The original ‘Three Lines of Defence’ Internal audit model has been transitioning to a 'Six-Principle' approach.
In light of the advances and general prioritisation afforded to risk management practices across recent years (especially due to the impositions of national regulating bodies governing stricter markets), the ‘Three Lines of Defence’ model originally issued by the Institute of Internal Auditors in January 2013 has been thoroughly enhanced and updated in July 2020, transitioning to a six-principle approach which is centred around incorporating value-safeguarding and value-adding practices within entities’ core functions.
The three-line defence model suggested the optimal governance and organisational structures for implementing effective risk management and control measures within an operational environment.
Fig 1: Three Lines of Defence Model, 2013
The evolved six-principle defence model focuses on:
Establishing adequate governance structures and processes targeted at safeguarding accountability, risk-based decision making and independent assurance
Governing Body Roles
The clear definition of roles, responsibilities, reporting lines and communication onuses within the governance structures implemented to ascertain optimal risk mitigation practices
Management (1st and 2nd Line) Roles
With the 2nd line of defence now portrayed as being under the direct control and responsibility of senior management and somewhat amalgamated with the established 1st line, the two lines may either be blended together or maintained separate and supplemented by specialised professionals harbouring supervisory and monitoring roles
Internal Audit (3rd Line) Role
The provision of independent and objective assurance through the execution of risk-based internal audit procedures strategically designed to evaluate internal control frameworks
Internal Audit (3rd Line) Independence
Where the comprehensive independence and autonomy of the internal audit function is accentuated to highlight the importance of attaining objective assurance on the implemented controls
Creating and Protecting Value
Whereby all established roles and structures align with the purpose of safeguarding stakeholder value.
The updated model reinforces the concept of internal audit as being the primary independent function capable of providing objective assurance on the status of the internal control frameworks to both senior management and the regulating bodies themselves, working to identify and address risk deficiencies whilst maintaining flowing communication lines. Moreover, whilst the use of “lines” was maintained in the updated interpretation, they are to be construed as a tool for role distinction rather than structural differentiation.
Fig 2: Six Lines of Defence Model, 2020
Despite the model’s holistic restructuring, the principal role of the Internal Auditor was observed to remain fundamentally undifferentiated from the original interpretation, being further accentuated as having a crucial collaborating link to senior management in holistic strategy alignment, standard setting and to-and-fro communication between the regulating bodies and their regulated counterparts.
This new approach is highly adaptable, whereby tailored and effective internal control frameworks can be put into practice to enhance holistic risk mitigation.
For more information, get in touch with our Internal Audit Team: