aspx (accessed on 2 March 2022).
Wetzels, Martin, Gaby Odekerken-Schröder, and Claudia Van Oppen. 2009. Using PLS path modeling for assessing hierarchical construct models: Guidelines and Empirical Illustration. MIS Quarterly 33: 177–95. [Google Scholar] [CrossRef]

Figure 1. Structural model assessment.

Table 1. Previous studies that were used in building the model and the questionnaire.

Variables	Previous Studies
Operational management compliance with legal, regulatory, and ethical requirements (MC)	Laloux (2017); Pricewaterhouse Coopers (PWC) (2016); The Institute of Internal Auditors—Australia (2018); Eulerich (2021); The Institute of Internal Auditors (IIA) (2020); Roussy and Rodrigue (2018);
Risk management, compliance, and quality functions (RM)	Rittenberg (2013); Eulerich (2021); The Institute of Internal Auditors (IIA) (2020); Roussy and Rodrigue (2018); Luburic (2017)
The role of the assurance internal audit (IA)	Rossouw and Marais (2015); Sarens et al. (2012); The Institute of Internal Auditors—Australia (2018); Eulerich (2021); The Institute of Internal Auditors (IIA) (2020); Luburic (2017); Roussy and Rodrigue (2018)
Governance procedures (GP)	Roussy and Rodrigue (2018); Fanning and Piercey (2014); IFAC and IIA (2018)

Table 2. Demographic characteristics (n = 123).

Qualification	No.	Major	No.	Experiences	No.
Diploma	23	Accounting	57	<5 years	28
Bachelor	81	Finance	48	5–10 years	51
Postgraduate	19	Others	18	>10 years	44

Table 3. Measurement model assessment.

Construct	Outer Loading	Convergent Validity
Construct	Outer Loading	α	rho_A	CR	AVE
(MC)	( $\bar{x}$ = 4.06 and σ = 0.546)				0.508
MC₁	0.664	0.806	0.806	0.861
MC₂	0.728
MC₃	0.694
MC₄	0.693
MC₅	0.736
MC₆	0.758
(RM)	( $\bar{x}$ = 4.02 and σ = 0.615)
RM₁	0.663	0.911	0.909	0.925	0.581
RM₂	0.836
RM₃	0.766
RM₄	0.814
RM₅	0.774
RM₆	0.776
RM₇	0.786
RM₈	0.744
RM₉	0.683
(IA)	( $\bar{x}$ = 4.07 and σ = 0.562)
IA₁	0.712	0.850	0.853	0.886	0.527
IA₂	0.781
IA₃	0.691
IA₄	0.788
IA₅	0.730
IA₆	0.707
IA₇	0.663
(GB)	( $\bar{x}$ = 3.98 and σ = 0.579)
GB₁	0.689	0.814	0.815	0.866	0.520
GB₂	0.653
GB3	0.772
GB₄	0.661
GB₅	0.784
GB₆	0.756

Note: α = Cronbach’s alpha; CR and rho_A = composite reliability, AVE = average variance extracted.

Table 4. Discriminant validity and multicollinearity.

Construct	MC	RM	IA	GB
MC	0.713
RM	0.694	0.762
IA	0.703	0.660	0.726
GP	0.665	0.649	0.647	0.721

The values in boldface are the square root of AVE.

Table 5. Structural model assessment results.

Hypothesis	Path Coefficient	T-Statistic	p-Value	Decision	f²	R²	Q²_predict	GoF
H₁: (MC → GB)	0.313	2.889	0.004	Supported **	0.080	0.662	0.327	0.197
H₂: (RM → GB)	0.293	2.413	0.016	Supported *	0.083
H₃: (IA → GB)	0.273	2.544	0.011	Supported *	0.069

Significant at p * < 0.05, p ** < 0.01.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Tawfik, O.I.; Durrah, O.; Aljawhar, K.A. The Role of The Internal Auditor in Strengthening the Governance of Economic Organizations Using the Three Lines of Defense Model. J. Risk Financial Manag. 2023, 16, 341. https://doi.org/10.3390/jrfm16070341

AMA Style

Tawfik OI, Durrah O, Aljawhar KA. The Role of The Internal Auditor in Strengthening the Governance of Economic Organizations Using the Three Lines of Defense Model. Journal of Risk and Financial Management. 2023; 16(7):341. https://doi.org/10.3390/jrfm16070341

Chicago/Turabian Style

Tawfik, Omar Ikbal, Omar Durrah, and Karima Ali Aljawhar. 2023. "The Role of The Internal Auditor in Strengthening the Governance of Economic Organizations Using the Three Lines of Defense Model" Journal of Risk and Financial Management 16, no. 7: 341. https://doi.org/10.3390/jrfm16070341

Article Menu

The Role of The Internal Auditor in Strengthening the Governance of Economic Organizations Using the Three Lines of Defense Model

Abstract

1. Introduction

2. Theoretical Framework and Hypothesis Development

2.1. Three Lines of Defense Model

2.1.1. First Line: Operational Management

2.1.2. Second Line: Risk Management and Compliance Functions

2.1.3. Third Line: Internal Audit

3. Previous Studies

4. Practical Method of Research

4.1. Questionnaire Design

4.2. Participants

5. Data Analysis and Results

5.1. First Step: Measurement Model Assessment

5.2. Second Step: Structural Model Assessment

6. Discussion

7. Implications

8. Conclusions

Author Contributions

Funding

Data Availability Statement

Conflicts of Interest

Appendix A. The Questionnaire

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI