Skip to main content Skip to navigation


Controls is the third pillar of the Compliance & Assurance Framework. Having policies, processes, and training documented and disseminated means we have clearly articulated and communicated what we need to be doing to be compliant, but it doesn’t assure us of compliance in and of itself. It is an important step, but subsequently monitoring how well all of this is working can provide the more formal assurance of being compliant, so that we can demonstrate both that we know what we should be doing and that we are actually doing it effectively. It consists of:

  • processes for checking compliance with our articulated policies/processes/guidelines etc.
  • processes for monitoring training and re-training.
  • clearly articulated lines of defence for assurance.
  • drawing upon data for assurance (where are we reviewing this and how often?).

What are three lines of defence?

  • The First line of defence is normally those 'doing the doing', with managers in that department/ business area undertaking first line controls.

  • The Second line of defence is generally another department or business area, one step removed from those carrying out first line checks e.g. if an academic department is first line, a central professional services team could form the second line.

  • The Third line of defence is a department or business area not involved in first or second line checks. For many areas, the third line of defence may be the Internal Audit function.