Not long ago, I was playing a game of football (which I will reluctantly refer to here by its given name in the United States—“soccer”) with some colleagues in a tournament organized by my company. As we huddled, waiting for the match to begin, our coach remarked, “we won’t find better than an internal auditor to trust as a goalkeeper.”
This comment stuck in my mind and reminded me initially of the Three Lines of Defense Model (3LoD), where internal audit is considered the third and final line of defense. As I watched the players move about in front of me and thought more about it, however, analysis of the soccer team formation against the corporate organizational structure made more sense than the current or previous Three Lines models.
The more I considered it, the way the players are positioned on the field provided an excellent analogy for sound risk management and governance structures in the modern corporation. Even the roles of the coaches, referees, and the spectators in the stands can provide some insight to explain governance and internal audit roles and interactively allow non-specialized governance professionals to visualize the governance lines away from the technical jargon that governance professionals and internal auditors typically spout.
And so the Soccer Field Governance Model was born. It aims to explain different governance concepts related to the interaction among board, executive management, operational management, compliance, risk management, and internal audit within the corporate context. With the World Cup tournament just weeks away, I thought the time was right to explore this soccer-based governance model in some depth.
Problems with the Three Lines Model
Before we dive in to what the soccer pitch can teach us about corporate governance, let’s first discuss some problems with existing models. Most of us are aware of the Institute of Internal Audit’s Three Lines Model (previously known as 3LoD), which is still under significant criticism due to its failure to communicate the varied organizational relationships clearly and concisely. The initial 3LoD model focused on the defensive roles of all lines, including operational management, risk management, and internal audit. Internal audit roles were initially limited to protecting the organization rather than creating value. Relationships between the board, executive management, and lines of defense were not defined clearly, in addition to vague responsibilities among the 3LoD.
The updated model was introduced in 2020 with a strong promotion from the IIA that the new model will change how organizations work and how organizations treat risks and controls. In reality, the new model did not change much in how organizations work. Internal auditors are still confused between the two models (many still refer to the old 3LoD), and the message is lost between the eliminated defense role (value protection) and the lack of emphasis on the newly promoted offense roles (value creation). The new model is still emphasizing silo-based reporting and failed to illustrate how internal auditors can be less isolated, as clearly shown in the model below:
With this confusion among internal auditors, you can imagine that this model is less likely to be used as a reference to explain the different lines’ roles, responsibilities, and interactions. In addition, this is not a simple model to utilize in raising awareness about the vital role the internal audit function plays in any organization.
Furthermore, the illustration of how governance, risk, compliance, and internal audit are aligned and integrated into the Three Lines Model is weak and does not encourage collaboration among the three lines.
Soccer Team Formation and Governance Structure
The typical soccer team formation consists of four lines: offense, midfield, defense, and goalkeeper. The company structure can also be represented in four lines as follows:
Offense/Forward (First Line): Consists of the CEO (being the team’s captain), and chiefs of operations, commercial, financial, marketing, investments, and other front-line managers and employees who deal directly with customers, clients, products, and services. This line is responsible for scoring goals and achieving business objectives and targets.
At the same time, this line can stop any threats against the organization in the early stages by pressing in the opponent’s half or exercising a “high press” in soccer terms.
Midfield (Second Line): This line is somehow missing in the Three Lines Model, and it plays a critical role in supporting the forwards (First Line) in achieving business objectives and managing financial, operational, legal, and reputational risks. The line consists of the accounting department, information technology, middle office, human resources, admin, and other support functions. Operational risk functions are also part of this line which plays a significant role in supporting the offensive role of the First Line and is different from the defensive position of the enterprise risk management functions.
The midfield line’s quality will determine the first line’s ability to score goals and achieve business objectives. Midfielders have a massive role in how the team moves from back to front or front to back. They do not need to score goals to be important to the team. They just need to be good passers and technical players that can lead their team to win.
Furthermore, the defense roles also exist within the midfield as some midfielders play a strictly-defined defensive role, breaking up attacks, and are known as defensive midfielders (such as back-office support in business terms).
Defense (Third Line): Defenders’ primary roles are to stop attacks during the game and prevent the opposing team from scoring goals. This is the organizational role of the enterprise risk management, compliance, cybersecurity, health & safety, quality assurance, and other functions with similar defensive roles.
Goalkeeping (Fourth Line): Goalkeeping is a complex position requiring physicality, a strong mentality, and a unique set of skills. Similarly, the internal auditor should have outstanding skills to excel and be recognized as a value-added resource.
The goalkeeper is the only player who can see the whole soccer field and often acts as the team’s organizer when defending, such as on a free kick or a corner kick. This means the goalkeeper needs to be loud and concise (as do internal auditors), with a voice that can project over the defensive area of the pitch.
