By Andi Lukman Hakim
International Centre for Education in Islamic Finance (INCEIF), The Global University of Islamic Finance, Malaysia
Cite as: Hakim , A. L. (2017), "Application of Three Lines of defense in Islamic Financial Institution ", International Journal of Management and Applied Research, Vol. 4, No. 1, pp. 44-57. https://doi.org/10.18646/2056.41.17-005 | Download PDF | Cited by
The underlying principle and concept of Islamic Financial Institution (IFI) is Shariah. Shariah itself consists of aqidah (faith and belief), akhlaq (moral and ethics) and fiqh (law). These three components are the foundation of all IFI’s activities, including risk management activities. One of the concepts used in risk management is three lines of defense. The three lines of defense’s concept provide a clarity regarding roles and responsibilities of various risk functions within an organization. IFI should adopt the concept of three lines of defense as part of their Enterprise Risk Management framework to strengthen the effectiveness of their risk management function. The author proposes three lines of defense model for an IFI in this paper. The foundation of the proposed model is Shariah while its pillars are knowledge and Islamic culture.
Shariah is the foundation of an Islamic Financial Institution (IFI). Lahsasna (2011) defined Shariah as the total sum of Islamic teachings and system, which revealed to Prophet Muhammad, peace be upon him (pbuh), recorded in the Quran as well as deducible from the Prophet’s (pbuh) divinely-guided lifestyle called the Sunnah. The Islamic teachings itself is comprehensive and complete, it is not only regulates relationship between man and Allah (God) but also regulates relationship among people, relationship between man and animals as well as environment.
Shariah consists three matters, first is aqidah (faith and belief) such as belief in six articles. Second is akhlaq (moral and ethics) such as telling the truth, sincerity and honesty while the last one is fiqh (law) (Lahsasna, 2011). Hence, Shariah covers beliefs and spirituality, ethics and moral as well as laws that regulate all aspects of human’s life and relationships. In other words, Shariah is Islamic way of life.
As Shariah is a DNA of an IFI, Shariah is also the foundation of risk management of an IFI. Unlike conventional financial institution, an IFI in managing their risks, should consider compliance from wider aspect, i.e. compliance to Islamic laws and regulations as well as adherence to Islamic moral and ethics. In this paper, the author discusses the application of the three lines of defense in an IFI and the roles and responsibilities of each line of defence towards Shariah compliance. The author divides the paper into four sections, first section to discuss the concept of knowledge in Islam and Islamic culture as pillars of the three lines of defense in an IFI. In the second section, the author is elaborating the concept of self-assessment and monitoring in Islam. Third section is about the three lines of defense model as published by Institute of Internal Audit. In the final section, the author proposes a ‘three lines of defense’ model for an IFI.
2. Literature Review
Since Islamic finance is relatively young as compare to their counterpart, i.e. conventional finance, the literature available for review in Islamic finance is also relatively lesser. Consequently, there are limited studies and research papers on lines of defense in Islamic Financial Institution (IFI). Lahsasna (2014) in his book “Shariah Non-Compliance Risk Management and Legal Documentation in Islamic Finance” introduced the concept of ten lines of defense in an IFI. He focused on how the ten lines of defense can prevent and detect the Shariah non-compliance risk event. Other than him, not many literatures, if not none, has discussed the lines of defense in an IFI.
The Institute of Internal Audit (IIA) introduced the concept of three lines of defense in 2013. The IIA, along with government agencies and accounting firms, publishes papers, guidance and articles about the three lines of defense. Nowadays, most companies implements the concept and application of three lines of defense. IFI, as part of their enterprise risk management, also implements the concept and application of the three lines of defense. However, other than some IFI’s risk management documents, there are limited literatures, if not none, has discussed the application of the three lines of defense in an IFI.
2.1. The Concept of Knowledge in Islam and the Concept of Islamic Culture
2.1.1 Knowledge in Islam
Al Ghazali stated that knowledge results from the functioning of intellect or reason (aql) which is the inherent rational faculty of man. In fact, intellect distinguishes man from animals. Intellect is the source of the kind of knowledge of which animals are incapable (Umaruddin, 2003). Knowledge in Islam, as defined by Priyoyudanto (2013), is the truth relating to the nature of Allah, His creation and all phenomena, acquired through revelation, reasoning and experiences of the senses. While Al-Attas (1980) defined knowledge as the arrival in the soul of the meaning of a thing. The ‘meaning of a thing’ means the right meaning of it which determined by the Islamic vision of reality and truth as projected by the Quranic conceptual system.
