IIA proposes update to Three Lines of Defense audit model

The Institute of Internal Auditors is asking for input on a proposed update to its Three Lines of Defense (3LOD) model for the internal audit function.

The 3LOD is a standard for internal auditors, but after 20 years, the IIA has decided it’s time to update the model to reflect changing practices in governance, risk and compliance. The IIA is asking for public comments on its proposed changes from June 20 through Sept. 19, 2019.

The Three Lines of Defense model discusses the various roles of the board, governing body, senior and operational management, risk and compliance functions, and internal auditing. The current model has some benefits, the IIA noted, including its simplicity and ease of communication. The model helps organizations avoid confusion, gaps and overlaps when they assign responsibilities for various risk management and control activities. In addition, the model highlights the influence of external audit and regulators.

But despite its widespread acceptance, the existing 3LOD model has received some criticism for being too restrictive and limiting. The model stresses defensive actions, but doesn’t address the need to take a proactive approach to opportunities and threats. It also recommends rigid requirements and could lead to ineffective organizational silos.

“The Three Lines of Defense has been a valuable tool for risk and control for more than two decades,” said IIA president and CEO Richard Chambers in a statement. “Changes proposed by a task force representing audit practitioners, risk and compliance executives, stakeholders, and others are designed to help modernize and strengthen the model to ensure its sustained usefulness and value.”

To access a review copy of the exposure draft of the revised Three Lines of Defense model and to be part of a public survey, visit www.theiia.org/3LOD.

Institute of Internal Auditors headquarters in Florida