Non-Player Components of the Soccer Field Governance Model
The governing body, shareholders, and stakeholders are crucial components of any governance model. They play similar roles as some of the critical components of any soccer team:
Coach (Governing Body): Soccer coaches coordinate, instruct, motivate and organize the team. The governing body roles are similar to the coach’s responsibilities in the sense that they do not participate as players in the match; however, they lead, organize, instruct, inspire, establish accountability, and are responsible for the organization’s overall performance, achieving objectives, and fulfilling their fiduciary role. The governing body relies on communications from the various lines to exercise oversight and ensure the achievement of objectives. Internal audit independently reports to the coach on the overall effectiveness of governance, risk management, and controls, just as the goalkeeper provides important feedback to the coach about what he or she is seeing on the field.
Coach Assistants (Board Committees): Coach Assistants are responsible for supporting the coach in performing tasks and overseeing the implementation of necessary action plans. The board may appoint committees to delegate specific responsibilities and support the board in certain activities, including overseeing areas such as financial reporting, audit, risk, remunerations etc.
Soccer Club Owners (Shareholders): Club owners buy, sell, and lease facilities, oversee performance and play a role in the hiring and firing of the coach. This is identical to the role of the organization’s shareholders, who are responsible for appointing the board of directors and ensuring that the company is well run and well managed.
Referee (Regulators and External Assurance Providers): The primary duty of a referee is to monitor the game and enforce fair play. Referees have the power to penalize players with yellow or red cards, stop or terminate play due to risk factors, and assess fouls and penalties. The role of the regulators and government auditors can be well associated with the role of the referee in a soccer match. External auditors and other assurance providers who are entirely independent of the company can also play this role.
The Fans (External Stakeholders): Either attending the match in the stadium or supporting their teams remotely, they will be impacted by the team’s performance on the pitch. This is no different from the external stakeholders who have a role to play at varying levels of influence on business operations, from customers to local communities, and many other stakeholders in between.
The Internal Audit as Goalkeeper
We have all encountered many perceptions and self-images of the internal auditor role, which either provide a negative image about the internal audit role (such as the organization’s police force), underestimate the internal audit role (such as doctor), or partially describe what the internal auditor does (such as consultant or change agent).
In the context of the soccer field governance model, however, the analogy of the goalkeeper is more relevant for the following principal reasons:
Visibility and Positioning: The goalkeeper is the only player who can see the whole field. This is a unique view that the internal auditor has for the entire organization, which no other department has, including sometimes the CEO. The level of granularity that the internal audit can access within the organization provides a comprehensive understanding of each area and can be the base to provide the required assurance to the governing body and senior management.
Alignment with the Strategies, Objectives, and Risks of the Organization: The goalkeepper plays an integral part of the game even when the action is down the other side of the pitch. The match cannot start without the goalkeeper, and it is the same case with the internal auditor. The pitfall of the Three Lines Model or other perceptions and images of the internal auditor is that it draws an impression that the internal audit function is nice to have and the system can still work without it.
It is not acceptable anymore to define the internal audit role as one of the audiences or a completely independent party who is not part of the game. This image we draw about our work isolated us and will continue to do so until we clearly define our role as “in the game.” Internal auditors are a crucial component of the organization and a major player in ensuring the achievement of business objectives.
Integration and Communication: The stronger the other lines, especially defense, the better the goalkeeper’s performance will be. The strength of the third line (ERM, Compliance, Cybersecurity, and others) will improve the performance of the internal audit function and result in a better risk management, governance, and internal controls environment.
Value Protection and Creation: It is often said that goalkeepers score a goal with every save. it is not only about defense. The narrow understanding of the internal auditor role always focuses on the defensive roles of the internal auditor. However, every time the internal auditor identifies risks or provides insight and foresight and recommends a better way of doing things, the function contributes to the achievement of organizational objectives hand in hand with all other departments.
Change and Improvement Agents: If necessary, the goalkeeper can assume other roles, including scoring goals. Goalkeepers can take penalties and free-kicks when they have the skill to do this, such as the Paraguayan goalkeeper Chilavert. Similarly, with proper measures in place, the internal auditor can be asked to assume roles beyond internal audit if necessary.
Independent Positive Assurance: Strong goalkeepers give confidence to other lines. Likewise, strong internal audit departments provide positive assurance to the board and management that they are on the right track when it comes to the risk management, governance, and internal controls environment.
Competent, Proactive, and Future Focused: Goalkeepers need to be agile, strong, fit, focused, brave, and decisive. it is not easy to be a great internal auditor. You need a unique set of skills to navigate the internal politics, fulfill the audit committee’s assurance needs, communicate with confidence, and provide the right advisory services to the management.
