
THREE LINES OF DEFENSE & ASSURANCE MAPPING IIA Ottawa April 8, - PowerPoint PPT Presentation



  1. THREE LINES OF DEFENSE & ASSURANCE MAPPING IIA Ottawa April 8, 2015 Sharon M. Messerschmidt, CPA, CMA, CIA

  2. Outline
     - This presentation will bring together:
       - Three Lines of Defense: A tool for dialogue and understanding
       - Assurance Mapping: A complete view of organizational assurance
     - Opportunity to share knowledge:
       - How the two were used together successfully in the international public sector
       - Lessons for the Canadian public sector

  3. Why Three Lines of Defense?
     - Financial Crisis
       - Something went wrong with risk management…
     - Proliferation of Assurance Providers
       - Means to identify and assign responsibilities
     - Defines Management’s Role in Assurance
       - Clarifies responsibilities
     - Three Lines of Defense as a dialogue on assurance
       - Opportunity for organizational learning

  4. IIA’s Position Paper
     - Useful and frequently quoted publication
     - Internal Audit’s role in the Three Lines of Defense

  5. Line 1: Operational Management
     - Management’s responsibility
       - Within a defined area; risks are owned
       - To manage risk to achieve objectives through effective control systems
     - This includes:
       - Design and implementation of policies, procedures, systems and controls
       - Managerial and supervisory review

  6. Line 2: Management Oversight
     - Ensure first line controls are properly designed, in place and operating as intended
     - Typically include:
       - Enterprise Risk Management
       - Internal Control Assurance Processes (COSO/SOX)
       - Controllership for Financial Risks and Reporting
       - Others…

  7. Line 2: Management Oversight
     Many 2nd lines will be unique by organization:
     - Oversight over regional or field based operations
     - Program Audits of grants and contributions
     - Payment gating and sampling reviews
     - Specialized or Regulated Quality Control functions
     - Management oversight committees (IT, HR, Program)

  8. Line 2 Management Oversight
     Features of 2nd Line assurance processes:
     - Separate from first line chain of command
     - Reliance is placed on this oversight
     - Are not completely independent…still management
     - There won’t always be a second line…
     - Wide variance in degree of maturity of oversight provided.

  9. Line 3: Independent Oversight
     - Internal Audit is the focal or coordination point
     - There may be others…
       - Independent Evaluation
       - External Audit in some cases
       - Ethics, Investigations, Whistleblower etc.
     - Key is independence and reporting lines
       - Must report internally to governing body
     - Recognized professional standards

  10. IIA’s Three Lines of Defense Model

  11. Model with Advisory Audit Committee:

  12. Why Assurance Maps?
      Assists understanding of assurance processes:
      - Provides a visual and informative summary for governing bodies and senior executive
      - Categorizes and assesses assurance processes
      - Identifies gaps and overlaps in assurance
      - Promotes collaboration and opportunities for reliance on other assurance providers

  13. Assurance Maps Key Elements
      - Quantitative: requires a framework to support identification of assurances:
        - For Risk Management - key corporate risks
        - For Internal Audit - Audit Universe, Business Process, Functional Areas…
      - Qualitative: requires a means to assess the strength of the assurances provided
        - Simple (R-Y-G)
        - Maturity Model/COSO elements

  14. Assurance Map – Text Based
      http://www.anao.gov.au/html/Files/BPG%20HTML/BPG_PublicSectorAuditCommittees/app_3.html

  15. Assurance Maps - Visual
      http://www.bakertilly.co.uk/SiteCollectionDocuments/Social housing/Assurance Web Presentation.pdf

  16. Assurance Map – By Functional Area

  17. Assurance Maps
      - Can be complicated…
      - Need to suit your purpose and your organization
      - Challenge to describe simply but with enough information to be useful.
      - Assessing the strength of the 2nd lines is important
        - Consider doing with management
        - A maturity model provides good structure

  18. COSO-based Maturity Template

  19. Step 1 - Do your Homework…
      - Consider your framework – how detailed?
      - Start to fill in what you know…1st and 2nd lines
        - Determine your approach (risk, function, process etc.)
      - You know a lot about the 3rd line…
        - What will you include?
        - To what extent can IA rely on this work?

  20. Step 2: Dialogue, Dialogue, Dialogue..
      - Meet with Management
        - Explain model and their role in assurance
        - Confirm mutual understanding of 2nd lines.
      - Do you want to assess the 2nd lines with management?
        - Is identification enough…
        - Maturity Model, options here…
        - Current and Future States

  21. Maturity Assessment by Function

  22. Step 3: Prepare and Share
      - How you will portray this will depend on your purpose…
        - Expectations of Senior Mgmt and Audit Committee
        - Culture and appetite of organization
      - Sharing is important, will help determine next steps
        - Will IA need to validate 2nd line effectiveness?
        - Impact on Audit Plan….

  23. Second Line Assessment by Function

  24. What you might learn…
      - There can be a lot of traffic in high risk areas…
        - What can IA use from 2nd and other 3rd line reviews
      - Importance of looking at “low risk” areas
        - Are there gaps? Are things as low risk as you think?
      - What 2nd lines does management rely on?
        - Have these been tested?
        - There can be a lot of value in auditing second lines...

  25. Detailed Assurance Map for IA

  26. Criticisms of the Model
      - As an ERM tool seen as promoting risk aversion
        - Should be a way of stating how risks will be taken…
        - As an audit tool is an aid in supporting risk assurance
      - Felt to not appropriately take into account external regulators and governing bodies
        - The “Five” Lines of Defense*…
        - Governance and Tone at the Top are considered in audit planning and risk assessments
      *Protiviti Bulletin

  27. When 2nd and 3rd Lines Intersect…
      - Can’t compromise the effectiveness of 3rd Line
      - Clearly communicate the impact and get approval
      - No management responsibility
      - Formalize in audit charter
      - Some roles may be temporary
      - Outsource audits in these areas
      - Ensure Duties are segregated.
      Source: IIA Netherlands White Paper

  28. Canadian Public Sector
      - ERM and ICFR are key second lines
        - Are there others?
      - What second lines are institutionalized?
        - Program audits, payment controls,
      - External Audits, Special Examinations
        - Audits directed to your department
      - Other Department and Agency Audits
        - Central Agency, Shared Services etc.

  29. Key Takeaways
      - Dialogue with management; enhance their understanding of their role in assurance
      - Mapping of all key assurance activities; opportunity to clarify roles and responsibilities
      - Understand the assurances that management relies on; identify gaps and overlaps in audit coverage
      - More complete audit universe and synergy with other assurance providers

  30. Three Lines of Defense and Assurance Mapping
      Sharon M. Messerschmidt, CPA, CMA, CIA
      sharon.messerschmidt@sympatico.ca
      +1 613 816 5777

  31. 2nd Line Maturity Model - Example

  32. Other Sources of Information
      - IIA Netherlands, Combining Internal Audit and Second Line of Defense Functions?, 2014 White Paper
      - HM Treasury, Assurance Frameworks, December 2012
      - IIA Audit Executive Center, Assurance Mapping – Charting the Course for Effective Risk Oversight, 2012
      - Protiviti, Applying the Five Lines of Defense in Managing Risk, The Bulletin, Volume 5 Issue 4, 2013
