The Three Lines of Defence model has played a key role in internal audit assurance since its release in 2013. It helped to define roles, responsibilities and relationships between internal audit and operational management, risk management and compliance functions.
While the new model maintains the fundamental premise of three organisational lines for effective assurance, it has evolved to explicitly recognise:
The new Three Lines Model now makes explicit this evolution, with three changes to its guidance.
One of the most significant changes to the updated model is the removal of ‘defence’ from its title. This aligns with other recent guidance from the IIA intended to shift the perception of assurance and risk management activity. Instead of purely value-protection and risk-reduction based, assurance and risk management is now about value creation and contributing to the achievement of strategic objectives.
This change reflects a trend in leading internal audit and risk teams to focus their efforts on the key objectives of their organisations. They now provide assurance, not only against what could go wrong in the pursuit of these objectives, but also what needs to go right.
Internal audit functions must find ways of operating at the speed of the business to provide insight into the risks it faces. Leading functions are already utilising agile techniques and adopting ongoing assurance and programme assurance, where appropriate.
The adoption of these has accelerated during the lockdown. Maintaining them will help continuously adapt to changing risk and control landscapes, ensuring resources are appropriately focused and prioritised.
Agility must also extend beyond audit delivery approaches. Traditional multi-year or cyclical audit plans are increasingly replaced by flexible agendas. These can align with and fulfil the value-added role of internal audit, signposting emerging risk areas.
Approaches like these enable teams to promptly answer key assurance questions posed by audit committees and senior management, and provide timely insight into new and changing risks.
Another key change in the new model is the definition of internal audit’s role.
Internal audit functions often aim to establish themselves as trusted business advisers. This has traditionally been purely in relation to assurance on familiar areas of risk management, governance and internal control.
The updated Three Lines Model extends this to also providing assurance-focused advice on all matters related to the achievement of objectives and to facilitate continuous improvement. However, to provide meaningful and insightful advice, internal audit will require a breadth of skills and experience that stretches beyond the profession’s core competencies. Still, they must still take care to maintain independence.
In-house functions are continuing to explore innovative ways to partner and collaborate with co-sourcers. This gives flexible access to deep and specialised resource pools to complement their own skills and business knowledge.
The old Three Lines of Defence model was prescriptive and rigid with regards to the unique roles and responsibilities for each line and how they were expected to interact.
The updated Three Lines Model intentionally blurs the delineation between first-line operational management and second line risk and compliance support roles. This change results in the Three Lines Model being more-widely applicable to organisations of different scale, maturity and sector.
The Three Lines Model refreshes the IIA’s conceptual framework for assurance activity. Importantly, it highlights the opportunity for internal audit functions to assume a more influential role.
The onus is now on internal audit functions to move out of their comfort zones and innovate in ways that will enable them to achieve the IIA's new intent.
For support in adapting to the new Three Lines Model, contact Eddie Best.