COURSE Update to the Three Lines Model for Effective Risk Management and Control DECEMBER 1, 2020 Brian Kirkpatrick, Managing Director | Risk Advisory Services Justin Gwin, Managing Director | Risk Advisory Services BDO and Our Internal Audit Webinar Series Polling Question From which time zone are you joining us today? A B C D E Eastern Central Mountain Pacific Other Brian Kirkpatrick, MBA, CIA, CRMA Managing Director | Risk Advisory Services Brian Kirkpatrick is the Risk Advisory Services practice leader for the Pittsburgh and Ohio regions He is an experienced risk management leader with more than 20 years of experience assisting today’s organizations (public and privately held) with internal control, process, governance, risk and compliance issues His practice emphasis is internal audit services (co-source, outsource and external quality assessments), Enterprise Risk Management (ERM), Sarbanes-Oxley (SOX) compliance, controls optimization advisory, regulatory and contract compliance, and information technology (IT) advisory services PROFESSIONAL AFFILIATIONS Institute of Internal Auditors (IIA) EDUCATION M.B.A., Baldwin-Wallace College B.S., Accounting, Penn State University Six Sigma Green Belt, Villanova University Brian’s clients include a variety of public and privately held domestic and multinational companies across a broad range of industries including manufacturing & distribution, healthcare, insurance, financial institutions, technology, natural resources, private equity and real estate and construction Brian is a frequent speaker on advisory matters (internal audit, quality assessments, risk management and information technology) for professional audiences Justin Gwin, CIA, CISA, CPA, CRISC, CRMA Managing Director | Risk Advisory Services Justin Gwin is the managing director of the Risk Advisory Services practice in BDO’s Miami office He has more than 16 years of experience in financial, operational and IT-related controls testing His specialties include internal audit, business process control assessments, compliance reviews, information technology and security evaluations, risk management assurance, Service Organization Control (SOC) reporting, SOX compliance, and external quality assessment reviews PROFESSIONAL AFFILIATIONS Institute of Internal Auditors, Miami Chapter Board of Governors and Past President Institute of Internal Auditors, Global Professional Development Committee Member Institute of Internal Auditors, 2020 International Conference Co-Chair ISACA, Member EDUCATION M.S., Accounting, University of Missouri B.S., Accounting -Information Systems, University of Missouri Justin has significant experience helping clients manage and mitigate risk across a wide variety of industries, including manufacturing/distribution, financial services, real estate, nonprofit, professional services, technology, and more Justin holds several licenses and is certified in COSO Internal Controls Today’s Learning Objectives At the conclusion of this course, participants will be able to:  Identify changes in the First, Second and Third lines -Operational management, Risk management and compliance functions, and Internal Audit, respectively  Assess how an organization's governing body and senior management may coordinate The Three Lines Model for enterprise-wide independence and objectivity  Discuss how the Three Lines Model may be adaptable and tailored to organizations of all sizes and sectors The Three Lines Model - From Old to New Three Lines of Defense Model Why Now  An Evolving Model for Risk Management, brought about by ▪ Corporate governance ▪ Technological advancement ▪ Organizational complexity ▪ Rapid pace of growing and ever complex risks  Demands of Internal Audit (IA) Profession ▪ Current challenges ▪ Emerging challenges  Response to change 10 Concerns regarding the old model  Varying definitions / understandings  Rigid structure (Silos)  Defense oriented  Limiting advancement of IA  Uncertainty in ‘blurred lines’  “Stakeholder” vs participant  Communication between lines 11 Relationships 26 Polling Question In the responses to the 3LOD Exposure Draft, which group of responders rated it the lowest? A B C D E F 27 Governing Body First Line Second Line Third Line External Auditors Regulators Adopting and Implementing 28 Adopting The Three Lines Model Questions to Consider  What are the key objectives?  Are we aligned with our Company’s Strategies and strategic plan?  What is the value proposition for implementing Line Model?  How we define Value? 29 A path to success for Internal Audit How can Internal Audit impact a positive change to the Three Lines Model?         30 Be a leader Be flexible Embrace and anticipate change – “visionary” Stakeholder “buy-in” Be relevant and aligned Be insightful Be available and accessible Be present IA Value & Expectations Independent and objective assessment of risk management  Provides a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes  Provides visibility of the processes and controls and issues to the Board and Audit Committee  IA Department required by The New York Stock Exchange (NYSE); however, Nasdaq does not have this requirement         Assessed differently by stakeholders Understanding stakeholder needs and expectations Deliver through “Value Proposition” Consider development of an Objectives Register Assurance Insight Objectivity *Source: Institute of Internal Auditors 31 Barriers to implementing      32 Inherent resistance / difficultly of change Lack of understanding / skill sets Management buy-in / Lack of support (Board through management) Cost v Value Regulators Implementing a successful model        33 Recognize it may be a challenge Tone at the Top Stakeholder buy-in and participation Defined sense of purpose Interact Communicate Educate Polling Question What barriers you foresee in your organization in implementing the new model? A B C D E F 34 Management buy-in / Lack of Support IA skillset in providing assurance over strategic objectives Regulators that prefer old model Inherent resistance / difficultly of change None, will be easy transition Other Concluding thoughts 35 Concluding thoughts 36 Polling Question Our 2021 Internal Audit Webinar Series features the following sessions Which one are you looking forward to the most? A Internal Audit in the Wake of a Crisis B Corporate Social Responsibility: Reporting on Environmental, Social and Governance (ESG) C Internal Audit and IT Audit’s Role in Digital Transformation D Gen Z Talent Development: How to Attract, Develop, & Retain Top Professionals E Building Blocks to Mitigate Risk and IA’s Role in Evaluating Segregation of Duties 37 Questions 38 Brian Kirkpatrick Justin Gwin bkirkpatrick@bdo.com 412-315-2317 jgwin@bdo.com 305-420-8028 Registration Now Open Registration opens today December 1, 2020 www.bdo.com/IA-webinar-series 39 Available for Download www.bdo.com/global-risk-landscape 40