In a perfect world, internal controls would be 100% effective once implemented. In reality, organizations need multiple lines of defense, or barriers, to guard against the risk that they will not achieve their objectives. The internal audit function is the last of three lines of defense recommended by the Institute of Internal Auditors (IIA) in its Three Lines of Defense Model.
As a precursor to the three lines of defense, boards govern and determine strategy. Senior management operationalizes the strategy and selects, develops and evaluates internal controls, with board oversight.
Against this backdrop, operational management is the first line of defense. It supervises and manages operations to ensure compliance with risk and internal control systems. Risk and compliance functions are the second line of defense, monitoring the adequacy and effectiveness of internal controls, reporting, compliance, and remediation of deficiencies. Both lines are accountable to senior management.
The third and …