In an analysis written for IIA Finland, Nigel Iyer considers how the Three Lines Model shows up in practice when defending against fraud, and what role internal audit plays in it.
🔖 Note: Learn the topic in theory and in practice on the course Väärinkäytösten jäljillä – Fighting Fraud (24.3.2025), led by Nigel Iyer and Maria Salmela
All Three Lines Against Fraud
In football, there are always three lines. But if you ask any coach, they will tell you there are still eleven defenders on the team.
When we talk about three lines in an organization, it still means everybody can, and should, defend their organization against fraud.
Just like bad weather, organizations are constantly hit by suppliers and customers who try to take them for a ride or take advantage. Then there are unscrupulous middlemen, third parties and opportunists, and maybe also employees who exploit loopholes for a personal benefit. This all comes under that large umbrella of things we call wrong-doing or “fraud” in the widest sense of the word.
The global cost of fraud is enormous: 2024 estimates put it at over 5% of a company’s turnover or around 5% of global GDP. These are huge figures which also impact the wealthier countries where arguably it is even harder to spot. Wherever we are, wrong-doing and fraud also take their toll on an organization’s reputation and employee culture. But it IS still avoidable. And in recent years, we recognize that there has been much-needed investment in up-front prevention such as routines, controls and training to prevent fraudsters from slipping through.
Who Should Stop Fraud?
But what still seems a bit unclear is this: when fraudsters get through the gate, which they do regularly, whose responsibility is it to pick it up and stop it early?
Take the example of a supplier who has been getting away with overcharging for a long time, maybe also delivering less or substandard services when they can. We could be so used to this that no one even bothers to take it up anymore. Or take the customer who gets away with not paying in full or in part. These “everyday” scenarios are sometimes not even recognized as “fraud” and are just seen as the cost of doing business. They could of course be more sinister if we added bribes, middlemen, front companies, and more to the mix. But the question remains: Who has the job of spotting it, saying it and sorting it out? Some would say “That’s why we have a hotline!” or “That’s why we have internal auditors!”. But given that whistleblowers often turn up late – if at all – and auditors maybe once a year, surely we can do better by spotting what falls between the cracks and dealing with it early?
The Second and Third Lines Are a Dot
Three defensive lines are prevalent in sport, and the same model is also applied in battle, for example for aircraft carriers. The same basic idea is visible in IIA’s Three Lines Model, well known to internal auditors. In our organization the third line would be internal audit, line two could be compliance, risk management and internal control, and line one, the front line… everybody else.
In my experience I see two issues. Firstly, in a typical industrial organization with, say, 1000 to 5000 employees, there are often between zero and five Internal Auditors and, if lucky, a handful of compliance, risk and internal control specialists. This makes the second and third lines of defence not really a barricade, but more like a very thin line, or even an almost invisible “dot”. Furthermore, most of the workforce (the first line) are often not aware of how thin the 2nd and 3rd lines are, or in fact how much responsibility rests on them.
Defense Belongs to the Whole Organization
To address the “thinness” of the second and third lines, no one is suggesting that internal audit and compliance departments should grow massively. Instead, organizations need to recognize how much responsibility is placed on all employees to detect fraud early, and thereby contribute to defending their organizations against financial, reputational and cultural damage.
This can be achieved effectively if the 2nd and 3rd lines play a role in upskilling and motivating their colleagues, so that they are aware of how their organization could be cheated and can spot and raise the early warning signs.
The expertise of internal auditors is therefore critical. In addition to learning the practical skills of how to spot fraud early, it’s important to teach and galvanize the whole organization to defend against the commercial “dark arts”, using both human and technological resources. This way you can help to ensure that the whole organization is keeping a finger on the pulse!
🔖 You can learn these practical skills on 24th March 2025 at the upcoming IIA course Väärinkäytösten jäljillä – Fighting Fraud, led by Maria Salmela and Nigel Iyer!
Nigel Iyer (BSc, MA, ACA) is a Partner in B4 Investigate and has been a Fellow of the University of Leicester School of Management where he launched the “Defense against the Commercial Dark Arts” Masters module. For over 25 years as a Fraud Detective, Nigel has passionately, some will say pathologically, helped organizations across the world recognise and resolve fraud.
➡️ Read also Nigel’s previous article: Palauta inhimillinen kosketus data-analyysiin (Restore the human touch to data analysis)