The ‘three lines of defence model’ is one approach to safeguarding the internal control framework. Our colleagues in the financial services industry will be familiar with it because it is the Financial Services Authority’s (FSA) preferred approach.
The model is not prescribed, but is implied as part of the functional segregations and reporting structures that the FSA looks for when undertaking its risk assessment (ARROW) visits.
Let’s look in more depth at how this model is typically applied.
The framework in practice
1st line of defence
This describes the controls an organisation has in place to deal with the day-to-day business. Controls are designed into systems and processes; assuming that the design is sound and mitigates risk appropriately, compliance with process should ensure an adequate control environment. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequacy of process and unexpected events.
2nd line of defence
This describes the committees and functions that are in place to provide an oversight of the effective operation of the internal control framework. These committees review the management of risk in relation to the particular risk appetite of the business, as determined by the board. The effectiveness of the 2nd line is determined by the oversight committee structure, their terms of reference, the competence of the members and the quality of the management information and reports that are considered by these oversight committees.
The 2nd line is reinforced by the advisory and monitoring functions of risk management and compliance. Risk management defines and prescribes the financial and operational risk assessment processes for the business, maintains the risk registers and undertakes regular reviews of these risks in conjunction with line management. Compliance advises on all areas of regulatory principles, rules and guidance, including leading on any changes, and undertakes monitoring activity on key areas of regulatory risk.
One would expect these functions to report upon their work undertaken and significant findings to the appropriate executive risk oversight committees in the 2nd line. These functions may also report to the board’s audit committee or a board risk committee in the 3rd line (depending upon the committee structures of the organisation).
3rd line of defence
This describes the independent assurance provided by the board audit committee, a committee of non-executive directors chaired by the senior independent director, and the internal audit function that reports to that committee.
Internal audit undertakes a programme of risk based audits covering all aspects of both 1st and 2nd lines of defence. Internal audit may well take some assurance from the work of the 2nd line functions and reduce or tailor its checking of the 1st line.
Clearly the level of assurance taken will depend on the effectiveness of the 2nd line, including the oversight committees, and internal audit will need to coordinate its work with compliance and risk management as well as assessing the work of these functions. The findings from these audits are reported to all three lines, i.e. accountable line management, the executive and oversight committees and the board audit committee.
This 3rd line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (1st line) and the defence (2nd line) fails to pick up the opposition’s attack, it is left to the goalkeeper (3rd line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both 1st and 2nd lines and failure to do so may lead to significant loss to the organisation.
The FSA and internal audit
The FSA, as regulator to the financial services industry, has four statutory objectives:
- market confidence: maintaining confidence in the financial system
- public awareness: promoting public understanding of the financial system
- consumer protection: securing the appropriate degree of protection for consumers
- reduction of financial crime: reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime.
The FSA places significant reliance on the work of internal audit when assessing the risk that individual organisations present to achieving the above objectives. The FSA places internal audit under regular close scrutiny as part of its risk assessment visits. It is particularly concerned with internal audit’s independence, its standing with the board and senior executive management and the influence it exercises across the organisation.
Although the model has been described above as typically applied in a financial services organisation, it is equally relevant to other sectors and industries. The model of management control in the 1st line, oversight challenge in the 2nd and independent assurance in the 3rd is universal in application and one well worth considering.
Paul Burden – Head of Audit, Liverpool Victoria