What is compliance?

The Three Lines of Defense

The model shows three boxes that contain different groups labeled as the 1st, 2nd and 3rd lines of defense. The three boxes point up to two rectangles labeled senior management and governing body. To the right there are two sideways rectangles, regulator and external auditor. The first box, or first line of defense, includes management controls and internal control measures. The second line of defense includes financial control, security, risk management, quality, inspection, and compliance. The third box includes internal audit.

This image is from The Institute of Internal Auditors January 2013 position paper called "The Three Lines of Defense in Effective Risk Management and Control."

The First Line of Defense - Management

"Management is responsible for identifying and managing the performance and risks resulting from practices and systems for which they are accountable (processes to meet objectives and internal controls to manage risk).  The first line [of defense] is also responsible for the risks inherent to the strategy and business objectives.  As the principal owners of risk, they set business objectives, establish acceptable variation in performance, train personnel and reinforce risk responses.  In short, the first line [of defense] implements and executes the day-to-day tasks to manage performance and risks taken to achieve strategy and business objectives."

- Enterprise Risk Management - Aligning Risk with Strategy and Performance, June 2016

The Second Line of Defense - Risk Management & Compliance

Risk management and compliance functions are members of management who monitor processes and the internal control environment to identify risk that exceeds risk tolerances, evaluate adherence to defined standards, and work alongside the first line of defense to implement process improvements and improve internal controls.  Second line of defense responsibilities often include:

  1. Implementing and performing enterprise risk management with the first line of defense.
  2. "Supporting management policies, defining roles and responsibilities and setting targets for implementation."
  3. Assisting management in developing processes and risk responses to manage risks and issues (occurrences).
  4. Monitoring the adequacy and effectiveness of risk responses, accuracy and completeness of financial reporting and timely remediation of deficiencies (occurrences).
  5. Identifying emerging or escalating risk exposures to management and the Board of Trustees for awareness and potential action.

- Enterprise Risk Management - Aligning Risk with Strategy and Performance, June 2016

The Third Line of Defense - Internal Audit

Internal Audit independently and objectively provides assurance to the Board of Trustees regarding the effectiveness of governance, risk management and internal control, including the manner in which the first and second lines of defense achieve their risk management and control objectives.  Internal Audit is not a member of management and may not direct or implement processes.  As a member of the governance function, Internal Audit may, however, provide advice and recommendations regarding processes, so long as it is not so prescriptive as to be perceived as direction.  Internal Audit may guide and support enterprise risk management, but may not implement or perform risk management other than inside of its own function.  Internal Audit may identify issues and opportunities for improvement, and keep executive management and the Board of Trustees up to date on matters requiring resolution and on risks inappropriately accepted by management.

External Auditors

External auditors express an opinion on the fairness (accuracy within a degree of materiality) of the financial statements in conformity with Generally Accepted Accounting Principles (GAAP).  External auditors may provide assurance to the Board of Trustees regarding institutional compliance requirements (such as Title IV funding of financial aid).