Beruflich Dokumente
Kultur Dokumente
o f
S p o n s o r i n g
O r g a n i z a t i o n s
o f
t h e
T r e a d w a y
C o m m i s s i o n
LEVERAGING COSO
ACROSS THE THREE
LINES OF DEFENSE
By
The Institute of Internal Auditors
The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to
specific situations should be determined through consultation with your professional adviser, and this paper should not be considered a substitute
for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.
Authors
The Institute of Internal Auditors
Acknowledgements
We would like to recognize Richard J. Anderson, Richard Chambers, Sally Dix, Jim DeLoach,
Hal Garyn, and Paul Marshall for their help and support in the preparation of this document.
Mitchell A. Danaher
Financial Executives International
Douglas F. Prawitt
American Accounting Association
Charles E. Landes
American Institute of CPAs (AICPA)
Richard F. Chambers
The Institute of Internal Auditors
Sandra Richtermeyer
Institute of Management Accountants
Preface
This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to providing thought leadership through the development of comprehensive
frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to
improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO is a private-sector initiative jointly sponsored and funded by the following organizations:
American Accounting Association (AAA)
American Institute of CPAs (AICPA)
Financial Executives International (FEI)
The Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
LEVERAGING COSO
ACROSS THE THREE
LINES OF DEFENSE
Research Commissioned by
July 2015
www.co s o.o rg
ii | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
Copyright 2015, The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
1234567890 PIP 198765432
All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or
by any means without written permission. For information regarding licensing and reprint permissions please contact the
American Institute of Certified Public Accountants licensing and permissions agent for COSO copyrighted materials.
Direct all inquiries to copyright@aicpa.org or AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd.,
Durham, NC 27707. Telephone inquiries may be directed to 888-777-7077.
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
Contents
iii
Page
Introduction
Executive Summary
10
10
11
13
IV. Conclusion
14
Key Observations
14
Appendix
15
23
About COSO
24
24
Graphics sourced from The Three Lines of Defense in Effective Risk Management and Control,
The Institute of Internal Auditors, January 2013.
www.co s o.o rg
iv | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
Introduction
This paper is a collaboration between the Committee of Sponsoring Organizations (COSO) and The Institute of Internal
Auditors, Inc. The purpose of this paper is to help organizations enhance their overall governance structures by providing
guidance on how to articulate and assign specific roles and responsibilities regarding internal control by relating the COSO
Internal Control Integrated Framework1 to the Three Lines of Defense Model.2
Executive Summary
Every organization has objectives it strives to achieve. In
pursuit of these objectives, the organization will encounter
events and circumstances which may threaten the
achievement of these objectives. These potential events and
circumstances create risks an organization must identify,
analyze, define, and address. Some risks may be accepted
(in whole or in part) and some may be fully or partially
mitigated to a point where they are at a level acceptable to
the organization. There are a number of ways to mitigate risks,
with one key method being the design and implementation of
effective internal control.
The COSO Internal Control Integrated Framework (the
Framework) outlines the components, principles, and factors
necessary for an organization to effectively manage its risks
through the implementation of internal control. However, it is largely
silent regarding who is responsible for specific duties outlined in
the Framework. Clear responsibilities must be defined so that each
group understands their role in addressing risk and control,
the aspects for which they are accountable, and how they will
coordinate their efforts with each other. There should be
Sets Organizations
Objectives
Framework
used to manage
risk and control
to accomplish
objectives
Financial Control
Security
Management
Controls
Internal Control
Measures
Risk Management
Quality
Inspection
Internal
Audit
Organizational
structure to
execute risk
and control
duties
Compliance
Internal Control Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission
(Jersey City, NJ: American Institute of Certified Public Accountants, May 2013. Available at coso.org.
