The Three lines of Defence model for global assurance … Three is a big number.

18 Jun

The IIA and the ECIIA (Corporate Governance Insights | May 2012) position Internal Audit as the third line of defence. According to the widely known model, operational management represents the first line of defence. Functions like compliance, risk management, quality and other control departments are viewed as the second line of defence. The third line of defence shall be Internal Audit …

I have some doubts whether this is truly the best way of positioning Internal Audit. I see the risk that three may be regarded as too big a number. I wonder whether this model may be potentially confusing in the eyes of governance stakeholders, and might contribute to marginalizing Internal Audit going forward. Is that what Senior Management and the Governing Body want/need?

I would value perspectives and re-assurance from peers in Internal Audit that the three lines of defence model is the best way to communicate the value proposition of Internal Audit. What actually could an alternative positioning look like?

2 Responses to “The Three lines of Defence model for global assurance … Three is a big number.”

  1. drrainerlenz June 19, 2013 at 4:57 pm #

    There were three comments within 24 hours:

    Comment 1:

    Michael Corcoran, CPA • Rainer, my observation is that the IIA perhaps unconsciously almost exclusively focuses on Internal Audit’s assurance role. The 3 lines of defense is a good example. I do not see Internal Audit advisory responsibilities mentioned at all. This is like missing half of the opportunity? When you are proactive and show leadership, you are likely to be viewed in a more positive, business-person light.

    Same holds true with the recent Practice Advisory 2120-3: Internal Audit Coverage of Risks to Achieving Strategic Objectives. Focus is on the assurance role with a passing mention of advisory role. Should be written the other way around to emphasize the need to proactively engage in strategic risk identification, prioritization and mitigation diagnostic process. Not own but actively engaged.

    A good balance of offense and defense is a winning formula.

    Comment 2:

    Sean Lyons • Rainer,

    In answer to your question, in my opinion the best way to communicate the value proposition for Internal Audit is in its third line of defence role. This however is best communicated within the context of an extended Five Lines of Defence model which also includes the Board and Senior Management as additional lines of defence which stakeholders also rely on to safeguard their interests.

    My concern with the Three Lines of Defence model is that it does not consider the Board and Senior Management as additional lines of defence and therefore their own roles in relation to Internal Audit become much less clear. I believe that the best way to communicate the value proposition for Internal Audit to the Board (and to a lesser extent Senior Management) is in the context of a Five Lines of Defence model whereby the roles of the Board and Senior Management are also clearly outlined.

    I have addressed this very issue in more detail in my paper entitled “Defending Our Stakeholders: Corporate Defence Management Explored” which I think may be of interest.

    In my opinion Internal Audit needs to promote such a holistic view of assurance in order to help strengthen its relationship with the Board and to help ensure that its own value proposition is in fact appreciated at all levels within the organisation.


    Sean Lyons

    Comment 3:

    Michael Corcoran, CPA • The SEC in the USA uses a five line defense. I agree with Sean that the three is a defective product. But I also think, as do many others, that you need an offense, otherwise no one will play.


  2. anthonyoreilly June 23, 2013 at 11:18 pm #


    This is a very important topic you are raising here. In my experience, only controls and assurance professionals are really talking about “lines of defense” and “models” are the stuff of consultantspeak. We need to get to Audit Committees, and fast. What I see is that the Big Four are already out there promoting the ‘three lines of defense’ model and it will therefore soon come into general acceptance. What we need to do is make sure that Audit Committees understand one thing very clearly: no matter how many defenses you have, you need your internal auditor to test them. No-one else can do this because no-one else has the depth we do nor the operational independence. So, bring it on!



