As part of a series debunking internal audit terminology, we're looking at the three lines of defence.
The Chartered Institute of Internal Auditors defines the second line of defence as ‘functions that oversee or specialise in risk management and compliance’.
Essentially, this is a monitoring and oversight function that owns aspects of the risk management process. It provides the policies, frameworks, tools, techniques and support to enable the first line of defence to manage risk.
Second line functions will monitor the effectiveness of this and ensure a consistent approach to risk management.
The second line of defence will typically incorporate:
- A risk management function that facilitates and monitors the implementation of effective risk management. The function would also help with setting acceptable levels of risk and reporting this throughout the organisation. A committee with responsibility for risk oversight is an example of this.
- A compliance function that monitors specific risks. For example, financial regulations may stipulate that invoices have to be paid within 30 days of receiving goods/services. A data analytics system would monitor payments made within the required timeline. Data could be used by management to review compliance as part of their role in the first line of defence.
- A financial control function that monitors financial risks and financial reporting issues. An example of this is an internal control group with financial expertise. This would enable department spending controls to be monitored with corporate oversight.
The second line has a crucial role in monitoring the compliance of the first line and assisting in identifying risks. It sets best practice and helps design and develop the key controls discussed in article one.
However, as the first and second lines of defence are closely linked, the third line of defence provides a crucial outside perspective.