Explained: The new Three Lines Model

The Three Lines of Defence Model has been an influential and invaluable tool for governing bodies and the internal audit profession since it was adopted in 2013. Since then, however, risk management has evolved, and in July this year IIA Global published a refinement of the model with an aim of fostering closer collaboration between business functions and internal audit.


The changes are not radical, but the new terms and language are intended to enhance clarity and purpose. So what are the key changes and what do UK and Irish internal auditors need to know?

The role of internal auditors has not changed, but the new model reinforces this role as being more strategic and operational rather than tactical. It emphasises that an effective internal audit function will:

• Have strong working relationships with colleagues in first- and second-line functions and will work collaboratively with them – independence does not imply isolation

• Lead by example and support its governing body – the model stresses alignment, collaboration and coordination

• Provide risk-based assurance focusing on the achievement of strategic objectives, operational imperatives and legal/regulatory requirements.

An effective risk-management framework that is embedded in the culture and day-to-day operations of an organisation can be achieved by measures such as including responsibility for risk management in job profiles, developing performance metrics related to unexpected events or losses, and establishing effective risk reporting processes.

The new model is a useful tool for providing assurance over risk management. It should help to make it clear to governing bodies that management, not internal audit, is responsible for managing risk. It also emphasises alignment, collaboration and coordination – internal audit has the skills and corporate knowledge to deliver insight to help the governing body establish an appropriate risk management and assurance framework so that it can discharge its duties in line with its risk appetite.

Although the definition of the third-line role specifically relates to internal audit, the model acknowledges that other third-line roles may also exist (such as oversight, inspection, investigation, evaluation and remediation). In these cases, internal audit should provide assurance that it is truly independent of management.


The changes

The model is principles-based and focuses on roles rather than structure. It aims to be realistic about roles and responsibilities. In some sectors the first two lines may be blended to support the governance model within the organisation. This is a practical improvement for many internal auditors in SMEs. However, in others, the first- and second-line roles will be separate, for example in the financial services sector where regulators require a clear delineation of first and second lines.

The fact that the model is principles-based makes it easier to communicate the purpose and requirements of the model to stakeholders. It supports the language and content of the Supplemental guidance - Core Principles for Internal Audit, which defines the internal audit mission. The principles focus on the role of the governing body, management and internal audit.

The model introduces the term “governing body” to describe the single point of accountability. Governing bodies in the UK are defined in the UK Corporate Governance Code, the Wates Corporate Governance Principles for Large Private Companies and in central government and local authority standards. Typically, the term refers to the board and its sub-committees, allowing for differences in sectors.

This does not imply any change to the reporting line or independence of internal audit as set out in the International Professional Practices Framework, Internal Audit Code of Practice, Financial Services Code and Public Sector Internal Audit Standards.

Principle 5 of the Three Lines Model also clearly defines the independence of internal audit and removes the reference to an ambiguous layer of “senior management” that previously sat between internal audit and the governing body, clarifying reporting lines and accountability.

The Three Lines Model sets out:

• Expectations of different groups in the organisation

• Accountability of the governing body (the board and its sub-committees) to stakeholders for oversight

• Actions – management is responsible for managing risks

• Assurance – an independent internal audit function that reports directly to the governing body and supports it with advice, insight and continuous improvement

• Purpose – the three lines exist to create and to protect value

• Language – it removes the word “defence” from the model to remove connotations of controlling and avoiding risk

• Collaboration – success stems from the alignment and coordination of, and communication between, roles

This article was first published in November 2020.