The three lines of defence




Audit Committee Institute, sponsored by KPMG

Audit committees these days are burdened with a lengthy list of mandatory agenda items, and must find the time to address these and other topics. The following article summarises some practical hints to help you focus your audit committee agendas.

The challenges arising from the current economic situation, and potential changes in legislation, will increase the pressure on companies to adopt a robust governance framework and to sustain a good relationship and communication between management, internal audit and the audit committee.

The three lines of defence

How can companies and financial institutions strengthen these relationships? The three lines of defence model can be used as the primary means to demonstrate and structure roles, responsibilities and accountabilities for decision making, risk and control, so as to achieve effective governance, risk management and assurance.

First line of defence: business operations (risk and control in the business)

Businesses are responsible for ensuring that a risk and control environment is established as part of day-to-day operations. Line management should thus be adequately skilled to create risk definitions and make risk assessments. The risk profile needs to be proactively reviewed, updated and modified for changes to the business environment and for emerging risks. Active risk management and periodic reporting on risks are crucial to quick identification and response, and will give the company a strategic advantage over competitors.

Ensure the risk framework is able to respond quickly: management must make best use of early warning indicators to identify, evaluate and respond to changes quickly. With quick identification and response, it may be possible to discern new strategic opportunities before they are discovered by the competition.

The first line of defence provides management assurance, and informs the audit committee by identifying risks and business improvement actions, implementing controls, and reporting on progress.

Second line of defence: the oversight functions

These functions set company boundaries by drafting and implementing policies and procedures. They are also responsible for guidance and direction on implementing their policies and for monitoring their proper execution. They provide oversight over business processes and risks.

Align strategy, risk and policies: these oversight functions are thus responsible for designing policies, setting direction, introducing best practice, ensuring compliance and providing assurance oversight for board members and audit committee members. Now is an opportune time to stand back and re-think how risk management activities combine within the wider system of internal control as part of an efficient, effective, integrated assurance framework.

Questions which can be asked:

- Do you have clearly defined oversight structures with roles, responsibilities and accountability?
- Is risk and risk management used to drive strategic alignment, business unit performance and accountability?
- Does your governance and assurance add value to the organisation?
- Do risk and assurance providers share risk profiles, definitions and technology, rely on each other's work, map sources of assurance over key risks and controls, and streamline their activities?
- Do you receive coordinated reporting on total assurance activities, emerging risks and themes in issues across the business?

Review of policy frameworks assures that the right policy owners are keeping policies up to date and responding to new strategic priorities and risks, and that the monitoring mechanisms are working to ensure compliance with the updated policies.

Third line of defence: independent assurance providers (internal audit and other independent assurance providers)

The internal auditor's role is to provide independent, objective assurance and consulting activities designed to add value and improve a company's operations. They help the company accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes. The third line of defence entails independent challenge, audit of key controls, formal reporting on assurance, audit of assurance providers, and entity-level controls assurance.

In view of this independent challenge, appropriate reporting lines for the internal auditors (best practice is directly to the audit committee) are critical if they are to achieve independence and objectivity while effectively assessing the organisation's internal control, risk management and governance processes. The head of audit should meet regularly with the audit committee to discuss any assurance issues, but the meeting need not be limited to these should either party want to bring other issues to the table.

Audit committee's role

As indicated in the model, all three lines of defence have specific tasks in the internal control governance framework. It is the audit committee's role to maintain oversight and to monitor the effectiveness of internal controls and risk management processes, as well as the internal audit activities. To allow the audit committee to monitor and render opinions on the effectiveness of the company's internal controls and risk management, there is a need for a clear overview of the company's risk and control framework. A close working relationship and enhanced communication are also crucial between management, the risk function, internal audit and the audit committee. This relationship is essential for each to fulfil its responsibilities to management, the board, shareholders and other stakeholders.

The three lines of defence (diagram)

Board, Excom & Audit Committee

1st line, business operations: an established risk and control environment; strategic management. The first level of the control environment is the business operations, which perform day-to-day risk management activity.

2nd line, oversight functions (Finance, HR, Quality and Risk Management): policy and procedure setting; functional oversight. Oversight functions in the company, such as Finance, HR and Risk Management, set directions, define policy and provide assurance.

3rd line, independent assurance (Internal Audit, external audit and other independent assurance providers): independent challenge and assurance. Internal and external audit are the third line of defence, offering independent challenge to the levels of assurance provided by business operations and oversight functions.

Audit Committee Institute, KPMG in Belgium

kpmg.ru

Contact us: Audit Committee Institute in Russia, Boris Lvov, Corporate Governance, Performance and Compliance. Tel: +7 937 4477. E-mail: aci@kpmg.ru

This text is an unaccredited version of "The three lines of defence", adapted by KPMG in Russia and the CIS from the text prepared by the Audit Committee Institute sponsored by KPMG. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

2009 ZAO KPMG, a company incorporated under the Laws of the Russian Federation and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Russia. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.