INTERNAL AUDIT: THE THIRD LINE OF DEFENSE
As proposed by The Institute of Internal Auditors, the “Three Lines of Defense” model provides a simple and effective way of explaining risk management and internal control: it clarifies the essential roles and duties involved and guides how responsibilities should be divided among them.
In this model, the first line of defense is management control; the second line is the various risk control and compliance oversight functions established by management; and the third line is independent assurance. Each of these three “lines” plays a distinct role within the organization’s wider governance framework.
The Three Lines of Defense model is best implemented with the active support and guidance of the organization’s governing body and senior management. This model distinguishes among three groups (or lines) involved in effective risk management:
- 1st Line of Defense: functions that own and manage risks, i.e. operational management
- 2nd Line of Defense: functions that oversee risks, i.e. risk management and compliance functions
- 3rd Line of Defense: functions that provide independent assurance, i.e. internal audit
Internal audit forms the organization’s third line of defense and provides the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. Internal audit is a cornerstone of an organization’s corporate governance.
The scope of this assurance usually covers:
- A broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts.
- All elements of the risk management and internal control framework, which includes: internal control environment; all elements of an organization’s risk management framework (i.e., risk identification, risk assessment, and response); information and communication; and monitoring.
- The overall entity, divisions, subsidiaries, operating units, and functions including business processes, such as sales, production, marketing, safety, customer functions, and operations as well as supporting functions (e.g., revenue and expenditure accounting, human resources, purchasing, payroll, budgeting, infrastructure and asset management, inventory, and information technology).
Establishing a professional internal audit activity should be a governance requirement for all organizations. This is important not only for larger and medium-sized organizations but may be equally important for smaller entities, which may face equally complex environments while having a less formal and less robust organizational structure with which to ensure the effectiveness of their governance and risk management processes.
One way of coordinating the three lines of defense: