Like football teams, all organizations have a head coach (the CEO) and an owner (the Board) who set the broad strategy. The head coach then hires an offensive coordinator (COO) and a defensive coordinator (CRO), who are expected to execute on the head coach and owner’s objectives. They do so by hiring specific position coaches like the quarterback coach, offensive line coach, linebacker coach, and so on. Just like line-of-business leaders, these position coaches are responsible for the tactical execution of the offensive and defensive coordinators’ plan.
Along with a hierarchy, every organization has a playbook. In football, the position coaches are responsible for putting together plays to accomplish their specific mission. In a business, these plays are policies and procedures, and in this case, the mission is to identify and mitigate risk. The position coaches teach their direct reports all of the plays, and then expect them to execute on those plays. For the defensive players, executing plays means blocking, tackling, and running interceptions to stop the ball from crossing the goal line. This, essentially, is what a business’s defense does when it works to stop a risk event from getting past its safeguards and being discovered by external assessors such as investors, regulatory agencies, and rating agencies. But not all eleven defensive players on the field are alike — let’s take a closer look at the characteristics and responsibilities of the three lines of defense.
In a typical football defense structure, the first line of defense consists of five defensive linemen who are there primarily to block and tackle. This front line has a lot of people who work to prevent a touchdown either by proactively thwarting a play by running a blitz, or by stopping the ball at the line of scrimmage. But these guys are so tied up dealing with their normal activity—wrestling with the offensive linemen—that they perform their plays without getting a good look at where the ball is going. If the quarterback pulls a fake play or calls an audible to change the play call at the line of scrimmage, the ball will probably get by the linemen.
In an organization, business operations make up the first line of defense. These business leaders and day-to-day employees are responsible for creating policies and procedures, identifying risks, and making sure there are controls in place. However, they are so close to the action that they don’t have a view of the larger risk context. Like a trick play getting past the linemen, an unexpected risk or change in risk conditions might make it past the business operations line of defense.
The second line of defense includes two linebackers and two cornerbacks. These four players are positioned behind the linemen, so they have a broader field of view. They can see a play develop, and can either proactively tell the first line of defense to modify their play or react to attempt to capture the ball themselves.
In a company, the second line of defense may be the legal team, third-party oversight, accounting, the risk management team, or another business support function. As in football, this line of defense is important because they have a wider field of view of risk. In a real-life example, the CRO may become aware of a new potential cyber attack. He can proactively tell the IT team (the first line of defense) to change their procedures to guard against the new risk. In another scenario, an issue may be brought to light by accounting when a flux analysis suggests the company didn’t meet expected numbers, and the root cause is that a process is broken. In this case, accounting can take action themselves to “break up the play” and prevent the risk event.
The third and final line of defense consists of two safeties who line up behind all the other players as the last option to stop a play if it gets past the first two lines of defense. A safety is fast, agile, and nimble, and has the biggest field of view in the entire organization. The safety can see the quarterback call an audible, and can proactively tell the first or second lines of defense to change their approach. Or, the safety can run an interception himself to catch the ball before it makes it into the end zone for a touchdown.
Internal audit is this nimble third line of defense. We have the broadest view of organizational risk, but we also have the most ground to cover because there are few of us and the field is huge. Internal audit is here to help the other lines mitigate risk and to be the last line of defense that catches a risk event before it crosses the line to be detected by external assessors. We have to be smart and analytical people who create effective audit plans, but we must also be agile enough to constantly adjust our coverage to protect the organization from emerging risks. Forming a crucial final line of defense, internal audit works with business operations and business support functions in a successful compliance risk management system.
The next time someone demonstrates some misconceptions about internal audit, use the three lines of defense to set them straight. Internal auditors aren’t just looking for a “gotcha” moment. Internal audit isn’t the only department guarding against risk. Internal audit shouldn’t just be performing the same old boilerplate audits year over year. Instead, internal audit is the final line of defense with the broadest view of organizational risk and the agility to react to emerging conditions to prevent a risk event — just like a safety intercepting the football before it can make it into the end zone. When you’re ready to take your organization’s risk management game to the next level, get a free demo of AuditBoard’s integrated Risk Management Software, RiskOversight.