Three Lines of Defense is an internal auditing model that provides a framework for improved control across an organization by building a clearer understanding of its risks and controls. The model identifies and articulates the organization's risks and controls, and allocates ownership of and accountability for them across distinct ‘lines of defense’, so that unintended risks and gaps in control coverage are avoided. The model outlines three lines of defense:
The first line of defense relates to the functions that own and manage risks within the organization. It concerns managers and colleagues being responsible for identifying and managing risk as part of their objectives, and having the requisite knowledge, policies and procedures to do so.
The second line of defense covers the functions that oversee or specialize in compliance or risk management. It comprises the tools, policies, practices and frameworks that enable the first line to operate consistently, together with the monitoring of how well the first line is achieving this.
The third line of defense centers on the functions that provide independent assurance through internal audit. Independent of the first and second lines, its remit is to verify that the first two lines are operating effectively and to itemize potential improvements. This line reports to the board and the audit committee.