Four lines of defence and assurance mapping
The four lines of defence framework helps organisations analyse the overall strength of their control, supervision and review processes. It enables management to ascertain the level of comfort each stage provides and also determine what should be included at later stages to remedy limitations of earlier controls.
Assurance mapping, linking principal risks to control processes and key performance indicators, and seeing what assurance is provided against the risks materialising, can be an important part of the four lines of defence.
Assurance mapping and the four lines of defence are included in the SBL syllabus.
First line of defence: Control frameworks and day-to-day controls
The first line of defence includes the overall risk management systems and control frameworks. It also incorporates the controls over operational processes and outputs. This stage includes controls over day-to-day transactions and periodic controls, for example cut-off procedures at the month or year-end, as well as procedures such as quality control if they are a regular part of operations. Day-to-day management supervision, for example approval of large transactions, is also part of this stage.
Assurance is given by the knowledge and commitment of the staff operating the controls.
The benefits provided by the first line of defence are that the staff operating the controls know the business and workflow, and may be aware of where controls are potentially weak. Building more controls in at this stage can also mean that mistakes are less likely to happen and can be more easily corrected. Strong day-to-day controls relating to information provision should mean that the information provided in external reports and to external auditors is likely to be more reliable.
The main weakness of the first line of defence is lack of independence: the controls are being implemented by the same staff who are responsible for the operations to which the controls relate. They are effectively certifying their own work (self-review).
Second line of defence: Management review
The second line of defence relates to review by management or specialists that is separate from day-to-day operations. It includes risk and compliance reviews, financial controls over operational departments and oversight of operations by the board. It can also include quality control reviews that are additional to day-to-day quality checks, for example one-off checking of a range of items where there have been customer complaints.
The second line of defence introduces a degree of independence and objectivity, as the reviewers are not staff and managers who are operationally responsible for the areas being reviewed. However, the reviewers are still part of the same management team, working with those being reviewed.
Another problem at this stage is that the effectiveness of the reviews depends upon the reviewers’ expertise. Ensuring that the reviews have a clear purpose and that the purpose is reflected in selecting what is reviewed may also prove difficult.
Third line of defence: Internal audit
Internal audit is the third line of defence. The effectiveness of internal audit will depend on the extent of its terms of reference. These could be wide-ranging, covering operational efficiency and effectiveness, safeguarding of assets and reliability of reporting. As well as looking at systems overall, internal audit can also focus on specific risks, particularly risks which the first two lines of defence may not have completely countered. Internal audit’s role is also likely to be valuable if there are changes affecting the first two lines of defence, or changes in organisational structures, reporting processes and information systems. The effectiveness of internal audit is also determined by the reliability of its risk assessment and linkage between the risk assessment and work done. Assurance mapping (discussed below) can be particularly useful for internal audit.
Internal audit work has the significant benefit of being done by staff who are independent and separate from line management, who are not involved in operational work and whose remuneration is not dependent upon operational results. Internal auditors’ independence can be strengthened by being able to report directly to the board and audit committee, and being able to discuss issues with the board and audit committee without operational management being present.
However, internal audit still shares a drawback with the earlier stage: its staff are employees. They can therefore never be completely independent of the organisation and may be influenced by internal politics. Internal factors may also limit the scope of internal audit’s work. Its effectiveness will be weakened if there are ‘no-go’ areas which internal audit cannot review. Whilst internal audit can make recommendations, it cannot ensure the recommendations are carried out, because internal audit staff are not involved in operations. Internal audit effectiveness therefore depends on the willingness of the board and senior management to insist that internal audit recommendations are implemented.
Fourth line of defence: External audit
External audit can look at any aspects of a business’s processes and results that are relevant to the audit assignment.
External audit’s main advantage is the impartial assurance it provides, as external staff are not employees of the organisation. As such they are seen to be independent. External auditors can also bring a wider perspective to their work and recommendations, based on their knowledge of other organisations.
External auditors may however be disadvantaged by the lack of knowledge they have of the organisation, resulting from only seeing it once a year as opposed to being continuously employed in it. External audit’s work will also concentrate on providing sufficient assurance to give a reliable audit report on the financial statements. This will mean a focus on areas connected with the accounting systems and less emphasis on other areas of the risk and control systems. Additional work to the audit work on the financial statements may be required to give assurance on the other areas.
Assurance mapping links with the four lines of defence approach by considering individual risks and the extent to which each risk has been mitigated by each of the four lines of defence. It also links the risks with key performance indicators (KPIs) and other means of reporting, thus helping the organisation report reliably on risks and risk management.
Let’s take a risk relating to computer security, as an example:
Risk: Unauthorised access to computer systems
Risk assessment if no controls in place
• Impact: High
• Likelihood: High
Control systems and controls
• Control frameworks – computer systems manual, staff training, firewalls, hierarchy of passwords, up-to-date virus protection, back-ups
• Day-to-day controls – staff keep passwords and computers secure
Management review
• Review by IT specialists of failed attempts to access system
• Management seeking evidence of back-ups being taken
Risk assessment after first two lines
• Impact: Moderate/High
• Likelihood: Low
Although the controls cannot prevent illicit attempts at gaining access and cannot do much to limit the impacts of sensitive information being accessed, they can give significant assurance that attempts will not be successful, hence the reduction in likelihood.
Internal audit
• Attempting to enter system using unauthorised passwords
• Seeking evidence that management reviews are carried out regularly
• Seeking evidence that all computers have up-to-date virus protection software
External audit
• Reporting on weaknesses spotted in the course of audit work on financial statements and the accounting systems
KPIs associated with this risk would include the number of successful attempts to gain unauthorised access to the system (hopefully zero!) and number of failed attempts. Other reporting would be regular reporting to the board on any IT issues that had recently come up and any need to update or strengthen controls in the light of new threats.
Quantitative KPIs will be important in other areas, for example those included in the financial statements or relating to environmental impacts. The assurance given by auditors or independent reviewers on these figures and the procedures used to arrive at them will enhance their credibility if they are reported externally.
Advantages of assurance mapping
Assurance mapping can provide a clear link between risks which require management and the elements of control systems used to manage them. It enables the organisation to see if there are any risks where there is limited assurance that controls are effectively operating. Having the information provided by assurance mapping enables stronger and more certain reporting on internal control. It also enables the organisation to manage controls more efficiently and effectively, directing staff’s work so that gaps in control are filled and overlap of staff’s responsibilities is avoided. The assessment of the risk reduction and the assurance given from the first two lines of defence enables the organisation to see what assurance is required from the internal audit function and therefore decide its resourcing and scope of work.
This article has discussed how assurance mapping can link with the four lines of defence to show clearly what is being done to manage risks and the assurance given by the controls and reviews undertaken. This systematic approach can give directors comfort that they are discharging their responsibilities to design and operate effective risk management and control systems and use the organisation’s resources effectively. It also enables them to report, with more certainty, to external stakeholders on internal controls, strengthening stakeholders’ confidence.
Written by a member of the SBL examining team