With the disruption of the pandemic potentially impacting the key assurance providing mechanisms within your organisation – do you have clear view of what these are and exactly who is responsible for the respective internal controls and risks within your organisation?
Audit Committees are at the centre of providing detailed scrutiny over the assurance and risk mechanisms in their organisations. However, how well do you understand your risk, internal control and assurance landscape? Does your Board, Audit Committee and Executive team understand where its assurance comes from, assessed its sufficiency and thought about whether there is any duplication of effort, particularly where resources are scarce? The Three Lines of Defense model has traditionally been used by organisations to help navigate this territory.
There can be some misunderstanding as to what the model actually is and how it can be applied. In our article, we set out the key principles of the model, its challenges and the impact of its recent revamp. The article explains the basic principles and terminology to help you consider whether you understand where your assurance comes from or whether you would benefit from an assurance mapping exercise to better understand your assurance landscape.
In this article, we set out the key principles of the model, its challenges and what has changed.
Published by the Institute of Internal Auditors, the Three Lines of Defense (3LOD) model’s aim was to provide a comprehensive framework to consider the overall arrangements for managing risk and exercising control within an organisation and to address a concern that many organisations had not adopted a structured approach to this. It helped to ensure that the work of internal audit is aligned to the objectives of the organisation and that duplication, overlap and gaps in assurance are minimised.
Since its development in 2013, the model has been commonly adopted for modelling and clarifying control and risk management responsibilities. However, some confusion pervaded as to its application and the development and ongoing use of associated tools, such as assurance maps. The ACCA noted in 2019, that organisations “struggle to reconcile the theoretical idea of a three lines approach with the practical realities of implementing one”.
In July 2020, amid “rapid change, new risks and the growing complexity of organisations”, the Institute of Internal Auditors (IIA) updated their Three Lines of Defense model – now known as the ‘Three Lines Model.
Back to top
What are the key principles of the model?
The most simplistic way to explain the model is to use an ‘onion’ analogy. In the same way that an onion has different layers, there are different layers of assurance within organisations that effectively wrap around each other; which collaboratively and cumulatively provide assurance to the organisation’s decision makers.
Governing bodies and senior management: The Board and senior management sit above the three lines. As an organisation’s decision makers, they collectively have responsibility for setting organisational objectives, defining strategies to achieve them and establishing the necessary governance risk management and control frameworks to manage the risks to their achievement.
First line: Primary responsibility for managing organisational risks, through designing and implementing appropriate mitigating controls rests with operational management who own and manage risks.
Second line: Reporting to senior management, the second line comprises risk management and compliance functions to help build and/or monitor the first line of defence controls.
Risk management functions are designed to facilitate and monitor the implementation of effective risk management practices by management throughout the organisation, assisting risk owners in defining target risk exposure and providing adequate risk reporting. The principal purpose of compliance functions is to monitor compliance with applicable laws and regulations. It is common for multiple compliance teams to operate within an organisation, with responsibility in areas such as health & safety, human resources, legal, supply chain, environmental or quality.
Third line: The principal function of the third line is to provide risk assurance. Internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including first and second line controls. Internal audit is independent of management with a direct reporting line to the Governing body/ Audit Committee.
External auditors/ regulators: Although they sit outside the organisation, external auditors can play an important role through their considerations of the governance and control structure where this is relevant to financial reporting.
Back to top
What are the challenges in applying the model?
Whilst the model has been widely adopted, it does present some challenges.
- The model assumes that there are distinct lines and that the execution of risk management and controls is vertical and linear. If the model is applied rigidly, this can create silos. The consequence of this is that those responsible for activity within each line view the management of risk and the provision of assurance solely from the perspective of their respective line, with a high potential for duplication and inefficiency. This may also create gaps in coverage between the lines with important risks not being managed effectively.
- In practice, the first and second line functions are not clearly defined within many organisations. Therefore, operational management (considered to be a segregated first line in the model) perform compliance and risk management activities in the absence of a separate second line function.
- The model has also been criticised for placing too much emphasis on defence and embracing a cautious view of risk as something that needs to be mitigated, ignoring the need for organisations to take risks, seize opportunities and innovate in order to create value and succeed. Exploiting risks has proved to be significant for many organisations as they navigate the challenges presented by COVID-19.
Back to top
The Three Lines Model- what has changed?