Priyoyudanto (2013) stated that the source of knowledge in Islam comes from three sources, first is from Allah’s revelation to His prophets, second is from reasoning (rational thinking) and third is from perception or empiricism (sense). Further, he stated that knowledge obtained through revelation, being divinely ordained, is absolute knowledge (haqq alyaqin), it is infallible and hence the most reliable form of knowledge. While knowledge acquired through rational thinking, known as ilm al-yaqin, has limitations hence men needs revelation to determine the reliability of what he understands through rational thinking. The last source of knowledge is experience or empiricism (ayn-al-yaqin) through man’s senses (hearing, feeling, smelling, seeing, and tasting). Similar to rational thinking, the sense has limitations and sometimes be unreliable, thus it also needs confirmation by the revealed knowledge.
Islam does not negate the function of intellect (reasoning) and senses for obtaining knowledge. In fact, God created a man with intellect so a man can obtain knowledge. However, intellect and senses themselves have limitations and are not sufficient to find a true knowledge. Knowledge obtained through intellect and senses needs confirmation by the revealed knowledge. Therefore, in Islam the revealed knowledge is a definitive and absolute knowledge that comes from God.
2.1.2. Islamic Culture
The base of Islamic culture is Islamic ethics/khuluq. Khuluq (its plural form is akhlaq) is define as character, nature and disposition. Al-Ghazali stated that khuluq (character) is the spiritual constitution of man (i.e. tawhid), his natural self from which actions proceed spontaneously and easily, without much deliberation, hesitation or restraint on his part. It involves: (a) the ability to perform actions both good and bad, (b) control over action, (c) the knowledge of actions, and (d) a state of the self, which inclined towards both good and bad. Character is inherent in the self, it is permanent and not incidental or momentary (Umaruddin, 2003). As Islam is a comprehensive religion, Islamic ethics is not only about relationship between men and God but also about relationship among individuals, relationship between men with animals as well with the environment. The main sources of Islamic ethics are the Quran and hadith.
Good characters based on the concept of tawhid (oneness of God) such as justice/equity (‘adl), benevolence (ihsan), perfection (itqan), productive, motivated, accountable, trustworthy and sincere should become natural characters and embedded in each individual employees of Islamic Financial Institution (IFI). Over times, these characters will become an identity and culture of the IFI.
2.2. The Concept of Self-Assessment and Monitoring in Islam
2.2.1. Self-Assessment and Evaluation (Muhasabah)
The observance of religious ethics has pre and post-action requirements: Al-muhasabah and Al‐Muraqabah. While Al‐Muraqabah refers to God consciousness or consciousness of Allah's presence in all time and places, Al-muhasabah, refers to the self‐accountability before Allah (Ishola, 2012).
As per the second hadith of al‐Nawawi: And tell me about Ihsan, he replied, “to worship Allah as if you are seeing Him, if you do not see him, surely He sees you”.
The prophet then follows with: Fear Allah wherever you are; follow evil deeds with good deeds, this wipes away evil, and act best in your relations with people. No servant of Allah would move, until he accounts for the following: his life, how he spent it, His knowledge, how he used it, his wealth, how he acquired it and how he spent it and his body, how he used it.
The concept of self-assessment and monitoring emerges from the understanding that God always monitors every human and all practices carried out by humankind would be evaluated and judged in the after-world (concept of ihsan and accountability). It begins from internal awareness through the process of appreciation and assimilation of trust and responsibility as a servant and caliph of God. Thus, by a continuous show of appreciation, the ethical values would indirectly assimilate the characteristics of taqwa into the soul. Based on this premise, it would then create an individual who would always be self-disciplined in practicing the teachings of Islam.
IFI can apply the concept of self-monitoring and evaluation at individual level as well as business unit level. At the individual level, all employees of an IFI should perform a self-assessment not only for the purpose of their performance review but also for their adherence to the Shariah principles and Islamic ethics. At the business level, each business unit assess their own performance and compliance to the Shariah principles.
