THE THREE LINES OF DEFENSE MODEL & CONTINUOUS CONTROLS MONITORING
DEFENSE IN DEPTH
AGENDA
• The Three Lines of Defense model
• Continuous Controls Monitoring (CCM)
• Case studies of CCM at each line of defense
THREE LINES OF DEFENSE MODEL
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
FIRST LINE OF DEFENSE
OPERATIONAL MANAGEMENT
• Own and manage risks
• Design and implement internal controls
• Responsible for maintaining effective controls
SECOND LINE OF DEFENSE
RISK MANAGEMENT & COMPLIANCE
• Help build and monitor first line of defense
• Ensure compliance with regulations
• Financial risks and reporting requirements
• Identify changes in risk appetite
THIRD LINE OF DEFENSE
INTERNAL AUDIT
• Provide senior management with assurance
• Monitor the effectiveness of the first and second lines of defense
• Independent
COORDINATING THE THREE LINES
First Line of Defense: Risk Owners/Managers
• Operating management
Second Line of Defense: Risk Control and Compliance
• Limited independence
• Reports primarily to management
Third Line of Defense: Risk Assurance
• Internal audit
• Greater independence
• Reports to governing body
VISION FOR CCM
• Know the state of any control in the business
• Resolve identified breaches before impact
• Provide an unparalleled ROI
THE IMPORTANCE OF MONITORING
COSO Guidance (effective controls systems must include monitoring)
ROLE OF CCM
• Independent monitoring of automated and partially automated controls
• Continuous detection of breaches
• Transparency in detection and remediation
• Address IT concerns
• Collaborative approach to timely remediation
EXAMPLE
Risk: Invoices may not be valid and/or properly authorized
Control Activity: Matching invoices to goods receipt
Owner: Category Management
Method: Partially automated
Type: Preventative
Frequency: Recurring
COSO Component: Control activities
PROPERTIES OF CCM TESTING
Frequency: Daily
Detect: Any non-compliance over and below the threshold
Assignment: Category Management
Deadline: Resolve same day
Evidence: Due diligence performed on those over the threshold and any other exceptions detected
Value: Ensure that control effectiveness is sustained at a high level
CCM AT EACH LINE OF DEFENSE
• Effectively monitor internal controls at the first and second lines of defense
• Allow the third line of defense to be confident in its assurance role
• Create a remediation process that minimizes the impact of a control breakdown
• Provide evidence of due diligence for external auditors and regulators
FIRST LINE OF DEFENSE
ENERSOURCE
• Canadian Energy Company since 1917
• Third largest in Ontario
• Over 200,000 residential and commercial customers
• Provides electrical infrastructure design, construction, operations support, and maintenance
REPUTATIONAL RISKS
FINANCIAL RISKS
VERIFICATION OF BILLS
• Reputational risk is the primary concern
• Was using an in-house MS Excel system to verify the accuracy of bills
• Upgraded to smart meters in 2009
• Challenges
• Took 5 hours to process a batch of bills
• Exceptions manually circulated by email
• Impossible to track resolution
• Labor intensive to make changes
THE CCM SOLUTION
• Independently calculate bills and identify inaccuracies
• Extract data from other sources—not just billing system
• Sent exceptions in XML format to bill print system for those bills not to be printed
• Engaged users in the Billing Department to resolve issues
• Validate corrections made in core systems
• Maintain history of exceptions and actions taken to resolve them
RESULTS
• Has not had a single public incident
• Accuracy of billing improved significantly
• Billing anomalies automatically distributed
• Bills verified in less than 5 minutes (not 5 hours)
• Bills sent out same day—improving cash flow
• Evidence retained for regulators/auditors
• Labor-intensive manual reviews were eliminated
SECOND LINE OF DEFENSE
CHRISTIE'S AUCTION HOUSE
• Founded in 1766 by James Christie
• 53 offices in 32 countries
• Prices range from $200 to $80 million
CHALLENGES
• Risk and compliance group mandated to review 100% of transactions
• Primary area of concern is client accounting
• Need to ensure that fees and charges are accurate
• Need to involve the business in timely remediation
THE CCM SOLUTION
• Implemented for 40 key controls
• Monitor transactions near real time
• Covering multiple locations (UK and New York)
• Phase I started in risk and compliance then rolled out to the business
PHASE II—CUSTOMER SCREENING
• Important to meet regulatory requirements
• AML and KYC compliance
• Integrate with World-Check sanction list data for screening
THIRD LINE OF DEFENSE
METCASH
• A leading marketing and distribution company
• Operating in the grocery, liquor, and hardware wholesale industries
• Turnover of $12 billion
• 5,000+ employees
• Market cap $3.2 billion
CHALLENGES
• Several disparate systems
• Many audit scripts
• Emailing exceptions in Excel
• SAP generating many exception reports
• Business struggling to cope
THE CCM SOLUTION
• All analytics built in-house by CM Team
• Covered 30 key controls to start
• CCM implemented for Purchase to Payment in Phase I
• Expanded to the retail business processes in Phase II
• Adopted as central exception management system (including SAP reports)
RESULTS
• Started in internal audit
• Rolled out to business users
• Use action/reason codes to facilitate root cause analysis
• Daily examination of processes
• First-year results:
• 5.5 billion transactions covered
• $1.8 million in savings
CONCLUSION
• Internal control effectiveness is positively impacted by collaboration
• That covers collaboration at all three levels
• CCM is a compelling vehicle to facilitate a collaborative process
Visit casewareanalytics.com