Audit Ownership and Key Responsibilities

Summary

Audit ownership and key responsibilities refer to the clear definition of who is accountable for designing, maintaining, monitoring, and assuring controls within an organization. This concept ensures that every control process has a designated owner, preventing gaps and confusion when issues arise, and supporting a strong system of governance and risk management.

  • Clarify accountability: Assign control ownership to specific roles and document responsibilities so everyone knows who is accountable when something breaks or needs attention.
  • Build ownership structure: Establish clear frameworks such as RACI charts or three lines of defense to separate operational, risk, and audit roles and ensure smooth escalation during incidents.
  • Review and update: Regularly review ownership assignments, especially after personnel changes, to keep accountability clear and prevent unmanaged gaps in controls.

Summarized by AI based on LinkedIn member posts

  • Emad Khalafallah

    Head of Risk Management | Drive and Establish ERM frameworks | GRC | Consultant | Relationship Management | Corporate Credit | SMEs & Retail | Audit | Credit, Market, Operational, Third-party Risk | DORA | Business Continuity | Trainer

    Who Really Owns the Controls? Understanding the Roles of Risk, Audit, Compliance, Governance & Internal Control 📄

    In many organizations, confusion over “who should handle controls” creates gaps, duplication, and even conflicts. But strong institutions follow a clear model where each function plays a unique, non-overlapping role. Here’s the simplest framework to understand how controls should work inside any organization:

    ✅ 1. First Line of Defense – They OWN the Controls
    The business units (operations, sales, settlements, IT ops, finance, etc.) are fully accountable for:
    • Designing and running controls
    • Maintaining documentation and evidence
    • Reporting incidents and control failures
    • Ensuring activities stay within approved limits
    If a control fails, responsibility starts here.

    ✅ 2. Risk Management – They Challenge & Improve Controls
    Risk does NOT operate controls — it builds discipline. Their role is to:
    • Perform RCSA, KRIs, and risk assessments
    • Challenge control design and coverage
    • Identify weaknesses and emerging risks
    • Monitor exposure vs. risk appetite
    • Recommend enhancements
    Risk ensures the control environment is strong, not emotional or reactive.

    ✅ 3. Compliance – They Ensure Controls Meet Regulations
    Compliance protects the organization from regulatory breaches by:
    • Interpreting laws and regulatory guidelines
    • Ensuring controls meet legal requirements
    • Conducting monitoring and compliance testing
    • Reporting regulatory breaches and violations
    They keep the organization within the regulatory playing field.

    ✅ 4. Governance – They Set Structure, Authority & Accountability
    Governance provides the umbrella that holds everything together:
    • Approves policies, frameworks, and reporting lines
    • Ensures independence of risk & compliance
    • Establishes committees and oversight mechanisms
    • Builds a culture of accountability
    Governance is the architecture that makes controls possible.

    ✅ 5. Internal Control – They Validate Control Effectiveness
    This function sits between risk and audit and adds discipline through:
    • Ongoing control testing
    • Reviewing evidence, documentation & exceptions
    • Monitoring corrective actions
    • Supporting frameworks like ICFR/SOX
    They make sure controls actually work day-to-day.

    ✅ 6. Internal Audit – They Independently Assure All Controls
    Internal Audit gives the Board confidence by:
    • Evaluating all three lines
    • Auditing risk, compliance, and governance effectiveness
    • Reporting directly to the Audit Committee
    • Issuing independent, objective assurance
    Audit is the final line — the guardian of integrity.

    ✅ The Golden Rule
    Controls belong to the First Line — everyone else supports, challenges, oversees, or assures. A strong control environment is not built by one department, but by a synchronized system where each role is respected.

    #Governance #RiskManagement #Compliance #InternalAudit #InternalControl #ThreeLinesModel #OperationalRisk

  • Linda Tuck Chapman - LTC

    CEO Third Party Risk Institute™. Best source for gold‑standard third party risk management Certification and Certificate programs, bespoke training, and our searchable Resource Library. See you in class!

    DORA isn’t failing because of controls. It’s failing because ownership is unclear. Do you agree? 💁🏻♀️

    Over the past year, many financial institutions have built solid DORA programs on paper:
    ✔ Policies approved
    ✔ Gap assessments completed
    ✔ Tools selected
    ✔ Vendor inventories documented

    Yet in supervisory reviews and internal audits, the same question keeps surfacing: “Who actually owns this when something breaks?”

    Not who drafted the policy. Not who runs the tool. Not who approved the budget. But who is accountable when:
    - A critical ICT vendor has a major outage
    - An incident crosses regulatory reporting thresholds
    - A subcontractor introduces hidden concentration risk
    - Exit plans need to be executed under pressure

    That’s where a well-designed RACI becomes operational, not theoretical.

    ✅ What a DORA-ready RACI actually needs to do
    A RACI for DORA isn’t a spreadsheet exercise. It should:

    1️⃣ Anchor accountability at the right level
    Regulators expect ultimate accountability to sit with the Board and senior risk leadership, not buried inside IT or vendor teams. If accountability is fragmented, escalation breaks down when speed matters.

    2️⃣ Give the Third-Party Risk Manager true execution ownership
    The TPRM lead should be:
    - Responsible for lifecycle execution
    - Driving assessments, monitoring, remediation, exit planning
    - Coordinating across IT, legal, procurement, and business owners
    - Maintaining audit-ready evidence
    TPRM should not be a coordinator without authority.

    3️⃣ Separate technical truth from governance ownership
    Best practice clearly separates:
    - IT / CISO → Responsible for technical security, resilience testing, detection
    - Risk / TPRM → Accountable for risk decisions, escalation, regulatory alignment
    Blurring this line creates blind spots during incidents and supervisory reviews.

    4️⃣ Treat contracts as a regulatory control, not procurement admin
    Under DORA, contractual clauses are enforceable controls:
    - Audit and access rights
    - Subcontracting visibility
    - Exit and portability
    - Incident cooperation
    Legal must remain accountable, but TPRM must ensure clauses are operationally usable, not just legally compliant.

    5️⃣ Build RACIs around operational scenarios, not departments
    Strong RACIs map ownership across real situations:
    - Vendor outage
    - Data breach
    - Cloud concentration risk
    - Failed exit test
    - Regulatory notification
    - Subcontractor failure
    If your RACI only reflects org charts, it won’t hold up during stress.

    Below is a practical DORA-aligned RACI visual for Third-Party Risk Managers in financial entities, designed to reflect how programs actually operate under regulatory pressure. If you’re building or refreshing your DORA operating model, this is a good place to start.

    #DORA #ThirdPartyRisk #OperationalResilience #ICTRisk #VendorRisk #RiskGovernance #FinancialServices #TPRM #RegulatoryCompliance #ResilienceEngineering

  • Nathaniel Alagbe CISA CISM CISSP CRISC CCAK CFE AAIA FCA

    IT Audit & GRC Leader | AI & Cloud Security | Cybersecurity | Transforming Risk into Boardroom Intelligence

    Dear IT Auditors,

    The Forgotten Step in IT General Controls (ITGC) Reviews

    Every IT auditor can list the core ITGCs: access management, backups, change management, and job scheduling. These are the foundation of assurance work. But here’s the trap: many ITGC reviews fail, not because the controls are missing, but because accountability is missing.

    You can perform flawless testing of access rights, backup restores, and system changes. But if no one truly owns the control, your results are only temporary. The moment something breaks, there’s no one accountable to fix it.

    In ITGC audits, some auditors may skip validating control ownership by not asking questions such as:
    📌 Who owns the control, and do they actually know they own it?
    📌 Is ownership documented in policies, procedures, or job descriptions?
    📌 When failures occur, is there a clear escalation path?
    📌 Do control owners receive automated alerts or dashboards to monitor effectiveness?
    📌 When staff turnover happens, is ownership reassigned formally?
    📌 Are control owners trained regularly so accountability isn’t just “on paper”?

    A strong ITGC environment isn’t only about design and operation. It’s about execution, which depends entirely on people. Systems don’t keep themselves secure. People do. And when ownership is unclear, every test result is just a snapshot of temporary success.

    That’s why, in my ITGC reviews, I don’t just ask “Is the control effective?” I ask “Who’s responsible, and are they equipped to own it?” Because in the end, control ownership may be the difference between resilience and failure.

    #ITGC #ITAudit #AccessControls #ChangeManagement #RiskOwnership #ControlEffectiveness #AuditExecution #CyberGRC #CyberYard #CyberVerge

  • Navneet Jha

    Associate Director | Technology Risk | Transforming Audit through AI & Automation @ EY

    The Three Lines of Defense in IT Audit

    Think of your company’s IT security like a fortress. To protect it from cyber threats, compliance risks, and operational failures, you need three layers of defense working together. This structured approach ensures effective risk management while maintaining strong governance and compliance.

    1st Line – The Warriors (Business & IT Teams)
    The first line of defense consists of IT administrators, business process owners, and security teams responsible for implementing controls and managing daily IT risks.
    Key Responsibilities
    ✔ Managing access controls and system security
    ✔ Implementing ITGCs and ITACs to maintain compliance
    ✔ Monitoring cyber risks, security logs, and incident response
    ✔ Ensuring data protection and regulatory compliance
    Example: A DBA ensures only authorized employees access financial data, monitoring logs for suspicious activity.

    2nd Line – The Strategists (Risk & Compliance Teams)
    The second line of defense consists of risk management and compliance teams that enforce policies and monitor risks.
    Key Responsibilities
    ✔ Defining IT security policies and frameworks
    ✔ Monitoring compliance with SOX, GDPR, ISO 27001, PCI DSS
    ✔ Conducting risk assessments and security monitoring
    ✔ Ensuring proper reporting and mitigation of security incidents
    Example: An IT risk team enforces MFA after identifying weak login security.

    3rd Line – The Watchmen (Internal & External Auditors)
    The third line of defense provides independent assurance through IT audits, ensuring the first two lines function effectively.
    Key Responsibilities
    ✔ Auditing IT system and cybersecurity controls
    ✔ Evaluating compliance with SOX, SOC 1, and data privacy laws
    ✔ Identifying security weaknesses and recommending improvements
    Example: An IT auditor finds that former employees still have ERP system access, highlighting a security gap.

    How the Three Lines of Defense Work Together
    During a ransomware attack:
    1st Line (IT Teams) isolates infected systems and restores data.
    2nd Line (Risk Teams) updates policies and strengthens security.
    3rd Line (Auditors) assesses control failures and recommends fixes.

    Case Study: ITGC Failure and the Three Lines of Defense in Action

    Background
    During a SOX compliance audit, an internal auditor at a financial services company found that terminated employees still had access to critical financial systems, posing a security risk.

    What Went Wrong?
    1st Line (IT Teams): Failed to revoke access promptly.
    2nd Line (Risk Teams): Had policies but lacked monitoring.
    3rd Line (Auditors): Discovered the issue and reported it.

    How They Fixed It
    ✔ IT Teams: Disabled old accounts and strengthened role-based access controls (RBAC).
    ✔ Risk Teams: Implemented automated alerts for access anomalies.
    ✔ Auditors: Recommended quarterly access reviews to prevent recurrence.

    Outcome
    The company avoided regulatory penalties, improved ITGC controls, and enhanced security monitoring.
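The quarterly access review recommended in the case study above, as an added example that is not part of the post: it reconciles an HR leaver list against a financial-system account export, flags enabled accounts of terminated staff (and accounts with no HR record at all), and routes each finding to the named control owner so that the "who fixes it" question has an answer. All data, names and the `CONTROL_OWNERS` register are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from any real system): HR roster with
# termination dates, and the ERP account export being reviewed.
HR_ROSTER = {
    # user_id: (status, termination_date or None)
    "asmith": ("active", None),
    "bjones": ("terminated", date(2024, 1, 15)),
    "cwu":    ("terminated", date(2024, 3, 30)),
    "dlee":   ("terminated", date(2024, 6, 1)),   # future date: still in notice period
}
ERP_ACCOUNTS = [
    # (user_id, enabled, last_login) as exported from the financial system
    ("asmith", True,  date(2024, 4, 2)),
    ("bjones", True,  date(2024, 2, 20)),   # terminated but still enabled and used
    ("cwu",    False, date(2024, 3, 28)),   # terminated and disabled: fine
    ("dlee",   True,  date(2024, 4, 1)),    # not yet terminated: fine
    ("svc_batch", True, date(2024, 4, 3)),  # no HR record: needs an owner decision
]
# Hypothetical control-ownership register: who is accountable for the
# access-deprovisioning control on each system, so every finding has a recipient.
CONTROL_OWNERS = {"ERP": "IT Identity Ops Lead"}

@dataclass(frozen=True)
class Finding:
    system: str
    user_id: str
    issue: str
    days_exposed: int
    owner: str

def review_access(roster, accounts, system, as_of):
    """Flag enabled accounts of terminated staff and accounts with no HR record."""
    findings = []
    owner = CONTROL_OWNERS.get(system, "UNASSIGNED")
    for user_id, enabled, last_login in accounts:
        if not enabled:
            continue  # a disabled account is not an exposure
        if user_id not in roster:
            findings.append(Finding(system, user_id, "no HR record", 0, owner))
            continue
        status, term_date = roster[user_id]
        if status == "terminated" and term_date <= as_of:
            issue = "enabled after termination"
            if last_login > term_date:
                issue += "; used after termination"
            findings.append(Finding(system, user_id, issue, (as_of - term_date).days, owner))
    return findings

FINDINGS = review_access(HR_ROSTER, ERP_ACCOUNTS, "ERP", as_of=date(2024, 4, 5))
```

A finding whose `owner` is `UNASSIGNED` is itself an audit observation: the system has no documented control owner to escalate to.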

  • David Giraldo

    Microsoft Fabric & Power BI Architect | Senior Analytics Consultant | Governance · Semantic Modeling · Purview · Enterprise BI

    The first governance failure in a Fabric rollout is almost always the same:

    Capacity is configured, pipelines run, monitoring dashboards are live...
    ...and nobody wrote down who owns what.

    Six months in, a key person leaves. Three workspaces go unmanaged. Refresh schedules break. Teams rebuild assets that already exist because they can't find the originals.

    Fabric surfaces usage data. It has no policy for the gaps.

    The ownership model we put in place before go-live assigns three roles per workspace or domain:
    • Owner → accountable for the assets inside. Accuracy, refresh schedule, and lifecycle decisions. When something breaks: fix or decommission.
    • Steward → accountable for the domain. Runs a quarterly ownership review. Flags orphaned assets. Governs; doesn't build.
    • Fallback → assigned at the start of the project, not after the first departure. Steps into the Owner role when the original Owner leaves the tenant.

    Without all three defined, every personnel change creates a gap that compounds.

    Governance lives in the ownership structure. Write the rules before the first report goes live.
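The Owner / Steward / Fallback model above, as an added example that is not the author's own tooling: a pre-go-live check that every workspace has all three roles filled, and the steward's quarterly review that promotes the Fallback when an Owner has left the tenant and flags workspaces that are orphaned or left without a Fallback. The workspace names, people and the `ACTIVE_USERS` set are constructed for illustration.

```python
# Constructed sample data: a per-workspace ownership register in the
# Owner / Steward / Fallback model, plus the tenant's current active accounts.
REGISTRY = {
    "Finance-Reporting": {"owner": "mara", "steward": "sven", "fallback": "ines"},
    "Sales-Analytics":   {"owner": "raj",  "steward": "sven", "fallback": "mara"},
    "HR-Dashboards":     {"owner": "raj",  "steward": "lena", "fallback": None},
    "Ops-Metrics":       {"owner": "ines", "steward": None,   "fallback": "raj"},
}
ACTIVE_USERS = {"mara", "sven", "ines", "lena"}   # "raj" has left the tenant

def validate_registry(registry):
    """Pre-go-live check: every workspace must have all three roles filled."""
    return sorted(ws for ws, roles in registry.items()
                  if not all(roles.get(r) for r in ("owner", "steward", "fallback")))

def ownership_review(registry, active_users):
    """Quarterly steward review: handle departed Owners and missing Fallbacks.
    Returns (updated_registry, actions); each action is (workspace, action, who)."""
    updated, actions = {}, []
    for ws, roles in registry.items():
        roles = dict(roles)  # never mutate the input register
        if roles["owner"] not in active_users:
            if roles["fallback"] in active_users:
                # Fallback steps into the Owner role; a new Fallback is now needed.
                roles["owner"], roles["fallback"] = roles["fallback"], None
                actions.append((ws, "promote_fallback", roles["owner"]))
            elif roles["steward"] in active_users:
                # No Owner and no usable Fallback: orphaned, the Steward must decide.
                actions.append((ws, "orphaned_escalate", roles["steward"]))
            else:
                actions.append((ws, "orphaned_unassigned", None))
        if roles["owner"] in active_users and roles["fallback"] not in active_users:
            # An Owner with no live Fallback is the gap that compounds at the next departure.
            roles["fallback"] = None
            actions.append((ws, "needs_fallback", roles["owner"]))
        updated[ws] = roles
    return updated, actions

UPDATED, ACTIONS = ownership_review(REGISTRY, ACTIVE_USERS)
```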

  • Ruchika Jeena

    Information security analyst

    Who Really Does What in Risk Management?

    👉 GOVERNANCE – BOARD & COMMITTEES (Oversight Role)
    - Board of Directors
      Approves risk appetite
      Oversees enterprise risk strategy
      Holds management accountable for risk management effectiveness
    - Board Risk Committee
      Proposes risk appetite for Board approval
      Aligns risk strategy with business objectives
      Consolidates and reviews risk reports from management and risk functions

    👉 LEADERSHIP & OVERSIGHT – SECOND LINE (Risk & Compliance Functions)
      Develop risk management frameworks, policies, and methodologies
      Provide guidance and challenge to the first line
      Monitor adherence to risk appetite and regulatory requirements
      Consolidate and escalate significant risks to leadership and the Board

    👉 OPERATIONAL EXECUTION – FIRST LINE (Business & Control Owners)
    - Business Unit Leaders
      Own risks within their areas of responsibility
      Ensure that risk controls are designed and operating effectively
      Embed risk awareness in daily decision-making
    - Control Owners
      Maintain and operate specific controls
      Monitor control effectiveness and remediate weaknesses
      Keep proper risk and control documentation for transparency and auditability

    👉 INDEPENDENT ASSURANCE – THIRD LINE (Internal Audit)
    - Chief Audit Executive (CAE)
      Reports independently to the Audit Committee
      Oversees internal audit strategy, planning, and reporting
    - Internal Audit Teams
      Test the effectiveness of controls
      Evaluate the overall governance, risk management, and control framework
      Recommend improvements to strengthen processes and resilience

    ✅ This layout makes it crystal clear:
    Board → Oversight
    Second Line → Design & Monitor
    First Line → Own & Operate
    Third Line → Assure & Improve

    #RiskManagement #Governance #Compliance #Audit #CyberSecurity #OperationalRisk #RiskCulture #BusinessResilience #GRC
