Using three lines of defense to manage internal controls

By Ken Tysiac

Establishing just who is responsible for specific internal controls can be a challenge at many organizations.

Effective internal controls help organizations manage risks in a systematic, effective way. The internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) helps many organizations manage risks. But the framework does little to establish who is responsible for the specific duties it describes.

A new COSO white paper released Tuesday, Leveraging COSO Across the Three Lines of Defense, describes how organizations can better establish and coordinate duties related to risk and control. The AICPA is a member of COSO.

Coordinating duties under the white paper's three-lines-of-defense model can help minimize gaps in controls and eliminate unnecessary duplication of assigned duties. The model proposes that senior management and the board oversee and direct three separate groups (or lines of defense) that together contribute to effective management of risk and control. These separate groups:

  • Own and manage risk and control (operating management).
  • Monitor risk and control in support of management (risk, control, and compliance functions put in place by management).
  • Provide independent assurance about effectiveness of risk management and control to the board and senior management (internal audit).

A recent global survey of internal auditors found that 56% of organizations use this model and consider internal audit to be the third line of defense. But 20% of global respondents, including 43% in South Asia, were not familiar with the three-lines-of-defense model.

Under the model, each group has a distinct role within the organization’s governance framework, and the white paper sets out the following principles:

  • Senior management and the board of directors have ultimate responsibility for making sure governance, risk management, and control processes are effective.
  • All three lines of defense should exist in some form at every organization.
  • Each group within the three lines of defense should have clearly defined roles and responsibilities.
  • Sharing information and coordinating activities among the lines of defense is necessary to improve efficiency, avoid duplication of work, and ensure that risks are addressed effectively.
  • Lines of defense should not be combined or coordinated in a manner that compromises their effectiveness.

Ken Tysiac (ktysiac@aicpa.org) is a JofA editorial director.
