THREE LINES OF DEFENSE
Cards (18)
- Three Lines of Defense modelA framework for managing risk and control in an organization
- First Line of Defense1. Operational management2. Own and manage risks3. Design and implement internal controls4. Responsible for maintaining effective controls
- Operational management
- Responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis
- Identifies, assesses, controls, and mitigates risks
- Guides the development and implementation of internal policies and procedures
- Ensures that activities are consistent with goals and objectives
- Second Line of Defense1. Risk management & compliance2. Help build and monitor first line of defense3. Ensure compliance with regulations4. Monitor financial risks and reporting requirements5. Identify changes in risk appetite
- Risk management function
- Facilitates and monitors the implementation of effective risk management practices by operational management
- Assists risk owners in defining the target risk exposure
- Reports adequate risk-related information throughout the organization
- Compliance function
- Monitors various specific risks such as noncompliance with applicable laws and regulations
- Reports directly to senior management, and in some business sectors, directly to the governing body
- Controllership function
- Monitors financial risks and financial reporting issues
- Third Line of Defense1. Internal audit2. Provide senior management with assurance3. Monitor the effectiveness of the first and second lines of defense4. Independent
- Internal audit
- Covers a broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts
- Covers all elements of the risk management and internal control framework
- Covers the overall entity, divisions, subsidiaries, operating units, and functions — including business processes
- Internal audit should have a functional reporting line to the board or one of its committees, making it independent of the executive, able to make objective judgements, and giving it the authority to conduct its work across the whole organization without constraint
- Internal audit must be properly resourced, including ensuring a consistently high level of professionalism and quality based on the International Standards, plus appropriate knowledge, skills and experience
- Internal audit should use a risk-based approach in developing and executing the internal audit plan in order to focus on the greatest threats to the organisation
- Internal audit's scope should be unrestricted, including all areas of risk – such as key corporate events, culture and ethics, reputation, new products and the outcomes of processes
- Continuous Controls Monitoring (CCM)Independent monitoring of automated and partially automated controls<|>Continuous detection of breaches<|>Transparency in detection and remediation<|>Addresses IT concerns<|>Collaborative approach to timely remediation
- CCM testing
- Frequency: Daily
- Detect: Any non-compliance over and below the threshold
- Assignment: To the control owner
- Deadline: Resolve same day
- Evidence: Due diligence performed on those over the threshold and any other exceptions detected
- Value: Ensure that control effectiveness is sustained at a high level
- CCM at each line of defenseEffectively monitor internal controls at the first and second lines of defense<|>Allow the third line of defense to be confident in its assurance role<|>Create a remediation process that minimizes the impact of a control breakdown<|>Provide evidence of due diligence for external auditors and regulators
- Internal control effectiveness is positively impacted by collaboration that covers collaboration at all three levels
- CCM is a compelling vehicle to facilitate a collaborative process