Effective internal controls help organizations manage risks and processes in a systematic and effective way. The internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) helps many organizations manage risks. However, one drawback is that the framework does little to establish who is responsible for the specific duties it describes. A recent study entitled Leveraging COSO Across the Three Lines of Defense, from the Institute of Internal Auditors, describes how organizations can better establish and coordinate roles to improve communication and coordination around those duties. Below is a summary of the key points, which can help augment the internal controls at most companies.
Three Lines of Defense
The Three Lines of Defense refer to different levels within the organization (and potentially outside assurance) and delineate each level's function as it relates to risk management.
- Line 1 – Refers to business and process owners who ultimately make the decisions about activities that create and/or manage business risks. It is their responsibility to own and manage that risk, including taking the “right” risks that allow the organization to achieve its objectives. They also own the design and execution of the organization’s controls to respond to any risks.
- Line 2 – Refers to individuals put in place by management to help business and process owners ensure that risks and controls are effectively monitored. These positions include risk, control, and compliance management and/or oversight functions with ownership of many risk management and process aspects. Duties can vary widely, depending on the size, industry, and complexity of the organization.
- Line 3 – Internal auditors, who typically have no management duties, separating them from the other groups. As such, they provide independent, objective assurance to the board about effectiveness of governance, risk management, and internal controls. In addition, while external auditors are not formally included in the three lines of defense model, they may provide important observations and assessments of the organization’s controls over financial reporting and related risks.
Importance of Communication
Along with defined roles and responsibilities for each line of defense, supported by appropriate policies and procedures, information reporting mechanisms should be established to improve efficiency while ensuring all significant risks are appropriately addressed. Senior management and the board of directors are ultimately responsible for clearly communicating expectations around reporting and activity coordination among the entire team. Information sharing and coordination will enhance overall effectiveness and allow continual improvement of risk and control management to support the organization in achieving its objectives.
Consider using the COSO Three Lines of Defense Model for your organization, whether or not you have a formal risk management framework or system in place, and regardless of your firm's size or complexity. The best practices outlined herein will be useful in ensuring an effective risk management process.
An effective internal controls structure is essential to the reduction of organizational risk. If you have questions about your organization’s risk management profile or need assistance with internal audit issues, JLK Rosenberger can help! For additional information, please contact us at 949-860-9902.