How does internal control work? - Introduction to the 'COSO' and '3 lines of defence' models

Updated: Oct 13, 2021

How do internal controls work? And what are the 'COSO' and the '3 lines of defence' models all about? In our blog below, we discuss in detail the two most common ways of implementing internal controls within organisations.

What are internal controls?

Simply put, internal controls are all the processes, tools and policies organisations use to maintain their financial stability and integrity, and protect them from financial, strategic and reputational risk. Implementing an effective internal control framework can also help organisations improve their overall operational efficiency, governance and sustainability.

The 'COSO' control management framework

There are many ways to implement internal controls within an organisation, but probably the most popular one is the 5-component control management framework by the US Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO framework provides a solid foundation for the effective management of internal controls by following 5 key components:

1) Control environment

This component covers key strategic business fundamentals like a company’s leadership team, mission, goals and objectives. It also includes core operational elements like ethics, integrity and corporate social responsibility policies.

The structure of every control environment varies, but it usually includes the board of directors, management team, and HR. Having the right people in the right roles is key to the success of any organisation.

2) Risk assessment

This component covers how exposed an organisation is to both internal and external risks. Risk assessment is essential to identifying and tackling a company’s threats and weaknesses.

Depending on the type of business and industry, the process usually involves examining a company’s level of resilience and efficiency, and identifying any potential weaknesses. Risks can range from fraud, cyber-attacks and manual or technical errors to regulatory and financial risks.

3) Control activities

This component covers all policies and procedures an organisation has implemented to ensure its continuity in the case of an emergency. Being proactive and having a robust control system is crucial for achieving both an organisation’s short and long-term objectives.

Control activities may be preventive or detective in nature and may be performed at all levels of the organisation.

4) Information and communications

Corporate communications and the level of information shared both internally and externally play an integral part in an organisation’s effective task delegation and smooth operations. A failure in communications can be detrimental to a company’s profitability and ROI.

5) Monitoring

Whilst assessing, identifying and rectifying operational inefficiencies and risks lays the foundations for success, ongoing monitoring and regular reporting ensure those foundations hold in the long term and keep an organisation on track with its objectives and goals.

[Figure: The COSO internal control framework]

The '3 lines of defence' model

The COSO Internal Control Integrated Framework has proven to be an effective way of establishing and managing a comprehensive control environment and mitigating organisational risks, but it does not spell out the roles and actual responsibilities for each component of the COSO model. To ensure accountability and avoid duplicated effort and unnecessary operational costs, organisations should have clear role specifications and task delegation.

The '3 lines of defence' model aims to tackle just that. At the core of the model is the idea that “under the oversight and direction of senior management and the board of directors, three separate groups (or lines of defence) within the organisation are necessary for effective management of risk and control”.

Each group has the following core responsibilities:

  1. Own and manage risk and control environment (frontline operating management)

  2. Monitor the risk and control environment to support the overall management (risk, control and compliance departments)

  3. Provide independent assurance to the board and senior management that risk and controls are managed effectively (internal audit)

Whilst the structure of the 3 responsible groups might differ between organisations, a number of core principles apply equally to every company:

  1. The first line of defence lies with the business and process owners who are responsible for managing the risks that can affect the company’s operations and prevent it from achieving its objectives. This group is also usually tasked with the development and execution of a comprehensive internal control system.

  2. The second line of defence is placed to support the management, and its major goal is to make sure that all risks and controls are managed appropriately and effectively. Essentially, this is an oversight function that owns a large part of risk management within organisations.

  3. In contrast to the second line of defence, the third line is usually not a management role and is appointed solely to provide assurance to the senior management and board of an organisation. Its main responsibility is to offer independent and objective evaluation, reporting and recommendations to the board, and it is staffed by internal auditors.

[Figure: The 3 lines of defence model]
