Lines of Defense
First Line of Defense – Management The first line of defense lies with the business and process owners. Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. This consists of identifying and assessing controls and mitigating risks. Additionally, business and process owners guide the development and implementation of internal policies and procedures and ensure activities are consistent with University goals and objectives. Mid-level managers may design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees. Second Line of Defense – Risk Management and Compliance The second line supports management to help ensure risk and controls are effectively managed. Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defense controls. Typical functions in this second line of defense include: Management establishes these functions to ensure the first line of defense is properly designed, in place, and operating as intended. The second line of defense serves an important purpose but because of their management function, they cannot be completely independent. Third Line of Defense – Internal Audit The third line of defense provides assurance to senior management and the board that the first and second lines’ efforts are consistent with expectations. The main difference between this third line of defense and the first two lines is its high level of organizational independence and objectivity. Internal Audit may not direct or implement processes, but they can provide advice and recommendations regarding processes. Additionally, Internal Audit may support enterprise risk management but may not implement or perform risk management other than inside of its own function. Internal auditors accomplish their objectives by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
