The Three Lines of Defense
The three lines of defense model provides guidance for effective risk management and governance. Each of the three lines plays a distinct role with the University’s control environment.
First Line of Defense – Management
The first line of defense lies with the business and process owners. Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. This consists of identifying and assessing controls and mitigating risks. Additionally, business and process owners guide the development and implementation of internal policies and procedures and ensure activities are consistent with University goals and objectives. Mid-level managers may design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.
Second Line of Defense – Risk Management and Compliance
The second line supports management to help ensure risk and controls are effectively managed. Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defense controls. Typical functions in this second line of defense include:
- “A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization.
- A compliance function to monitor various specific risks such as noncompliance with applicable laws and regulations. In this capacity, the separate function reports directly to senior management.
- A controllership function that monitors financial risks and financial reporting issues.”
Management establishes these functions to ensure the first line of defense is properly designed, in place, and operating as intended. The second line of defense serves an important purpose but because of their management function, they cannot be completely independent.
Third Line of Defense – Internal Audit
The third line of defense provides assurance to senior management and the board that the first and second lines’ efforts are consistent with expectations. The main difference between this third line of defense and the first two lines is its high level of organizational independence and objectivity. Internal Audit may not direct or implement processes, but they can provide advice and recommendations regarding processes. Additionally, Internal Audit may support enterprise risk management but may not implement or perform risk management other than inside of its own function. Internal auditors accomplish their objectives by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
External auditors are responsible for expressing an opinion on the fairness (accuracy within a degree of materiality) of the financial statements in conformity with certain accounting standards. Additionally, external auditors may provide assurance to the Board of Trustees regarding institutional compliance requirements (such as Title IV funding of financial aid).
For additional information regarding the Three Lines of Defense, see IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control (PDF).
COSO’s Take on the Three Lines of Defense
Leveraging COSO across the Three Lines of Defense, July 2015