2.2.2 Monitoring and Oversight (Hisbah)
Literally, the word Hisbah refers to “accountability”. Hisbah describes the institution to promote good conducts and avoid misconducts in line with Quran (Dogarawa, 2013). The Islamic concept of “al amr bil maroof wal nahyu anil munkar” i.e. (the task of) enjoining what is right and forbidding what is evil, is the base for establishment of a hisbah institution. In the financial world, the duty of muhtasib or the person in charge of hisbah is “to ensure that the daily business transactions are conducted in a manner that is not harming the society.” The main responsibility of muhtasib (market controller or ethics officer) is to ensure that business practices prevalent in the market are in accordance with Islamic law and they are authorised to interfere the unethical business practices (Hassan, 2016).
To a great extent, Muhasabah and Hisbah emphasise the importance of monitoring. While Muhasabah is more concerned with monitoring at individual level, Hisbah is more associated with monitoring at both team and organisational levels.
IFI can apply the concept of Hisbah as a monitoring unit in an organization and/or as an individual who has monitoring and supervision responsibility. This view is in accordance with Dogarawa (2013) who suggested that one could implement Hisbah principles through the existing organisational structure. For example, the board of director and its committees need to ensure that the daily operational activities are conducted in an ethical manner. While managers and supervisors have to ensure that their staffs perform assigned tasks in accordance with their job description and internal policies.
3. Three Lines of defense Model
In the financial institutions, various teams such as internal auditors, risk management specialists and compliance officers are working together to help their organizations in managing risks. Each of these specialties has a unique perspective and specific skills that can be invaluable to the organization. The challenge is to assign specific roles and to coordinate effectively and efficiently among these groups so that there are neither “gaps” in controls nor unnecessary duplications of coverage. Organization must clearly defines their responsibilities so that each group of risk professionals understand the boundaries of their responsibilities and how their positions fit into the organization’s overall risk and control structure (The Institute of Internal Auditors, 2013).
Three lines of defense model, introduced by the Institute of Internal Auditors in 2013, is designed to provide a means to enhance communications on risk management and control by clarifying essential roles and duties (The Institute of Internal Auditors, 2013).
3.1. Risk Management Oversight
The company’s Board is ultimately responsible for managing the company including to ensure prudent risk management framework and oversight the operation of risk management by the management. Board’s committees, such as Board Risk Committee, Board Audit Committee and Investment Committee, assist the Board to fulfil its corporate governance and oversight responsibilities. The Board is directly responsible for the broader strategy of the company including to approve the risk appetite statement, business plan, and risk management strategy. With the assistance of the Senior Management (e.g. CEO, CFO, CRO), the Board is also responsible for setting a sound risk culture.
In relation to the three lines of defense, the Board, the Committees and the senior management are the primary stakeholders served by the “lines”. They essential roles are to ensure that the establishment of the three lines of defense model which reflected in the company’s risk management framework. They are also responsible to oversight and support the implementation of the three lines of defense.
3.2. The First Line of Defence
The first line of defence is functions that own and manage risks. It comprises the business management (including all levels of management who responsible for making decisions). They are responsible for managing risk in daily basis and in accordance with the risk’s management framework (including risk identification, risk assessment, risk mitigation and risk/control monitoring). They are also responsible for reporting and escalating any relevant information (e.g. control weakness/breakdown) to responsible senior management and/or second line of defence.
3.3. The Second Line of Defence
The second line of defence is functions that oversee risks. It usually includes various risk management and compliance functions. The second line of defence works closely with the business management (i.e. first line of defence) to assist the first line in managing the risks and implementing controls to mitigate the risks. The second line of defence also assists the first line to ensure that the controls in place are adequately designed and effective to mitigate the risks. Furthermore, they may provide advice and training to the business unit or to the senior management/the board on risk and compliance related matters. The second line of defence is functionally independent of the first line of defence. However, they are still report directly to the senior management.
3.4. The Third Line of Defence
The third line of defence is independent functions that provide an independent assurance. The third line of defence does not involve in designing or implementing controls, nor responsible for the company’s operations. The internal audit, as part of the third line of defence, has a direct report to the board through the Audit Committee. The board and senior management usually rely on internal auditor to provide reliable and objective assurance regarding governance, risk, and control.
3.5. Critics to Three Lines of Defense Model
Notwithstanding the simplicity of the Three Lines of Defense model, the model is based on traditional governance mechanism and its underlying ideas do not respond well in the fast-changing business environment (Leech and Hanlon, 2016). According to the House of Lords and House of Commons (2013), the “three lines of defense model” has not prevented banks' control frameworks failing in the past, partly due to the blurring lines and the status of the compliance, risk and audit apparatus was overshadowed by the front-line, remunerated for revenue generation.