The Three Lines of Defense in Effective Risk Management and Control, (Altamonte Springs, FL: The Institute of Internal
Auditors Inc, January 2013). Available at: 3LinesofDefenseinEffectiveRiskManagementandControl.
www.co s o.o rg
2 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
Financial Control
Security
Management
Controls
Internal Control
Measures
Risk Management
Quality
Internal
Audit
Inspection
Compliance
Consistent with other COSO publications, this document uses the term board of directors to refer to governing bodies
such as boards of directors, boards of trustees, general partners, owners, or supervisory boards.
www.co s o.o rg
Regulator
External Audit
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
www.co s o.o rg
4 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
Roles of Senior Management and the Board of Directors in the Three Lines of Defense Model
Senior management and the board of directors have integral
roles in the Model. Senior management is accountable for
the selection, development, and evaluation of the system
of internal control with oversight by the board of directors.
Although neither senior management nor the board of
directors is considered to be part of one of the three lines,
these parties collectively have responsibility for establishing
an organizations objectives, defining high-level strategies
to achieve those objectives, and establishing governance
structures to best manage risk. They are also the parties
best positioned to make certain the optimal organizational
structure for roles and responsibilities related to risk and
control. Senior management must fully support strong
governance, risk management and control. In addition, they
have ultimate responsibility for the activities of the first and
second lines of defense. Their engagement is critical for
success of the overall model.
www.co s o.o rg
Oversight
4 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
Roles of Senior Management and the Board of Directors in the Three Lines of Defense Model
Risk Assessment
Control Environment
Oversight
Management
Controls
Internal Control
Measures
www.co s o.o rg
www.co s o.o rg
6 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
Risk Management
Each second-line function has
Information Security
some degree of independence from
The composition of the
Financial Control
activities constituting first line of
second line can vary
Physical Security
defense, but they are by nature, still
significantly depending on
Quality
management functions. SecondHealth and Safety
line functions may directly develop,
the organizations size
Inspection
implement, and/or modify internal
and industry.
Compliance
control and risk processes of the
Legal
organization. They may also take
Environmental
a decision-making role for certain
Supply chain
operational activities. To the extent that the role of secondOther (depending upon industry-specific or
line functions require them to be directly involved in a firstcompany-specific needs)
line activity, that function may not be fully independent from
that first line of defense activity.
www.co s o.o rg
6 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
Risk Management
Each second-line function has
Information Security
some degree of independence from
The composition of the
Financial Control
activities constituting first line of
second line can vary
Physical Security
defense, but they are by nature, still
signicantly depending on
Quality
management functions. SecondHealth and Safety
line functions may directly develop,
the organizations size
Inspection
implement, and/or modify internal
and industry.
Compliance
control and risk processes of the
Legal
organization. They may also take
Environmental
a decision-making role for certain
Supply chain
operational activities. To the extent that the role of secondOther (depending upon industry-specific or
line functions require them to be directly involved in a firstcompany-specific needs)
line activity, that function may not be fully independent from
that first line of defense activity.
Risk Management
Quality
Inspection
Compliance
www.co s o.o rg
International Professional Practices Framework (IPPF), (Altamonte Springs, FL: The Institute of Internal Auditors Inc, 2013), 2.
Also available at na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx.
www.co s o.o rg
8 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls
over IT
12. Deploys through policies and procedures
Control Environment
1. Demonstrates commitment to integrity
and ethical values
2. Exercise oversight responsibility
3. Establishes structure, authority and
responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Assurance on
Effectiveness
3rd Line of Defense
Internal
Audit
www.co s o.o rg
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
www.co s o.o rg
10 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
Assurance
Operating Management
Limited Independence
Reports Primarily to Management
Internal Audit
Greater Independence
Reports to Governing Body
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
11
5
International Professional Practices Framework (IPPF), (Altamonte Springs, FL: The Institute of Internal Auditors Inc, 2013).
