
White Paper

An Integrated
Governance Model
August 2023

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E enquiry@iia.org.au www.iia.org.au

© 2022 - The Institute of Internal Auditors - Australia


Contents

Background
- Purpose
- Background
Discussion
- Governance
- Risk Management
- Compliance
- Assurance
Summary
Bibliography and References
Glossary
Purpose of White Papers
Author’s Biography
About the Institute of Internal Auditors–Australia
Copyright
Disclaimer

Background

Purpose
An organisation should have a single, integrated process for achieving its purpose. Commonly this process is defined in terms of governance and management. There are many frameworks designed to assist organisations to set up processes such as governance, risk management and compliance, but these have been independently developed and are not completely consistent.

This model maps each of the subordinate frameworks onto a single governance framework.

Background
There are multiple Standards and models that describe ideal structures for governance, risk management, control and assurance within organisations. Each of these has value, but the way in which they relate to each other is not clear.

Discussion

Governance
What is governance?
There are many definitions of “governance”. The IIA has defined it as:

The combination of processes and structures implemented by the board [1] to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
(International Internal Auditing Standards Board, 2016)

The Governance Institute of Australia has defined it similarly:

Governance encompasses the system by which an organisation is controlled and operates, and the mechanisms by which it, and its people, are held to account. Ethics, risk management, compliance and administration are all elements of governance.
(2022)

The domain of governance is very wide. It has been described in ISO 37000:2021 Governance of organizations – Guidance as having eleven “principles”. Other, older, guidance such as COSO Enterprise Risk Management – Integrating with Strategy and Performance (2017) describes a different set of relevant “principles”.

All definitions indicate that governance includes

› Establishing structures
› Determining objectives
› Assigning priorities
› Determining the manner in which the organisation will behave
› Holding members of the organisation to account
› Confirming that objectives have been achieved.

While ISO 37000 includes such matters as social responsibility and long-term viability, these are characteristics that relate to the behaviour of the organisation and do not directly relate to governance. An organisation may elect to operate in conflict with societal expectations and/or may be intended for short term existence only. These do not preclude the organisation from being effectively governed.

[1] In this context the term “board” is used to describe the group or individual accountable for the overall performance of the organisation. In the corporate sector this is generally a Board of Directors; in other contexts it might be an individual such as a head of function, a commander or a principal officer.

Governance differs from management. Governance establishes goals, direction, limitations and accountability
frameworks; management is the allocation of resources and the supervision of day-to-day operations.

A practical model
An organisation is established for a purpose and operates within its external context. The governance processes must
recognise these factors. It can attempt to influence them, but it cannot control them. The owners of an organisation
may change an organisation’s purpose and this may involve a conversation with the board; the political and regulatory
environment may change around an organisation, but the organisation can attempt to influence this by various forms of
lobbying.

Exhibit 1 shows a skeleton model for governance of an organisation. It is intended to be scalable – that is it can be
applied to any organisation of any size.

Purpose of Organisation
(External) Context

Governance:

Culture                Structures              Priority Setting  Performance         Monitoring
Values                 Committees              Objectives        Standards/Measures  Line 2 Monitoring
Social responsibility  Operational Structures  Risk Appetite     Accountability      Line 3 Monitoring
Competence             Delegations             Strategy          Risk Management
                                                                 Compliance
                                                                 Resilience

Exhibit 1 - High level model of governance


The model shows a number of identifiable activities. Each of these activities may be assigned to a senior member of the
organisation to manage.

Culture
The culture of an organisation is an emergent property of the members of that organisation. It consists of the shared
perceptions about what is correct, what is prioritised and what is likely to be rewarded. In an organisation, individual
behaviour is affected by the way in which actions are rewarded or punished.

People learn what is acceptable behaviour by observing the behaviours of others in the organisation. The board can
build organisational culture by setting expectations and holding individuals to account for their behaviour.

Aspects include

› The values of the organisation. These are the principles and beliefs that define the way in which the organisation will
behave both internally and towards its stakeholders and customers. This aspect has been considered important for
some time and appears in COSO Internal Control (2013) as

Management sets an ethical climate that fosters honesty and integrity through their actions, code of conduct,
whistleblower policy, etc.

It also warrants mention in COSO ERM (2017) as Principle 4: Demonstrates Commitment to Core Values.

› Social responsibility. It is common for organisations to have a formal commitment to act in the best interests of the environment and society as a whole. The commitment becomes one of the values of the organisation. There is an emerging trend towards Corporate Social Responsibility (CSR) reporting. See also Principle 10 of ISO 37000:2021.

