Presentation is loading. Please wait.

Presentation is loading. Please wait.

Leveraging COSO across the three lines of defense

Published byἈριστοτέλης Βασιλείου Modified over 5 years ago

Similar presentations

Presentation on theme: "Leveraging COSO across the three lines of defense"— Presentation transcript:

1 Leveraging COSO across the three lines of defense
Jean-Pierre Garitte Tbilisi, 29 October 2018

2 Remember the three lines of defense
Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines. The Three Lines of Defense in Effective Risk Management and Control, (Altamonte Springs, FL: The Institute of Internal Auditors Inc, January 2013.

3 Remember the COSO principles
Control activities: Most people spend their time in their silo doing their tasks. Ideally control activities are preventive and timely. You many have informal control activities, but typically these are monitoring activities. Monitoring happens based upon your experience and gut filling. You know it when you see it. Information and Communication – No one likes to deliver bad news. Sometimes people are not good communication good news. Only when necessary, reactionary and sometimes too late. Ideally, you have control in periodic reporting complements reporting. Other is thresholds with timeliness associated to address the problems. Risk Assessment - I did this 10 years ago when I started my business during the SWOT analysis. Control Environment – Follow the leader. Ideally, leaders demonstrate and inspire desired behavior. Enforces accountability. Internal Control – Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (Jersey City, NJ: American Institute of Certified Public Accountants, May 2013.

4 Who is mainly responsible for the control environment?
Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.

5 Control environment Demonstrates commitment to integrity and ethical values Exercises oversight responsibility Establishes structure, authority and responsibility Demonstrates commitment to competence Enforces accountability

6 Who is mainly responsible for risk assessment?
Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.

7 Risk assessment Specifies suitable objectives
Identifies and analyzes risk Assesses fraud risk Identifies and analyzes significant change

8 Who is mainly responsible for control activities?
Risk Assessment Control Activities Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.

9 Control activities Selects and develops control activities
Selects and develops general controls over IT Deploys through policies and procedures

10 Who is mainly responsible for information and communication?
Risk Assessment Control Activities Information & Communication Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.

11 Who is mainly responsible for information and communication?
Information & Communication Risk Assessment Control Activities Information & Communication Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.

12 Information & Communication
Uses relevant information Communicates internally Communicates externally

13 Who is mainly responsible for monitoring?
Risk Assessment Control Activities Information & Communication Monitoring Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.

14 Who is mainly responsible for monitoring?
Risk Assessment Control Activities Information & Communication Monitoring Monitoring Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.

15 Who is mainly responsible for monitoring?
Information & Communication Monitoring Risk Assessment Control Activities Information & Communication Monitoring Monitoring Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.

16 Who is mainly responsible for monitoring?
Information & Communication Monitoring Risk Assessment Control Activities Information & Communication Monitoring Monitoring Monitoring: Assurance Reassurance Models for assurance – Various models: 5 lines of defense, 3 lines of defense, movement to use the term lines of assurance. The foundation and principles behind these models are all the same. It is a matter of choosing the terms that resonate with your organization and leadership. First important to understand who is doing what. Regulators in UK expect told implemented and demonstrated How many have heard of 3LOD? “The premise of the Three Lines of Defense model is that: Each area within a company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminshes.” The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control. Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.

17 Monitoring Conducts ongoing and/or separate evaluations
Evaluates and communicates deficiencies

18 Leveraging COSO across the three lines of defense
Control activities: Most people spend their time in their silo doing their tasks. Ideally control activities are preventive and timely. You many have informal control activities, but typically these are monitoring activities. Monitoring happens based upon your experience and gut filling. You know it when you see it. Information and Communication – No one likes to deliver bad news. Sometimes people are not good communication good news. Only when necessary, reactionary and sometimes too late. Ideally, you have control in periodic reporting complements reporting. Other is thresholds with timeliness associated to address the problems. Risk Assessment - I did this 10 years ago when I started my business during the SWOT analysis. Control Environment – Follow the leader. Ideally, leaders demonstrate and inspire desired behavior. Enforces accountability. Adapted from the Leveraging COSO Across the Three Lines of Defense, commissioned by The Committee of Sponsoring Organizations of the Treadway Committee (Lake Mary, FL: The Institute of Internal Auditors Inc and, July 2015).

19  Questions?

Download ppt "Leveraging COSO across the three lines of defense"

Similar presentations

Internal Control Integrated Framework

Internal Control Integrated Framework
Internal Control–Integrated Framework

Internal Control–Integrated Framework
Post Award MUHAS, Dartmouth, UCSF Basics of Internal Controls Tuesday October 21, 2014.

Post Award MUHAS, Dartmouth, UCSF Basics of Internal Controls Tuesday October 21, 2014.
Federal Audit Executive Council (FAEC) June 2012 Bi-Monthly Meeting Heather I. Keister Doris G. Yanger June 14, 2012 Green Book Update.

Federal Audit Executive Council (FAEC) June 2012 Bi-Monthly Meeting Heather I. Keister Doris G. Yanger June 14, 2012 Green Book Update.
Updated COSO Framework & Green Book

Updated COSO Framework & Green Book
Prepared by Wa'el Bibi,CPA,CIA,CISA1 Internal Control Integrated Framework An Overview.. Bibi Consulting COSO’s Source: COSO’s Internal Control Integrated.

Prepared by Wa'el Bibi,CPA,CIA,CISA1 Internal Control Integrated Framework An Overview.. Bibi Consulting COSO’s Source: COSO’s Internal Control Integrated.
Government Auditing Standards

Government Auditing Standards
Office of the Secretary of Defense – Comptroller Financial Improvement and Audit Readiness Directorate Unclassified 17 September 2014 GAO Revised “Green.

Office of the Secretary of Defense – Comptroller Financial Improvement and Audit Readiness Directorate Unclassified 17 September 2014 GAO Revised “Green.
Under the Microscope Business Officers Meeting March 7, 2006 Presented by Randy Van Dyke Internal Control.

Under the Microscope Business Officers Meeting March 7, 2006 Presented by Randy Van Dyke Internal Control.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.

Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.
COSO Framework Update IIA Columbus Chapter May 17, 2013

COSO Framework Update IIA Columbus Chapter May 17, 2013
Elements of Internal Controls Preventing Fraud, Waste, and Abuse in Urban and Rural Transit Systems.

Elements of Internal Controls Preventing Fraud, Waste, and Abuse in Urban and Rural Transit Systems.
Chicagoland IASA Spring Conference

Chicagoland IASA Spring Conference
Internal Control and Control Self-Assessment

Internal Control and Control Self-Assessment
D-1 McGraw-Hill/Irwin ©2005 by the McGraw-Hill Companies, Inc. All rights reserved. Module D Internal, Governmental, and Fraud Audits “I predict that audit.

D-1 McGraw-Hill/Irwin ©2005 by the McGraw-Hill Companies, Inc. All rights reserved. Module D Internal, Governmental, and Fraud Audits “I predict that audit.
Chapter 9: Introduction to Internal Control Systems

Chapter 9: Introduction to Internal Control Systems
Transitioning to the COSO 2013 Update.  Released on May 14, 2013  Designed to build upon the foundation of the 1992 Framework  Will supersede the 1992.

Transitioning to the COSO 2013 Update.  Released on May 14, 2013  Designed to build upon the foundation of the 1992 Framework  Will supersede the 1992.

Similar presentations

Ads by Google