Can Internal Audit be a Star Player in your Second Line of Defense?

In a sense, managing your company’s risk can be a lot like managing a professional sports team.  There are budget restraints, shortage of players, periodic changes to the rules and regulations…the list is endless.  Similar to a team executing a successful game plan while facing various limitations, companies are often forced to make decisions on who will manage risks based on limited resources. 

The Institute of Internal Auditors’ (IIA) Position Paper The Three Lines of Defense in Effective Risk Management and Internal Control describes the Three Lines of Defense model as allocations of responsibilities amongst various functions of the organization. 

Three Lines of Defense in Effective Risk Management and Internal Control

  • First Line of Defense:  Operational management, primarily responsible for ensuring that a risk and control environment is established as part of daily operations.
  • Second Line of Defense:  Risk management and compliance oversight, responsible for ensuring that processes are properly designed and operating effectively.  This line of defense can include, but is not limited to, security, quality, inspection and compliance.
  • Third Line of Defense:  Internal audit function, responsible for providing independent assurance over processes and controls

With the continuous restraints many companies are facing, businesses are relying on the Chief Audit Executive (CAE) and internal audit to assume some or all of the second line of defense responsibilities.  The key to the third line of defense is independence.  If internal audit is taking any of the second line of defense roles, it is essential that independence and objectivity are maintained.  Additionally, verification of the safeguards to maintain independence and objectivity should occur on a regular basis to ensure that these controls are operating effectively. 

So, what are the key plays for utilizing the internal audit function for second line of defense functions while effectively maintaining independence?

How to Utilize Internal Audit for the Second Line of Defense

  • Confirm that the CAE, management, and the board understand the risks associated with internal audit assuming second line of defense responsibilities.
  • Ensure that operational management takes ownership of risks.  The third line of defense should avoid setting the risk appetite or managing risks.
  • Define the roles for all activities where second line of defense activities overlap with third line of defense activities.
  • Determine and document if the assignment to second line of defense activities is temporary or long-term.  If temporary, a formal transition plan should be documented and discussed with management and the board.
  • Document second line of defense activities that will be performed by internal audit in the charter or in the annual board update.
  • Perform an independent assessment of internal audit’s second line of defense roles periodically.The CAE should include an assessment of these roles in the quality assurance program.

If your strategy is to use internal audit for some or all of the second line of defense responsibilities, make sure you play smart.  Follow the rules above and continuously evaluate internal audit’s role in performing second line of defense activities, to ensure that your company has a strong defense while maintaining independence and objectivity.

Contact us with questions regarding managing your company's risk and visit our Internal Audit and Risk Advisory page to learn about services that we offer.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2022 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Benefits of a Trusted Co-Source Audit Partner During the Great Resignation
Business Continuity and Disaster Recovery Planning
What Should a Service Organization Consider When Determining Its SOC Report Testing Period?
Benefits of a Contract Lifecycle Management System
Changes in Athletics with the New NCAA Constitution Approval
Higher Education Institutions Looking to Cryptocurrency for Future Gift Acceptance Considerations
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.