What is compliance?

The Institute of Internal Auditors Three Lines Model

[Image: The IIA's Three Lines Model, July 2020]

This image is from The Institute of Internal Auditors July 2020 position paper called "The IIA's Three Lines Model - An update of The Three Lines of Defense."  

"Management’s responsibility to achieve organizational objectives comprises both first and second line roles. First line roles are most directly aligned with the delivery of products and/or services to clients of the organization, and include the roles of support functions. Second line roles provide assistance with managing risk.  First and second line roles may be blended or separated. Some second line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first line roles. Second line roles can focus on specific objectives of risk management, such as: compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance. Alternatively, second line roles may span a broader responsibility for risk management, such as enterprise risk management (ERM). However, responsibility for managing risk remains a part of first line roles and within the scope of management."

First Line Roles - Management & Support

"Management is responsible for identifying and managing the performance and risks resulting from practices and systems for which they are accountable (processes to meet objectives and internal controls to manage risk).  The first line is also responsible for the risks inherent to the strategy and business objectives.  As the principal owners of risk, they set business objectives, establish acceptable variation in performance, train personnel and reinforce risk responses.  In short, the first line implements and executes the day-to-day tasks to manage performance and risks taken to achieve strategy and business objectives."

- Enterprise Risk Management - Aligning Risk with Strategy and Performance, June 2016 

Second Line Roles - Risk Management & Compliance

Risk management and compliance functions are members of management who monitor processes and the internal control environment to identify risk that exceeds risk tolerances, evaluate adherence to defined standards, and work alongside the first line to implement process improvements and improve internal controls.  Second line responsibilities often include:

  1. Implementing and performing enterprise risk management with the first line.
  2. "Supporting management policies, defining roles and responsibilities and setting targets for implementation."
  3. "Assisting management in developing processes and risk responses to manage risks and issues (occurrences)."
  4. "Monitoring the adequacy and effectiveness of risk responses, accuracy and completeness of financial reporting and timely remediation of deficiencies (occurrences)."
  5. Identifying emerging or escalating risk exposures to management and the Board of Trustees for awareness and potential action.

- Enterprise Risk Management - Aligning Risk with Strategy and Performance, June 2016 

Third Line Role - Internal Audit

Internal Audit independently and objectively provides assurance to the Board of Trustees regarding the effectiveness of governance, risk management and internal control, including the manner in which the first and second lines achieve their risk management and control objectives.  Internal Audit is not a member of management and may not direct or implement processes.  As a member of the governance function, Internal Audit may, however, provide advice and recommendations regarding processes, so long as it is not so prescriptive as to be perceived as direction.  Internal Audit may guide and support enterprise risk management, but may not implement or perform risk management other than within its own function.  Internal Audit may identify issues and opportunities for improvement, and keep executive management and the Board of Trustees up to date on matters requiring resolution and on risks inappropriately accepted by management.

External Auditors

External auditors express an opinion on the fairness (accuracy within a degree of materiality) of the financial statements in conformity with Generally Accepted Accounting Principles (GAAP).  External auditors may provide assurance to the Board of Trustees regarding institutional compliance requirements (such as Title IV funding of financial aid).