A new document from The Institute of Internal Auditors takes the COSO Internal Control - Integrated Framework and maps it to the Three Lines of Defense Model.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework has gained widespread acceptance as a tool to help organizations manage risks through effective internal controls.
The framework has gained near universal support since its introduction in 1992 and subsequent update in 2013 because it clearly outlines the components, principles and factors necessary for effective risk management. However, the framework has little to say about who should be responsible for specific duties that it outlines.
A new whitepaper from COSO offers one possible answer by turning to another tried and true model familiar to those who work with risk management.
In ‘Leveraging COSO Across the Three Lines of Defense’, authors Douglas J. Anderson and Gina Eubanks make a strong case for using the Three Lines of Defense Model, which addresses how specific duties related to risk and control should be assigned and coordinated.
"This white paper does more than just answer the question of where risk management duties and responsibilities should lie within an organization," said Robert B. Hirth Jr., COSO chairman. "It effectively and eloquently breaks down those duties within the context of the COSO framework's five components and 17 principles."
The benefits of clearly defining responsibilities related to governance, risks, and control are that gaps in controls and duplication of duties related to risk and control are minimized.
Succinctly, The Three Lines of Defense model advocates for clearly defining responsibilities for three aspects of risk: risk ownership, risk monitoring, and risk assurance. Respectively, functions that own and manage risks are the first line. Various risk control and compliance functions that monitor risks are the second line. Internal audit, which provides independent assurance on the effectiveness of control and compliance functions, is the third line.
The new white paper breaks down each of the three lines and assigns the corresponding framework principles.