In July 2020, an updated version of the Three Lines Model was published by the IIA. It sets out three key areas of responsibility and six principles:
- Accountability: The Governing body is accountable to stakeholders for oversight. Principles 1 and 2 confirm that governance of an organisation requires appropriate structures and processes that enable accountability, action and assurance. It is the role of the Governing body to ensure appropriate structures and processes are in place for effective governance.
- Actions: Management is responsible for taking actions (including risk management) including designing and implementing the controls and procedures necessary to achieve organisational objectives. Principle 3 states that Management's responsibility to achieve organisational objectives comprises both first and second line roles. First line roles are most directly aligned with the delivery of products and/or services to clients of the organisation, and include the roles of support functions. Second line roles provide assistance with managing risk.
- Assurance: Requires advice from an independent internal audit function to provide insight, confidence and encouragement of continuous improvement. Principle 4 requires that in its third-line role, internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It may consider assurance from other internal and external providers. Principle 5 reiterates that the independence of internal audit from the responsibilities of management is critical to its objectivity, authority, and credibility.
Finally, Principle 6 recognises that all roles working collectively, contribute to the creation and protection of value when they are aligned with each other and with the prioritised interests of stakeholders.
The new model also introduces the following features:
- The adoption of a principles based approach. The aim of this change is to provide greater flexibility in applying the model and to recognise that, in practice, Governing bodies, management and internal audit do not simply fit into the rigid lines and roles that the original model appeared to suggest. The emphasis is upon collaboration and communication across the “lines” with the collective aim of the achievement of business objectives.
- The new model recognises that what was described as the second line is part of management, removing an artificial rigid distinction and accepting that, in practice, there is often considerable fluidity between first and second line activities. It is also stressed that activities are not undertaken in linear sequence, but the roles of each ‘line’ operate concurrently.
- The roles of the key participants are defined more clearly. Two of the six principles relate to governance and specifically the role of the Governing body in overseeing the organisation’s risk management and control framework and its accountability to stakeholders for ensuring that appropriate structures and processes are in place for effective governance.
- The emphasis of the new model is upon the contribution that risk management makes to the achievement of objectives and value creation. ’Defense’ has been removed from the title and the focus is upon the creation as well as the protection of value to shareholders and stakeholders. This will be welcomed by those that criticised the previous model for its over-cautious view of risk.
- Regulators and external auditors have not been included as a distinct fourth line. This may not fully address the concerns of those arguing for greater emphasis on the role of external assurance providers. However, the new model still recognises this role as being important, especially when the distinct scope and mission of regulators and external auditors is fully understood and co-ordinated effectively with the principal source of assurance - the third line.
Back to top
What the changes mean for Audit Committees?
The most typical way in which the Three Lines Model is adopted by organisations is through assurance mapping. Audit Committees (and the Governing bodies to which they are accountable) which use assurance maps as a management tool, will wish to understand the impact of the new model on their approach to considering their overall arrangements for managing risk and exercising control.
For those organisations where the model has not previously been used, Audit Committees should give consideration to assessing their current approach to fulfilling their oversight duties in respect of risk and control within the framework of the model. This would support a more detailed understanding of the strengths and weaknesses of the various components of the organisation’s risk and controls structure and how they interact. Your internal audit function can facilitate this exercise.
The model explicitly states that “independence does not imply isolation”. There is an expectation that there will be regular interaction and communication between management (first and second lines) and internal audit, to ensure that the work of internal audit is aligned to the objectives of the organisation and that duplication, overlap and gaps in assurance are minimised. This would seem to encourage the further, tactical engagement between internal audit and the organisations they serve, without compromising independence.
Richard Chambers was quoted in a recent article in Accounting Today as saying, “it’s important for internal auditors to work across the various lines of the organisation and not just stay within a set role. We have an obligation to have regular interactions with management and to ensure internal audit’s work is relevant and helps the organisation both strategically and operationally.”
Internal audit is an important component of your assurance armoury. Tap into the un-accessed potential in the relationship with your internal auditors.
For more information or to discuss an assurance mapping exercise for your organisation, contact your usual BDO adviser or contact Lea John, Senior Manager, Risk and Advisory Services.
Back to top
This article has been updated for an audit committee audience from an article originally written by Nigel Burbidge and Tim Foster. The Three Lines of Defence Model (3LOD) has been updated - what does this mean for Internal Audit?