In a sense, managing your company’s risk can be a lot like managing a professional sports team. There are budget restraints, shortage of players, periodic changes to the rules and regulations…the list is endless. Similar to a team executing a successful game plan while facing various limitations, companies are often forced to make decisions on who will manage risks based on limited resources.
The Institute of Internal Auditors’ (IIA) Position Paper The Three Lines of Defense in Effective Risk Management and Internal Control describes the Three Lines of Defense model as allocations of responsibilities amongst various functions of the organization.
Three Lines of Defense in Effective Risk Management and Internal Control
- First Line of Defense: Operational management, primarily responsible for ensuring that a risk and control environment is established as part of daily operations.
- Second Line of Defense: Risk management and compliance oversight, responsible for ensuring that processes are properly designed and operating effectively. This line of defense can include, but is not limited to, security, quality, inspection and compliance.
- Third Line of Defense: Internal audit function, responsible for providing independent assurance over processes and controls
With the continuous restraints many companies are facing, businesses are relying on the Chief Audit Executive (CAE) and internal audit to assume some or all of the second line of defense responsibilities. The key to the third line of defense is independence. If internal audit is taking any of the second line of defense roles, it is essential that independence and objectivity are maintained. Additionally, verification of the safeguards to maintain independence and objectivity should occur on a regular basis to ensure that these controls are operating effectively.
So, what are the key plays for utilizing the internal audit function for second line of defense functions while effectively maintaining independence?
How to Utilize Internal Audit for the Second Line of Defense
- Confirm that the CAE, management, and the board understand the risks associated with internal audit assuming second line of defense responsibilities.
- Ensure that operational management takes ownership of risks. The third line of defense should avoid setting the risk appetite or managing risks.
- Define the roles for all activities where second line of defense activities overlap with third line of defense activities.
- Determine and document if the assignment to second line of defense activities is temporary or long-term. If temporary, a formal transition plan should be documented and discussed with management and the board.
- Document second line of defense activities that will be performed by internal audit in the charter or in the annual board update.
- Perform an independent assessment of internal audit’s second line of defense roles periodically.The CAE should include an assessment of these roles in the quality assurance program.
If your strategy is to use internal audit for some or all of the second line of defense responsibilities, make sure you play smart. Follow the rules above and continuously evaluate internal audit’s role in performing second line of defense activities, to ensure that your company has a strong defense while maintaining independence and objectivity.