The three lines of defense model is a framework that defines the roles and responsibilities of different functions in an organization for managing risks and ensuring effective internal control1. The three lines of defense are:
The first line of defense: the operational management and staff who are responsible for implementing and maintaining the internal control system and managing the risks within their areas of activity
The second line of defense: the oversight functions, such as risk management, compliance, and quality assurance, who provide guidance, support, and monitoring to the first line of defense and ensure that the internal control system is designed and operating effectively
The third line of defense: the internal audit function, who provides independent and objective assurance to the board and senior management on the adequacy and effectiveness of the internal control system and the performance of the first and second lines of defense2
The three lines of defense model facilitates a completely independent review of test results for evaluating control effectiveness, because it ensures that the internal audit function, as the third line of defense, has the authority, independence, and competence to conduct objective and unbiased assessments of the internal control system and report its findings and recommendations to the board and senior management3. The internal audit function can also use the test results from the first and second lines of defense as inputs for its own audit planning and testing, and verify their validity and reliability4.
References = The Three Lines of Defense in Effective Risk Management and Control - IIA, The Three Lines Model - IIA, The Role of Internal Audit in the Three Lines of Defense - IIA, Evaluating and Improving Internal Control in Organizations - IFAC
Submit