Compliance Governance and the Need for a Fourth Line of Defence Model

Blog by Brendan Moore, General Manager Member Services, Leading Age Services Australia.
Featured in the Winter 2020 LASA Fusion Magazine

Aged care governing bodies need independent audits to reassure them of operational compliance.

All organisations engage independent, external auditors for their financial reports. However, there is a strong case for governing bodies to engage independent, external auditors for their operational performance.

While internal audit plays a key role in the corporate governance structure to provide ongoing assurance on the effective management of risk within an organisation, there are many organisations that do not have a formalised, structurally independent role of internal audit within their business.

For those organisations that do have such a role, there is a case to be made for a fourth line of defence in the form of an external auditor of operational compliance.

According to the Chartered Institute of Internal Auditors (CIIA), ‘internal audit is a cornerstone of an organisation’s corporate governance’.

Many aged care providers will be limited in their ability to resource such a function and governing bodies will be reliant on the first and second lines to provide reports via senior management.

There have been notable instances in the Aged Care Royal Commission where such an approach has been found wanting for a variety of reasons (e.g. management withholding information, inadequate systems for documenting and interpreting risk information, processes not identifying key risks).

For these reasons, boards need to be aware of potential conflicts of interest and ensure they take measures to safeguard the objectivity of internal audit.

The CIIA lists four key issues for Directors to ask about and be reassured upon with regard to any internal audit function:

  1. It must be structurally independent and report directly to the governing body. (Noting that any internal audit also needs to have access to management information and have a good relationship with management.)
  2. The function must be properly resourced and staffed by a person with appropriate knowledge, skills and experience.
  3. It should focus on the greatest risks to the organisation and have a plan executed to respond to these.
  4. The scope of activity is the whole business and it should be unrestricted in pursuing its role purpose.

Leading Age Services Australia (LASA) is engaged by many operators to conduct ad hoc gap analysis/mock audit services. These engagements are invariably made by management, who sometimes may be a contributing factor in operational compliance, for better or worse.

As the diagram indicates, using LASA to substitute for internal audit in compliance risk/audit can be appropriate in circumstances where it is not possible to resource such a role internally.

While ad hoc, it is fair to say ‘at least it is happening’. For organisations that do not engage a substitute, or employ their own internal audit function, or an external audit service reporting to the governing body, only the first, second and fifth lines are active. With the fifth line being the regulator, this represents a risk retention setting that has left some aged care providers exposed to adverse compliance findings. Often-stated responses such as ‘we didn’t know’ or ‘this result has completely surprised us’ do not inspire confidence in the regulator about the organisation’s audit and governance processes.

Research conducted in 2019 with attendees at LASA’s Governance in Aged Care workshops indicated that governing bodies could increase their focus and time on ensuring statutory and regulatory compliance, particularly with the heightened focus on organisational governance in Standard 8 of the Aged Care Quality Standards.

Reliance on management by governing bodies may expose them to liabilities and risks that independent audit of varying areas of operational performance may identify, mitigate and possibly eliminate.

If you are a Director of an age services provider, the following questions are worth reflecting on:

  1. Do you have a compliance plan that considers the regulatory framework and a stand-alone compliance/clinical governance committee supplemented by independent auditing?
  2. Are you confident you are fully informed of the areas you are ultimately accountable for under Standard 8 of the Aged Care Quality Standards?
  3. Is there sufficient focus on quality, safety and clinical governance within your governing body’s activities? 

If your organisation needs assistance with creating a third or fourth line independent operational auditing function, please contact Brendan on or 1300 111 636.

Or if you’d like to learn more about our Aged Care Standard 8 Governance Solution, book a chat below.