
1.0 INTRODUCTION

According to past research (Vousinas, G.L. (N.D). Beyond the three-lines-of-defense: The five
lines of defense model for financial institutions.), the article provides an understanding of the
need to apply the Three Lines of Defense model in regulated financial institutions.

The Three Lines of Defense model distinguishes three lines involved in effective risk
management: a) First line of defense: functions that own and manage risks; b) Second line
of defense: functions that oversee risks; and c) Third line of defense: functions that provide
independent assurance. Regardless of the size and sophistication of the organization, applying
the three lines of defense should be the first requirement of an efficient risk management
system. Each line must be supported so that it can sustain and supervise its part of the risk
control framework, and risk management must be embedded in the development and
operation of the business.

In addition, the article helps us to recognize the issues faced by each line of defense, with a
focus on financial institutions. There are numerous reasons for these issues and numerous
ways to address them, chiefly by designing and implementing an accurate and reliable internal
control system that helps financial institutions manage risk and operate effectively in an
ever-changing environment. The issues that occur in the lines of defense have made
management, and the position of the internal auditor, more important and relevant.

The focus of the first line of defense is on the employees of the financial institution engaged in
producing and selling products and services, or in supporting customers, products and
services. The second line of defense is the institution's compliance and risk functions, which
are responsible for providing guidance to, and oversight of, the first line of defense. Finally, the
third line of defense is internal audit, which independently assesses how risks are managed
and whether the safeguards work, and reports to the Board in support of its oversight of senior
management; external auditors provide further assurance from outside the organization.

The remainder of this report discusses the issues in each line of defense, the reasons they
arise, the internal audit function's response to them, the role of internal auditors in reviewing
and investigating them, and other relevant matters relating to the lines of defense.

2.0 DEFINITION OF THE ISSUE SELECTED

The Three Lines of Defense model presents a clear, straightforward and efficient approach to
risk assessment and control by clarifying key functions and responsibilities. It gives a
convincing account of how operations are controlled, helps ensure the continued efficacy of
risk management initiatives and is relevant to every organization, regardless of scale or
complexity. Even in organizations with no structured risk management framework, the Three
Lines of Defense model reinforces clarity about risk and control and helps improve the efficacy
of the risk management system.

While the original concept behind the Three Lines of Defense was a model of general
applicability for all forms of organization, it did not consider the particularities of specific
industries such as financial institutions and, more specifically, banks. Banks are dynamic,
highly regulated institutions operating in an ever-changing business environment and coping
with high levels of risk.

Analyzing the lines of defense in the financial industry therefore reveals several issues:

1. First line of defense: Conflict of interest between control duties and revenue-generating
responsibilities

In the first line of defense, operating management owns and manages risks while also
being responsible for initiating corrective measures to remedy process and control
defects. Operational management is responsible for maintaining effective internal
controls and for carrying out risk and control procedures on a routine basis, and
naturally serves as the first line of defense, since controls are built into the structures
and procedures under its direction. In essence, the purpose of the first line of defense
is to assign specific control and risk management roles to the staff and managers
employed in revenue-generating business units.

The issue that usually arises in the first line of defense in financial institutions is a
conflict of interest between control duties and revenue-generating responsibilities. It is
typical in the first line for the primary goal of meeting profit targets to be confused with,
or prioritized over, risk management and the objectives of internal control. Organizations
frequently place greater focus on achieving financial goals than on control, thereby
undermining the first line of defense and allowing various threats to slip through existing
safeguards and reach the company.

According to the research, the following companies experienced a failure in the first line
of defense:

a) Societe Generale, in a case that came to light in 2008. The case involved fraud in
which an employee had held a number of unauthorized speculative positions for
more than a year without their being detected.
b) Swiss bank UBS, in 2011. The issue arose from two control deficiencies: a control
requiring confirmation of transactions with counterparties, and controls over the
relationships between different trading desks.

2. Second Line of Defense: Inadequate monitoring, lack of resources and properly
skilled staff

The second line of defense lays out the policies, frameworks, resources, strategies and
assistance that allow compliance with policies to be managed in the first line, tracks how
well the first line does so, and helps ensure that risk concepts and measurements are
applied consistently. If the first line of defense fails to deal with a threat, the second line
should detect and escalate it. Management should establish separate risk management
and compliance functions in the second line to support the controls operated by the first
line.