Also available at na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx.
www.co s o.o rg
12 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
13
www.co s o.o rg
14 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
IV. Conclusion
Every organization should clearly define responsibilities
related to governance, risk and control to help minimize
gaps in controls and unnecessary duplications of
assigned duties related to risk and control. The Three Lines
of Defense Model provides an effective way to enhance
communications regarding risk and control by clarifying
essential roles and duties. The Model can be useful for
clarifying how responsibilities regarding risk and control
might be coordinated across an organization.
The underlying premise of the Model is that, under the
oversight and direction of senior management and the
board, three separate groups (or lines of defense) are
necessary for effective management of risk and control.
The three groups:
Own and manage risk and control (operating
management).
Monitor risk and control in support of management
(risk, control, and compliance functions put in place by
management).
Provide independent assurance about effectiveness
of risk management and control to the board and senior
management (internal audit).
Each of the three lines has a distinct role within the
organizations wider governance framework, and when
each performs its assigned role effectively, the likelihood of
a significant control breakdown is reduced. This structure
also supports the board of directors in receiving impartial
information about the organizations most significant risks
and about how management is responding to those risks.
The Model can be used in conjunction with the COSO
Internal Control Integrated Framework to help ensure
individuals within each line of defense understand the full
extent of their responsibilities regarding risk and control, and
how their duties fit into the organizations overall risk and
control structure.
www.co s o.o rg
Key Observations
1. Senior management and the board of directors have
ultimate responsibility for ensuring the efficiency and
effectiveness of governance, risk management, and
control processes.
2. Risk management is strongest when there are three
separate and clearly identified lines of defense. All
three lines of defense should exist in some form at every
organization, regardless of size or complexity.
3. Each group within the three lines of defense should
have clearly defined roles and responsibilities that are
supported by appropriate policies, procedures, and
reporting mechanisms.
4. Information should be shared and activities coordinated
among each of the lines of defense to improve efficiency
and avoid duplication of effort while ensuring all
significant risks are addressed appropriately.
5. Lines of defense should not be combined or coordinated
in a manner that compromises their effectiveness. Each
line of defense has unique positioning in the organization
and unique responsibilities. Particular care should be
taken if the organization combines functions across the
three lines of defense. The effectiveness of the second
or third line of defense can be adversely affected if the
combination injures the uniqueness of that line. Capability
and efficiency are not the only criteria; independence and
objectivity are also essential elements to consider.
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
15
Appendix
Principle 1. The organization demonstrates a commitment to integrity and ethical values.
1st Line of Defense
(Risk Owners/ Managers)
Other
All lines of defense should be expected to demonstrate through their directives, actions, and behavior the importance of integrity and ethical values.
Leads by example in
implementing values, a
philosophy and an operating
style for the organization.
Implements ethics-related
objectives, programs and
activities.
Principle 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance
of internal control.
1st Line of Defense
(Risk Owners/ Managers)
Other
www.co s o.o rg
16 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the
pursuit of objectives.
1st Line of Defense
(Risk Owners/ Managers)
Other
Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
1st Line of Defense
(Risk Owners/ Managers)
Other
Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
1st Line of Defense
(Risk Owners/ Managers)
Other
As delegated by management,
individuals in the second line of
defense monitor and report on
fulfillment of specific internal
control responsibilities.
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
17
Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
1st Line of Defense
(Risk Owners/ Managers)
Other
All individuals who are part of the system of internal control need to understand the overall strategies and objectives set by the organization.
Setting objectives is a key part of
the management process related to
strategic planning.
With board oversight, sets entity-level
objectives that align with the
organizations mission, vision, and
strategies.
Specifies suitable objectives in
adequate detail so that risks to
achievement of objectives can be
identified and assessed.
Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining
how the risks should be managed.
1st Line of Defense
(Risk Owners/ Managers)
Other
www.co s o.o rg
18 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
1st Line of Defense
(Risk Owners/ Managers)
Other
Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control.
1st Line of Defense
(Risk Owners/ Managers)
Other
Because change can arise from a wide variety of internal and external sources, individuals within all three lines of defense should be alert for emerging issues that could
significantly impact the system of internal control.
