The IIA's Three Lines Model

The document describes The IIA's Three Lines Model, which outlines an effective structure for governance, risk management, and assurance in organizations. It discusses six key principles: 1) Governance by a governing body accountable to stakeholders, 2) The roles of the governing body in ensuring appropriate structures and alignment with stakeholder interests, 3) Management's role in achieving objectives through risk-based decision making, 4) Internal audit's independent and objective role in providing assurance, 5) Internal audit's independence, and 6) Creating and protecting organizational value. It also outlines the key roles of the governing body, management, internal audit, and external assurance providers, and the relationships between these roles in governance, oversight, and assurance.


The IIA’s Three Lines Model

An update of the Three Lines of Defense


Contents

Introduction .................................................................................................................................................................... 1

Principles of the Three Lines Model ......................................................................................................................... 2


Principle 1: Governance ............................................................................................................................................... 2
Principle 2: Governing body roles ............................................................................................................................. 2
Principle 3: Management and first and second line roles ................................................................................... 2
Principle 4: Third line roles .......................................................................................................................................... 1
Principle 5: Third line independence ......................................................................................................................... 1
Principle 6: Creating and protecting value .............................................................................................................. 1

Key roles in the Three Lines Model ........................................................................................................................... 3


The governing body ...................................................................................................................................................... 3
Management .................................................................................................................................................................. 3
Internal audit ................................................................................................................................................................. 4
External assurance providers..................................................................................................................................... 4

Relationships among core roles ................................................................................................................................ 5


Between the governing body and management (both first and second line roles) ...................................... 5
Between management (both first and second line roles) and internal audit ................................................. 5
Between internal audit and the governing body ................................................................................................... 6
Among all roles .............................................................................................................................................................. 6

Applying the model ...................................................................................................................................................... 7


Structure, roles, and responsibilities ....................................................................................................................... 7
Oversight and assurance ............................................................................................................................................ 7
Coordination and alignment ...................................................................................................................................... 8

theiia.org
Introduction

Organizations are human undertakings, operating in an increasingly uncertain, complex, interconnected, and volatile world. They often have multiple stakeholders with diverse, changeable, and sometimes competing interests. Stakeholders entrust organizational oversight to a governing body, which in turn delegates resources and authority to management to take appropriate actions, including managing risk.

For these reasons and more, organizations need effective structures and processes to enable the achievement of objectives, while supporting strong governance and risk management. As the governing body receives reports from management on activities, outcomes, and forecasts, both the governing body and management rely on internal audit to provide independent, objective assurance and advice on all matters and to promote and facilitate innovation and improvement. The governing body is ultimately accountable for governance, which is achieved through the actions and behaviors of the governing body as well as management and internal audit.

The Three Lines Model helps organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. The model applies to all organizations and is optimized by:

• Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.

• Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.

• Clearly understanding the roles and responsibilities represented in the model and the relationships among them.

• Implementing measures to ensure activities and objectives are aligned with the prioritized interests of stakeholders.

Key terms

Organization - An organized group of activities, resources, and people working toward shared goals.

Stakeholders - Those groups and individuals whose interests are served or impacted by the organization.

Governing body - Those individuals who are accountable to stakeholders for the success of the organization.

Management - Those individuals, teams, and support functions assigned to provide products and/or services to the organization’s clients.

Internal audit - Those individuals operating independently from management to provide assurance and insight on the adequacy and effectiveness of governance and the management of risk (including internal control).

The Three Lines Model - The model previously known as the Three Lines of Defense.

Internal control - Processes designed to provide reasonable confidence over the achievement of objectives.

Principles of the Three Lines Model

Principle 1: Governance
Governance of an organization requires appropriate structures and processes that enable:

• Accountability by a governing body to stakeholders for organizational oversight through integrity, leadership, and transparency.

• Actions (including managing risk) by management to achieve the objectives of the organization through risk-based decision-making and application of resources.

• Assurance and advice by an independent internal audit function to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous inquiry and insightful communication.

