IIA Review the Three Lines of Defense

The “Three Lines of Defense” model is widely used throughout industry as a framework for addressing risks in today’s increasingly complex world. Originally proposed in a position paper from the Institute of Internal Auditors in 2013, the model proposes a “streamlined approach to risk management and control built on three layers — operational management, risk management and compliance functions, and internal audit.”

Writing in Internal Audit Magazine, Anne Millage offers a quick review in Three Lines, One Objective.

Today, the Three Lines of Defense model is used throughout the world. According to a recent Global Internal Audit Common Body of Knowledge (CBOK) report from The IIA Research Foundation, 55 percent of respondents from publicly traded organizations, 43 percent from the public sector, 41 percent from not-for-profit organizations, and 40 percent of respondents from privately held companies (all excluding the financial sector) around the globe say they are using the model.

She notes that the financial sector presents some additional challenges:

According to the CBOK report, A Global View of Financial Services Auditing, “internal auditors in financial institutions are challenged with finding ways to effectively implement this model in a way that works for their organization.” In some small and midsize organizations, the lines between the second and third lines of defense can become blurred and the roles blended.

SVA fully supports the three lines model and believes that the independence of internal auditors is of paramount importance. In addition, we believe that the three lines model is most effective when financial processes are well documented and continuously improved. We have frequently referred to continuous process improvement as “the most effective method of compliance” and a “Pre-Line” of defense.

Read the whole article and let us know what you think.