Source document: Cursus internal and external control_GDR.docx
Summary
# Internal control framework
This topic outlines the fundamental principles and components of a robust internal control system, often aligning with frameworks like COSO, covering integrity, oversight, objective setting, risk assessment, control activities, information and communication, and monitoring.
### 1.1 The COSO framework for internal control
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework provides a widely recognized structure for designing, implementing, and evaluating internal control systems. It is a private-sector initiative sponsored by several leading accounting and finance organizations: the American Accounting Association (AAA), the American Institute of CPAs (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA). The framework is structured around five integrated components that interact with an entity's operating units and legal structure at various levels (entity, division, business unit, subsidiary, third party).
### 1.2 Components of internal control
The COSO framework identifies five interconnected components of internal control:
#### 1.2.1 Control environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It encompasses the following principles:
1. **Commitment to integrity and ethical values:** The organization demonstrates a commitment to integrity and ethical values.
2. **Board of directors' independence and oversight:** The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. **Management's establishment of structures, authorities, and responsibilities:** Management, with board oversight, establishes structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. **Commitment to competent individuals:** The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. **Individual accountability for internal control:** The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
> **Tip:** The control environment is foundational; a weak control environment can undermine the effectiveness of all other components, regardless of how well they are designed.
#### 1.2.2 Risk assessment
Risk assessment involves identifying and analyzing risks to the achievement of objectives, providing a basis for determining how these risks should be managed. Key principles include:
6. **Specification of objectives with sufficient clarity:** The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. **Identification and analysis of risks:** The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. **Consideration of fraud risks:** The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. **Identification and assessment of changes impacting internal control:** The organization identifies and assesses changes that could significantly impact the system of internal control.
> **Tip:** Risk assessment should consider both external and internal factors that could prevent the organization from achieving its objectives.
#### 1.2.3 Control activities
Control activities are the policies and procedures that help ensure management directives are carried out. They are implemented to mitigate identified risks. These include:
10. **Selection and development of control activities:** The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. **Selection and development of general IT controls:** The organization selects and develops general control activities over technology to support the achievement of objectives.
12. **Deployment of control activities through policies and procedures:** The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
> **Example:** A control activity to mitigate the risk of unauthorized disbursements might be a policy requiring supervisor approval for all payments over ten thousand dollars. Procedures would detail how this approval is documented and processed.
#### 1.2.4 Information and communication
Information and communication systems are essential for internal control, enabling the flow of information necessary to carry out responsibilities. This component covers:
13. **Obtaining and using quality information:** The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. **Internal communication:** The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. **External communication:** The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
> **Tip:** Effective communication ensures that all relevant personnel understand their roles and responsibilities in maintaining internal controls and are aware of potential risks and control procedures.
#### 1.2.5 Monitoring activities
Monitoring activities assess the quality of internal control performance over time. This ensures that controls continue to operate effectively and are adjusted as necessary. Key principles include:
16. **Ongoing and separate evaluations:** The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. **Evaluation and communication of deficiencies:** The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
> **Example:** A separate evaluation could be an internal audit review of the procurement process to assess adherence to control activities. Ongoing evaluations might be daily reconciliations performed by accounting staff.
### 1.3 Fraud risk management
Fraud risk management is a crucial aspect of internal control, focusing on preventing and detecting fraudulent activities. The COSO framework outlines specific principles for managing fraud risk:
1. **Fraud Risk Management Program:** The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.
2. **Fraud Risk Assessments:** The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.
3. **Preventive and detective fraud control activities:** The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.
4. **Fraud communication and investigation process:** The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.
5. **Ongoing evaluation of fraud risk management:** The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.
> **Tip:** The "Fraud Triangle" (Opportunity, Pressure, Rationalization) is a useful model for understanding the conditions that can lead to fraud and for identifying areas where controls may be needed.
### 1.4 Risk management concepts
Internal control is closely linked to broader risk management principles. Key concepts include:
* **Inherent Risk:** The risk that exists before any controls are applied.
* **Controls:** The measures implemented to mitigate risks.
* **Residual Risk:** The risk that remains after controls have been implemented. The goal of internal control is to reduce residual risk to an acceptable level.
> **Example:** The inherent risk of financial loss from unauthorized disbursements is high. Implementing controls like requiring multiple signatures on checks and segregation of duties reduces this risk to a residual level that the organization deems acceptable.
### 1.5 Risk assessment tools and techniques
Organizations employ various tools and techniques for risk assessment, often visualized through:
* **Risk Matrices/Heat Maps:** These tools plot risks based on their likelihood (probability) and impact (consequences). This helps prioritize risks for management attention.
* **Likelihood categories:** Almost certain, Likely, Moderate, Unlikely, Rare.
* **Consequence categories:** Minor, Moderate, Significant, Major, Catastrophic.
* **Impact levels:** Risk impacts can be assessed based on financial loss thresholds (e.g., less than 500,000 dollars, between 500,000 and 5 million dollars) and their effect on stakeholder faith, operations, or legal standing.
> **Example:** A risk with a "High" likelihood and "High" impact would appear in the upper-right quadrant of a risk matrix, indicating it requires significant management attention and action.
### 1.6 The three lines of defense model
The Three Lines of Defense Model is a framework for managing risk and ensuring accountability within an organization, providing a clear structure for how different functions contribute to risk management and control.
* **First Line of Defense:** Operational management responsible for owning and managing risks. This includes day-to-day activities and implementing controls.
* **Second Line of Defense:** Functions that oversee risk and compliance, such as risk management, finance, and compliance departments. They develop frameworks, policies, and provide guidance.
* **Third Line of Defense:** Internal Audit, which provides independent assurance on the effectiveness of the first and second lines of defense and the overall governance and risk management framework. External audit and regulators are also considered external assurance providers.
This model ensures that risk management and internal controls are embedded throughout the organization, from front-line operations to independent assurance.
---
# Enterprise risk management principles
Enterprise risk management (ERM) principles provide a structured framework for organizations to identify, assess, and manage risks that could impact the achievement of their objectives.
## 2. Enterprise risk management principles
Enterprise Risk Management (ERM) establishes a comprehensive approach for an organization to achieve its objectives by systematically identifying, assessing, and managing potential risks. This framework is built upon several core components that work in concert to embed risk awareness and management into the fabric of the organization.
### 2.1 Internal environment
The internal environment sets the foundation for ERM by establishing the organization's risk culture and outlining the commitment to integrity and ethical values. It encompasses the oversight exercised by the board of directors, the structures and responsibilities defined by management, and the commitment to attracting, developing, and retaining competent individuals. Accountability for internal control responsibilities is also a critical aspect, ensuring that individuals are held responsible for their roles in managing risks.
### 2.2 Objective setting
Objective setting is crucial for ERM as it involves clearly defining the organization's objectives. This clarity enables the identification and assessment of risks that could hinder their achievement. This component emphasizes the need for well-defined objectives to serve as a basis for risk management activities.
### 2.3 Event identification
Event identification involves systematically identifying potential events that could affect the entity's objectives. This includes considering a broad range of internal and external factors that might have a positive or negative impact.
### 2.4 Risk assessment
Risk assessment involves evaluating identified risks based on their likelihood of occurrence and their potential impact on the organization's objectives. This process helps prioritize risks, allowing management to focus resources on those with the greatest potential to affect the achievement of objectives.
#### 2.4.1 Assessing fraud risks
A key aspect of risk assessment is the consideration of the potential for fraud. Organizations must perform comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks. This includes establishing and communicating a Fraud Risk Management Program that demonstrates the commitment of the board of directors and senior management to high integrity and ethical values concerning fraud risk management.
#### 2.4.2 Assessing changes
Organizations must also identify and assess changes that could significantly impact the system of internal control. This proactive approach ensures that the ERM framework remains responsive to evolving internal and external environments.
> **Tip:** When assessing risks, consider both inherent risk (the risk in the absence of controls) and residual risk (the risk remaining after controls are implemented). The goal of ERM is to reduce residual risk to an acceptable level.
#### 2.4.3 Likelihood and impact matrix
A common tool for risk assessment is a likelihood and impact matrix, which visually represents risks based on their probability of occurrence and the severity of their consequences.
> **Example:** A matrix might categorize likelihood as "Almost certain," "Likely," "Moderate," "Unlikely," and "Rare," while impact could range from "Insignificant" to "Catastrophic." Risks falling into the "Extreme" or "High" categories typically require more robust management attention.
The document provides an example of such a matrix with qualitative descriptions for likelihood (e.g., ">90% chance" for "Almost certain") and impact (ranging from "Minor problem easily handled by normal day-to-day processes" to "Business survival is at risk; damage equal to 25 million dollars"). It also shows a corresponding risk heat map with categories "Low," "Medium," "High," and "Very High" on both the probability axis and the severity axis, leading to risk levels that dictate management action.
### 2.5 Risk response
Risk response involves evaluating and selecting appropriate strategies to manage identified risks. These responses aim to reduce the likelihood or impact of negative events, or to capitalize on opportunities.
> **Tip:** Common risk responses include risk avoidance, reduction, sharing, and acceptance. The chosen response should align with the organization's risk appetite and the cost-benefit analysis of the mitigation strategy.
### 2.6 Control activities
Control activities are the policies and procedures that help ensure management directives are carried out and that risks are mitigated to acceptable levels. These activities can be preventive (designed to stop an unwanted event from occurring) or detective (designed to identify an unwanted event once it has occurred).
#### 2.6.1 General IT controls
General control activities over technology are essential to support the achievement of objectives, ensuring the reliability and integrity of information systems.
#### 2.6.2 Deployment of controls
Control activities are deployed through policies that establish expectations and procedures that put those policies into action.
> **Example:** A policy might state that all purchase orders require authorization. The procedure would detail who can authorize them, the thresholds for different levels of authorization, and the documentation required.
### 2.7 Information and communication
Effective information and communication are vital for ERM. This component ensures that relevant, quality information is obtained, generated, and used to support the functioning of other ERM components. Internally, information about objectives and responsibilities for internal control must be communicated to support the ERM framework. Externally, communication regarding matters affecting ERM is also essential.
### 2.8 Monitoring activities
Monitoring activities involve ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning as intended. Deficiencies in internal control are then evaluated and communicated in a timely manner to those responsible for taking corrective action, including senior management and the board of directors.
> **Tip:** Continuous monitoring can be integrated into regular operational activities, while separate evaluations might include internal audits or periodic assessments.
### 2.9 Three lines of defense model
The document also references the "Three Lines of Defense Model" for internal control, which structures responsibilities for risk management and oversight. This model typically involves:
* **First Line of Defense:** Operational management who own and manage risks.
* **Second Line of Defense:** Functions that oversee risk, such as risk management, compliance, and finance.
* **Third Line of Defense:** Internal Audit, which provides independent assurance.
The Governing Body/Board/Audit Committee and Senior Management are positioned at the highest level of oversight, guiding and directing the three lines of defense.
---
# Fraud risk management
This topic focuses on establishing and operating a robust program to manage fraud risks within an organization.
### 3.1 Establishing a fraud risk management program
An effective fraud risk management program demonstrates a commitment from the board of directors and senior management to high integrity and ethical values concerning fraud risk. This commitment sets the tone for the entire organization.
### 3.2 Conducting fraud risk assessments
Organizations must perform comprehensive fraud risk assessments. This involves:
* **Identifying specific fraud schemes and risks:** Understanding the various ways fraud could occur.
* **Assessing likelihood and significance:** Evaluating how probable each fraud scheme is and its potential impact.
* **Evaluating existing fraud control activities:** Reviewing current measures in place to prevent or detect fraud.
* **Implementing actions to mitigate residual fraud risks:** Taking steps to address any remaining risks after current controls are considered.
### 3.3 Implementing fraud control activities
Once risks are assessed, organizations need to select, develop, and deploy specific control activities. These controls are designed to:
* **Prevent fraud events from occurring:** These are preventive controls.
* **Detect fraud events in a timely manner:** These are detective controls.
### 3.4 Communication and investigation processes
A crucial element of fraud risk management is establishing a clear communication process. This process should:
* **Facilitate the reporting of potential fraud:** Providing channels for employees and others to report suspicious activities.
* **Deploy a coordinated approach to investigation:** Outlining how suspected fraud will be investigated thoroughly.
* **Implement corrective action:** Defining how to address confirmed fraud appropriately and in a timely manner.
### 3.5 Monitoring fraud risk management
Just like other internal control components, the fraud risk management program requires ongoing evaluation. Organizations must:
* **Perform ongoing evaluations:** Regularly assess whether the five principles of fraud risk management are present and functioning effectively.
* **Communicate deficiencies:** Report any identified weaknesses or deficiencies in the Fraud Risk Management Program to responsible parties, including senior management and the board of directors, in a timely manner.
#### 3.5.1 Principles of fraud risk management
The document implies five core principles for fraud risk management:
1. Commitment to integrity and ethical values regarding fraud risk.
2. Performance of comprehensive fraud risk assessments.
3. Selection, development, and deployment of preventive and detective fraud control activities.
4. Establishment of a communication process for potential fraud and a coordinated approach to investigation and corrective action.
5. Ongoing evaluation of the fraud risk management program's presence and functioning.
#### 3.5.2 The fraud triangle
The document references the "Fraud Triangle," which outlines three conditions often present when fraud occurs:
* **Opportunity:** A perceived chance to commit fraud.
* **Pressure:** A perceived need or incentive to commit fraud.
* **Rationalization:** The ability to justify the fraudulent behavior.
> **Tip:** Understanding the fraud triangle helps in identifying and assessing fraud risks, as it provides insight into the motivations and circumstances that can lead to fraudulent activity.
#### 3.5.3 Risk assessment matrix (Likelihood and Consequences)
A common tool for evaluating risks is a matrix that combines the likelihood of an event occurring with its potential consequences (impact). The document provides examples of scales for both:
* **Likelihood:**
* Almost certain (e.g., >90% chance)
* Likely (e.g., between 50% and 90% chance)
* Moderate (e.g., between 10% and 50% chance)
* Unlikely (e.g., between 3% and 10% chance)
* Rare (e.g., < 3% chance)
* **Consequences:**
* Insignificant (Minor problem easily handled by normal day-to-day processes)
* Minor (Some disruption possible, e.g., financial damage equal to 500,000 dollars)
* Moderate (Significant time/resources required, e.g., financial damage equal to 1 million dollars)
* Major (Operations severely damaged, e.g., financial damage equal to 10 million dollars)
* Catastrophic (Business survival is at risk, e.g., financial damage equal to 25 million dollars)
This matrix can be used to map risks into categories such as "Low," "Moderate," "High," and "Extreme," guiding management's attention and required actions.
#### 3.5.4 Risk management actions based on impact
Based on the assessed impact of risks, organizations can categorize required management actions:
* **Significant Impact:** Requires management and monitoring of risks. Examples include financial loss exceeding 5 million dollars, stakeholder faith impacted for more than 18 months, isolated or multiple loss of life, complete system crash with loss of critical data.
* **Considerable Management Required:** Extensive management is essential. Examples include financial loss less than 5 million dollars, stakeholder faith impacted for 6-12 months, significant injury, system crash during a peak period.
* **Moderate Impact:** Management effort is required. Examples include financial loss less than 500,000 dollars, stakeholder faith impacted for less than 6 months, isolated injury, system off-line periodically during non-peak periods.
* **Minor Impact:** Risks may be worth accepting with monitoring.
#### 3.5.5 Heat map for risk and control planning
A heat map is a visual tool that displays risks based on their severity (impact) and probability (likelihood). This visualization helps prioritize risks and understand the overall risk landscape. The output often includes a legend indicating different risk levels (e.g., "Low," "Medium," "High," "Very High"). For each identified risk, a plan and actual control measures can be outlined.
#### 3.5.6 Three lines of defense model
The three lines of defense model provides a framework for managing risks and controls:
* **First Line of Defense:** Operational management responsible for identifying, assessing, managing, and mitigating risks within their day-to-day activities. This includes financial control, security management, and internal control measures.
* **Second Line of Defense:** Functions that oversee risk management and compliance. This typically includes risk management, compliance, and quality assurance departments.
* **Third Line of Defense:** Independent assurance over the effectiveness of risk management and internal control. This is usually the internal audit function, which provides objective assurance to the governing body and senior management.
The governing body, board, or audit committee provides oversight for all three lines of defense.
> **Tip:** The three lines of defense model promotes a culture of risk awareness and accountability throughout the organization, ensuring that risk management is integrated into all levels of operation.
---
# Risk assessment and impact analysis
Risk assessment and impact analysis is a critical component of enterprise risk management, focusing on evaluating the potential for risks to materialize and the severity of their consequences.
### 4.1 The risk assessment process
Risk assessment involves identifying risks to the achievement of objectives and analyzing these risks as a basis for determining how they should be managed. This process considers the potential for fraud and assesses changes that could significantly impact the system of internal control.
#### 4.1.1 Identifying and analyzing risks
The organization identifies risks across the entity and analyzes them based on their likelihood and impact.
* **Likelihood:** This refers to the probability of a risk event occurring. It can be categorized using terms such as:
* Almost certain (e.g., greater than 90% chance)
* Likely (e.g., between 50% and 90% chance)
* Moderate (e.g., between 10% and 50% chance)
* Unlikely (e.g., between 3% and 10% chance)
* Rare (e.g., less than 3% chance)
* **Impact (Consequences):** This refers to the severity of the outcome if the risk event occurs. It can be categorized as:
* Insignificant (Minor problem easily handled by normal day-to-day processes)
* Minor (Some disruption possible, e.g., damage equal to 500,000 dollars)
* Moderate (Significant time/resources required, e.g., damage equal to 1 million dollars)
* Major (Operations severely damaged, e.g., damage equal to 10 million dollars)
* Catastrophic (Business survival is at risk, e.g., damage equal to 25 million dollars)
#### 4.1.2 Fraud risk assessment
A specific focus within risk assessment is the evaluation of fraud risks. Organizations perform comprehensive fraud risk assessments to:
* Identify specific fraud schemes and risks.
* Assess their likelihood and significance.
* Evaluate existing fraud control activities.
* Implement actions to mitigate residual fraud risks.
> **Tip:** A thorough fraud risk assessment should consider the "Fraud Triangle," which includes Opportunity, Pressure, and Rationalization as key drivers for fraudulent behavior.
### 4.2 Evaluating risk responses
Following the assessment of risks, the organization evaluates possible responses to these risks. This step is crucial in determining how to manage identified risks effectively.
> **Tip:** The goal of risk response is to reduce the risk to an acceptable level, considering the costs and benefits of implementing controls.
### 4.3 Tools for risk assessment: Heat maps
A common tool used for visualizing and prioritizing risks is a heat map. Heat maps combine the likelihood and impact of risks to provide a visual representation of their severity.
#### 4.3.1 Components of a heat map
A typical heat map displays risks on a grid where one axis represents likelihood and the other represents impact. Risks are often color-coded to indicate their severity level (e.g., low, medium, high, extreme).
#### 4.3.2 Interpreting a heat map
By plotting risks on a heat map, organizations can easily identify:
* **High-priority risks:** Those falling in the "extreme" or "high" categories, requiring immediate attention and robust management actions.
* **Moderate risks:** Those requiring careful monitoring and management.
* **Low risks:** Those that may be accepted with minimal oversight.
##### 4.3.2.1 Risk management actions based on severity
The level of management intervention is determined by the risk's severity:
* **Significant/High Impact:** Requires extensive management and monitoring. This includes managing financial losses above 5 million dollars, significant stakeholder faith impact lasting over 18 months, isolated or multiple loss of life, multiple instances of fines/fraud/legal action, complete system crashes with critical data loss, or inability to recruit/retain staff.
* **Considerable Management Required/Moderate Impact:** Requires dedicated management and monitoring. This might involve financial losses below 5 million dollars, stakeholder faith impact lasting 6-12 months, significant injury, isolated incidents of fines/fraud/legal action, system crashes during peak periods, or difficulties in recruiting/retaining staff.
* **Moderate Impact:** Management effort is worthwhile. This includes financial losses below 500,000 dollars, stakeholder faith impact lasting less than 6 months, isolated injuries, threatened civil or criminal action, or periodic system downtime during non-peak periods.
* **Minor/Low Impact:** Risks may be worth accepting with monitoring.
##### 4.3.2.2 Example of a heat map entry
A heat map might show a risk such as "Unauthorized or incorrect changes are made to the vendor master file" as a "High" risk, requiring specific control activities.
> **Example:** A heat map might visually represent the risk of "Unauthorized access granted to individuals" as falling into the "Extreme" impact category with "Likely" likelihood, thus demanding the highest level of risk mitigation strategies.
### 4.4 Risk and control plans
Risk assessment informs the development of risk and control plans. This involves identifying specific risks, assessing their severity, and then defining and implementing controls to mitigate them.
#### 4.4.1 Inherent risk versus residual risk
* **Inherent Risk:** The risk that exists before any controls are implemented.
* **Residual Risk:** The risk that remains after controls have been implemented and are operating effectively.
> **Tip:** The ultimate goal of risk assessment and control implementation is to reduce inherent risk to an acceptable level of residual risk.
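As an added worked example (not code from the course document), the likelihood and consequence scales of 4.1.1, the heat-map categories of 4.3, and the inherent-versus-residual distinction of 4.4.1 are combined into a small Python risk-register scorer. The document gives the band thresholds and the rating names but not the cell-by-cell grid, so the 5x5 `RATING_GRID`, the treatment of each dollar anchor as a band's lower bound, and the per-control reduction factors are assumptions; the sample register is constructed, with two risk names taken from section 4.3.2.2.

```python
"""Risk-register scorer on the course's likelihood x consequence scales.

Added example, not part of the course document. Band thresholds follow the
scales quoted in section 4.1.1; the rating grid and control reduction
factors are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RATINGS = ["Low", "Moderate", "High", "Extreme"]  # ascending severity

# Assumed cell assignment: rows are likelihood bands, columns consequence bands.
RATING_GRID = [
    ["Low",      "Low",      "Low",      "Moderate", "High"],     # Rare
    ["Low",      "Low",      "Moderate", "High",     "High"],     # Unlikely
    ["Low",      "Moderate", "High",     "High",     "Extreme"],  # Moderate
    ["Moderate", "High",     "High",     "Extreme",  "Extreme"],  # Likely
    ["Moderate", "High",     "Extreme",  "Extreme",  "Extreme"],  # Almost certain
]

# Management action per rating, paraphrasing section 4.3.2.
ACTIONS = {
    "Extreme": "immediate attention and robust management action",
    "High": "immediate attention and robust management action",
    "Moderate": "careful monitoring and management",
    "Low": "accept with minimal oversight",
}


def likelihood_band(probability: float) -> int:
    """Index into LIKELIHOOD: <3% Rare, 3-10% Unlikely, 10-50% Moderate,
    50-90% Likely, >90% Almost certain. A value on a boundary takes the
    higher band, except that Almost certain needs strictly more than 90%."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if probability < 0.03:
        return 0
    if probability < 0.10:
        return 1
    if probability < 0.50:
        return 2
    if probability <= 0.90:
        return 3
    return 4


def consequence_band(loss_dollars: float) -> int:
    """Index into CONSEQUENCE. The document anchors the bands at 500,000,
    1 million, 10 million and 25 million dollars; using each anchor as the
    lower bound of its band is an assumption."""
    if loss_dollars < 0:
        raise ValueError("loss must be non-negative")
    return sum(1 for t in (500_000, 1_000_000, 10_000_000, 25_000_000) if loss_dollars >= t)


@dataclass
class Control:
    name: str
    likelihood_factor: float = 1.0  # multiplies probability; 1.0 = no effect
    impact_factor: float = 1.0      # multiplies loss; 1.0 = no effect


@dataclass
class Risk:
    name: str
    probability: float    # inherent probability of the event
    loss_dollars: float   # inherent financial consequence
    controls: List[Control] = field(default_factory=list)

    def residual(self) -> Tuple[float, float]:
        """Probability and loss after every control's reduction is applied."""
        p, loss = self.probability, self.loss_dollars
        for c in self.controls:
            if not (0.0 <= c.likelihood_factor <= 1.0 and 0.0 <= c.impact_factor <= 1.0):
                raise ValueError(f"control {c.name!r} needs factors in [0, 1]")
            p, loss = p * c.likelihood_factor, loss * c.impact_factor
        return p, loss


def describe(probability: float, loss_dollars: float) -> Tuple[str, str]:
    """Rating for a (probability, loss) pair plus a readable 'L x C = R' label."""
    li, ci = likelihood_band(probability), consequence_band(loss_dollars)
    rating = RATING_GRID[li][ci]
    return rating, f"{LIKELIHOOD[li]} x {CONSEQUENCE[ci]} = {rating}"


def assess(risk: Risk) -> Dict[str, str]:
    """Inherent and residual ratings and the action the residual rating calls for."""
    inherent, inherent_label = describe(risk.probability, risk.loss_dollars)
    residual, residual_label = describe(*risk.residual())
    return {"risk": risk.name, "inherent_rating": inherent, "inherent": inherent_label,
            "residual_rating": residual, "residual": residual_label,
            "action": ACTIONS[residual]}


def prioritize(risks: List[Risk]) -> List[Dict[str, str]]:
    """Register ordered by residual rating, most severe first."""
    return sorted((assess(r) for r in risks),
                  key=lambda a: RATINGS.index(a["residual_rating"]), reverse=True)


# Constructed sample register; factors are illustrative, not measured.
SAMPLE_REGISTER = [
    Risk("Unauthorized or incorrect changes are made to the vendor master file", 0.60, 2_000_000,
         [Control("Supervisor approval of vendor master changes", likelihood_factor=0.25),
          Control("Monthly reconciliation of vendor change report", impact_factor=0.40)]),
    Risk("Unauthorized access granted to individuals", 0.70, 30_000_000,
         [Control("Access request approval and quarterly recertification", likelihood_factor=0.20),
          Control("Least-privilege role design", impact_factor=0.30)]),
    Risk("Duplicate vendor invoice paid", 0.95, 200_000,
         [Control("System duplicate-invoice check", likelihood_factor=0.05)]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['risk']}\n  inherent: {row['inherent']}\n"
              f"  residual: {row['residual']}\n  action:   {row['action']}")
```

Running the script lists the three constructed risks with the vendor-access risk still rated High after controls, which is the kind of residual-risk view a heat map is meant to surface.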
#### 4.4.2 Control activities examples
Controls are developed to mitigate identified risks. Examples include:
* Requiring specific authorizations for transactions.
* Implementing system checks to prevent duplicate entries.
* Limiting access to sensitive data and functions.
* Processing financial transactions through integrated systems.
---
# Lines of defense model
The three lines of defense model provides a strategic framework for managing risks and controls within an organization by establishing distinct layers of oversight and assurance.
### 5.1 Overview of the model
The three lines of defense model categorizes organizational functions based on their roles in risk management and control assurance. It clarifies responsibilities, enhances coordination, and ensures that risks are managed effectively across different organizational levels.
The model typically involves:
* **The First Line of Defense:** These are the operational management and staff who own and manage risks. They are responsible for identifying, assessing, and controlling risks in their day-to-day activities.
* **The Second Line of Defense:** This line provides oversight and expertise in risk management and compliance. It includes functions such as risk management departments, compliance officers, and information security. They develop policies, provide guidance, and monitor the effectiveness of the first line's controls.
* **The Third Line of Defense:** This is the independent assurance function, typically internal audit. Its role is to provide objective assurance to the governing body and senior management on the effectiveness of the first and second lines of defense, as well as the overall governance, risk management, and control processes.
The model is supported by a strong **Governing Body / Board / Audit Committee** and **Senior Management** who are ultimately responsible for the organization's risk appetite and the effectiveness of the internal control framework.
> **Tip:** The effectiveness of the three lines of defense model relies heavily on clear communication, defined roles and responsibilities, and a strong ethical culture throughout the organization.
### 5.2 Key components and responsibilities
The model delineates specific responsibilities across different levels:
#### 5.2.1 Governing Body / Board / Audit Committee
* Establishes the entity's risk culture and commitment to integrity and ethical values.
* Exercises oversight of the development and performance of internal control.
* Ensures appropriate structures, reporting lines, authorities, and responsibilities are in place.
#### 5.2.2 Senior Management
* Sets enterprise risk objectives.
* Leads the implementation of risk management strategies.
* Ensures competent individuals are attracted, developed, and retained.
* Holds individuals accountable for their internal control responsibilities.
#### 5.2.3 First Line of Defense: Operational Management and Staff
* **Own and manage risks:** Directly responsible for identifying, assessing, and controlling risks within their operational areas.
* **Implement internal controls:** Establish and execute control activities as defined by policies and procedures.
* **Day-to-day risk management:** Integrate risk management into daily operations.
#### 5.2.4 Second Line of Defense: Risk Management, Compliance, Security, etc.
* **Oversight and expertise:** Provide specialized knowledge and guidance on risk management, compliance, and security.
* **Policy development:** Develop and refine risk management and control policies.
* **Monitoring and reporting:** Monitor the effectiveness of controls implemented by the first line and report on risk exposures.
* **Assistance in risk assessments:** Support management in conducting comprehensive risk assessments.
#### 5.2.5 Third Line of Defense: Internal Audit
* **Independent assurance:** Provides objective and independent assurance on the design and operating effectiveness of the entire risk management and internal control framework.
* **Evaluation of ERM program:** Assesses the effectiveness of the Enterprise Risk Management (ERM) program.
* **Communication of deficiencies:** Communicates internal control deficiencies to senior management and the board in a timely manner.
* **Follow-up on corrective actions:** Ensures that identified deficiencies are addressed.
### 5.3 Supporting functions and concepts
The three lines of defense model operates within a broader internal control framework, often referencing components from frameworks like COSO. Key supporting elements include:
* **Internal Environment:** Fosters a commitment to integrity, ethical values, and competence.
* **Objective Setting:** Clearly defines objectives to enable effective risk identification and assessment.
* **Event Identification:** Identifies potential events that could affect the achievement of objectives.
* **Risk Assessment:** Analyzes risks based on their likelihood and impact. This involves considering the potential for fraud and changes that could impact the control system.
* **Risk Response:** Evaluates and selects appropriate responses to identified risks.
* **Control Activities:** Designs and implements control activities (including general IT controls) through policies and procedures to mitigate risks.
* **Information & Communication:** Ensures relevant, quality information is obtained, generated, and communicated internally and externally to support internal control functioning.
* **Monitoring Activities:** Continuously evaluates the presence and functioning of internal control components through ongoing and separate evaluations.
> **Example:** In a financial institution, a loan officer (1st line) assesses a loan application. The credit risk department (2nd line) provides guidelines on credit assessment and monitors portfolio risk. Internal Audit (3rd line) periodically reviews the effectiveness of the loan approval process and credit policies.
### 5.4 Relationship with other concepts
* **Inherent Risk vs. Residual Risk:** The model helps manage the gap between inherent risk (risk before controls) and residual risk (risk after controls are applied).
* **Fraud Risk Management:** The three lines of defense are crucial for implementing and overseeing a Fraud Risk Management Program, which includes fraud risk assessments and the deployment of preventive and detective fraud control activities.
* **COSO Framework:** The principles and components of the three lines of defense model align with the objectives and components of widely accepted internal control frameworks like COSO (Committee of Sponsoring Organizations of the Treadway Commission).
The model, when effectively implemented, ensures that risk management is embedded throughout the organization, from strategic objectives down to daily operations, with appropriate levels of oversight and independent assurance.
---
## Common mistakes to avoid
- Review all topics thoroughly before exams
- Pay attention to formulas and key definitions
- Practice with examples provided in each section
- Don't memorize without understanding the underlying concepts
Glossary
| Term | Definition |
|------|------------|
| Internal Environment | This component establishes the tone of an organization, influencing the control consciousness of its people. It comprises the integrity and ethical values and the competence of the entity's people. It also includes the philosophy and operating style of management. |
| Objective Setting | This component involves the establishment of objectives in clear terms, enabling the identification of risks and risk responses relating to those objectives. It ensures that objectives are aligned with the entity's strategy and business model. |
| Event Identification | This process involves identifying potential events that may affect the entity's ability to achieve its objectives. These events can be internal or external and require consideration of their potential impact. |
| Risk Assessment | This involves a dynamic and iterative process for identifying and analyzing risks to the achievement of objectives across the entity. It includes assessing the likelihood and impact of identified risks. |
| Risk Response | This component involves the selection and development of appropriate responses to risks, which may include risk avoidance, reduction, sharing, or acceptance. The response should align with the entity's risk appetite. |
| Control Activities | These are the policies and procedures that help ensure management directives are carried out. They are designed to help mitigate risks to acceptable levels and include actions such as authorization, reconciliation, and segregation of duties. |
| Information & Communication | This component involves the identification, capture, and exchange of information in a form and timeframe that enable people to carry out their responsibilities. Effective communication is crucial for the functioning of internal control. |
| Monitoring Activities | These are processes used to assess the quality of internal control performance over time. Ongoing evaluations and separate evaluations are conducted to determine if controls are present and functioning effectively. |
| Enterprise Risk Management (ERM) | ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite. |
| Control Environment | This refers to the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization's activities. It includes the commitment to integrity and ethical values, and the oversight by the board of directors. |
| Fraud Risk Management Program | A program designed to identify, assess, and manage the risks of fraud. It demonstrates the commitment of senior management and the board to high integrity and ethical values regarding fraud risk. |
| Residual Risk | The risk remaining after risk control measures have been implemented. It is the level of risk an entity is exposed to after considering the effectiveness of its controls. |
| Inherent Risk | The risk to an entity in the absence of any controls. It represents the gross risk that exists before any management action is taken to alter the risk's trajectory. |
| Likelihood | The probability or chance that a particular risk event will occur. It is often categorized qualitatively (e.g., rare, unlikely, moderate, likely, almost certain) or quantitatively. |
| Consequences (Impact) | The effect or outcome of a risk event if it occurs. It can be measured in terms of financial loss, reputational damage, operational disruption, or other significant factors. |
| Heat map | A visual tool used in risk management to represent the relative significance of risks by plotting likelihood against impact. It helps prioritize risks based on their severity. |
| Three Lines of Defense Model | A framework that delineates three distinct levels within an organization responsible for managing and overseeing risks: the operational management (1st line), risk management and compliance functions (2nd line), and internal audit (3rd line). |