Office of Auditor General - Audit Buzz, February 2025 Issue


Audit Buzz Newsletter

February 2025


Engagement and Office Updates

In this issue of the Audit Buzz, we provide an update on current engagements; explain the Three Lines of Defense model in the Knowledge Hive; and announce a training opportunity for Fairfax County Public Schools (FCPS) employees.

Prior editions of Audit Buzz are archived on the Office of Auditor General (OAG) website.

As always, we appreciate the cooperation and courtesies extended to our staff by FCPS management and staff during all past, current, and future audit engagements.

Here is a challenge to test your audit knowledge, before we begin this issue:

Say What You See


*Hint: this is three words


Current Engagement Update

The February 10 Audit Committee meeting was cancelled. OAG has completed the Student Disciplinary Process and Procurement Process audits. These audits will be presented at the March 17 Audit Committee meeting.


Knowledge Hive


Understanding the Three Lines of Defense

Abstract: The Three Lines of Defense model is a structured approach to risk management that divides responsibilities into three layers: operational management, risk oversight, and internal audit. The first line involves day-to-day operations, the second provides guidance and monitoring, and the third offers independent assurance on risk management effectiveness. This framework clarifies roles, encourages collaboration, improves compliance, and helps reduce financial and operational risk, ultimately enhancing governance and accountability within organizations.

Organizations face various risks, including financial mismanagement, regulatory non-compliance, cybersecurity threats, and operational inefficiencies. Effective risk management is crucial to ensure a safe, financially stable, and well-functioning environment for achieving mission objectives.

A widely recognized framework for risk management is the Three Lines of Defense model. The model came into use in the 2000s, was set out in guidance published in 2010 by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA), and was adopted by The Institute of Internal Auditors (IIA) in its 2013 position paper. In 2020 the IIA restated it as the "Three Lines Model," keeping the same three roles but dropping "of Defense" from the name to stress that the lines are roles rather than organizational units. The model has been applied across industries, including education, finance, healthcare, and government. It provides a clear structure for risk management, internal control, and governance, ensuring that risks are identified, monitored, and mitigated efficiently.

What is the Three Lines of Defense Model?

The Three Lines of Defense model is a structured approach to risk management that allocates responsibilities for managing risks into three layers:

  • First Line of Defense – Day-to-day operational management.
  • Second Line of Defense – Oversight functions that monitor compliance and risk management.
  • Third Line of Defense – Internal audit, providing assurance on risk management effectiveness.

Each line has a distinct role, but together they create a comprehensive risk management system that enhances organizational integrity and accountability.

The first line of defense comprises administrators, staff, and managers who perform the organization’s daily operations. They are responsible for implementing policies, following procedures, and managing risks at the operational level. Their key responsibilities include adhering to financial and administrative policies (e.g., budget management, procurement procedures), ensuring safety and regulatory compliance, maintaining accurate records and documentation, and identifying and addressing risks before escalation. For example, if a school implements a new attendance tracking system, teachers and administrative staff must ensure its correct use to reduce errors and prevent potential data manipulation. This layer is critical as most risks originate at the operational level. Properly managed, these risks can be mitigated before necessitating higher-level intervention.

It is essential not to conceptualize the lines of defense in terms of front, middle, or back office, the common corporate language for describing organizational structures by function. All divisions act as the first line of defense as they perform their daily functions and exercise control over the risks related to those functions.

The second line of defense consists of risk oversight and support functions, such as risk management teams and compliance officers. Their role is to provide guidance, monitoring, and control to help the first line manage risks effectively. Key responsibilities include developing policies and procedures to mitigate risks, monitoring compliance with regulatory requirements, providing training and guidance on risk management, and supporting management in detecting inefficiencies or non-compliance. Unlike the first line, which executes policies, the second line oversees and supports risk management efforts, ensuring controls are properly designed and applied.

The third line of defense is the internal audit function, operating independently to assess and provide assurance on the effectiveness of risk management and internal controls. Internal auditors do not directly manage risks but evaluate whether the first and second lines are doing so effectively. Their key responsibilities include conducting audits to evaluate compliance with internal and external policies and regulations, identifying weaknesses in controls and recommending improvements, providing an unbiased assessment of financial and operational processes, and communicating findings to senior leadership and the board. For instance, an internal auditor may review a procurement process and discover purchases being made without competitive bidding, increasing financial risk. Their role is to highlight these issues and recommend solutions, helping the organization enhance its financial efficiency. This independent assurance strengthens governance and accountability, ensuring management adheres to best practices.

Why This Matters

The Three Lines of Defense framework provides clarity on how different teams contribute to a safe, compliant, and well-managed organization. Understanding this model helps to:

  • Clarify responsibilities – Clearly define individual roles in risk management.
  • Encourage teamwork – Foster cooperation between departments, strengthening internal controls.
  • Improve compliance – Increase awareness of oversight functions, aiding staff in following policies more effectively.
  • Prevent financial and operational risks – Enable early detection and reduction of long-term damage.

Every employee plays a role in strengthening internal controls and protecting the institution. The Three Lines of Defense is a proven framework for risk management, accountability, and governance: each layer, from daily operations to oversight and independent audit, helps ensure that the organization operates efficiently, ethically, and in compliance with regulations. By understanding where your own work sits within this framework, you contribute to a more secure, transparent, and well-governed environment.


Did You Know?


OAG Outreach and Education: Continuing Professional Education (CPE) Opportunity

OAG is registered with the National Association of State Boards of Accountancy (NASBA) and sponsors the FCPS Continuing Professional Education (CPE) program, which provides FCPS employees with complimentary CPE credits that various certification bodies require. OAG is pleased to offer a new NASBA training opportunity for FCPS employees to earn up to 3 CPE credits:

Course: Bridging Payroll and Audit: Tools for Excellence

Date: March 7, 2025

Time: 9:00 AM - 12:00 PM

Did you know that approximately 89% of the FCPS annual budget is spent on salaries? In this training, the Office of Payroll Management and the Office of Auditor General will co-present topics related to payroll compliance, regulations and internal controls, timekeeping and attendance, and reconciliation. We will also cover fraud prevention and detection related to payroll, time, and attendance, including common payroll fraud schemes, red flags to look for, and how to use audits to detect and prevent payroll fraud.

FCPS employees may sign up for the training on MyPDE.


Upcoming Events


Next Audit Committee Meeting

The next Audit Committee meeting is scheduled for March 17, 2025 at 4:30 PM. Please refer to BoardDocs for meeting information once it becomes available.


Fraud, Waste, and Abuse Hotline:
(571) 423-1333 (anonymous voicemail)
InternalAudit@fcps.edu (email is not anonymous)

Online Submission Form


[Answer: OAG Audit Process]