The functions of the second line of defense (as commonly found in financial institutions)
are as follows:

a) A risk management function that facilitates and tracks the execution of appropriate
risk management practices, helping risk owners to define, analyze, monitor and
minimize the risks inherent in the organization's operations.
b) A compliance function responsible for identifying and preventing threats arising
from non-compliance with legislative and regulatory requirements.
c) A controller function that monitors financial risks and problems related to financial
reporting.

The issue that commonly arises in the second line of defense in financial institutions is
inadequate monitoring, combined with a lack of resources and of properly skilled staff.
Inadequate monitoring typically arises because monitoring must be designed to suit the
particular needs of the organization, and the needs of banks are especially diverse. In
practice, operations are dispersed throughout the organization while monitoring tasks are
often restricted to one or a few areas, creating gaps. In addition, the resources (human
and non-human, i.e. IT) employed in risk assessment and second-line regulatory roles
are often inadequate to support the internal control mechanism and to reduce the
multiple risks to an acceptable level. Such resource and budget limitations do not
encourage managers and other stakeholders to carry out their own assessments or to
help resolve existing deficiencies. Lastly, there may be a shortage of the expertise
needed to assess processes and internal controls in the first line appropriately. Building
and retaining a workforce with the right combination of expertise and knowledge
therefore becomes a must.

3. Third Line of Defense: Ineffectiveness of the Internal Audit function

The third line of defense is the Internal Audit function, whose key role is to ensure that
the first two lines of defense operate effectively and to provide direction on how they
might be improved. It also offers assurance that the controls and risk reduction
procedures adopted by all units are effective and appropriate to the type and scope of
the organization's risk-taking activities.

In common banking Internal Audit (IA) practice, there is a well-established audit plan
based on an annual risk assessment that is systematic and analytical and is carried out
by staff with a thorough knowledge of the organization's risk profile. The primary purpose
of these risk assessments is to identify high-risk areas or procedures that warrant more
frequent and more thorough audits.

The issue that arises in this final line of defense in the financial industry is the
ineffectiveness of the internal audit function. Because of such internal weaknesses, the
role of external auditors is becoming increasingly important in the internal control
structure of financial institutions, helping to remedy the inadequacies of the classic three
lines of defense model and to deter fraud. Failures of this kind were found in the cases of
Societe Generale and Swiss bank UBS.

3.0 WHY IS THERE AN ISSUE IN THE LINE OF DEFENSE?

Generally, the three lines of defense framework is a key aspect of corporate governance and
has been adopted by most financial regulators and the institutions they supervise. Although
the framework is useful in guiding an organization to control its risk management effectively,
some issues commonly arise during its implementation. Why is there an issue in the lines of
defense? The explanation is as follows:

1. First Line of Defense: Conflict of interest between control duties and revenue-generating
responsibilities.

The framework itself does not set out job descriptions that can be easily understood by
everyone in the organization across the three lines. This causes confusion among
employees about their scope of work within their line of defense; they may follow their
own view of their accountability, which can lead to a false sense of security for the
organization. Moreover, uncertainty about responsibilities can damage the organization's
reputation and result in fines for breaches of legal and regulatory requirements.

To be clear, the first-line issue arose at Societe Generale because of insufficient
understanding of the possibility of fraud: the focus was on ensuring that transactions
were properly carried out from an operational perspective only. This created an
inconsistency between the performance of controls and the resolution of discrepancies,
so that the explanations given and the corrections put in place were not verified for
consistency. At Swiss bank UBS, the problem arose from insufficient controls and an
inadequate system of financial reporting; the controls that were needed were:

a) a control requiring confirmation of trades with counterparties within the investment
bank's equities business; and
b) controls over the relationships between the various trading desks within the
investment bank's equities and fixed income, currencies and commodities
businesses, to ensure that internal transactions were genuine and correctly
documented in UBS's books and records.

2. Second Line of Defense: Inadequate monitoring, lack of resources and properly
skilled staff

A lack of knowledge, skills and information in the first line results in bigger problems in
the second line, which then has to take on more responsibility than the first line. Every
line has to be balanced in performing its functions. Management control and internal
control in every line must determine the relevant policies and procedures for risk control
in order to manage risks effectively and achieve the organization's objectives.

