Defining Testing of Controls – Third Line Responsibility?

The roles and responsibilities of the three lines of defense in governance, risk, and compliance (GRC) are crucial for maintaining a practical risk management framework. The first line of defense comprises frontline managers responsible for owning and managing risk. They are closest to the business processes and are ideally positioned to design and implement controls that mitigate identified risks. The second line consists of risk management and compliance functions, while the third is internal audit, which provides independent assurance.

However, a notable concern arises when control test design, which is typically associated with the first line, becomes the responsibility of the third line. This shift raises questions about the effectiveness and appropriateness of such an arrangement. When internal audit takes on control design responsibility, it can lead to a disconnect between control design and operational realities. This misalignment can result in overly complex controls or controls that are irrelevant to the organization's actual risks.

Auditors might design controls with a focus on compliance rather than operational efficiency, leading to cumbersome and resource-intensive processes. Furthermore, there is a crucial need to maintain the independence of the third line, which slips away the more involved Audit becomes in business activities. This dual role can compromise the integrity of the assurance it provides to senior management and the board.

The shift of control test design to Audit might be due to a perceived lack of capability or capacity within the first line, prompting the auditors to step in. Alternatively, the business teams may evaluate their time and focus and deprioritize the documentation of testing methodologies by the control teams. It could also be a response to increasing regulatory pressures, where organizations seek to leverage the expertise of internal auditors to ensure compliance. However, these reasons do not justify the departure from established best practices in risk management.

The many second line teams I have talked with about this all agree that, with the right amount of time and investment in resources, they could realign roles and responsibilities and ensure that each line of defense operates within its intended scope. The problem often comes down to a lack of investment by leaders in the value of what GRC can bring to their organizations – the documentation of controls alone becomes a burden on the business, let alone designing testing and validating that it is effective for their activities.