The Three Lines of Defense - Office of Internal Audit
The three lines of defense model offers a framework for effective risk management and governance within an organization's control environment. Each line plays a distinct role:
First Line of Defense: Management
- Role: Handled by business and process owners.
- Responsibilities:
  - Maintain effective internal controls.
  - Execute risk and control procedures daily.
  - Identify, assess, and mitigate risks.
  - Develop and implement internal policies and procedures.
  - Ensure alignment with university goals.
- Mid-level management designs detailed control procedures and supervises their execution.
Second Line of Defense: Risk Management and Compliance
- Role: Supports management to ensure effective risk and control management.
- Functions:
  - Risk Management Function:
    - Facilitates and monitors risk management practices.
    - Assists in defining risk exposure and reporting risk-related information.
  - Compliance Function:
    - Monitors noncompliance risks with laws and regulations.
    - Reports directly to senior management.
  - Controllership Function:
    - Monitors financial risks and reporting issues.
- Purpose:
  - Ensures the first line is effectively designed and operational.
  - Although supportive, lacks full independence.
Third Line of Defense: Internal Audit
- Role: Provides assurance to senior management and the board that operations align with expectations.
- Characteristics:
  - High level of organizational independence and objectivity.
  - Cannot direct or implement processes, but advises and recommends.
  - Evaluates and improves risk management, control, and governance processes.
External Auditors
- Responsibilities:
  - Express an opinion on the fairness of the financial statements.
  - Provide assurance on institutional compliance (e.g., Title IV funding).
Additional Information
References:
- "COSO's Take on the Three Lines of Defense."
- "Leveraging COSO across the Three Lines of Defense," July 2015.