In summary, the issue arises because the organization's activities are dispersed
throughout the organization while the monitoring function is limited to a single area,
creating gaps. Moreover, the second-line management functions are insufficient to
control and mitigate the various risks to an acceptable level. Resource and budget
limitations have left supervisors and other stakeholders unable to help address the
deficiencies. There is also a lack of skill in the first line to evaluate the effectiveness of
procedures and internal controls. The first line should, strictly speaking, invest in
compliance resources, since it is regularly the focus of review by regulators.

3. Third Line of Defense: Ineffectiveness of the Internal Audit function

As an objective and independent assurance provider, the third line of defense consists
of the internal audit function. The purpose of internal audit is to ensure that risk
management, governance and internal controls are effective. This requires assessing
the effectiveness of the first and second lines of defense.

In the Societe Generale case, the procedures did not reflect the need to evaluate the
accuracy of risk results and responsibilities, and the internal control system responded
very slowly, both in monitoring and in the immediate resolution of the most sensitive
issues. In the UBS case, the IA department reviewed only the critical trading desk for US
mortgage-backed derivatives and, although control vulnerabilities were found, the audit
reports were not finalized and reviewed in due time, causing significant delays that
undermined the reports' value and ultimately allowed the fraud to occur.

4.0 DISCUSS HOW THE ISSUES ARE RELATED TO THE INTERNAL AUDIT FUNCTION

The last line of defense is the Internal Audit function, which provides independent assurance
through the organization's internal auditors. Internal audit provides assurance to senior
management and the governing body on the work of both the first and second lines, in
accordance with the needs of the board of directors and senior management. It also provides
assurance that the internal controls and risk management practices of all units are sufficient
and appropriate for the type and complexity of the organization's risk-taking activities. Internal
audit oversees the risk assessment processes of the first two lines of defense, plays a role in
ensuring that they operate effectively, and provides assistance and recommendations on how
they could be improved.

The issues identified in each line of defense refer to the risk management failures in the real
cases of Societe Generale and Swiss bank UBS, which were audited by PwC. The Societe
Generale case was a fraud in which an employee held unauthorized speculative positions for
more than a year. The Swiss bank UBS case was a rogue trader scandal that led to a loss of
more than US$2 billion and was due to a lack of controls and inadequate financial reporting.
These issues are closely related to the Internal Audit function, since internal audit has a role
in assessing the organization's risk management and controls, which are designed to reduce
or eliminate the risks that affect the business.

Besides the duty of an internal auditor to be objective and independent in evaluating a
company's financial and operational activities, internal audit also contributes in the area of
risk management. Internal auditors must review the risks across the organization, provide
consulting and advice on risk management practices, and promote the soundness of the
company's control environment while making sure that risks and controls are effectively
coordinated in meeting its objectives. Internal auditors also carry out forensic audits where
wrongful, deceitful or unlawful acts are reported.

In the Societe Generale case, internal audit failed to identify the right high-risk areas and
focused only on areas with a low risk profile. Hence, a follow-up audit must be carried out with
management so that all audit issues are reviewed and the key risks and control weaknesses
are addressed effectively and in a timely manner through corrective action. Internal audit must
then provide assurance, through a written audit report, on the key risks, the risk management
process and the corrective actions that have been identified and evaluated. Internal audit must
present its reports to the Audit Committee on a regular basis so that the Committee can carry
out its oversight function by reviewing and deliberating on the audit issues and raising them
with management, which must then take the necessary steps to strengthen the system of
internal control.

5.0 HOW CAN INTERNAL AUDITORS HELP TO INVESTIGATE/SOLVE THE ISSUES?

The internal audit function, as the third line of defense, acts as an independent and objective
assurance provider. The goal of internal audit is to provide assurance on the effectiveness of
governance, risk management and internal controls. The following activities should be
conducted by an internal auditor when investigating or solving any issue that arises in relation
to the lines of defense.

1. Assess the organization's internal control environment (internal control)

Internal controls are the activities and actions taken by management, the governing
body and other parties to manage risks so as to increase the likelihood that the
organization's objectives and goals will be achieved. Organizations usually establish
policies, procedures and processes as part of the controls that all parties are required to
follow. It is therefore important for internal auditors to evaluate the effectiveness and
efficiency of the controls and to determine whether they are adequate to mitigate the
risks that threaten the organization. In addition, internal auditors should test the internal
controls to ensure they are functioning as designed.

