Similar to a 2013 IIA Position Paper, a new document by EY maintains that implementing the three lines of defense model can help organizations eliminate coverage gaps and duplications by coordinating the work of their risk and control management professionals and independent assurance providers.
A new education and advocacy publication by EY LLP nicely supplements a 2013 IIA Position Paper that recommends adopting the so-called three lines of defense (LOD) approach to coordinating enterprisewide risk management and control activities. CAEs at organizations whose boards and senior executives are still reluctant or unable to fully implement this model — which recognizes internal audit's assurance expertise — may wish to distribute one or both of these concise yet informative documents to their key stakeholders.
CAE Bulletin readers may recall that The IIA's January 2013 position paper (PDF) observes that most midsize and large enterprises employ expert teams of risk and control professionals to help management identify and deal with threats to the achievement of objectives set by the board. Yet these organizations often struggle to clearly define and consistently communicate the roles and responsibilities of those professionals, including how they are expected to coordinate, so that there are neither "gaps" in controls nor unnecessary duplications of coverage. The document asserts that adopting the systematic LOD approach to meeting this formidable challenge has become a best practice worldwide.
Under this approach, management control is the first line of defense, because operations managers are responsible for performing risk- and control-related procedures on a day-to-day basis. The second line of defense includes the various risk management, internal control, security, quality inspection, compliance oversight, fraud investigation, and other functions staffed by management to ensure that first-line controls are properly designed, in place, and operating as intended. The third line is internal audit, whose role, the paper says, is to provide senior management and the board with comprehensive assurance — including periodic assessments of how well the first and second lines are achieving the organization's risk management and control objectives — "based on the highest level of independence and objectivity within the organization." The third line may also include the external auditor, regulators, or other external parties.