› Commitment to competence. This principle was expressed as a critical aspect of the Control Environment in the COSO Internal Control: Integrated Framework:

The organization hires and retains competent employees to carry-out tasks and provides appropriate internal or external training and evaluations
(COSO, 2013)

This aspect is also incorporated in the Governance & Culture Component of COSO ERM (2017) as the principle: Attracts, Develops, and Retains Capable Individuals.

Structures
Mechanisms are set up within the organisation to facilitate the delivery of organisational value. This includes management committees, operational structures, and monitoring capabilities. The overall framework of management includes rules, procedures, roles and the division of responsibilities.

Priority setting
The board sets the general approach and relative importance of various aspects of operation. This would be expressed by

› Objectives. Clearly expressed, measurable objectives are important for the sound operation of an organisation. An objective specifies what is to be achieved without indicating how it is to be achieved. They must be expressed in a way that allows those who are to deliver them to be able to determine whether or not they have been successful.

› Risk Appetite. The risk appetite guides decision-making. It allows managers to determine what is important to the organisation and how to weigh up the best approach to delivering value.

› Strategies for delivery. Some decisions in relation to organisational strategies will be reserved to the board. The stated risk appetite will determine which decisions these are.

Performance
The organisation is required to produce something. This is the responsibility of operational management. Operational management are frequently referred to as Line 1 (see the Three Lines Model under Assurance, below).

Performance is guided and monitored in terms of

› Standards & Measures of performance. The organisation must decide what standards of performance will be required and how performance will be measured.

› Accountability for performance. Accountability must be clear. Joint accountability should be avoided. While the board is ultimately accountable for all aspects of the organisation, individual officers will be assigned responsibility for particular matters. In order for them to be held accountable they must have both the authority and the competence (available skills and resources) to deliver.

› Risk Management. Risk management is about delivering on organisational objectives. Formal risk management methods help managers make sound decisions or develop effective procedures. Every decision affects the organisation’s risks. Most organisational risks are addressed by the development of procedures that prescribe action and constrain decision-making. See COSO Internal Control principle 12:

The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
(2013)

› Compliance. Some of the risks to be considered will be associated with organisational obligations. Obligations may be imposed from outside or may be self-imposed. They may arise from many factors such as the regulatory environment, organisational values, or policy decisions. A formal compliance framework may assist the organisation to manage meeting their obligations. (International Organization for Standardization, 2021b) (p. 21)

› Resilience. Organisations will face adverse circumstances from time to time. Resilience is the ability of organisations to manage such circumstances: to protect the organisation from the worst consequences of these circumstances and to enable the organisation to work through the consequences being experienced. Some of these – typically low likelihood, high consequence effects – will have contingency arrangements in place. Resilience also reflects the need for organisations to adapt to a continually changing business environment.

Monitoring
The principle of independent monitoring to verify performance has been generally accepted for many years. Principle 4 (Oversight) of ISO 37000:2021 says:

The governing body should oversee the organization’s performance to ensure that it meets the governing body’s intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations.

All aspects of the organisation should be monitored by the board. ISO 37000 and the “Three Lines Model” (see Assurance, below) both advise that the board should seek information about performance from many places in the organisation. They will gain most of that information from those responsible for undertaking the business activities (Line 1) but they will also gain information by:

— direct reports by, and private sessions with, risk management and compliance management as independent control functions;
— direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management;
— external audit and associated reporting to stakeholders and the governing body;
— whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal.

The board may take notice of, but cannot control, the activities of external audit, but they do have control over:

› monitoring set up by, and reporting to, top management (Line 2). This is monitoring by those other than the group directly responsible for delivery. It includes: Quality monitoring, Financial monitoring, Pulse surveys – culture monitoring, Compliance monitoring, Safety monitoring and Risk profile monitoring.

› monitoring by the internal audit activity (Line 3). Monitoring established by the board and independent of management, reporting to the board through its audit committee.

Governance is not management
Governance is about what is to be achieved; management is about how it should be achieved. While some sources (COSO, 2017 & COSO, 2013) emphasise that boards should be independent of management, in reality there is considerable interaction between the two activities: boards rarely come to a strategic decision without the input of management. Boards set priorities, but sensible boards do so in a manner that is informed by management opinion.

