The Three Lines Model defines responsibilities for risk management and control across different organizational functions:
First Line: Operational management (owns and manages risks).
Second Line: Risk and compliance functions (monitors and facilitates risk management).
Third Line: Internal audit (provides independent assurance).
Why Third-Party and Supplier Assessments Are Shared Across All Three Lines:
First Line (Operational Teams & IT Security): Ensures that vendors comply with security standards.
Second Line (Risk & Compliance Teams): Conducts due diligence and ensures compliance with cybersecurity regulations.
Third Line (Internal Audit): Independently evaluates supplier risk management processes.
Why Other Options Are Less Relevant:
B. Recruitment and retention of certified IT talent – Primarily a first-line management responsibility (HR and IT departments).
C. Classification of data and design of access privileges – Typically a first-line IT security function, with oversight from the second line.
D. Creation and maintenance of secure network configurations – Falls under first-line IT operations with second-line oversight, but it is not a responsibility shared by all three lines.
Relevant IIA References:
IIA’s Three Lines Model (2020 Update): Emphasizes shared responsibilities in areas like third-party risk.
IIA Practice Guide on Third-Party Risk Management: Internal audit must assess supplier security and compliance.
COSO ERM Framework: Highlights vendor risk management as a cross-functional responsibility.
✅ Final Answer: Assessments of third parties and suppliers (Option A).