The three lines of defence


Audit Committee Institute
Sponsored by KPMG

Audit committees these days are burdened with a lengthy list of mandatory agenda items, and must find the time to address these and other topics. The following article summarises some practical hints to help you focus your audit committee agendas.

The challenges arising from the current economic situation, and potential changes in legislation, will increase the pressure on companies to adopt a robust governance framework, and the need to sustain a good relationship and communication between management, internal audit and the audit committee.

The three lines of defence

How can companies and financial institutions strengthen these relationships? The three lines of defence model can be used as the primary means to demonstrate and structure roles, responsibilities and accountabilities for decision making, risk and control, in order to achieve effective governance, risk management and assurance.

First line of defence: business operations (risk and control in the business)

Businesses are responsible for ensuring that a risk and control environment is established as part of day-to-day operations. Line management should thus be adequately skilled to create risk definitions and make risk assessments. The risk profile needs to be proactively reviewed, updated and modified for changes to the business environment and for emerging risks. Active risk management and periodic reporting on risks are crucial to quick identification and response, and will allow the company to gain a strategic advantage over competitors.

Ensure the risk framework is able to respond quickly: management must make the best use of early warning indicators to identify, evaluate and respond to changes quickly. With quick identification and response, it may be possible to discern new strategic opportunities before they are discovered by the competition.

The first line of defence provides management assurance, and informs the audit committee by identifying risks and business improvement actions, implementing controls, and reporting on progress.

Second line of defence: the oversight functions

The oversight functions set company boundaries by drafting and implementing policies and procedures. They are also responsible for providing guidance and direction on implementing those policies and for monitoring their proper execution. They provide oversight over business processes and risks.

Align strategy, risk and policies: the oversight functions are thus responsible for designing policies, setting direction, introducing best practice, ensuring compliance and providing assurance oversight for board members and audit committee members.

Now is an opportune time to stand back and re-think how risk management activities combine within the wider system of internal control as part of an efficient, effective, integrated assurance framework. Questions which can be asked:

Do you have clearly defined oversight structures with roles, responsibilities and accountability?
Is risk and risk management used to drive strategic alignment, business unit performance and accountability?
Does your governance and assurance add value to the organisation?
Do risk and assurance providers share risk profiles, definitions and technology, rely on each other's work, map sources of assurance over key risks and controls, and streamline their activities?
Do you receive coordinated reporting on total assurance activities, emerging risks and themes in issues across the business?

A review of policy frameworks assures that the right policy owners are keeping policies up to date and responding to new strategic priorities and risks, and that the monitoring mechanisms are working to ensure compliance with the updated policies.

Third line of defence: independent assurance providers (internal audit and other independent assurance providers)

The internal auditor's role is to provide independent, objective assurance and consulting activities designed to add value and improve a company's operations. Internal auditors help the company to accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

The third line of defence entails independent challenge, audit of key controls, formal reporting on assurance, and audit of assurance providers and entity-level controls. In view of this independent challenge, appropriate reporting lines for the internal auditors (best practice is directly to the audit committee) are critical if they are to achieve their independence and objectivity while effectively assessing the organisation's internal control, risk management and governance processes. The head of audit should meet regularly with the audit committee to discuss any assurance issues, but the meeting should not be limited to these should either party want to bring other issues to the table.

Audit committee's role

As indicated in the model, all three lines of defence have specific tasks in the internal control governance framework. It is the audit committee's role to maintain oversight and to monitor the effectiveness of internal controls and risk management processes, as well as the internal audit activities. To allow the audit committee to monitor and render opinions on the effectiveness of the company's internal controls and risk management, there is a need for a clear overview of the company's risk and control framework. A close working relationship and enhanced communication are also crucial between management, the risk function, internal audit and the audit committee. This relationship is essential for each to fulfil its responsibilities to management, the board, shareholders and other stakeholders.

The three lines of defence (diagram)

Board, Excom and Audit Committee

First line: business operations. An established risk and control environment. The first level of the control environment is the business operations, which perform day-to-day risk management activity.

Second line: oversight functions (Finance, HR, Quality and Risk Management). Strategic management, policy and procedure setting, functional oversight. Oversight functions in the company, such as Finance, HR and Risk Management, set direction, define policy and provide assurance.

Third line: independent assurance (Internal Audit, External Audit and other independent assurance providers). Provide independent challenge and assurance. Internal and external audit are the third line of defence, offering independent challenge to the levels of assurance provided by business operations and oversight functions.

Audit Committee Institute, KPMG in Belgium

kpmg.ru

Contacts:
Audit Committee Institute in Russia
Boris Lvov
Corporate Governance, Performance and Compliance
Tel:

This text is an unaccredited version, adapted by KPMG in Russia and the CIS, of "The three lines of defence" text prepared by the Audit Committee Institute sponsored by KPMG.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

ZAO KPMG, a company incorporated under the Laws of the Russian Federation and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Russia. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