Key terms

Risk-based decision-making - A considered process that includes analysis, planning, action, monitoring, and review, and takes account of potential impacts of uncertainty on objectives.

Assurance - Independent confirmation and confidence.

Principle 2: Governing body roles


The governing body ensures:

• Appropriate structures and processes are in place for effective governance.

• Organizational objectives and activities are aligned with the prioritized interests of stakeholders.

The governing body:

• Delegates responsibility and provides resources to management to achieve the objectives of the organization while
ensuring legal, regulatory, and ethical expectations are met.

• Establishes and oversees an independent, objective, and competent internal audit function to provide clarity and
confidence on progress toward the achievement of objectives.

Principle 3: Management and first and second-line roles
Management’s responsibility to achieve organizational objectives comprises both first and second-line roles.[1] First-line
roles are most directly aligned with the delivery of products and/or services to clients of the organization, and include the
roles of support functions.[2] Second-line roles provide assistance with managing risk.

First and second-line roles may be blended or separated. Some second-line roles may be assigned to specialists to provide
complementary expertise, support, monitoring, and challenge to those with first-line roles. Second-line roles can focus on
specific objectives of risk management, such as: compliance with laws, regulations, and acceptable ethical behavior;
internal control; information and technology security; sustainability; and quality assurance. Alternatively, second-line roles
may span a broader responsibility for risk management, such as enterprise risk management (ERM). However, responsibility
for managing risk remains a part of first-line roles and within the scope of management.

Principle 4: Third line roles


Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance
and risk management.[3] It achieves this through the competent application of systematic and disciplined processes,
expertise, and insight. It reports its findings to management and the governing body to promote and facilitate continuous
improvement. In doing so, it may consider assurance from other internal and external providers.

Principle 5: Third line independence


Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority, and
credibility. It is established through: accountability to the governing body; unfettered access to people, resources, and data
needed to complete its work; and freedom from bias or interference in the planning and delivery of audit services.

Principle 6: Creating and protecting value


All roles working together collectively contribute to the creation and protection of value when they are aligned with each
other and with the prioritized interests of stakeholders. Alignment of activities is achieved through communication,
cooperation, and collaboration. This ensures the reliability, coherence, and transparency of information needed for risk-
based decision making.

[1] The language of “first line,” “second line,” and “third line” is retained from the original model in the interests of familiarity. However, the
“lines” are not intended to denote structural elements but a useful differentiation in roles. Logically, governing body roles also constitute a
“line” but this convention has not been adopted to avoid confusion. The numbering (first, second, third) should not be taken to imply
sequential operations. Instead, all roles operate concurrently.
[2] Some consider the roles of support functions (such as HR, administration, and building services) to be second line roles. For clarity, the
Three Lines Model regards first line roles to include both “front of house” and “back office” activities, and second line roles to comprise
those complementary activities focused on risk-related matters.
[3] In some organizations, other third line roles are identified, such as oversight, inspection, investigation, evaluation, and remediation,
which may be part of the internal audit function or operate separately.

[Figure: The IIA’s Three Lines Model]

Governing body: accountability to stakeholders for organizational oversight. Governing body roles: integrity, leadership, and transparency.

Management: actions (including managing risk) to achieve organizational objectives.
• First line roles: provision of products/services to clients; managing risk.
• Second line roles: expertise, support, monitoring and challenge on risk-related matters.

Internal audit: independent assurance.
• Third line roles: independent and objective assurance and advice on all matters related to the achievement of objectives.

External assurance providers.

Key to arrows: accountability, reporting; delegation, direction, resources, oversight; alignment, communication, coordination, collaboration.

Key roles in the Three Lines Model

Organizations differ considerably in their distribution of responsibilities. However, the following high-level roles serve
to amplify the Principles of the Three Lines Model.

The governing body


• Accepts accountability to stakeholders for oversight of the organization.

• Engages with stakeholders to monitor their interests and communicate transparently on the achievement of
objectives.

• Nurtures a culture promoting ethical behavior and accountability.

• Establishes structures and processes for governance, including auxiliary committees as required.

• Delegates responsibility and provides resources to management for achieving the objectives of
the organization.

