Auditing the National HR Standards for sound governance: The three lines of risk defence

by Michael Robbins & Marius Meyer

Having developed the first National HR Standards in 2013, the SA Board for People Practices (SABPP), in association with HR Future, developed and implemented the first HR Standard Audit Framework in South Africa in 2014 and 2015. This article outlines the three lines of defence risk management model which underpins the National HR Standards, while aligning the audit with the general spirit and approach of integrated reporting. At the heart of integrated reporting is the growing realisation that a wide range of factors determine the value of an organisation: some of these are financial or tangible in nature and are easy to account for in financial statements (e.g. property, cash), while others are not (e.g. people, natural resources, intellectual capital, market and regulatory context, competition).

Over 100 global businesses and 50 institutional investors are directly involved in the work of the International Integrated Reporting Council. These include some of the world's top brands, such as Coca-Cola, Microsoft, Hyundai, Tata, Unilever, Marks & Spencer and SAP. Integrated reporting results in the concise communication of value. Furthermore, it promotes integrated thinking and the breakdown of silos within the organisation.

SABPP wishes to empower all HR professionals to engage in the development of integrated reporting, specifically in the people space, although HR management activities have a clear influence on other business management areas as well.

With the recently published National HR management system standards and the new HR Audit management system standard, SABPP will enable all HR professionals to internalise the three lines of defence model. The audit model underpins the National HR management system standards together with the integrated reporting philosophy to ensure human capital management is aligned to organisational objectives.

The Three Lines of Defence model, adopted from CRD in the UK, distinguishes among three groups in the organisational structure involved in effective risk management:

  • Functions that own and manage risks
  • Functions that oversee risks
  • Functions that provide independent assurance

As the first line of defence, operational managers own and manage risks. They also are responsible for implementing corrective actions to address process and control deficiencies. Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis.

Operational management identifies, assesses, controls and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise the execution of those procedures by their employees.

Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defence controls. The specific functions will vary by organisation and industry sector, but typical functions in this second line of defence include risk, compliance and control functions.

A risk management function (and/or board committee) facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure (risk appetite) and reporting adequate risk-related information throughout the organisation.

A compliance function monitors various specific risks, such as non-compliance with applicable laws and regulations. In this capacity, the separate function reports directly to senior management and, in some business sectors, directly to the governing body. Multiple compliance functions often exist in a single organisation, each responsible for a specific type of compliance monitoring, such as HR management, health and safety, supply chain, environmental or quality monitoring. A control function monitors financial risks and financial reporting issues. The responsibilities of these functions vary with their specific nature, but can include:

  • Supporting management policies, defining roles and responsibilities, and setting goals for implementation.
  • Providing risk management frameworks.
  • Identifying known and emerging issues.
  • Identifying shifts in the organisation’s implicit risk appetite.
  • Assisting management in developing processes and controls to manage risks.
Internal auditors provide senior management with comprehensive assurance based on the highest level of independence and objectivity within the organisation. This high level of independence is not available in the second line of defence. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defence achieve risk management and control objectives. The scope of this assurance, which is reported to senior management and to the Board or Governing body, usually covers:

  • A broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts.
  • All elements of the risk management and internal control framework, which includes: internal control environment; all elements of an organisation’s risk management framework (i.e., risk identification, risk assessment, and response); information and communication; and monitoring.
  • The overall entity, divisions, subsidiaries, operating units, and functions — including business processes, such as sales, production, marketing, safety, customer functions, and operations, as well as supporting functions (e.g., HR, payroll, IT, budgeting, infrastructure and asset management).

Internal audit actively contributes to effective governance, provided certain conditions that foster its independence and professionalism are met. Best practice is to establish and maintain an independent, adequately and competently staffed internal audit function, which includes:

  • Acting in accordance with recognised international standards for the practice of internal auditing.
  • Reporting to a sufficiently high level in the organisation to be able to perform its duties independently.
  • Having an active and effective reporting line to the governing body.

External auditors, regulators and other external bodies reside outside the organisation's structure, but they can have an important role in the organisation's overall governance and control structure. External audit findings enable an organisation to set requirements intended to strengthen its controls; on other occasions these bodies perform an independent and objective function, assessing the whole or some part of the first, second or third line of defence against those requirements. When coordinated effectively, external auditors, regulators and other groups outside the organisation can be considered additional lines of defence, providing assurance to the organisation's stakeholders, including the board and senior management. Now that the SABPP has trained 128 external auditors to audit HR functions against the National HR Standard, these auditors are ready to provide the third line of defence for HR Directors. This will give confidence to Boards and Excos that HR's house is in order.

Drawing on the knowledge of our professional colleagues in auditing and risk management, the three lines of defence provide HR professionals with a robust risk-based framework for ensuring an integrated, aligned and well governed approach to auditing the National HR Standard. Approaching HR standards from a risk and audit perspective will ensure that HR controls quality and consistency in accordance with the spirit of good governance as documented in King III. Moreover, the different lines of defence involve all key stakeholders and thus strengthen the HR business partner philosophy without compromising the principles of quality and independence.

Dr Michael Robbins is MD of IMOR (UK), and Marius Meyer is CEO of SABPP. For more information, visit or blog

More details about HR Audits will be shared at the 3rd Annual HR Standards Roll-out in Sandton on 17 September. Book your seat at