In 2014, a formal debate forum on the motion “The Three Lines of Defense philosophy is not fit for purpose” was organised in the UK. A preliminary vote on the motion indicated that 32 against the motion while 13 supported it; however, the final vote on the motion showed that the motion was defeated by 24 votes to 20, suggesting the debate on the motion remains debateable (Audit and Risk, 2015).
4. Application of Three Lines of defense Model in Islamic Financial Institution (IFI)
4.1. The Proposed Model and Its Pillars
The governing principle of IFI is Shariah. Shariah consists of aqidah (faith and belief), akhlaq (moral and ethics) and fiqh (law), thus lines of defense of an IFI should evaluate and assess the compliance of IFI’s activities with the relevant Islamic law and Islamic ethics.
In the proposed model (see Diagram 2), the pillars of the three lines of defense are Islamic culture and knowledge. An in-depth understanding of Islamic finance is essential for employees of IFI to perform their tasks. According to the survey of PwC (2011), 70% of the respondents who work in IFI agree that they have sufficient number of well-trained staffs to perform Shariah audit effectively. It thus appears that there is a need to improve knowledge of Shariah related audit risk and issues.
The second pillar of the proposed model is Islamic culture. IFI should build Islamic culture with Islamic ethics (akhlaq) as its base. The board, its committees and senior managements should promote good characters (akhlaq) and become role models among their peers and staffs. They are also responsible to reward their staff who acted in good manner. Over time, Islamic ethics will be part of the IFI’s culture.
Senior management, board, and its committees play an essential role in corporate governance and Shariah compliance. They are also the most suitable parties positioned to ensure that the Three Lines of Defense model is properly implemented. It is necessary to ensure that there is sufficient level of managerial and supervisory controls in place to indicate system breakdown and unexpected events.
4.2. Monitoring and Oversight
Bank Negara Malaysia in its Shariah Governance Framework stated that the board is ultimately accountable and responsible on the overall Shariah governance framework and Shariah compliance of the Islamic Financial Institution (IFI), by putting in place the appropriate mechanism to discharge the aforementioned responsibilities. The board is also expected to perform diligent oversight over the effective functioning of the IFI’s Shariah governance framework and ensure that the framework commensurate with the size, complexity and nature of its business (Bank Negara Malaysia, 2011).
On the other hand, the Shariah Committee shall be responsible and accountable for all its decisions, views and opinions related to the Shariah matters. The board is expected to rely on the Shariah Committee on all Shariah decisions, views and opinions relating to the business of the IFI. Furthermore, the Shariah Committee is expected to perform an oversight role on Shariah matters related to the institution’s business operations and activities. This shall be achieved through the Shariah review and the Shariah audit functions. Regular Shariah review reports and the Shariah audit observations should enable the Shariah Committee to identify issues that require its attention and where appropriate, to propose corrective measures (Bank Negara Malaysia, 2011).
Therefore, the board of director with the assistance of its committees plays a role of a muhtasib in the IFI, i.e. to ensure that the daily company’s activities are Shariah compliance. They are responsible to establish a sound and prudent Shariah governance framework (including the three lines of defense) in the IFI. They are also responsible to oversight the implementation of the framework. To ensure the effectiveness of the board’s responsibilities, the board and its committees should continuously seek Islamic Finance knowledge (e.g. Shariah law in Islamic Finance) and general knowledge (e.g. Company’s operation and business). With continuous professional developments on the knowledge of Islamic finance, the board and its committees will be able to differentiate Shariah compliance and non-Shariah compliance events and make appropriate action accordingly.
Through continuously seeking knowledge, the board also sends a strong message to its staffs that seeking knowledge is important. Furthermore, the board should facilitate the learning process for employees e.g. provides qard hasan for employees whose willing to pursue their higher education, organizes regular Islamic lecture and provides soft skills’ training. Similarly, in regards with the implementation of Islamic ethics, the board and its committees should become a role model (walk the talk). They should demonstrate ethical behaviour in their daily activities and treat all the stakeholders ethically.
4.3. The First Line of Defence
The first line of defence has two responsibilities, first is to generate business and second to manage the associated risks of doing the business (including Shariah non-compliance risks). Hence, the first line of defence is responsible for risk identification, risk assessment, risk mitigation (by ensuring relevant controls are in place) and monitoring the effectiveness of the controls. As part of the monitoring task, the first line of defence is responsible to complete a self-assessment and evaluation (muhasabah) over their own controls to ensure controls in place are working effectively to mitigate the related risks. Furthermore, they are also responsible to raise any control weakness/breakdown and/or Shariah non-compliance to the responsible senior management and/or second line of defence.
