Auditing the application of the National HR Standards for sound HR governance: Three lines of risk defence – by Michael Robbins & Marius Meyer

Having developed the first National HR Standards in 2013, the SA Board for People Practices (SABPP), in association with HR Future, has set the scene to create the first HR Standard Audit Framework for South Africa. Hence, this article outlines the three lines of defence risk management model which underpins the National HR Standards, while aligning the audit with the general spirit and approach of integrated reporting. At the heart of integrated reporting is the growing realisation that a wide range of factors determine the value of an organisation – some of these are financial or tangible in nature and are easy to account for in financial statements (e.g. property, cash), while others are not (e.g. people, natural resources, intellectual capital, market and regulatory context, competition).

Over 100 global businesses and 50 institutional investors are directly involved in the International Integrated Reporting Council work. This includes some of the world’s top brands, such as Coca-Cola, Microsoft, Hyundai, Tata, Unilever, Marks & Spencer and SAP. Integrated reporting results in the concise communication of value. Furthermore, it promotes integrated thinking and the breakdown of silos within the organisation.

SABPP wishes to empower all HR professionals to engage in the development of integrated reporting, specifically in the people space, although HR management activities have a clear influence on other business management areas as well.

With the recently published National HR Management System Standards and the new HR Audit Management System Standard, SABPP will enable all HR professionals to internalise the three lines of defence model. The audit model underpins the National HR Management System Standards, together with the integrated reporting philosophy, to ensure that human capital management is aligned to organisational objectives.

The Three Lines of Defence model, adopted from the CRD in the UK, distinguishes among three groups in the organisational structure involved in effective risk management. The first line of defence is the operational management who operate

  • Functions that own and manage risks
  • Functions that oversee risks
  • Functions that provide independent assurance

As the first line of defence, operational managers own and manage risks. They also are responsible for implementing corrective actions to address process and control deficiencies. Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis.

Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.
Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defence controls. The specific functions will vary by organisation and industry sector, but typical functions in this second line of defence include risk, compliance and control functions.

A risk management function (and/or board committee) facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure (risk appetite) and reporting adequate risk-related information throughout the organisation.

A compliance function monitors various specific risks, such as non-compliance with applicable laws and regulations. In this capacity, the separate function reports directly to senior management and, in some business sectors, directly to the governing body. Multiple compliance functions often exist in a single organisation, each responsible for a specific type of compliance monitoring, such as HR management, health and safety, supply chain, environmental, or quality monitoring. A control function monitors financial risks and financial reporting issues. The responsibilities of these functions vary with their specific nature, but can include:

  • Supporting management policies, defining roles and responsibilities, and setting goals for implementation.
  • Providing risk management frameworks.
  • Identifying known and emerging issues.
  • Identifying shifts in the organisation’s implicit risk appetite.
  • Assisting management in developing processes and controls to manage risks.
Internal auditors provide senior management with comprehensive assurance based on the highest level of independence and objectivity within the organisation. This high level of independence is not available in the second line of defence. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defence achieve risk management and control objectives. The scope of this assurance, which is reported to senior management and to the Board or Governing body, usually covers:

  • A broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts.
  • All elements of the risk management and internal control framework, which includes: internal control environment; all elements of an organisation’s risk management framework (i.e., risk identification, risk assessment, and response); information and communication; and monitoring.
  • The overall entity, divisions, subsidiaries, operating units, and functions — including business processes, such as sales, production, marketing, safety, customer functions, and operations, as well as supporting functions (e.g., HR, payroll, IT, budgeting, infrastructure and asset management).

Internal audit actively contributes to effective governance provided that certain conditions fostering its independence and professionalism are met. Best practice is to establish and maintain an independent, adequately and competently staffed internal audit function, which includes:

  • Acting in accordance with recognised international standards for the practice of internal auditing.
  • Reporting to a sufficiently high level in the organisation to be able to perform its duties independently.
  • Having an active and effective reporting line to the governing body.

External auditors, regulators, and other external bodies reside outside the organisation’s structure, but they can have an important role in the organisation’s overall governance and control structure. On some occasions their findings enable an organisation to set requirements intended to strengthen its controls; on other occasions they perform an independent and objective function to assess the whole or some part of the first, second, or third line of defence against those requirements. When coordinated effectively, external auditors, regulators, and other groups outside the organisation can be considered additional lines of defence, providing assurance to the organisation’s stakeholders, including the board and senior management.

Drawing on the knowledge of our professional colleagues in auditing and risk management, the three lines of defence provide HR professionals with a robust risk-based framework for ensuring an integrated, aligned and well-governed approach to auditing the National HR Standard. Approaching HR standards from a risk and audit perspective ensures that HR controls for quality and consistency in accordance with the spirit of good governance as documented in King III. Moreover, the different lines of defence involve all key stakeholders and thus focus on strengthening the HR business partner philosophy, without compromising the principles of quality and independence. More than 20 auditors have been trained to conduct the first round of HR audits against the National HR Standard. The HR auditing framework will be launched at the 2nd Annual HR Standards Roll-out on 28 August at the Sandton Convention Centre.

Dr Michael Robbins is MD of IMOR (UK), and Marius Meyer is CEO of SABPP. They can be reached on or Twitter @SABPP1. For more information, visit or blog