Audit Committee defence 1
The three lines of Institute
The three lines of defence
Audit committees these days are burdened with a lengthy list of mandatory agenda items,
and must find the time to address these and other topics. The following article summarises
some practical hints to help you focus your audit committee agendas.
The challenges arising from the
current economic situation, and
potential changes in legislation,
will increase the pressure for
companies to adopt a robust
governance framework, and for the
need to sustain a good relationship
and communication between
management, internal audit and the
audit committee.
The three lines of defence
How can companies and financial
institutions strengthen these
relationships? The three lines of
defence model can be used as the
primary means to demonstrate and
structure roles, responsibilities and
accountabilities for decision making,
risk and control to achieve effective
governance risk management and
assurance.
First line of defence:
business operations – risk and
control in the business
Businesses are responsible for
ensuring that a risk and control
environment is established as part of
day-to-day operations. Line
management should thus be
adequately skilled to create risk
definitions and make risk
assessments. The risk profile needs
to be proactively reviewed, updated
Sponsored by KPMG
and modified for changes to the
business environment and emerging
risk changes. Active risk management
and periodic reporting on risks is
crucial to quick identification and
response, and will allow the company
to have a strategic advantage on
competitors.
Ensure the risk framework is able to
respond quickly – management must
make best use of early warning
indicators to identify, evaluate and
respond to changes quickly. And, with
quick identification and response, it
may be possible to discern new
strategic opportunities before they are
discovered by the competition.
The first line of defence provides
management assurance, and informs
the audit committee by identifying
risks and business improvement
actions, implementing controls, and
reporting on progress.
Second line of defence:
the oversight functions
These responsibilities set company
boundaries by drafting and
implementing policies and
procedures. They are also responsible
for guidance and directions for
implementing their policies and for
monitoring their proper execution.
They provide oversight over business
processes and risks.
2 The three lines of defence
Align strategy, risk and policies –
these oversight functions are thus
responsible for designing policies,
setting direction, introducing best
practice, ensuring compliance and
providing assurance oversight for
board members and audit committee
members. Now is an opportune time
to stand back and re-think how risk
management activities combine
within the wider system of internal
control as part of an efficient, effective,
integrated assurance framework.
Questions which can be asked:
z Do you have clearly defined
oversight structures with roles,
responsibilities and accountability?
z Is risk and risk management used
to drive strategic alignment,
business unit performance and
accountability?
z Does your governance and
assurance add value to the
organisation?
z Do risk and assurance providers
share risk profiles, definitions and
technology, and rely on each
other’s work, map sources of
assurance over key risks and
controls, and streamline their
activities?
z Do you receive coordinated
reporting on total assurance
activities, emerging risks and
themes in issues across the
business?
Review of policy frameworks assures
that the right policy owners are
keeping policies up-to-date,
responding to new strategic priorities
and risks, and that the monitoring
mechanisms are working to ensure
compliance with the updated policies.
Third line of defence:
independent assurance providers –
internal audit and other independent
assurance providers
The internal auditor’s role is to
provide independent, objective
assurance and consulting activities
designed to add value and improve a
company’s operations. They help the
company to accomplish its objectives
by bringing a systematic, disciplined
approach to evaluate and improve the
effectiveness of risk management,
control and governance processes.
The third line of defence entails
independent challenge, audit of key
controls, formal reporting on
assurance, and audit of assurance
providers’ and entity level controls
assurance. In view of this
independent challenge, appropriate
reporting lines for the internal
auditors (best practice is directly to
the audit committee) are critical if they
want to achieve their independence
and objectivity, while effectively
assessing the organisation’s internal
control, risk management and
governance processes. The head of
audit should meet regularly with the
audit committee to discuss any
assurance issues, but the meeting
should not be limited should either
party want to bring other issues to the
table.
Audit committee’s role
As indicated in the model, all three
lines of defence have specific tasks in
the internal control governance
framework. It is the audit committee’s
role to maintain oversight and to
monitor the effectiveness of internal
controls and risk management
processes, as well as the internal
audit activities.
To allow the audit committee to
monitor and render opinions on the
effectiveness of the company’s
internal controls and risk
management, there is a need for a
clear overview of the company’s risk
and control framework. A close
working relationship and enhanced
communication is also crucial
between management, the risk
function, internal audit and the audit
committee. This relationship is
essential for each to fulfil its
responsibilities to management, the
board, shareholders and other
stakeholders.
 The three lines of defence 3

To allow the audit committee to monitor

and render opinions on the effectiveness
of the company's internal controls and
risk management, there is a need for
a clear overview of the company's risk
and control framework.

The three lines of defence:

First Line
RISK & CONTROL z The first level of the control
environment is the business
operations which perform day
1st Business operations: z An established risk and
control environment to day risk management activity

Board, Excom & Audit Committee

Second Line
z Oversight functions in the
company, such as Finance,
HR and Risk Management set
RISK & CONTROL
directions, define policy and
provide assurance
2nd Oversight functions: z Strategic management
finance, HR, Quality, and Risk z Policy and procedure Third Line
Management setting
z Internal and external audit
z Functional oversight are the third line of defence,
offering independent challenge
to the levels of assurance provided
by business operations and
RISK & CONTROL
oversight functions

3rd Independent assurance: z Provide independent

Internal Audit, external Audit challenge and
and other independent assurance
assurance providers

Audit Committee Institute

KPMG in Belgium
kpmg.ru

Êîíòàêòû:
Contact us:

Q25 Audit Committee Institute in Russia

Boris Lvov
Corporate Governance,
Performance and Compliance
Tel: +7 937 4477
E-Mail: aci@kpmg.ru

This text is an unaccredited and adapted by KPMG in Russia and the CIS version of "The three lines of defence" text, prepared by © 2009 ZAO KPMG, a company incorporated under the Laws of
Audit Committee Institute sponsored by KPMG. the Russian Federation and a member firm of the KPMG network
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual of independent member firms affiliated with KPMG International,
or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is a Swiss cooperative. All rights reserved. Printed in Russia.
accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information KPMG and the KPMG logo are registered trademarks of KPMG
without appropriate professional advice after a thorough examination of the particular situation. International, a Swiss cooperative.