• Determines organizational appetite for risk and exercises oversight of risk management (including internal control).

• Maintains oversight of compliance with legal, regulatory, and ethical expectations.

• Establishes and oversees an independent, objective, and competent internal audit function.

Management
First-line roles
• Leads and directs actions (including managing risk) and application of resources to achieve the objectives of the
organization.

• Maintains a continuous dialogue with the governing body, and reports on: planned, actual, and expected outcomes
linked to the objectives of the organization; and risk.

• Establishes and maintains appropriate structures and processes for the management of operations and risk (including
internal control).

• Ensures compliance with legal, regulatory, and ethical expectations.

Second-line roles
• Provides complementary expertise, support, monitoring, and challenge related to the management of risk, including:
o The development, implementation, and continuous improvement of risk management practices (including
internal control) at a process, systems, and entity level.

o The achievement of risk management objectives, such as: compliance with laws, regulations, and acceptable
ethical behavior; internal control; information and technology security; sustainability; and quality assurance.

• Provides analysis and reports on the adequacy and effectiveness of risk management (including internal control).

Internal audit
• Maintains primary accountability to the governing body and independence from the responsibilities of management.

• Communicates independent and objective assurance and advice to management and the governing body on the
adequacy and effectiveness of governance and risk management (including internal control) to support the
achievement of organizational objectives and to promote and facilitate continuous improvement.

• Reports impairments to independence and objectivity to the governing body and implements safeguards as required.

External assurance providers


• Provide additional assurance to:
o Satisfy legislative and regulatory expectations that serve to protect the interests of stakeholders.

o Satisfy requests by management and the governing body to complement internal sources of assurance.

Relationships among core roles

Between the governing body and management (both first and second-line roles)

The governing body typically sets the direction of the organization by defining the vision, mission, values, and
organizational appetite for risk. It then delegates responsibility for the achievement of the organization’s objectives to
management, along with the necessary resources. The governing body receives reports from management on planned,
actual, and expected outcomes, as well as reports on risk and the management of risk.

Key term

Chief Executive Officer (CEO) - The most senior individual in the organization with responsibility over operations.

Organizations vary as to the degree of overlap and separation between the roles of the governing body and management.
The governing body can be more or less “hands on” with respect to strategic and operational matters. Either the governing
body or management may take the lead in developing the strategic plan, or it may be a shared undertaking. In some
jurisdictions, the Chief Executive Officer (CEO) may be a member of the governing body and may even be its chair. In all
cases, there needs to be strong communication between management and the governing body. The CEO is typically the
focal point for this communication, but other senior managers may have frequent interactions with the governing body.
Organizations may wish, and their regulators may require, leaders of second-line roles such as a Chief Risk Officer (CRO)
and a Chief Compliance Officer (CCO) to have a direct reporting line to the governing body. This is fully consistent with the
Principles of the Three Lines Model.

Between management (both first and second-line roles) and internal audit
Internal audit’s independence from management ensures it is free from hindrance and bias in its planning and in the
carrying out of its work, enjoying unfettered access to the people, resources, and information it requires. It is accountable
to the governing body. However, independence does not imply isolation. There must be regular interaction between
internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and
operational needs of the organization. Through all of its activities, internal audit builds its knowledge and understanding of
the organization, which contributes to the assurance and advice it delivers as a trusted advisor and strategic partner. There
is a need for collaboration and communication across both the first and second-line roles of management and internal
audit to ensure there is no unnecessary duplication, overlap, or gaps.

Between internal audit and the governing body
Internal audit is accountable to, and sometimes described as being the “eyes and ears” of, the governing body.
The governing body is responsible for oversight of internal audit, which requires: ensuring an independent internal audit
function is established, including the hiring and firing of the Chief Audit Executive (CAE); serving as the primary reporting
line for the CAE[4]; approving and resourcing the audit plan; receiving and considering reports from the CAE; and enabling
free access by the CAE to the governing body, including private sessions without the presence of management.

