This document discusses the three lines of defense model for risk management and internal controls. The first line of defense comprises operational management who implement controls on a daily basis. The second line involves risk management and compliance functions that assess risks and monitor control implementation. The third line provides independent assurance through internal audit functions on the effectiveness of governance, risk management and controls, including the work of the first two lines. The document also notes challenges in aligning risk, control and assurance practices in Indonesia and how COBIT 5 can provide frameworks to address these challenges.