In order to perform their duties effectively, the first line of defence should continuously upgrades their skills and knowledge, not only worldly knowledge but also Islamic and Shariah knowledge. The management should monitor and facilitate the training for their staffs as well proactively take corrective actions if there is a gap in the staff’s skills and knowledge. Regarding to the Islamic culture, all managerial levels has similar responsibility with the board, i.e. to be a role model and act ethically in their daily activities.
4.4. The Second Line of Defence
The second line of defence plays a hisbah’s roles and responsibilities, i.e. to oversee risks, in Islamic Financial Institution (IFI). They have to ensure that the first line of defence is managing the risk effectively (including the Shariah non-compliance risk). The second line of defence is also responsible to provide advices and training when it is required. They comprise various risk management and compliance functions (e.g. Risk Management, Shariah Review and Shariah Research). The second line of defence is functionally independent from the first line of defence. Usually, the second line of defence has direct report to the board or its committees (e.g. Risk Management report directly to the Board Risk Committee) and indirect report to the management. Below are divisions/units that are unique to an IFI and their responsibilities as second line of defence.
Shariah Risk Management
The nature of Shariah risk management may include:
- assist and advice first line of defence in identifying, assessing, mitigating and monitoring Shariah non‐compliance risks.
- assist and advice first line of defence in preparing a risk control matrix. The matrix should outline all Shariah non-compliance risks, risk rating based on likelihood and impact as well as control activity to mitigate the risk.
- assist and advice first line of defence in creating a test plan to ensure the adequacy and effectiveness of controls in place to mitigate the identified Shariah non-compliance risks.
- ensure that Shariah non-compliance risks and the effectiveness of controls in place are regularly reported to the Board or its committee. The report should include the result of the control testing performed by the first line of defence.
- provide training and/or advices in relation to the Shariah risk management.
- develop policy and guidelines for managing the Shariah non-compliance risk.
- is part of Enterprise Risk Management of an IFI.
- liaise with Shariah Internal Audit and assist them in completing their audit when required.
- continuously seeking knowledge in risk management and Islamic finance in general.
The scope of Shariah review usually covers the following:
- ensure that activities and operations performed by first line of defence is comply with Shariah principles.
- advice possible remedial action to resolve Shariah non-compliance issues and mitigation control to avoid recurrences of the issues.
- ensure that the reporting process on Shariah non-compliance matters is carried out effectively and on timely manner (e.g. reported to the Board or its committee in timely manner).
- regularly provide Shariah non-compliance report to the Board or its Committee.
- a subject matter expert in Islamic finance matters and Islamic ethics.
- provide training and/or advice in relation to Islamic finance and Islamic ethics.
- become a role model and show a high standard in relation to Shariah compliance and Islamic ethics.
- liaise with Shariah Internal Audit and assist them in completing their audit when required.
- continuously seeking knowledge in Islamic law, specifically Islamic finance law, and audit/review process and methodology.
The responsibilities of Shariah scholars and reseachers vary on organisational context and individual interest, but can include:
- perform research and suggest potential new product to be developed.
- review new develop product and ensure there is no potential Shariah non-compliance issues prior to submission to the Shariah committee for approval.
- provide advice in accordance to the Shariah committee’s view in relation to the product Shariah non-compliance issues.
- a subject matter expert in Islamic product engineering and structuring.
- liaise with Shariah Internal Audit and assist them in completing their audit when required.
- continuously seeking knowledge in Islamic finance products, Islamic finance law and common law.
4.5. The Third Line of Defence
The third line of defence is functions that provide an independent assurance. Shariah audit either as part of internal audit or separate independent internal unit or external party is a third line of defence in an IFI. The main difference of the third line of defence with the other lines of defense are their independency and their involvement in risk management/business activities (i.e. no involvement at all in risk management and business activities).
Shariah audit itself refers to the periodical assessment conducted from time to time, to provide an independent assessment and objective assurance designed to add value and improve the degree of compliance in relation to the IFI’s business operations, with the main objective of ensuring a sound and effective internal control system for Shariah compliance (Bank Negara Malaysia, 2011).
