The Three Lines of Defence Model has been updated: what does this mean for Internal Audit?

What are the Three Lines of Defence?

In January 2013, the Three Lines of Defence model was published by the Institute of Internal Auditors (IIA). Its aim was to provide a comprehensive framework for considering the overall arrangements for managing risk and exercising control within an organisation.

The Three Lines of Defence are:

First: operational management control of organisational risks.
Second: risk management and compliance functions, reporting to senior management.
Third: internal audit, providing independent assurance.

The Three Lines of Defence addressed a concern that many organisations had not adopted a structured approach to risk and control, resulting in gaps in risk management and unnecessary duplication of risk coverage. Since then it has become the most commonly adopted method for modelling and clarifying control and risk management responsibilities.

The main features of the model are as follows:

Governing bodies and senior management: The Board and senior management sit above the three lines. They collectively have responsibility for setting organisational objectives, defining strategies to achieve them and establishing the governance, risk management and control frameworks necessary to manage the risks to their achievement.

First line: Primary responsibility for managing organisational risks, through designing and implementing appropriate mitigating controls, rests with operational management, who own and manage those risks.

Second line: Reporting to senior management, the second line comprises risk management and compliance functions that help build and/or monitor the first line of defence controls.

Risk management functions are designed to facilitate and monitor the implementation of effective risk management practices by management throughout the organisation, assisting risk owners in defining target risk exposure and providing adequate risk reporting. The principal purpose of compliance functions is to monitor compliance with applicable laws and regulations. It is common for multiple compliance teams to operate within an organisation, with responsibility for areas such as health and safety, human resources, legal, supply chain, environmental or quality.

Third line: The principal function of the third line is to provide risk assurance. Internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including first and second line controls. Internal audit is independent of management, with a direct reporting line to the Governing body/Audit Committee.

External auditors/regulators: Although they sit outside the organisation, external auditors can play an important role through their consideration of the governance and control structure where this is relevant to financial reporting. For regulated entities, specific governance and risk management requirements are often set by the regulators, who may also undertake their own independent controls assessments; these can be a useful source of assurance.


Implementation challenges

The model has been widely adopted. However, over the years since its publication various academic and professional practitioner reviews of its effectiveness have highlighted some important areas where it could be improved.

The main challenge has been that the model assumes there are distinct lines and that the execution of risk management and controls is vertical and linear. If the model is applied rigidly, this can create silos, with the consequence that those responsible for activity within each line view the management of risk and the provision of assurance solely from the perspective of their own line, with a high potential for duplication and inefficiency. It may also create gaps in coverage between the lines, with important risks not being managed effectively.

Furthermore, in practice the first and second line functions are not clearly defined, and in many organisations operational management (treated as a segregated first line in the model) performs compliance and risk management activities in the absence of a separate second line function. The ACCA report Risk and Performance: Embedding Risk Management (2019) noted that organisations "struggle to reconcile the theoretical idea of a three lines approach with the practical realities of implementing one".

The model has also been criticised for placing too much emphasis on defence: it embraces a cautious view of risk as something that needs to be mitigated, ignoring the need for organisations to take risks, seize opportunities and innovate in order to create value and succeed.

Finally, it has been argued that since financial services institutions such as banks have specific regulatory requirements and features, the three lines of defence model is insufficient for them. The Financial Stability Institute's December 2015 paper, The four lines of defence model for financial institutions, concluded that some high-profile banking scandals exposed a lack of independence in the second line and specialist technical skill gaps in the second and third lines.

For these entities, a four lines model is proposed, with the regulator and the external auditors playing a more active role: providing specialist support to organisations and protecting stakeholders by setting standards, supervising and monitoring control issues.


The Three Lines Model: what has changed?

In July 2020 an updated version, the Three Lines Model, was published by the IIA. It sets out three key areas of responsibility and six principles:

  1. Accountability: The Governing body is accountable to stakeholders for oversight. Principles 1 and 2 confirm that governance of an organisation requires appropriate structures and processes that enable accountability, action and assurance. It is the role of the Governing body to ensure that appropriate structures and processes are in place for effective governance.
  2. Actions: Management is responsible for taking actions (including risk management), including designing and implementing the controls and procedures necessary to achieve organisational objectives. Principle 3 states that management's responsibility for achieving organisational objectives comprises both first and second line roles. First line roles are most directly aligned with the delivery of products and/or services to clients of the organisation, and include the roles of support functions. Second line roles provide assistance with managing risk.
  3. Assurance and advice: An independent internal audit function provides insight, confidence and encouragement for continuous improvement. Principle 4 requires that, in its third line role, internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise and insight. It may consider assurance from other internal and external providers. Principle 5 reiterates that the independence of internal audit from the responsibilities of management is critical to its objectivity, authority and credibility.

