The various ‘defenders’ are categorized into three lines:
- The front line: operational management;
- The second line: the control, risk management and compliance function
- The third line: internal audit
Control bodies and external auditors would constitute a fourth line. The roles and responsibilities of each line are described below.
1. The front line: management and line managers
Management sets objectives and direction, and identifies the risks associated with achieving these objectives. It steers performance and reports to the Board on management and on the achievement of objectives.
It manages risks and ensures that operations run smoothly. To do so, the front line carries out operational controls: checking the available budget before making a commitment, verifying that credit is available, checking compliance with contract procedures, checking compliance with budget preparation deadlines, etc.
These first-line controls must be traceable and auditable. They must also be subject to hierarchical validation. These controls must be documented in procedures or in a controls manual.
In public-sector establishments, the front line is provided by general management, department heads and all employees.
Controls generally exist, but are rarely documented in procedures.
2. The second line: Internal control and risk management
Second-line staff provide support to operational managers in designing and implementing internal control and risk management systems.
2.1 The internal controller (internal control coordination)
In this capacity, the internal controller assists operational managers in drawing up the procedures and controls manual, but does not draw it up in their place. In particular, the internal controller must ensure that the description of the procedures and of the documents used is complete, and that the controls to be carried out are properly integrated.
The internal controller also assists operational managers in setting up the controls to be carried out (control activities), for example by designing a control manual. For each process (or area), a control manual sets out:
- Requirements to be met (e.g. keeping a cash register for expenses or receipts)
- Checks to be carried out and their frequency (e.g. checks on expenditure; periodic or unannounced checks)
- The inspection procedure (how the inspection is to be carried out, documents to be consulted, files to be used, etc.).
- The control manager and the supervisor
- Formalizing control (documents)
- Archiving proof of control (to be produced in the event of a control or audit)
These control activities are carried out by designated operational managers and must be supervised to ensure their effectiveness.
At least once a year, the internal controller carries out an assessment of these controls to ensure that they have been carried out in accordance with the control manual, and may be required to redo the controls (tests on controls).
Under the Act, this function no longer exists in public and parapublic sector establishments.
2.2 The risk manager
The risk manager, like the internal controller, provides methodological support to operational managers in the identification, assessment and treatment of risks. Management is responsible for risk management, and the risk manager, where present, provides support.
The risk manager organizes identification and assessment workshops, and assists with the implementation of risk mitigation measures and action plans. The risk manager monitors the implementation of actions and assists in updating the risk map.
The risk manager assists management in monitoring risks to the achievement of corporate objectives, and ensures that a risk culture is present throughout the company and integrated into all management decisions and major projects.
When the size of the company does not justify it, the internal controller can assume this risk management function.
This function is not provided for in the Act. In the absence of further detail, this function could be entrusted to a manager who has no operational functions, with the exception of the internal auditor. If the function were nonetheless entrusted to the internal auditor, given the size of the entity and the auditor's skills, the auditor's role would be that of coordinator, facilitator or trainer, but under no circumstances should the auditor assess risks in place of operational managers.
2.3 The compliance officer
In certain regulated sectors (banking, insurance, microfinance, etc.), the compliance officer continuously ensures that operations and procedures comply with the laws and regulations in force (and not with procedures within the company). These actions are carried out on an ongoing basis before transactions are authorized or settled (for example, checking that a customer or supplier is not subject to sanctions in the banking sector).
3. The third line: internal audit
As mentioned above, internal audit is the third line of responsibility, assessing the effectiveness of internal control and risk management systems, and providing assistance in achieving the company's objectives.
Internal audit plans its assignments on the basis of a risk-based approach, and must provide assurance that objectives are being met.
This function is provided for in the law. However, the Act does not specify how it is to be attached, in order to guarantee the necessary independence of this function; nor does it specify the interactions between internal audit and other control bodies (internal control, external control).
The law specifies that the entity must put in place an ‘internal audit policy’ to assess the proper control of risks. We believe that the term ‘internal audit policy’ is not very appropriate.
Instead, we propose a ‘risk management and internal control policy’. Internal audit is a function for which the roles and responsibilities are clearly defined in the international auditing standards issued by the IIA.
The organization must draw up an internal audit charter, which must be signed by the Chairman of the Board of Directors. The charter specifies, among other things, the function and scope of the internal auditor's missions.
4. External assurance providers
These include statutory auditors and government audit bodies (Cour des Comptes, Inspection Générale d'Etat, etc.).
The law requires the statutory auditor to draw up a report on corporate governance. However, the content and form of this report are not specified.
Conclusion
The provisions contained in the law are not yet very explicit, in the absence of decrees, circulars, etc. clarifying the understanding of certain terms and the operating principles of governance bodies. In any case, the benchmarks and best practices observed internationally should help to kick-start the implementation of this important governance and risk management mechanism.
The IIA's three-line model should help clarify the roles and responsibilities of the various players involved in governance, risk management and internal control.
About Moore Senegal
We support private and public sector entities in the implementation of governance, risk and compliance by training stakeholders, providing management tools and supporting performance.