Isaca Certified in Risk and Information Systems Control CRISC Question # 559 Topic 56 Discussion
In the context of the three lines model, which of the following is responsible for providing assurance to senior management and the governing body through independent and objective reviews?
The correct answer is A because in the three lines model, internal auditors provide independent and objective assurance to senior management and the governing body. Their role is separate from operational risk ownership and from second-line oversight functions.
The other options are not correct:
B. Risk owners are part of the first line and manage risk, but do not provide independent assurance.
C. Regulators may perform external reviews, but they are not part of the organization’s three lines model.
D. Risk management functions are typically part of the second line and provide oversight, not independent assurance.
Exact Extracts supporting the answer:
“The MOST significant benefit of using the three lines of defense model in a risk management framework of an enterprise is that it clarifies essential roles of the key stakeholders.”
“One of the MAIN purposes of the first line of defense in the three lines of defense model is to ensure control deficiencies are addressed.”
“Establishing a risk management framework is a direct responsibility of the second line of defense.”
“An internal audit function is best positioned to leverage the work performed in monitoring, evaluating, examining and reporting on controls as part of an ERM program.”
“Evaluating the effectiveness of existing internal information security controls within an enterprise is the responsibility of the system auditor.”
These extracts support that independent and objective assurance in the three lines model is provided by internal auditors.