Internal audit – three lines of defence


Internal audit – three lines of defence – Seminar No. B13


The Minimum Requirements for Risk Management already regulate the main duties of Internal Auditing. According to this, the auditing activity of Internal Auditing must in principle extend to all activities and processes of the company on the basis of a risk-oriented audit approach.
Internal Auditing must be involved in essential projects while maintaining its independence and avoiding conflicts of interest.
In the case of significant outsourcing to another company, the internal audit department of the institute may waive its own audit procedures, provided that the audit work performed elsewhere complies with the German MaRisk requirements in AT 4.4 and BT 2.
The internal audit of the outsourcing company has to regularly check that these conditions are met. The relevant audit results for the company are to be forwarded to the internal audit department of the outsourcing company.



We have prepared all the information, compact and up to date, in our seminar series:
  • Internal revision update
  • Compliance in the focus of banking supervision as well as
  • Compliance Advanced Seminar


Do you have questions about Internal audit – three lines of defence? We are happy to inform you!


Legal risks for the Internal Audit – Internal audit – three lines of defence

According to German MaRisk, the following three principles apply to internal auditing:
The internal audit department has to perform its tasks independently. In particular, it must be ensured that it is not subject to any instructions when reporting and evaluating the results of the audit. The right of management to order additional audits does not preclude the independence of Internal Auditing.
As a matter of principle, the employees working in the internal auditing department may not be entrusted with non-audit tasks. In particular, they may not perform any duties that are inconsistent with the audit activity. Insofar as the independence of Internal Auditing is ensured, it may act as an advisor to the Executive Board or other organizational units of the Institute as part of its duties.
Employees who are employed in other organizational units of the institute may in principle not be entrusted with internal audit tasks. However, this does not exclude that in justified individual cases, other employees temporarily work for the Internal Audit due to their special knowledge.



Seminar Price – Seminar Internal audit – three lines of defence

Price: 690,– £ excl. 19% VAT.

Included in the price:
Participant documents as PDF, 3-course meal, coffee, tea, soft drinks and snacks during the breaks





Which organizational law principles apply to Internal Auditing?

The following overview shows the corporate law standards that apply to the management, the Supervisory Board and also to the activities of the Internal Audit:
  • §43 para. 1 GmbHG:  Due Diligence for Managing Directors of a GmbH
  • §93 para. 1 AktG: Standard of Due Diligence for Management Board Members
  • Section 76 (1) AktG: Management function of the Executive Board
  • Section 93 (1) no. 2 AktG: Business Judgment Rule
  • Section 91 (2) AktG: Obligation of the Board of Management to safeguard the company's continued existence
  • §161 AktG in conjunction with the DCGK declaration of compliance
  • Para. 4.1.3 Compliance obligation of the Management Board
  • Para. 4.1.4 Risk management and risk controlling
  • Para. 5.3.2 Audit Committee
  • Section 107 (3) (2) AktG Tasks of the Audit Committee




Business Judgment in German Law – Internal audit – three lines of defence

In 1997, the German BGH introduced the principles of Business Judgment Rule into German law with the ARAG ruling.
Background: The CEO of ARAG was jointly responsible for the fact that the company had suffered losses of more than DM 80 million as a result of illegal financial transactions by its former chief financial officer. The subsequent demand to hold the Chief Executive Officer liable for compensating this loss was rejected by the majority of the Supervisory Board, which was responsible for this decision. The plaintiffs, who considered this decision to be unlawful, succeeded before the Regional Court with their claim for a declaration of invalidity of the relevant Supervisory Board resolution. The Higher Regional Court Dusseldorf, which was responsible for the appeal, on the other hand ruled in favour of the majority of the Supervisory Board.
Under §93 AktG (prerequisites of the Business Judgment Rule), there is no breach of duty if the member of the Executive Board
  • took an entrepreneurial decision
  • based on appropriate information
  • free of special interests and extraneous influences
  • for the good of the company and at the same time
  • acted in good faith.



Business Judgment Rule and Internal Audit – Internal audit – three lines of defence

For senior management to take an entrepreneurial decision for the good of the company, it is essential that it can rely on reliable information.
Here, Internal Audit takes on an important role as a quality assurance provider and as an information provider.
A sensitive special case arises when Internal Audit determines that the management body was in principle under-informed or used unaudited information as a basis for its decision.



Requirements for cooperation between the Supervisory Board and Internal Audit – Internal audit – three lines of defence

With §25d of the German Banking Act (KWG), the legislature has issued extensive regulations for the administrative and supervisory body. The administrative or supervisory body of a company referred to in section 25d (3) sentence 1 KWG must appoint an audit committee from among its members, taking into account the criteria pursuant to subsection (7) sentence 1. The Audit Committee assists the administrative or supervisory body in particular in monitoring
  • the accounting process;
  • the effectiveness of the risk management system, in particular the internal control system and internal audit;
  • the performance of statutory audits, in particular with regard to the independence of the auditor and the services provided by the auditor (scope, frequency, reporting). The Audit Committee shall submit proposals for the appointment of an auditor and the amount of its remuneration to the administrative or supervisory body, and shall advise the administrative or supervisory board on the termination or continuation of the audit engagement and
  • the timely remediation by the management, by means of suitable measures, of the deficiencies identified by the auditor.
Pursuant to Section 25c of the KWG, internal auditing must report to the management and the supervisory or administrative body at appropriate intervals, but at least quarterly.



5 points check to limit the risks of internal audit – What is important?

To limit liability risks, at least the following 5 points must be taken into account in audit practice:
  • Source of the totality: The total number of events that should theoretically be reviewed is to be assessed for the respective audit focus.
  • Sample selection and sample density: When choosing a sample, it must be differentiated whether the risk of irregularities is below average, average or above average.
  • Consequences of irregularities: The depth of control must be extended if significant risks can arise for the company.
  • Special facts: Control depth depends on whether there have been any irregularities in the past.
  • Examination documentation: The working papers should contain a statement about the selected sample density and the criteria considered.


Our services for your safety as internal audit

Would you like more information on this topic? We are happy to assist you with our revision check to limit possible liability risks. Current project reports can be found directly in our information blog Internal Audit.
Send your message to the department Internal Audit, Achim Schulz or call us directly at +49 89 452 429 70 – 101.


S & P Compliance Tool – Industry-Specific Application – Compliance – Internal audit – three lines of defence

The S & P Compliance Tool can be used in equipment and engineering, pharmacy and medical products, automotive, banking, construction (civil engineering), apparel and textiles, biotechnology, chemicals, services, retail, the iron and steel industry, electronics and electrical engineering, energy, waste disposal technology, environmental technology and service technology, precision mechanics and optics, financial services, healthcare, drinks and breweries, wholesale and freight transport. The S & P Compliance Tool is also used in the following sectors: retail, hotels, real estate, information technology, engineering, IT, communication technology, consumer goods, logistics, aerospace, luxury goods, media and entertainment, medical products and medical technology, the furniture industry, food, oil and gas (utilities), pharmaceuticals, print media and publishers, travel companies and tourism, the defense industry, the steel and metal industry, transportation, and insurance companies. The S & P Tool MaRisk Compliance was designed for the banking, insurance, financial services, factoring, leasing and fund company industries. It fulfills the legal requirements of the MLA, the IdW requirements for fraud prevention measures and the MaRisk compliance requirements.
