The Role of the Internal Auditor

The original ‘Three Lines of Defence’ internal audit model has been transitioning to a ‘six-principle’ approach.

In light of the advances in risk management practices in recent years and the priority they have been given (especially owing to the requirements imposed by national regulatory bodies governing stricter markets), the ‘Three Lines of Defence’ model, originally issued by the Institute of Internal Auditors in January 2013, was thoroughly enhanced and updated in July 2020. It transitioned to a six-principle approach centred on incorporating value-safeguarding and value-adding practices within entities’ core functions.


The three-line defence model suggested the optimal governance and organisational structures for implementing effective risk management and control measures within an operational environment.  



Fig 1: Three Lines of Defence Model, 2013


The evolved six-principle defence model focuses on:


Establishing adequate governance structures and processes targeted at safeguarding accountability, risk-based decision making and independent assurance


Governing Body Roles

The clear definition of roles, responsibilities, reporting lines and communication obligations within the governance structures implemented to ensure optimal risk mitigation practices


Management (1st and 2nd Line) Roles

With the 2nd line of defence now portrayed as being under the direct control and responsibility of senior management and somewhat amalgamated with the established 1st line, the two lines may either be blended together or kept separate and supplemented by specialised professionals holding supervisory and monitoring roles


Internal Audit (3rd Line) Role

The provision of independent and objective assurance through the execution of risk-based internal audit procedures strategically designed to evaluate internal control frameworks


Internal Audit (3rd Line) Independence

The comprehensive independence and autonomy of the internal audit function are accentuated to highlight the importance of attaining objective assurance on the implemented controls


Creating and Protecting Value

All established roles and structures align with the purpose of safeguarding stakeholder value.


The updated model reinforces the concept of internal audit as the primary independent function capable of providing objective assurance on the status of the internal control frameworks to both senior management and the regulating bodies themselves, working to identify and address risk deficiencies whilst maintaining open lines of communication. Moreover, whilst the use of “lines” was maintained in the updated interpretation, they are to be construed as a tool for role distinction rather than structural differentiation.



Fig 2: Six Lines of Defence Model, 2020


Despite the model’s holistic restructuring, the principal role of the Internal Auditor remains fundamentally unchanged from the original interpretation. It is further accentuated as a crucial collaborating link to senior management in overall strategy alignment, standard setting and two-way communication between the regulating bodies and their regulated counterparts. This new approach is highly adaptable, allowing tailored and effective internal control frameworks to be put into practice to enhance risk mitigation across the entity.

