Application of the Three Lines Model

This guidance helps internal auditors in the UK and Ireland apply the updated Three Lines Model (previously known as the Three Lines of Defence) published on 20 July 2020 by IIA Global. 


Time for change

Since its adoption in 2013 the original Three Lines of Defence Model (3LOD) has been an influential and invaluable tool for governing bodies and the internal audit profession. In that time, risk management has continued to evolve within organisations; refinement of the model reflects this evolution and aims to foster closer collaboration between business functions including internal audit. It is not a radical change, more of a subtle shift of language to enhance clarity and purpose.

 

 


Key messages

The model clearly sets out the expectations of different groups within the organisation.

Accountability – the governing body (typically the board and its sub-committees, ie the audit committee) is accountable to stakeholders for oversight.

Actions – management (first and second line) is responsible for managing risks.

Assurance – internal audit is an independent function reporting directly to the highest point of authority in the organisation, the governing body (audit committee), providing advice, insight, and continuous improvement, but at the same time supporting management in their role.

The purpose of the three lines is to create and protect value.

The word ‘defence’ is no longer used, as some perceive this as controlling and avoiding risk.

Success requires effective alignment, communication, coordination, and collaboration, with all roles operating concurrently. 


The changes and their impact

The model adopts the principles-based approach found in many other key governance documents; there are also three key changes to note:

  1. A focus on roles rather than structure.
  2. A shift from defence to more constructive language. 
  3. The introduction of ‘governing body’ terminology. 

The roles and responsibilities are very much real world. In reality, in some sectors the first and second lines may be blended to support the governance model within the organisation. This is a practical improvement for many internal auditors working in large organisations, because both lines are required to help management achieve organisational objectives through delivery, support and challenge.

At the same time, the model recognises that in some organisations the first- and second-line roles will be separate, ensuring it also retains relevance to financial services, where delineation between the first and second line is of regulatory importance.


Principles

Internal auditors will find that the use of a principles-based model makes it easier to communicate the purpose and requirements of the model to stakeholders. It supports the language and content of the Supplemental guidance - Core Principles for Internal Audit, which defines the internal audit mission. The principles focus on the role of the governing body, management, and internal audit.


Governing body

A refinement in terminology is the sole use of ‘governing body’ as the point of accountability. This is terminology that sits well with the desire for chief audit executives to partner with governance leaders.

Governing bodies in the UK are clearly defined in the UK Corporate Governance Code, the Wates Corporate Governance Principles for Large Private Companies and central government and local authority standards. Typically, this equates to the board and its sub-committees, allowing for differences in sectors. 

It does not imply any change to the reporting line or independence of internal audit as set out in the International Professional Practices Framework and the Internal Audit Code of Practice/Financial Services Code/Public Sector Internal Audit Standards. Principle 5 (3 Lines Model) also clearly defines the independence of internal audit.

Internal audit also benefits from the removal of ‘senior management’ as a box below the governing body. This presented a degree of ambiguity in respect of reporting lines and accountability, which has been clarified. The role of executive management sits clearly in the first and second lines, and executive management is a recipient of, and stakeholder in, the assurance and insight provided by internal audit.


Working within the model

The Model presents no change to the role of internal auditors although it does add weight to its remit being more strategic and operational rather than tactical.

An effective internal audit function will:

  • have strong working relationships with colleagues in first- and second-line functions and work collaboratively with them – independence does not imply isolation
  • lead by example and support its governing body – the Model puts great emphasis on alignment, collaboration, and coordination
  • provide risk-based assurance focusing on the achievement of strategic objectives, operational imperatives, and legal/regulatory requirements; in doing this it will help the organisation continuously improve.

An effective risk management framework will be embedded into the culture and day-to-day operations of an organisation. This can be achieved by, for example, including responsibility for risk management in job profiles, developing performance metrics related to surprise events or loss, and establishing effective risk reporting processes.

The Model is a useful tool when providing assurance over risk management; it is presented in a language that is often familiar to governing bodies. Internal audit should be able to observe the application of the Model and evidence that it is management’s responsibility, not that of oversight functions or internal audit, to manage risk.

The Model puts great emphasis on alignment, collaboration, and coordination. Internal audit has the skills, competency, and corporate knowledge to deliver insight to help the governing body establish a risk management and assurance framework appropriate for it to discharge its duties in line with its risk appetite. This short piece of guidance and examples may be of use.

Although the narrative for the third line role specifically relates to internal audit, the Model recognises that in some organisations, third line roles other than internal audit may exist, such as oversight, inspection, investigation, evaluation, and remediation. In such circumstances, internal audit should provide assurance that they are truly independent of management so as not to compromise the integrity of the Model. 

LINE: First
FUNCTIONS/INDIVIDUALS: Management – operational functions and support functions such as HR and Finance
RESPONSIBILITY: Action
ROLES:
  • to achieve organisational objectives
  • delivery of products and/or services
  • manage risk
  • directly support activities of the organisation

LINE: Second
FUNCTIONS/INDIVIDUALS: Management – eg Legal, Information Security, Quality Assurance, Health & Safety, ERM/Risk
RESPONSIBILITY: Action
ROLES:
  • to achieve organisational objectives
  • provide assistance with managing risk
  • provide complementary expertise, support, monitoring, and challenge to those with first line roles

First and second line roles may be blended or separated

LINE: Third
FUNCTIONS/INDIVIDUALS: Internal audit
RESPONSIBILITY: Assurance
ROLES:
  • provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management

LINE: Governing Body
RESPONSIBILITY: Accountability
ROLES:
  • ensures appropriate structures and processes are in place for effective governance (delegates responsibility and provides resource)
  • ensures organisational objectives and activities are aligned with the prioritised interests of stakeholders
  • establishes and oversees an independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives

 

Content reviewed: 17 August 2021