Using three lines of defence to manage internal controls

Establishing just who is responsible for specific internal controls can be a challenge at many organisations.

Effective internal controls help organisations manage risks in a systematic, effective way. The internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) helps many organisations manage risks. But the framework does little to establish who is responsible for the specific duties it describes.

A new COSO white paper released Tuesday, Leveraging COSO Across the Three Lines of Defense, describes how organisations can better establish and co-ordinate duties related to risk and control. The American Institute of CPAs is a member of COSO.

Co-ordination under this model can help minimise gaps in controls and eliminate unnecessary duplication of assigned duties. The model proposes that senior management and the board oversee and direct three separate groups (or lines of defence) that contribute to effective management of risk and control. These separate groups:

• Own and manage risk and control (operating management).
• Monitor risk and control in support of management (risk, control, and compliance functions put in place by management).
• Provide independent assurance about effectiveness of risk management and control to the board and senior management (internal audit).

A recent global survey of internal auditors found that 56% of organisations use this model and consider internal audit to be the third line of defence. But 20% of global respondents, including 43% in South Asia, were not familiar with the three-lines-of-defence model.

Under the model, each group has a distinct role within the organisation’s governance framework:

• Senior management and the board of directors have ultimate responsibility for making sure governance, risk management, and control processes are effective.
• All three lines of defence should exist in some form at every organisation.
• Each group within the three lines of defence should have clearly defined roles and responsibilities.
• Sharing information and co-ordinating activities among the lines of defence is necessary to improve efficiency, avoid duplication of work, and ensure that risks are addressed effectively.
• Lines of defence should not be combined or co-ordinated in a manner that compromises their effectiveness.

—Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine editorial director.