Skip Ribbon Commands
Skip to main content
Global Institute of Internal AuditorsBreadcrumb SeparatorNewsBreadcrumb SeparatorNew White Paper Explains How to Leverage COSO Framework, 3 Lines of Defense

Best of Both Worlds

White paper explains how to leverage COSO framework, 3 Lines of Defense

VANCOUVER, B.C. (7 July 2015) — The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework has gained widespread acceptance as a tool to help organizations manage risks through effective internal controls.

The framework has gained near universal support since its introduction in 1992 and subsequent update in 2013 because it clearly outlines the components, principles and factors necessary for effective risk management. However, the framework has little to say about who should be responsible for specific duties it outlines.

A new whitepaper from COSO, released today at The IIA's 74th International Conference, offers one possible answer by turning to another tried and true model familiar to those who work with risk management.

In Leveraging COSO Across the Three Lines of Defense, authors Douglas J. Anderson and Gina Eubanks make a strong case for using the Three Lines of Defense Model, which addresses how specific duties related to risk and control should be assigned and coordinated.

“This white paper does more than just answer the question of where risk management duties and responsibilities should lie within an organization,” said Robert B. Hirth Jr., COSO chairman. “It effectively and eloquently breaks down those duties within the context of the COSO framework’s five components and 17 principles.”

The benefits of clearly defining responsibilities related to governance, risks, and control are that gaps in controls and duplication of duties related to risk and control are minimized.

Succinctly, The Three Lines of Defense model advocates for clearly defining responsibilities for three aspects of risk: risk ownership, risk monitoring, and risk assurance. Respectively, functions that own and manage risks are the first line. Various risk control and compliance functions that monitor risks are the second line. Internal audit, which provides independent assurance on the effectiveness of control and compliance functions, is the third line.

The new white paper breaks down each of the three lines and assigns the corresponding framework principles. For example, the first line of defense — primarily front-line and mid-line managers who have day-to-day ownership and management of risks and controls — is assigned the 12 COSO principles listed under risk assessment, control activities, information and communications, and monitoring.

Leveraging COSO Across the Three Lines of Defense is available for download at the COSO website.

About COSO

Originally formed in 1985, COSO is a voluntary private sector organization dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence. COSO is jointly sponsored by the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants, and The IIA.