Demonstrates Quality and Continuous Improvement: Being a goalkeeper is physically and mentally challenging. As an internal auditor, in many instances, you must be fully prepared to carry the weight of the organization on your shoulders, wear mistakes, handle stress, and accept that you will rarely experience the glory outfield players do.
Integrity and Objectivity: Goalkeepers always face more criticism than praise. It is hard to see a goalkeeper winning an individual trophy. In history, Lev Yashin (the Soviet Union Goalkeeper) was the only goalkeeper who won the Ballon d’Or for FIFA “Player of the Year” in 1963. Similarly, internal auditors are hardly ever recognized for their hard work even if they save the company in difficult situations.
On the other hand, they will be easily blamed if they receive any goals (which are likely not their mistakes). However, this should not impact the internal auditors’ commitment, integrity, and objectivity.
Applying the Right Team Formation Strategy
The coach (governing body) is responsible for structuring the team and assigning roles and responsibilities. The coach also has to decide whether to adopt an “offensive” or a “defensive” approach to a match. This strategic decision depends on the strengths and weaknesses of his team with respect to the opponent, but also on the strategy chosen by the opponent’s coach. Similarly, the governing body needs to define the organization’s risk appetite, which can be adjusted to how the coach changes the team formation.
Players in the team should act in an organized way and know their roles and positions. Organizations also require teams to function as one cohesive unit with a shared plan and common understanding of the organizational objectives. The cooperation, collaboration, communication, and alignment between the four lines within the organization will significantly impact the success of achieving organizational objectives and scoring goals.
So in November, when you tune in to watch your favorite team battle for the World Cup or if you are lucky enough to attend in person, and as you watch the players move up and down the pitch, think of the interactions of the various players and positions, the coaches, referees, and fans and how they align with corporate governance models. And when you see a goalkeeper make a spectacular save, its fine to mutter under your breath,”Well done internal audit! Well Done!”
Ehab Saif, MSc, CMA, CIA, CFE, is a specialist in internal audit, risk management, and governance, based in Abu Dhabi, United Arab Emirates.
Thanks Ehab, this article is a great teaching aid and I’ll share with my education/apprenticeship contacts. It makes tangible the roles, responsibilities and communication channels that exist across a well-functioning organisation. I guess it’s why it’s difficult to predict the World Cup winner because there are so many dynamically moving parts across a high performing operation. Having said that, I do think England’s recent run of bad form is just a tactic and they will come good in Qatar 2022! Come on England!
Thank you for your article. It helps me have better understanding of the governance model.
When the 3 LoD was revised in 2020, I was happy to have a better visualized image of the governance model but still was uncomfortable to deliver it to others who are not familiar with internal auditors’ roles, even though I could not tell clearly to myself what was lack in the model.
Now reading your article, I found what in the 3 LoD made me difficult. Your model is just right for me to explain all the functions’ roles in my company to my colleagues.
I am looking forward to seeing your writings again in the future. Thank you!
Thanks Heeyoung
Perfect. The demonstration is spot on. Internal Auditor is the goalkeeper of the corporate body. I’m in love your creativity Ihab
Thank you Kennedy. I am glad you liked it.
Good write up and very educative.
Thanks Joseph
What a visual map you created. Right on the money. I have never seen a better analogy than this. Nothing can better describe the value protection and value creation role of an Internal Auditor.
Thanks for sharing
Very insightful, especially talking about offense – the primary goal of organization, as well.
Quite informative and educational as well. Well, reasoned innovative analogy and spot on.
Thanks Moiz.
Mr Ehab Saif, reading this your article gives me a broader understanding of the impact auditors as a whole have on corporate governance laws. It is really important to have reliable and hard working auditors in a company who monitor the financial situation of every corporation, because internal auditors are really like goalkeepers in a soccer match and at the same time gatekeepers. Their presence is important more of significant, to avoid corporate scandals like fraud, embezzlement, etc well I’m a student in the university of Buea, Cameroon and I will be working on Corporate Governance laws and it’s impact of internal and external auditing of a firm and I’m looking forward to reading more of your articles thanks a lot for this article
Very awesome. Very innovative.
I love this
Ehab, thanks for this insight. I am both an internal auditor and an avid football fan (we shouldn’t change the name of a global sport because it’s referred to differently in one part of the world where it’s neither that popular nor played particularly well). I understand well how the game works and appreciate how you have drawn on it to explain the professional space of internal audit. Very well done. That is the kind of innovative thinking that is very much in demand not just in internal audit but everywhere else.
Dear Ehab Saif,
Thank you for this insightful article. It really drives home the importance of the Internal Auditor within an organization.
Very interesting to ready and easily relate with.