Three Lines of Defense

I have written several blogs on controls and the internal control process, but I want to use this blog to cover one of the basic tenets of internal control that I have not spent sufficient time on in the past – the concept of three lines of defense. ISO 31000 and the COSO Internal Control Integrated Framework both incorporate this concept; it is part of the very foundation of internal control. So, what are the three lines of defense?

1) Management
2) Risk Management & Compliance Functions – also known as Monitoring
3) Internal Audit

Management is everyone in the business or organization. They have to set the tone, implement the controls and actually perform them. If management does not embrace the idea of an appropriately controlled environment, then the second and third lines of defense are meaningless.

The risk management and compliance functions of the business are there to monitor the practices of management. Monitoring requires more than just checking on the controls. It also encompasses looking for new and emerging risks that had not previously been contemplated by the business and getting that information back to management so it can be incorporated into the first line of defense. Done right, there is a constant feedback loop between the second line and the first line of defense.

Internal Audit is the final line of defense. It provides objective assurance about the first and second lines of defense to those responsible for governance. Internal auditors have to have a full understanding of the business and its risk management processes. This certainly isn’t the stereotypical check-the-box, numbers-driven auditor that all too many people associate with the Internal Audit function.

While, as stated, the first line of defense must be in place for the other two lines to have any meaning, that doesn’t mean you can let the second and third lines of defense lag. The financial crisis was at least partially due to an inability to think about what might happen (housing prices going down) and how that would impact a business. The second line of defense deals with those and many other issues. The third line of defense is also critical because those governing the organization depend on the third line’s expertise and integrity to make sure the first and second lines of defense are working appropriately.

I know some businesses are too small to have internal audit departments, but no business is too small to go without the functions internal audit performs. That’s where professional accountants, such as CPAs, CGMAs and others, can step in to help. We bring objectivity and integrity to any work we do, which helps ensure that the three lines of defense are always there.