2. Verify compliance with applicable laws, regulations and other obligations

Compliance concerns conformity in fulfilling obligations. Every organization is bound to
comply with various laws, regulations and other obligations established by various
parties. Management is responsible for adopting and maintaining the implementation of
all such obligations. Internal auditors should review how well management meets the
organization's compliance responsibilities and highlight any areas that do not comply
with policies and procedures.

3. Verify the safeguarding of assets

Safeguarding of assets concerns the prevention or timely detection of unauthorized
acquisition, use or disposition of the company's assets that could have a material effect
on the financial statements. Assets need to be safeguarded against waste, loss and
misuse. Internal auditors should therefore investigate any inappropriate conduct related
to assets that may affect the reliability of the financial statements.

4. Assess the reliability and integrity of financial and operational reporting
processes

One of the areas that internal auditors should evaluate is the organization's financial and
operational reporting processes. These two elements are closely related. Such audits
are essential to maintaining accurate and timely financial reporting and data collection,
and they also provide the means to identify problems and correct lapses that might
affect operational efficiency and, in turn, the integrity of the financial statements.

5. Cooperate with the external auditor

Cooperation with external auditors provides an additional layer of defense in solving any
lines-of-defense issue, since external auditors are active in supervising and monitoring
control issues within the organization. This calls for close interaction between the
internal and external auditors in designing and implementing an efficient and effective
control system, aimed at strengthening the existing governance framework of modern
financial institutions, which operate in a highly demanding regulated environment.

6.0 WHAT IS THE INTERNAL AUDITOR'S ROLE AND CONTRIBUTION IN EXAMINING
OR INVESTIGATING THE ISSUES?

The internal auditor is directly involved in the third line of defense. The roles an internal
auditor should take when examining lines-of-defense issues are:

1. Providing assurance to senior management and the governing body

The internal auditor gives assurance to the board, as a party that is objective and
independent of management, about the controls in place to manage risk. Examples of
areas on which internal auditors give assurance are internal control and risk
management. In this third line of defense, the internal auditor applies the highest level of
independence and objectivity, which distinguishes it from the other lines of defense.
Internal auditors give an opinion on whether the risk mitigation practices and internal
controls are appropriate and sufficient. The internal auditor is responsible for reporting to
senior management and the governing body on matters such as the efficiency and
effectiveness of operations, compliance with laws and regulations, and the business
processes. This also ensures that the efforts of the first and second lines meet the
expectations of both the board of directors (BOD) and senior management.

2. Regular and continuous communication between the internal auditor and the
first and second lines of defense

It is important for the internal auditor to keep in contact with the first and second lines of
defense and to stay updated on their progress. Ways of keeping these two lines aligned
with the internal auditor include providing guidelines and knowledge and building
awareness, so that the first and second lines understand their purpose and contribution
in ensuring that proper controls exist. Internal auditors may also hold meetings to
examine how the two lines carry out their responsibilities and to work closely with them,
in order to check whether their efforts are in line with the objectives set by the BOD and
senior management. The internal auditor thus has a vital role in actively participating in
the lines of defense model to ensure that the three lines coordinate and contribute to the
efficiency and effectiveness of the organization.

3. Assess risk management and planning

Another role of the internal auditor is to assess the effectiveness of the risk management
applied by the organization. Risk management can be defined as the processes of
identifying, analyzing, responding to, collecting data on and monitoring strategic risk.
Internal auditors should assist companies in establishing and maintaining Enterprise
Risk Management processes, as this ensures that quality and professional standards
are met. For example, as mentioned above, in banking practice internal auditors conduct
an annual risk assessment and identify the business units or processes that carry a
large amount of residual risk. From this assessment, internal audit can plan its work and
suggest how the risk should be tackled and potentially reduced or eliminated.

4. Investigate any occurrence of fraud, embezzlement or theft

Internal auditors should always maintain sufficient awareness to identify possible
fraudulent activity in the firm, and should be able to recognize red flags that signal the
possible occurrence of fraud in the organization. If such irregularities are perceived, the
internal auditor needs to investigate further the characteristics, techniques and fraud
schemes used. If fraud is detected, it should be assessed whether further action, such
as a formal investigation, should be taken. Such occurrences should also be brought to
the attention of the BOD and senior management, together with suggested remedies.
Internal audit will also assess the effectiveness of the existing controls in the
organization.

