Internal audit: three lines of defence model explained

By Steve Bruce CA

6 November 2017

Key points:

  • Guidance for Boards, Audit Committees, executive management and Internal Audit on establishing a Three Lines of Defence model for effective and efficient governance, risk management and control has been issued by the IIA.
  • The model is not simple to implement, ideally requiring vision and ongoing support at Board level.
  • Organisations of all types and sizes can benefit significantly from implementing the model, although common pitfalls should be considered.

The ins and outs of the Three Lines of Defence model and the benefits and challenges of implementation.

The Institute of Internal Auditors (IIA) published a global position paper in 2013, titled: The Three Lines of Defense in Effective Risk Management and Control.

The concept has remained sufficiently important that a further position paper was published in June 2017 by the Chartered Institute of Internal Auditors, titled: The Three Lines of Defence, hereafter the 2017 paper.

The 2017 paper stated:

‘Applying the three lines of defence model in an organisation is not a silver bullet for achieving effective internal audit.

‘Much also depends for example on the standing, scope and resourcing of the internal audit function.

‘However, if the positioning and governance structure for internal audit are wrong, its ability to support the board or audit committee in their challenging of management can be fatally undermined’.

What is the Three Lines of Defence model?

The IIA and the Institute of Directors endorse the 'Three Lines of Defence' model as a way of explaining the relationship between these functions and as a guide to how responsibilities should be divided:

Three lines of defence in internal audit
Source: CIAA website

Three lines of defence

  1. The first line of defence (functions that own and manage risks)

    This is formed by managers and staff who are responsible for identifying and managing risk as part of their accountability for achieving objectives. Collectively, they should have the necessary knowledge, skills, information, and authority to operate the relevant policies and procedures of risk control. This requires an understanding of the company, its objectives, the environment in which it operates, and the risks it faces.

  2. The second line of defence (functions that oversee or who specialise in compliance or the management of risk)

    This provides the policies, frameworks, tools, techniques and support to enable risk and compliance to be managed in the first line, conducts monitoring to judge how effectively they are doing it, and helps ensure consistency of definitions and measurement of risk.

  3. The third line of defence (functions that provide independent assurance)

    This is provided by internal audit. Sitting outside the risk management processes of the first two lines of defence, its main roles are to ensure that the first two lines are operating effectively and to advise how they could be improved. Tasked by, and reporting to, the board / audit committee, it provides an evaluation, through a risk-based approach, of the effectiveness of governance, risk management, and internal control to the organisation’s governing body and senior management. It can also give assurance to sector regulators and external auditors that appropriate controls and processes are in place and are operating effectively.

Is the model applicable to any organisation?

In short, yes.

The 2013 paper stated that the three lines of defence model is ‘appropriate for any organisation – regardless of size or complexity. Even in organizations where a formal risk management framework or system does not exist, the Three Lines of Defense model can enhance clarity regarding risks and controls and help improve the effectiveness of risk management systems’.

The IIA position papers are part of their ‘Strongly Recommended’ category of guidance and compliance is not mandatory.

The key benefits of implementing an effective model

To implement an effective and efficient model across an organisation is not simple and requires vision and ongoing support from the Board and executive management in terms of direction and resources. Benefits are:

  • Improved coverage of risks and controls by identifying and refining where necessary the population of risks and controls, and appropriately allocating the ownership and performance of these risks and controls across the lines of defence. Consequently, any unintended risks and gaps in controls may be avoided, and unnecessary duplication of work should be avoided by removing layers of redundant controls;
  • Improved control culture across the organisation by enhancing the understanding of risks and controls. For example, potential conflicts of interest or incompatible responsibilities may be more readily identified and challenged, with those risks then either removed or mitigated; and
  • Improved reporting to the Board and executive management through a coordinated approach to providing timely and insightful reporting, avoiding potentially duplicative and irrelevant information.

When implementation of the model fails

The Financial Stability Institute published Occasional Paper No 11 ‘The four lines of defence model’ for financial institutions in December 2015.

The paper included a root cause analysis of how the implementation of the lines of defence model arguably failed in practice during significant banking scandals with the following key findings:

  • Misaligned incentives for risk-takers in the first line of defence – management may have put greater emphasis on and set compensation [or career progress] based on the achievement of financial objectives rather than control-orientated objectives;
  • Lack of organisational independence of functions in second line of defence;
  • Lack of skills and expertise in second line functions; and
  • Inadequate and subjective risk assessment performed by internal audit. Failure by Internal Audit to identify high-risk areas or processes will lead to audits focussing on the wrong areas, therefore undermining the effectiveness of the third line of defence.

Three lines of defence in depth

For an explanation of the role of Internal Audit in the three lines of defence model and some of the practical day-to-day challenges of implementation under an often-ongoing climate of ‘doing more with less’, watch out for the second article on this topic, ‘Internal audit: challenges of implementation’.