The Governance and Auditing Standards of AAOIFI (2012: 20) indicate that Shariah audit is intended “to provide reasonable assurance that financial statements taken as a whole are free from material misstatement”, and by reasonable assurance AAOFI means that “the auditor has satisfied himself or herself that transactions examined during audit comply with Shari’a rules and principles as determined by the Islamic financial institution’s (IFI’s) Shari’a Supervisory Board (SSB)”.
Rahman (2013) in his thesis suggested that the scope of Shariah audit should cover every aspect of organizational activities as required by Islamic religious teaching. Furthermore, the scope of Shariah audit is broader than conventional audit in the sense that it comprises of an extra attribute of making sure that an IFI must comply with Shariah (Othman and Ameer, 2015). In 2011, PricewaterhouseCoopers (PwC) conducted a survey on the practice of Shariah auditing in Malaysia. The study of PwC found that more than half of the 15 institutions surveyed extended the scope of Shariah audit to credit administration, financing, recovery, treasury operations, settlements/ disbursements, legal and Shari’ah fatwa process. Additionally, half of the respondents had extended the scope of the audit to risk management and human resources functions. It thus appears that contemporary Shariah auditing in Malaysia covers nearly all relevant organisational process and business functions in financial services.
To sum up, Shariah audit is designed to ensure that all IFI’s activities is Shariah compliance and does not harming the society. The role of Shariah audit is not limited to only ensuring compliance with law and regulation but also need to consider compliance with Islamic ethics as part of their assessment. It must be emphasized that the main objective of auditing (including Shariah audit) is not designed to penalise a person/staff if there is any gaps or non-compliances; rather, their objective is to add value and recommend solutions on how to prevent the occurrence of such gaps or non-compliances.
The three lines of defense model provide a clarity regarding roles and responsibilities of various risk functions within an organization. It can help to minimize potential gaps in controls and unnecessary work duplication within the organization. Hence, Islamic Financial Institution (IFI) should adopt the concept of three lines of defense as part of their enterprise risk management framework to strengthen the effectiveness of their risk management function.
Unlike conventional financial institution, the foundation of an IFI’s three lines of defense is Shariah. As Shariah consists of faith, ethics and law, the three lines of defense of an IFI should not merely cover compliance aspect to the Shariah laws but should also cover compliance aspect to the Islamic ethics. To support these, each line of defense should obtain adequate level of Islamic finance to distinguish Shariah compliance practices. Moreover, the board and its committees with the assistance from senior managements and lines of defense should establish Islamic culture based on Islamic ethics (akhlaq) within the organization.
In this paper, the author proposes three lines of defense model for an IFI. The foundation of the model is Shariah while its pillars are knowledge and Islamic culture. The roles and responsibilities of each line of defence should be within this framework. With this model, an IFI should be able to establish effective and efficient three lines of defense that aligned with their objectives.
The proposed three lines of defense model for an IFI are from conceptual and theoretical perspective. The author did not conduct any research to analyse and asses the effectiveness of three lines of defense in an IFI. The author suggests that further research should be conducted to analyse the effectiveness of three lines of defense in an IFI. The researcher(s) should analyse the gaps between current practices with the theoretical concepts and recommend practical solutions that beneficial for the IFI.
- Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI) (2012), "AAOIFI – Governance and Auditing Standards", presented in the 4th Annual IIBI – ISRA Thematic Workshop, London, United Kingdom September 2012 [Online], available at: https://www.assaif.org/ita/content/download/31770/162486/file/Mr+Khairul+Nizam+(AAOIFI+-+Governance+and+Auditing+Standards).pdf (accessed on 25 September 2016).
- Al-Attas, Syed Muhammad Naquib (1980), “The Concept of Education in Islam”, presented in the First World Conference on Muslim Education held in Makkatul MucaÀÀamah, March 1977,[Online], available at: https://www.mef-ca.org/files/attas-text-final.pdf (accessed on 25 April 2016).
- Anderson, Douglas J and Eubanks, Gina (2015), Leveraging COSO Across the Three Lines of Defense, Institute of Internal Auditor [Online], available at: https://www.coso.org/documents/COSO-2015-3LOD-PDF.pdf (accessed on 25 April 2016).
- Arndorfer, Isabella and Minto, Andrea (2015), The “four lines of defense model” for financial institutions, Bank for International Settlements, Bank for International Settlements [Online], available at: https://www.bis.org/fsi/fsipapers11.htm (accessed on 25 April 2016).