Has primary responsibility for the system
of internal control and for identification
and assessment of changes that could
significantly impact the system of internal
control.
Communicates information regarding
changes that could significantly impact
the system of internal control to the board
in sufficient detail to enable the board to
fulfill its oversight responsibilities.
Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to
acceptable levels.
1st Line of Defense
(Risk Owners/ Managers)
Other
www.co s o.o rg
As assigned by management,
individuals in the second line of
defense may also participate in
the selection and development of
specific controls; however,
management retains
responsibility for the system of
internal controls.
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
19
Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives.
1st Line of Defense
(Risk Owners/ Managers)
Other
Principle 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
1st Line of Defense
(Risk Owners/ Managers)
Other
www.co s o.o rg
20 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
1st Line of Defense
(Risk Owners/ Managers)
Other
Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to
support the functioning of internal control.
1st Line of Defense
(Risk Owners/ Managers)
Other
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
21
Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
1st Line of Defense
(Risk Owners/ Managers)
Other
Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal
control are present and functioning.
1st Line of Defense
(Risk Owners/ Managers)
Other
www.co s o.o rg
22 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking
corrective action, including senior management and the board of directors, as appropriate.
1st Line of Defense
(Risk Owners/ Managers)
Other
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
23
Gina Eubanks, CIA, CISA, CRMA, CCSA, is the vice president of Professional
Services at The IIA, where she leads the Quality, Chief Audit Executive, and
Industry Services programs. She has more than 20 years of experience in
internal auditing, including 15 years with a Big 4 firm in global enterprise risk
services. Eubanks experience has been both within the United States and
abroad, having spent significant time in India. She has also been a practitioner
and director in the retail and financial services sectors. Eubanks also is a
member of the audit committee of a local financial institution and was a
volunteer leader with The IIA for almost 15 years.
www.co s o.o rg
24 | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
About COSO
Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control,
and fraud deterrence. COSOs supporting organizations are the Institute of Internal Auditors (IIA), the American Accounting
Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI),
and the Institute of Management Accountants (IMA).
The Institute of Internal Auditors (The IIA) is the internal audit professions most widely recognized advocate, educator,
and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more than 180,000
members from 170 countries. The associations global headquarters are in Altamonte Springs, Fla. For more information,
visit theiia.org.
The Institute of Internal Auditors Audit Executive Center is the essential resource to empower CAEs to be more
successful. The Centers suite of information, products, and services enables CAEs to respond to the unique challenges
and emerging risks of the profession. For more information on the Center, visit theiia.org/cae.
This publication contains general information only and none of COSO, any of its constituent organizations or any of the
authors of this publication is, by means of this publication, rendering accounting, business, financial, investment, legal, tax or
other professional advice or services. Information contained herein is not a substitute for such professional advice or services,
nor should it be used as a basis for any decision or action that may affect your business. Views, opinions or interpretations
expressed herein may differ from those of relevant regulators, self-regulatory organizations or other authorities and may
reflect laws, regulations or practices that are subject to change over time.
Evaluation of the information contained herein is the sole responsibility of the user. Before making any decision or taking any
action that may affect your business with respect to the matters described herein, you should consult with relevant qualified
professional advisors. COSO, its constituent organizations and the authors expressly disclaim any liability for any error,
omission or inaccuracy contained herein or any loss sustained by any person who relies on this publication.
www.co s o.o rg
The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense |
G ove r n a n c e a n d I n t e r n a l C o n t r o l
www.co s o.o rg
www.co s o.o rg
Z | Leveraging COSO Across the Three Lines of Defense | The Institute of Internal Auditors
G ove r n a n c e a n d I n t e r n a l C o n t r o l
L E V E R A G I N G
A C R O S S
L I N E S
T H E
O F
C O S O
T H R E E
D E F E N S E
www.co s o.o rg
www.co s o.o rg