Many organizations have implemented a three lines of defense model in which each line performs risk monitoring and testing activities. As described in The IIA's Position Paper: The Three Lines of Defense in Effective Risk Management and Control, front-line unit management is the first line of defense, risk and compliance functions are the second line of defense, and internal audit is the third line of defense. In many cases those monitoring and testing activities overlap, which causes audit fatigue in the business units and takes time away from serving customers. In other cases there are gaps in coverage that expose the organization to unnecessary risk.
Each line of defense has its own monitoring and oversight responsibilities, but in many cases there are areas where the testing activities to achieve these responsibilities overlap. In these instances, organizations can benefit from ensuring each line of defense coordinates with the others to avoid performing duplicate testing or monitoring activities. Coordinating the three lines of defense can minimize audit fatigue and maximize efficiency.
If the testing or monitoring activities performed by the first line are well-designed and executed, the second and third lines can validate and rely on what the first line does. Similarly, if the testing performed by the second line is well-designed and executed, the third line can validate and rely on the second-line testing. Benefits an organization can realize from ensuring its three lines of defense are well-coordinated include greater efficiency, cost savings, alignment with best practices, enhanced productivity, improved consistency and quality, standardized testing methodologies, and leveraging the "right" skills for specific products or lines of business. Moreover, all three lines can use software to automate the monitoring and testing of key controls and risks.
Organizations also need to be aware of challenges they may encounter when coordinating testing across the three lines. Bringing together people with the right skills, providing necessary training, and identifying technical solutions are challenges, as is ensuring the process has appropriate quality controls. Another challenge is ensuring the appropriate service-level agreements are in place so each group is clear about its roles and responsibilities, particularly with respect to a centralized testing unit.
Coordination among the three lines of defense should enable the organization to design testing activities so that controls can be tested once and relied on by other groups to meet various regulatory requirements and needs. Organizations can leverage a shared service model to perform testing activities based on detailed test scripts. A centralized testing approach needs to reflect the roles, responsibilities, and accountabilities for each line of defense.
The "Centralized Testing Model" (see right) can be used as a framework to implement more effective testing activities. Subject matter experts in each line of defense would be responsible for the more complex activities and designing the test scripts. Centralized testing groups would be responsible for conducting the detailed testing in accordance with the test scripts designed by the subject matter experts.
This model emphasizes communication, collaboration, and reliance among all three lines of defense. Organizations also should consider automating testing as much as possible and providing integrated reporting of test results. Senior management should receive consistent reporting regarding the strength of the control environment.
When considering a centralized testing model, maintaining the independence of the third line of defense is critical. Depending on the organization's structure, it may make sense to have one testing team for the first two lines, as depicted in the model, and a separate team for internal audit.
Finally, cultural maturity should be considered because organizations with more mature cultures tend to have better collaboration among business units, be proactive rather than reactive, think more strategically, and have increased consistency.
An incremental approach to implementing centralized testing across the three lines of defense may allow the organization to see benefits more quickly. Standardizing processes can lead to lower organizational costs and greater predictability.
Starting with cross-functional areas, such as third-party risk, complaint handling, credit quality, payment systems, or data quality, can yield quick wins and demonstrate the value of a centralized testing function. As the approach is implemented in the various risk domains, it is important to use a consistent methodology. The "Three Lines Implementation Methodology" (see below) can be applied to any risk domain to evaluate testing across the three lines of defense. This evaluation can identify areas where testing can be streamlined and made more efficient, as well as reveal any gaps in testing.
The first step is to develop and document the risk framework based on regulatory requirements and guidance, as well as best practices. From there, the testing performed in each line of defense can be mapped to the risk framework, which can enable the organization to identify gaps and overlaps in testing.
Once the gaps are identified, the organization can determine where the testing should take place and implement the appropriate testing or monitoring. In addition, the analysis will show areas where multiple lines of defense are performing testing or monitoring activities. These are areas where the organization can focus to optimize testing and improve efficiencies to minimize audit fatigue. The organization should analyze whether testing conducted by the first or second line can be refined so it can be relied on by the second or third line of defense. Using a consistent methodology can help ensure the implementation process is repeatable.
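The mapping step described in the methodology above, expressed as a small coverage analysis, is added here as an example; it is not code from the article or from any organization's program. Given a documented risk framework (control IDs and descriptions) and an inventory of tests, each tagged with the line of defense that performs it and the controls it covers, it reports controls no line tests (gaps), controls tested by more than one line (overlaps, with the lowest performing line and the higher lines that could validate and rely on it), controls tested by a single line, and tests that reference controls missing from the framework (a common sign the framework is stale). All control IDs, test IDs and descriptions are constructed sample data.

```python
"""Control-coverage analysis across the three lines of defense.

Added example, not part of the original article. Control IDs, test IDs and
descriptions below are constructed sample data for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Test:
    test_id: str
    line: int             # 1 = business unit, 2 = risk/compliance, 3 = internal audit
    controls: frozenset   # control IDs from the risk framework this test covers
    automated: bool = False


# Constructed risk framework: control ID -> description (hypothetical)
RISK_FRAMEWORK = {
    "TPR-01": "Third-party due diligence completed before onboarding",
    "TPR-02": "Annual third-party risk reassessment",
    "CMP-01": "Complaints logged and acknowledged within SLA",
    "CMP-02": "Complaint root-cause analysis for repeat issues",
    "PAY-01": "Dual authorization on outbound wire payments",
    "DQ-01":  "Daily reconciliation of customer master data",
}

# Constructed test inventory, as each line would document it
TESTS = [
    Test("L1-TPR-DD",  1, frozenset({"TPR-01"})),
    Test("L2-TPR-REV", 2, frozenset({"TPR-01", "TPR-02"})),
    Test("L3-TPR-AUD", 3, frozenset({"TPR-01"})),
    Test("L1-CMP-SLA", 1, frozenset({"CMP-01"}), automated=True),
    Test("L2-CMP-MON", 2, frozenset({"CMP-01"}), automated=True),
    Test("L3-PAY-AUD", 3, frozenset({"PAY-01"})),
    Test("L2-OLD",     2, frozenset({"LEGACY-99"})),  # references a retired control
    # note: no line tests CMP-02 or DQ-01
]


def analyze(framework, tests):
    """Map every test to the framework and classify each control's coverage.

    Returns a dict with:
      gaps         - sorted control IDs that no line tests
      overlaps     - control ID -> {performing_line, relying_lines, tests}
      single       - control ID -> the one line that tests it
      orphan_tests - (test_id, control_id) pairs referencing unknown controls
    """
    matrix = {cid: {} for cid in framework}   # cid -> {line: [test_ids]}
    orphan_tests = []
    for t in tests:
        for cid in sorted(t.controls):
            if cid not in matrix:
                orphan_tests.append((t.test_id, cid))
                continue
            matrix[cid].setdefault(t.line, []).append(t.test_id)

    report = {"gaps": [], "overlaps": {}, "single": {}, "orphan_tests": orphan_tests}
    for cid, lines in matrix.items():
        if not lines:
            report["gaps"].append(cid)
        elif len(lines) == 1:
            (line,) = lines
            report["single"][cid] = line
        else:
            # The lowest line keeps performing the test; higher lines are
            # candidates to validate its design and rely on its results.
            lowest = min(lines)
            report["overlaps"][cid] = {
                "performing_line": lowest,
                "relying_lines": sorted(l for l in lines if l > lowest),
                "tests": {l: sorted(ids) for l, ids in lines.items()},
            }
    report["gaps"].sort()
    return report


if __name__ == "__main__":
    r = analyze(RISK_FRAMEWORK, TESTS)
    print("Gaps (no line tests):", r["gaps"])
    for cid, info in r["overlaps"].items():
        print(f"Overlap {cid}: line {info['performing_line']} performs, "
              f"lines {info['relying_lines']} could rely")
    print("Single-line coverage:", r["single"])
    print("Tests referencing unknown controls:", r["orphan_tests"])
```

Overlap entries are the candidates for refinement and reliance; single-line entries where that line is 3 deserve a second look, because internal audit is then the only group testing a key control and the business has no monitoring of its own. Orphan tests indicate either a retired control still being tested or a framework that has not been updated, and should be resolved before the coverage numbers are reported to management.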
Best Testing Practices
Organizations that are thinking about implementing a centralized testing model should leverage lessons learned by others who have gone down this path. Some of the leading practices for coordinating or centralizing testing in the three lines of defense include:
- Use subject-matter experts to support risk identification, assessment of control design, and development of test scripts.
- Leverage automation through continuous monitoring routines that run regularly.
- Use advanced data analytics to identify patterns and trends.
- Empower small, nimble teams with advanced testing capabilities and tools to perform targeted reviews in high-risk areas in off-cycle periods.
- Coordinate acquisition of data among the three lines of defense to reduce the impact on internal resources within the business lines.
- Leverage the organization's offshore resources to perform routine, high-volume testing, subject to appropriate oversight.
- Leverage contingent staff and consultants to supplement the testing staff when special reviews or seasonal spikes demand increased testing efforts.
Although adopting these practices to coordinate testing activities across the three lines of defense may take considerable effort, they may yield great rewards. This effort can help the organization validate that key controls are being tested and streamline testing across the three lines. Such gains can reduce audit fatigue on the front-line units so they can focus on serving customers and improve efficiencies in second- and third-line units. This can allow internal audit to provide broader, more in-depth, and complete coverage of risks and controls.