The COSO Internal Control: Integrated Framework (2013) suggests that there are a number of important aspects to this:

› governance determines objectives in line with the expectations of stakeholders and engages management to deliver;
› governance provides constructive challenge to management;
› governance applies an objective view to the performance of the organisation;
› governance calls management to account;
› governance determines the risk appetite and management makes decisions within these parameters.

The hierarchical nature of governance
For most organisations, many constraints are inherited from the environment; divisions or departments of organisations
are also governed and inherit much of their context from the parent organisation.

Governance principles apply at every level of responsibility in every organisation. Managers are accountable to their
superiors and govern their areas of responsibility. The scope that they may have for independent action will depend on
the organisation and the level of the manager within it. As ISO 37000 says:

The degree of separation of duties between the governing body and managers varies according to organizational
needs and circumstances. In certain circumstances…an individual can be required to fulfil both governance and
management responsibilities.

(International Organization for Standardization, 2021a)

At the highest levels of the organisation, there is more governance than management; at the lower levels there is
increasing management and corresponding decrease in governance.

Risk Management
What is risk?
The frameworks for management of risk have evolved over time and, while they use many of the same words, they have
different philosophical approaches.
Exhibit 2 - Evolution of concepts of risk [3]

Level 1
  Concept: Risk as hazard
  Level of risk: Conceivable damage (exposure)
  Used in: Safety
  Controls: Physical; mechanical

Level 2
  Concept: Risk as a potential event
  Level of risk: Consequences of the event and the likelihood of experiencing them [2]
  Explanation: Introduces the concept of likelihood. Also the concept of systems.
  Used in: AS/NZS 4360:1995; COSO ERM (2004); COSO ERM (2017); most of the commercial literature coming out of the USA
  Controls: Process-based hard controls to prevent/detect/correct adverse events. Some thought is given to soft controls (behavioural measures)

Level 3 (Humanist)
  Concept: Risk as an effect
  Level of risk: Consequence of effect and likelihood of experiencing the consequence
  Explanation: Expands the concept of uncertainty to go beyond potential events.
  Used in: ISO 31000; most Australian Government official guidance
  Controls: Human factors are prominent in the approach. Controls must be designed with a conscious understanding of human behaviour.

[2] Often approximated by:
  • Typical outcome of the event and likelihood of experiencing it.
  • Worst conceivable outcome of the event and likelihood of experiencing it.

[3] I am indebted for this analysis to Prof Gilles Motet (l’Institut National des Sciences Appliquées de Toulouse [INSA]). See also Human and Organizational Factor of Safety: State of the Art (Daniellou, et al., 2011).

The Australian Standard (AS ISO 31000:2018) defines risk as

effect of uncertainty on objectives
(International Organization for Standardization, 2018)

While ISO 31000 allows that uncertainty may arise from potential future events, this is not the only form of uncertainty that the framework is intended to manage. Consequences may be beneficial or damaging to an organisation. Both types of consequence are addressed by ISO 31000. The treatment of risk should not be referred to as “mitigation” – risks are “managed”. The word “mitigation” can only refer to responses to potential adverse consequences.

Risk Management Principles and Framework
Risk management is a management activity. An important aspect of AS ISO 31000:2018 Risk management – Guidelines is its emphasis on human factors. The standard, while not including issues of culture within the framework, recognises that human behaviour and culture significantly influence all aspects of risk management at each level and stage. This emphasis on culture is an emerging issue in organisational management.

ISO 31000 describes a risk management framework as containing five components (Exhibit 3). Most of these components are internal to the risk management activity. The framework as suggested in ISO 31000 is based on the Plan->Do->Check->Act cycle of quality management and touches on the governance framework in the Leadership, Integration and Design components.

Exhibit 3 - Risk Management Framework: Leadership and Commitment at the centre of a cycle of Integration, Design, Implementation, Evaluation and Improvement

An important part of leadership in establishing sound risk management is determining the amount and type of risk that may or may not be taken. This is often called the organisation’s risk appetite.

The Integration component includes consideration of organisation structures, strategy, leadership, objectives and operations. Design should consider: organisational context (including external pressures and obligations); organisational roles, authorities, responsibilities and accountabilities; the allocation of resources; and communication and consultation processes.

Risk management in the integrated model
Risk management maps on to the integrated model as shown in Exhibit 4. Nearly every aspect of the risk management activity overlaps the governance model.

Exhibit 4 - Risk Management activities within the governance model (layout as in Exhibit 1)

Compliance
Compliance is the process of making sure an organisation and its members fulfill the organisation’s obligations.