Finally, Principle 6 recognises that all roles working collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritised interests of stakeholders.

The biggest change is the adoption of a principles-based approach. The aim of this change is to provide greater flexibility in applying the model and to recognise that, in practice, Governing bodies, management and internal audit do not simply fit into the rigid lines and roles that the original model appeared to suggest. The emphasis is on collaboration and communication across the "lines", with the collective aim of achieving business objectives.

The new model recognises that what was described as the second line is part of management, removing an artificially rigid distinction and accepting that in practice there is often considerable fluidity between first and second line activities. It also stresses that activities are not undertaken in a linear sequence; the roles of each "line" operate concurrently.

The new model also defines the roles of the key participants more clearly. It is notable that two of the six principles relate to governance and specifically the role of the Governing body in overseeing the organisation’s risk management and control framework and its accountability to stakeholders for ensuring that appropriate structures and processes are in place for effective governance.

The emphasis of the new model is on the contribution that risk management makes to the achievement of objectives and value creation. "Defence" has been removed from the title, and the focus is on the creation as well as the protection of value for shareholders and stakeholders. This will be welcomed by those who criticised the previous model for its over-cautious view of risk.

Regulators and external auditors have not been included as a distinct fourth line. This may not fully address the concerns of those arguing for greater emphasis on the role of external assurance providers. However, the new model still recognises this role as important, especially when the distinct scope and mission of regulators and external auditors is fully understood and co-ordinated effectively with the principal source of assurance, the third line.


What this means for Heads of Internal Audit

The new Three Lines Model has been widely publicised and will be an area of interest for Audit Committees. Heads of Internal Audit are therefore likely to be asked for their views.

For those organisations where the Three Lines of Defence model has been adopted extensively, for example through assurance mapping, Audit Committees (and the Governing bodies to which they are accountable) will wish to understand the impact of the new model on the organisation's approach to considering its overall arrangements for managing risk and exercising control.

For those organisations where such a model has not previously been used, the publication of the Three Lines Model may encourage Audit Committees to reassess their current approach to fulfilling their oversight duties in respect of risk and control. They may also conclude that they require a more detailed understanding of the strengths and weaknesses of the various components of the organisation’s risk and controls structure and an explanation of how they interact. Heads of Internal Audit may be asked to lead on providing this.

Heads of Internal Audit will be encouraged to note that the importance of the independence of internal audit is reiterated in Principle 5 and that the value of its advice and assurance is strongly emphasised throughout the model. However, the model explicitly states that "independence does not imply isolation": there is an expectation of regular interaction and communication between management (first and second lines) and internal audit, to ensure that the work of internal audit is aligned to the objectives of the organisation and that duplication, overlap and gaps in assurance are minimised.

As Richard Chambers was quoted in a recent article in Accounting Today: "it's important for internal auditors to work across the various lines of the organisation and not just stay within a set role. We have an obligation to have regular interactions with management and to ensure internal audit's work is relevant and helps the organisation both strategically and operationally." Expectations have been raised, and Audit Committees may now begin to require Heads of Internal Audit to demonstrate more clearly how this has been achieved.



References

IIA (Institute of Internal Auditors), Position Paper: The three lines of defence in effective risk management and control, January 2013

IIA (Institute of Internal Auditors), The IIA's Three Lines Model: an update of the Three Lines of Defense, July 2020

ACCA, Risk and Performance: Embedding Risk Management, 2019

Financial Stability Institute, Occasional Paper No 11: 'The four lines of defence model' for financial institutions, December 2015

ICAEW Audit and Assurance Faculty, The Four Lines of Defence, September 2018

Richard Chambers blog, IA Online, July 2020: New IIA Three Lines Model

Norman Marks on Governance, Risk Management and Audit: The three lines of defense model is the wrong model

Norman Marks on Governance, Risk Management and Audit: The three lines of defense model is no more

Accounting Today, IIA updates Three Lines Model to stress risk management and governance, July 2020
