Three Lines Model

Internal Auditors have a key role to ensure the success of the new model

Introduction

This summer the Global Institute of Internal Auditors published its new Three Lines model, updating the Three Lines of Defence (or Three Lines of Defense for readers on the other side of the Atlantic). 

As an internal auditor, I welcome much of the content of the new model, and the steps that have been taken to clarify roles within the framework. However, I worry who else is interested in the model and, if it is just the realm of internal audit, that the model may not gain the recognition of the previous Three Lines of Defence. Additionally many organisations will describe a 'three lines of defence' approach within an assurance framework, risk management framework or approach to governance, but could think harder about what those three lines mean. Certainly I have seen a number of organisations using the Three Lines of Defence model who struggle to clearly describe their second line. 

The update should be an opportunity for boards, senior management and their assurance teams to sense-check their current arrangements.

The Three Lines Model shown graphically

Key changes

There are a few changes in particular that I think are an excellent change or clarification, and I welcome these. 

• I was pleased to see the word defence dropped, with greater focus on achievement of organisation objectives and outcomes (I would like to see more internal auditors linking to these in their plans and reports).
• Linked to the shift away from defence, one of the really important points that the paper makes (and it links back to removal of defence from the title) is that “ All roles operate concurrently ” . However this is tucked away in a footnote on page 3, and it could have been emphasised more (both to help understanding for those outside of the IA profession and also to promote proactive rather than reactive internal audit). 
• “Independence does not imply isolation” is a great phrase and reinforces the role that internal auditors must play to ensure they keep relevant to the business, have good engagement with the board and other Lines while maintaining independence and objectivity.
• It is positive to reiterate through the new model that management (First Line) manages risk, and the Second Line helps management and the organisation to manage risk. This feels a simple way of reminding organisations that management are responsible for control and taking action, but that this cannot be done alone. It may also help companies who have adopted, but struggled with, the three lines concept, to revisit which functions they consider to be part of their first and second lines.

What I liked less

• I'm not a fan of the description of the relationship between internal audit and the governing body.  Internal audit being “the eyes and ears” of the governing body feels like a throwback to an outdated view of internal audit (next we’ll be talking about the policemen of the organisation!)
  
• I worry that bodies and institutes representing professionals in the Second Line may feel the updated model underplays what they do. 

What next?

It is interesting to read some of the language used, and to compare that with language in the International Professional Practices Framework (IPPF), particularly the Standards. We may be seeing the start of some changes that will filter through to future updates to the IPPF. For example the scope of assurance and advice for internal audit is described in a couple of places as governance and risk management (including internal control). 

In conclusion

In writing this, I realise I have seen little mention of the new Three Lines Model anywhere other than from the IIA and internal auditors. The success of the model will be measured by how well it is understood and adopted by organisations, and not just by their internal audit functions. I hope to see audit colleagues and IIA chapters reaching out to colleagues across various professions, and across their businesses to promote and explain the model.