Obligations may be mandated or assumed voluntarily but they are usually driven by external pressures. They are effectively a subset of the objectives of the organisation.

Individual managers are accountable for their performance in relation to obligations.

As with objectives, obligations have mechanisms by which they are measured (for example “hours lost through injury”) and standards or targets for performance (such as “zero hours lost”). As with objectives they have associated risks.

To achieve compliance, the associated risks must be controlled. Managers set up plans, processes and procedures to control the risks and thereby fulfill the obligations.

Processes are also established to produce documentary evidence that the prescribed controls are being followed. Good management of compliance uses this documentation to calculate the level of compliance and report it through the accountability process.

Supplementing this accountability reporting are Line 2 “compliance audits” that confirm the adequacy of documentation and validate this reporting.

Compliance Management
These concepts are combined in the compliance management process:

Set of interrelated or interacting elements of an organization to establish compliance policies and objectives as well as processes to achieve those objectives.
After ISO 37301:2021 Compliance management systems – Requirements with guidance for use.

Exhibit 5 shows the essentials of a compliance management process: obligations arising from decisions of the governing body as well as from external constraints; and a process designed to meet the obligations.

ISO 37301:2021 also mentions the importance of leadership and culture.

Exhibit 5 - Compliance Management Process: Objectives, Organisational Values and External constraints give rise to Obligations, which feed a cycle of Design Process, Execute and document, Monitor performance, and Adjust for deviations

Compliance management in the integrated model
Compliance management maps on to the integrated model as shown in Exhibit 6. Every aspect of the compliance management activity is also part of the risk management activity.

Exhibit 6 - Compliance management activities in the governance model (layout as in Exhibit 1)
Assurance
What is assurance?
ISO 37000 makes the point that

The governing body should oversee organizational performance.


(Paragraph 6.4.3.2)
and that

in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself
that the governance system is appropriately designed and operating as intended.
(Paragraph 6.4.3.3)
In this context, assurance may be defined (consistent with the meaning in standard English) as “a positive declaration
intended to give confidence”.
It might also, consistent with the concept espoused by Deming (1982), be a process designed to achieve and to confirm
the achievement of particular objectives.
This assurance, when the board is not in a position to directly validate the processes, is obtained by reports produced by
independent review functions.
Assurance is therefore obtained by receiving reports and by direct enquiry across multiple, independent sources of
information.

Three Lines Model for assurance information


The Three Lines Model was developed to describe the sources of information available to decision-makers and to
indicate the extent to which information is developed independently of those who are operating the activities of the
organisation. The IIA’s Three Lines Model (The Institute of Internal Auditors, Inc, 2020) is illustrated in Exhibit 7.

Exhibit 7 - The Three Lines Model

GOVERNING BODY
Accountability to stakeholders for organizational oversight
Governing body roles: integrity, leadership and transparency

MANAGEMENT
Actions (including managing risk) to achieve organisational objectives
First line roles: provision of products/services to clients
Second line roles: expertise, support, monitoring and challenge on risk-related issues

INTERNAL AUDIT
Independent assurance
Third line roles: independent and objective assurance and advice on all matters related to the achievement of objectives

EXTERNAL ASSURANCE PROVIDERS

KEY: Accountability, reporting (management and internal audit to the governing body); Delegation, direction, resources, oversight (governing body to management); Alignment, communication, coordination, collaboration (between management and internal audit)

This is represented in the integrated model by four components across two governance activities as illustrated in Exhibit 8.

Exhibit 8 - Assurance within the Integrated Governance Model (layout as in Exhibit 1)

Summary
This paper has introduced a five factor model of governance that is compatible with common standards that address
governance, risk management, compliance and assurance. These standards overlap in their scope and application and
yet are expected to operate as an integrated whole.

Bibliography and References

COSO, 2013. Internal Control - Integrated Framework. [Online] Available at: www.coso.org

COSO, 2017. Enterprise Risk Management—Integrating with Strategy and Performance. [Online] Available at: www.coso.org

Daniellou, F., Simard, M. & Boissières, I., 2011. Human and organizational factors of safety: a state of the art, Toulouse, France: Foundation for an Industrial Safety Culture.

Deming, W. E., 1982. Out of the Crisis. Boston: Massachusetts Institute of Technology.

Governance Institute of Australia, 2022. What is governance?. [Online] Available at: https://www.governanceinstitute.com.au/resources/what-is-governance/#:~:text=Governance%20encompasses%20the%20system%20by,are%20all%20elements%20of%20governance.

