Building a successful compliance testing programme is a crucial component of a financial institution's risk management programme. Regulatory requirements and industry best practices dictate that the three lines of defence model be built and implemented to manage risk through policies, processes, procedures, systems, testing and documentation. This paper will explore the fundamentals of each of the lines of defence, testing within the lines of defence, and foundational elements that assist in developing, implementing and improving a compliance testing programme. It is important to note that testing should be conducted in all three lines of defence including, but not limited to, peer reviews, quality control, quality assurance, business risk and controls testing, compliance testing, transaction testing and testing by internal audit. The best way to be assured as to whether controls are working is through testing. Testing across the three lines of defence should be developed and implemented in accordance with the size and complexity of each financial institution. Testing should be risk-based and result in reporting and action performed by the institution. There is little point in testing if results are not acted upon.