- Audit and Risk (2015), Experts debate three lines of defense model [Online], available at: https://auditandrisk.org.uk/news/experts-debate-three-lines-of-defence-model-- (accessed on 25 May 2016).
- Australian Prudential Regulation Authority (APRA) (2015), Prudential Practice Guide – CPG 220 Risk Management, APRA, [Online], available at: https://www.apra.gov.au/CrossIndustry/Documents/Prudential-Practice-Guide-CPG-220-Risk-Management-January-2015.pdf (accessed on 25 April 2016).
- Bank Negara Malaysia (2011), Shariah Governance Framework for Islamic Financial Institutions, [Online], available at: https://www.bnm.gov.my/guidelines/05_shariah/ 02_Shariah_Governance_Framework_20101026.pdf (accessed on 25 April 2016).
- Committee of Sponsoring Organisations of the Treadway Commission (COS) (2013), Internal Control – Integrated Framework, COSO, [Online], available at: https://na.theiia.org/standards-guidance/topics/Documents/Executive_Summary.pdf (accessed on 25 April 2016).
- Dogarawa, A. B. (2013), “Hisbah and the promotion of ethical business practices: A reflection for the shari'ah implementing states in Nigeria”, International Journal of Islamic and Middle Eastern Finance and Management, Vol. 6, No. 1, pp. 51 – 63. https://doi.org/10.1108/17538391311310743
- Hasan, Z. B. (2016), “From legalism to value-oriented Islamic finance practices”, Humanomics, Vol. 32, No. 4, pp.437 – 458. https://doi.org/10.1108/H-07-2016-0051
- House of Lords and House of Commons (2013), “Bank governance, standards and culture”, in: Changing Banking for Good - Parliamentary Commission on Banking Standards Contents [Online], available at: https://www.publications.parliament.uk/pa/jt201314/jtselect/jtpcbs/27/27ii09.htm (accessed on 25 April 2016).
- Ishola, M. H. (2012), “Fighting corruption: an expectation augmented approach”, Humanomics, Vol. 28, No. 2, pp.133 – 147. https://doi.org/10.1108/08288661211228898
- Johnstone, K. M and Gramling, A. and Rittenberg, L. E. (2014), Auditing: A Risk Based Approach to Conducting a Quality Audit, USA: Cengage Learning, Ninth Edition.
- Lahsasna, A. (2011), Shariah Aspects of Business and Finance, Malaysia: INCEIF [Online], available at: www.inceif.org/pdfs/Shariah_Aspects_in_Business_&_Finance.pdf (accessed on 25 April 2016).
- Lahsasna, A. (2014), Shariah Non-Compliance Risk Management and Legal Documentation in Islamic Finance, Singapore: John Wiley & Sons.
- Lahsasna, A. (2016), Shariah Audit in Islamic Finance, Malaysia: IBFIM.
- Leech, T. and Hanlon, L. (2016), “Three lines of defense versus five lines of assurance”, in Leblanc, R. (ed.), The Handbook of Board Governance: A Comprehensive Guide for Public, Private, and Not-for-Profit Board Members, New Jersey: John Wiley & Sons, pp. 335-355.
- Othman. R. and Ameer, R. (2015), “Conceptualizing the duties and roles of auditors in Islamic financial institutions: What makes them different?”, Humanomics, Vol. 31, No. 2, pp. 201 – 213. https://doi.org/10.1108/H-04-2013-0027
- PwC (2011), Shariah Audit: industry insights, [Online],available at: www.isfin.net/sites/isfin.com/files/shariah-auditsecured.pdf (accessed 20 October 2016).
- Priyoyudanto, F. (2013), Model of Islamization of Knowledge: Syed Muhammad Naquib Al Attas, Ismael Raji Al-Faruqi and Fazlur Rahman.
- Rahman, M. J. (2013), The Current Perception and Practice of “Shariah Auditing” in Bangladeshi Islamic Banks, Japan: Ritsumeikan Asia Pacific University [Online], available at: https://r-cube.ritsumei.ac.jp/bitstream/10367/5903/1/52111625.pdf (accessed on 25 April 2016).
- The Institute of Internal Auditors (IIA) (2013), The Three Lines of Defense in Effective Risk Management and Control, USA: Institute of Internal Auditors [Online], available at: https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf (accessed on 25 April 2016).
- Umaruddin, M. (2003), The Ethical Philosophy of Al-Ghazzali, Kuala Lumpur: A.S. Noordeen.