International Internal Auditing Standards Board, 2016. International Standards for the Professional Practice of Internal Auditing, Lake Mary, FL, USA: Internal Audit Foundation.

International Organization for Standardization, 2018. ISO 31000:2018 Risk management - Guidelines, Geneva: International Organization for Standardization.

International Organization for Standardization, 2021a. ISO 37000:2021 Governance of organizations - Guidance, Geneva: International Organization for Standardization.

International Organization for Standardization, 2021b. ISO 37301:2021 Compliance management systems — Requirements with guidance for use, Geneva: International Organization for Standardization.

The Institute of Internal Auditors, Inc, 2020. The IIA’s Three Lines Model: an update of the three lines of defense. [Online] Available at: https://www.theiia.org/en/content/position-papers/2020/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense/

Glossary

Assurance: Activities within an organisation intended to give confidence to decision-makers. A process designed to achieve and to confirm the achievement of particular objectives.

Compliance: The process of making sure an organisation and its members fulfill the organisation’s obligations.

Compliance Management: Set of interrelated or interacting elements of an organisation to establish compliance policies and objectives as well as processes to achieve those objectives.

Governance: The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Risk: Effect of uncertainty on objectives.

Risk Appetite: The amount and type of risk that may be taken in pursuit of objectives.

Risk Management: Coordinated activities to direct and control an organisation with regard to risk.

Purpose of White Papers
A White Paper is a report authored and peer reviewed by experienced practitioners to provide guidance on a particular subject related to governance, risk management or control. It seeks to inform readers about an issue and present ideas and options on how it might be managed. It does not necessarily represent the position or philosophy of the Institute of Internal Auditors-Global and the Institute of Internal Auditors-Australia.


Author Biographies
This White Paper written by:
Michael Parkinson BSc(Hons), GradDipComp, PFIIA, CIA, CISA, CRMA, CRISC

Michael is an internal auditor and risk management consultant in private practice. He has more than 40 years of experience in a range of government and non-government environments. He has been active in the development of risk management and internal auditing standards and guidance for more than 15 years. Michael has practiced in Australia and South East Asia and currently serves on a number of Audit and Risk Management Committees.

Michael has been the recipient of the IIA–Australia Bob McDonald Award and the IIA–Global Victor Z Brink Award for services to the profession of internal auditing.

This White Paper edited by:
Barry Davidow B.Com, B.Acc, MTaxLaw, ACA, CFE, PMIIA

About the Institute of Internal Auditors-Australia
The Institute of Internal Auditors (IIA) is the global professional association for Internal Auditors, with global headquarters in the USA and affiliated Institutes and Chapters throughout the world including Australia.

As the chief advocate of the Internal Audit profession, the IIA serves as the profession’s international standard-setter, sole provider of globally accepted internal auditing certifications, and principal researcher and educator.

The IIA sets the bar for Internal Audit integrity and professionalism around the world with its ‘International Professional Practices Framework’ (IPPF), a collection of guidance that includes the ‘International Standards for the Professional Practice of Internal Auditing’ and the ‘Code of Ethics’.

The IIA-Australia ensures its members and the profession as a whole are well-represented with decision-makers and influencers, and is extensively represented on a number of global committees and prominent working groups in Australia and internationally.

The IIA was established in 1941 and now has more than 200,000 members from 190 countries with hundreds of local area Chapters. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Copyright
This White Paper contains a variety of copyright material. Some of this is the intellectual property of the author, some is owned by the Institute of Internal Auditors-Global or the Institute of Internal Auditors-Australia. Some material is owned by others which is shown through attribution and referencing. Some material is in the public domain. Except for material which is unambiguously and unarguably in the public domain, only material owned by the Institute of Internal Auditors-Global and the Institute of Internal Auditors-Australia, and so indicated, may be copied, provided that textual and graphical content are not altered and the source is acknowledged. The Institute of Internal Auditors-Australia reserves the right to revoke that permission at any time. Permission is not given for any commercial use or sale of the material.

Disclaimer
Whilst the Institute of Internal Auditors–Australia has attempted to ensure the information in this White Paper is as accurate as possible, the information is for personal and educational use only, and is provided in good faith without any express or implied warranty. There is no guarantee given to the accuracy or currency of information contained in this White Paper. The Institute of Internal Auditors–Australia does not accept responsibility for any loss or damage occasioned by use of the information contained in this White Paper.