In a sense, managing your company’s risk can be a lot like managing a professional sports team. There are budget restraints, shortage of players, periodic changes to the rules and regulations…the list is endless. Similar to a team executing a successful game plan while facing various limitations, companies are often forced to make decisions on who will manage risks based on limited resources.
Three Lines of Defense in Effective Risk Management and Internal Control
First Line of Defense: Operational management, primarily responsible for ensuring that a risk and control environment is established as part of daily operations.
Second Line of Defense: Risk management and compliance oversight, responsible for ensuring that processes are properly designed and operating effectively. This line of defense can include, but is not limited to, security, quality, inspection and compliance.
Third Line of Defense: Internal audit function, responsible for providing independent assurance over processes and controls
With the continuous restraints many companies are facing, businesses are relying on the Chief Audit Executive (CAE) and internal audit to assume some or all of the second line of defense responsibilities. The key to the third line of defense is independence. If internal audit is taking any of the second line of defense roles, it is essential that independence and objectivity are maintained. Additionally, verification of the safeguards to maintain independence and objectivity should occur on a regular basis to ensure that these controls are operating effectively.
So, what are the key plays for utilizing the internal audit function for second line of defense functions while effectively maintaining independence?
How to Utilize Internal Audit for the Second Line of Defense
Confirm that the CAE, management, and the board understand the risks associated with internal audit assuming second line of defense responsibilities.
Ensure that operational management takes ownership of risks. The third line of defense should avoid setting the risk appetite or managing risks.
Define the roles for all activities where second line of defense activities overlap with third line of defense activities.
Determine and document if the assignment to second line of defense activities is temporary or long-term. If temporary, a formal transition plan should be documented and discussed with management and the board.
Document second line of defense activities that will be performed by internal audit in the charter or in the annual board update.
Perform an independent assessment of internal audit’s second line of defense roles periodically.The CAE should include an assessment of these roles in the quality assurance program.
If your strategy is to use internal audit for some or all of the second line of defense responsibilities, make sure you play smart. Follow the rules above and continuously evaluate internal audit’s role in performing second line of defense activities, to ensure that your company has a strong defense while maintaining independence and objectivity.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.