C.3 Combined Assurance—Three Lines of Defence Matrix
| First Line of Defence | Second Line of Defence | Third Line of Defence |
|---|---|---|
|
Management (Risk Owner) |
Management Support and Oversight |
Independent Assurance |
|
Nature of Assurance: Line management is accountable and responsible for the management of risk and performance. A key element of this activity is the extent of management reviews and the actions that follow. Management establishes systems of self- assessments/monitoring to inform it on the adequacy of risk management activities. |
Nature of Assurance: Corporate functions provide support to line management in executing its duties. These include functions such as human resources; legal services; risk management; information technology; health and safety, environment; forensic (fraud risk management) |
Nature of Assurance: Internal audit, certifications (e.g., International Organization for Standardization [ISO]), regulator reviews, external audit, technical audit, forensic investigations, external reviews. |
|
Reporting Lines: Service Leaders, Executive Committee, committees providing direction, guidance and oversight over the focus areas (e.g., unit managers and service leader teams). |
Reporting Lines: Assistant Audit General of Corporate Services, Executive Committee, Audit Committee, and other committees. |
Reporting Lines: Auditor General, Executive Committee, Audit Committee. |
|
Assurance Provided: Management is evidenced through the management reports, review meetings, and forums. Reporting on the results of self-assessments. Special projects that assess the operating effectiveness/efficiencies that can be internally sourced. The assurance is reported to line management. |
Assurance Provided: Reports to Executive Committee and the Audit Committee. Reports to external agencies. Risk management profiles. |
Assurance Provided: Reports to Executive Committee and to Service Leaders, as well as to the Audit Committee. Special projects that assess the operating effectiveness/efficiencies that can be externally sourced. |
- Last modified:
- 2018-02-02