Key term

Chief Audit Executive (CAE) - The most senior individual in the organization with responsibility for internal audit services, often known as the Head of Internal Audit or similar title.

Among all roles


The governing body, management, and internal audit have their distinct responsibilities, but all activities need to be aligned
with the objectives of the organization. The basis for successful coherence is regular and effective coordination,
collaboration, and communication.

[4] For administrative purposes, the CAE may also report to an appropriately senior level of management.

Applying the model

Structure, roles, and responsibilities


The Three Lines Model is most effective when it is adapted to align with the objectives and circumstances of the
organization. How an organization is structured and how roles are assigned are matters for management and the governing
body to determine. The governing body may establish committees to provide additional oversight for particular aspects
of its responsibility, such as audit, risk, finance, planning, and compensation. Within management, there are likely to be
functional and hierarchical arrangements and an increasing tendency toward specialization as organizations grow in size
and complexity.

Functions, teams, and even individuals may have responsibilities that include both first and second-line roles. However,
direction and oversight of second-line roles may be designed to secure a degree of independence from those with first-line
roles — and even from the most senior levels of management — by establishing primary accountability and reporting lines
to the governing body. The Three Lines Model allows for as many reporting lines between management and the governing
body as required. In some organizations, most notably regulated financial institutions, there is a statutory requirement for
such arrangements to ensure sufficient independence. Even in these situations, those in management with first-line roles
remain responsible for managing risk.

Second-line roles may include monitoring, advice, guidance, testing, analyzing, and reporting on matters related to the
management of risk. Insofar as these provide support and challenge to those with first-line roles and are integral to
management decisions and actions, second-line roles are part of management’s responsibilities and are never fully
independent from management, regardless of reporting lines and accountabilities.

A defining characteristic of third-line roles is independence from management. The Principles of the Three Lines Model
describe the importance and nature of internal audit independence, setting internal audit apart from other functions and
enabling the distinctive value of its assurance and advice. Internal audit’s independence is safeguarded by not making
decisions or taking actions that are part of management’s responsibilities (including risk management) and by declining to
provide assurance on activities for which internal audit has current, or has had recent, responsibility. For example, in some
organizations, the CAE is asked to assume additional decision-making responsibilities over activities utilizing similar
competencies, such as aspects of statutory compliance or ERM. In such circumstances, internal audit is not independent
of these activities or of their results, and therefore, when the governing body seeks independent and objective assurance
and advice relating to those areas, it is necessary for its provision to be undertaken by a qualified third party.

Oversight and assurance


The governing body relies on reports from management (comprising those with first and second-line roles), internal audit,
and others in order to exercise oversight and achievement of its objectives, for which it is accountable to stakeholders.
Management provides valuable assurance (also referred to as attestations) on planned, actual, and forecast outcomes, on
risk, and on risk management by drawing upon direct experience and expertise. Those with second-line roles provide
additional assurance on risk-related matters. Because of internal audit’s independence from management, the assurance
it provides carries the highest degree of objectivity and confidence beyond that which those with first and second-line
roles can provide to the governing body, irrespective of reporting lines. Further assurance may also be drawn from external
providers.

Coordination and alignment
Effective governance requires appropriate assignment of responsibilities as well as strong alignment of activities through
cooperation, collaboration, and communication. The governing body seeks confirmation through internal audit that
governance structures and processes are appropriately designed and operating as intended.

About The IIA
The Institute of Internal Auditors (IIA) is the internal audit profession’s most widely recognized advocate, educator, and provider of standards,
guidance, and certifications. Established in 1941, The IIA today serves more than 200,000 members from more than 170 countries and territories.
The association’s global headquarters is in Lake Mary, Fla., USA. For more information, visit www.theiia.org.

Disclaimer
The IIA publishes this document for informational and educational purposes. This material is not intended to provide definitive answers to specific
individual circumstances and as such is only intended to be used as a guide. The IIA recommends seeking independent expert advice relating
directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this material.

Copyright
Copyright © 2019 The Institute of Internal Auditors, Inc. All rights reserved. For permission to reproduce, please contact [email protected].

July 2020
