IIA updates Three Lines Model to stress risk management and governance
The Institute of Internal Auditors has updated its Three Lines of Defense Model to emphasize more active forms of risk management and governance that go beyond merely defensive moves by the internal audit function.
In line with the revised approach, the IIA has shortened the name to the Three Lines Model to de-emphasize the defensive approach. The new emphasis is an acknowledgement that risk-based decision-making is as much about seizing opportunities as it is about defensive moves. The new Three Lines Model unveiled Monday by the IIA aims to help organizations better identify and structure the interactions and responsibilities of the key players in a company so they can achieve more effective alignment, collaboration, accountability and objectives.
“The original Three Lines of Defense Model had been adopted in the early 2000s,” IIA president and CEO Richard Chambers told Accounting Today. “It played a very useful role in helping people understand internal audit’s role and a good risk management and control framework. But a lot of people were expressing concerns that it was all about defense and value protection, which is an important role for the auditors and risk managers, but it isn’t the reason why organizations exist. They don’t exist just to protect value. They exist to grow value or to enhance and expand value to the stakeholders and shareholders that they serve. I think one of the things that we’ve been able to do with the new Three Lines Model is to emphasize that the role of management, the board and the internal auditors is to enhance the value to organizations, not just protect it. While as internal auditors we still have responsibilities for providing assurance on the effectiveness of risk management and controls, we also should be lending a hand in helping our organizations better understand the opportunities.”
The document discusses the roles of various leaders within an organization, including oversight by a board or governing body; management and operational leaders, including risk and compliance (the first and second lines); and independent assurance through internal audit (the third line). It also deals with the role of external assurance providers. The model is supposed to apply to all types of organizations, of different sizes and complexities.
The IIA began working on the update about a year ago, but Chambers sees even more relevance in light of the ongoing COVID-19 pandemic.
“I think the pandemic has presented enormous risks for organizations, a lot of which organizations were not prepared for,” he said. “It’s one of the reasons why we’ve been talking for a couple of years at the IIA about the importance of being able to identify emerging risks far enough out so that the organization can be prepared to mitigate or address them. This pandemic, when it hit earlier this year, a lot of people — even when they realized the pandemic had presented itself — still weren’t thinking through what it was going to present in terms of health and safety, the supply chain and cybersecurity. The pandemic itself has spawned an entire portfolio of risks, and I think it’s incumbent on the internal auditors to be able to look far enough out there to help organizations address them.”
He thinks it’s important for internal auditors to work across the various lines of the organization and not just stay within a set role. “Another key complaint that led up to this refresh was a concern on the part of many that the three lines of defense were very rigidly drawn,” he said. “The expectation was that everybody stayed in their lane and there was not a lot of collaboration between the lines. So, there was a lot of criticism, and people saw internal audit not helping management out. But the new Three Lines Model emphasizes the importance of communication and collaboration. A lot of people have always argued internal audit must be independent and therefore we really can’t get our hands dirty. We really can’t help management. What this document recognizes is that independence doesn’t mean isolation and that we have an obligation to have regular interactions with management and to ensure internal audit’s work is relevant and helps the organization both strategically and operationally.”