The second line of defense involved in risk management includes both a risk management function and a compliance function. Both of these functions are established by management to help mitigate risk. According to the IIA, the risk management function helps to “facilitate and monitor the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization.” (IIA) The compliance function works to “monitor various specific risks such as noncompliance with applicable laws and regulations.” (IIA) Internal auditors can work directly with these two functions in many ways when conducting compliance risk assessments.
Internal auditors can work with the risk management function by analyzing and assessing the effectiveness of the risk management practices that management has put into place. By doing so, they can determine whether or not the practices are effective in preventing risk and in reporting adequate information throughout the organization. If a certain area of risk has not been covered by the risk management practices implemented by management, internal auditors can then ascertain that adequate risk-related information pertaining to that particular area has not been reported, and can note the area for testing in their compliance risk assessment.
Internal auditors can also work with the compliance function of the second line of defense while performing their compliance risk assessment. The compliance department will work with the internal auditors performing the compliance risk assessment to help determine where risks are located throughout the company and how management is addressing them. Using that information, the internal auditors will build testing procedures into their assessment based on the information gathered from the compliance department. The compliance department will have the most knowledge of which risks present the greatest danger to the company and will give the internal auditors the best and most reliable information available.
Working with both functions of the second line of defense makes the internal auditors’ job easier when it comes to performing the compliance risk assessment. The most helpful function is the compliance department; working together with them will yield the most useful information for the auditors. Utilizing information from both the risk management and compliance functions will create a more in-depth risk assessment and a better understanding of the risks that companies face.
The Three Lines of Defense in Effective Risk Management and Control