5. Highlight any weakness found

Even after the first and second lines of defense have done their work, errors and
mistakes can still occur at these two stages, for example because of integrity risk and
human risk. It is therefore the role of internal audit to look for such errors and to identify
weaknesses in the lines of defense. If weaknesses are identified, internal audit can give
feedback or suggestions to management to improve the outcome. Feedback or
corrective action at an early stage is beneficial, as it can prevent bigger losses or other
disadvantages for the firm.

7.0 ANY OTHER RELATED MATTERS THAT ARE SUITABLE FOR THE WRITE-UP OF
THIS PROJECT

1. Emergence of e-commerce

With the rise of e-commerce and the economic downturn, many inventive crimes affect
people on a daily basis. Many businesses are moving into e-commerce and investing in
their own AI (artificial intelligence), as these offer many advantages, especially in cost
saving and operational efficiency. Businesses should therefore tighten their security to
ensure that intellectual property and other information assets are protected. Here the
first line of defense, such as IT staff and developers, plays a vital role in securing the
business's systems and perimeter defenses (for example, firewalls) against attack, which
would otherwise harm stakeholders. Without proper security, customer and employee
information risks being leaked and used for improper purposes. Employees should
actively keep up to date with the latest types of cyber-attack and defend the systems
according to policy, with adequate training, even when working remotely from home.
This can be achieved through training, lectures and the sharing of experience among
colleagues in the same industry. Both internal and external defenders should keep up
with current technological advances to maximize the organization's defenses, since
outdated or unpatched technology leaves many gaps for outsiders to exploit.

2. Confidentiality of information

Sharing information enables the external auditor and regulators to monitor closely the
organization's response to risk and the initiatives taken to mitigate it. To support this
additional line of defense, management needs to design a new set of procedures for
sharing information with external parties so as to ensure the integrity and confidentiality
of what is shared. This is where the IT department in the first line of defense plays its
part, by controlling what information leaves the organization and over which channels
(for example, through access controls and network filtering at the firewall). Information is
an important asset (intellectual property) of the organization, so protecting it from
outsiders is part of the organization's defense operations. Defending the asset means
not only preventing it from being taken away physically but also protecting it from being
manipulated by intruders, since manipulated information leads to wrong judgments in
decision making and results in business losses. Internal functions should communicate
closely with external defenders to ensure compliance with the policies and procedures
for using the organization's information. These policies and procedures should govern
not only those involved in the lines of defense but also external parties such as
suppliers, and should apply when the company outsources activities.

3. Towards the future

Advances in Artificial Intelligence (AI) are a critical factor for the internal audit function of
an organization, especially in managing risk. All layers of defense should embrace AI
technology, study its functions and use it appropriately according to the organization's
needs. To reap the benefits of AI, management needs to be actively involved in
monitoring AI functions and in identifying loopholes through which problems or risks
could arise. Management's readiness for the risk, informed by research into the costs
and benefits of AI, will reduce losses and strengthen the organization's internal control.
One benefit of AI is that it can reduce human error in information processing and
analysis; its drawback is the lack of the professional judgment that humans can exercise
on the basis of their skills and experience. Management should supervise AI operations
on an ongoing basis to detect risk at an early stage, and should properly investigate the
risks associated with AI, such as attacks on AI systems, inefficient use of AI and a lack
of skills among the staff responsible for it. Proper governance of AI is also important, as
AI can improve efficiency and effectiveness in areas such as regulatory compliance,
information protection and any matters that significantly affect the financial statements.

8.0 CONCLUSION

In summary, the lines of defense should be put in place in every type of organization,
regardless of its size and complexity. This gives the organization the opportunity to enhance
its risk management and risk mitigation according to its own characteristics and the variety of
specific situations it may face. It also helps each group to know its underlying role in the risk
management process, especially when tasks are assigned and the risk management functions
are coordinated.

Furthermore, the real cases discussed above, Societe Generale and Swiss bank UBS, show
that organizations that do not implement, or do not sufficiently understand, each line of defense
face a higher level of risk, with existing processes unable to address more complex risks,
resulting in ineffective control measures and resolutions. The cases demonstrate that issues
can arise in each of the lines of defense, and that corrective action must be driven through the
Internal Audit function.

Altogether, the three lines of defense need to be revised and implemented appropriately to be
practiced effectively by the organization. Control issues within the organization should be
regularly reviewed and monitored, in close cooperation with the internal lines. This calls for
closer interaction between internal auditors, management and regulators in the development
and design of an effective and efficient internal control system that will help to minimize risks
and to operate better on a day-to-day basis.

