Is it time to redefine the Three Lines of Defense?

Daniel A. Clark

Daniel A. Clark

Director, Internal Audit, Washington Trust Bank

Should internal audit remain independent or get more integrated into the first two lines of defense? It might be time to rethink the model.

For years, those of us on the control side of business have explained the Three Lines of Defense model to business leadership and other interested parties. For those who don’t know, that model states that the business is responsible for the first two lines of defense against risk, and internal audit is the third line. There are many reasons and good arguments for this segmentation.

I would suggest that perhaps it’s time to let the model evolve into its destined form.

“It’s no longer an advantage to have internal audit stand alone as the final stopgap for risk management.”

We should all be smart enough to realize that holding internal audit separately is just an excuse to not have them involved where they can provide the most—and the best—value.

The integration of internal audit with the first two lines of defense has the potential to truly improve risk management. It could be the thing that links real-time application to the organization’s governance, risk, and compliance (GRC) vision and ERM expectations. In football, sometimes the best defense is a good offense, and the time has come to bring internal audit to the offensive side of the ball.

Let’s explore some ways to do that while also making sure internal audit maintains its necessary independence:

Review of business controls: The first line of defense

An independent assessment on the effectiveness of controls is a basic practice of internal audit. There’s nothing wrong with having auditors review controls while processes are being revised or developed—or even during the implementation stages of process redesign. This provides the business with a real-time review of the proposed control structure in a way that allows changes to be made before controls are even implemented.

A side benefit of early control review? Getting rid of redundant controls, or confirming that several controls working together actually mitigate the risk in the way the business expects.

Review of control functions: The second line of defense

One of the premises of the Three Lines of Defense model is that internal audit could rely on various internal control functions implemented by management. If we hold that belief to be true—and we should—then why does internal audit not support management by suggesting the proper organization, skills, and processes needed to achieve that goal?

Internal audit will review any control function (compliance testing, quality control, credit risk review, etc.) against standards to support full reliance. Internal audit should undertake this review during the creation of these control functions, assuring stronger and more sustainable processes. This saves the business money and also strengthens the second line of defense.

Integrated GRC: The lifeblood of ERM

Finally, GRC is a shared repository of information. Internal audit should actively participate in the successful implementation and exploitation of GRC for ERM purposes. Results of audit tests, audit risk assessment, and audit monitoring can provide the business with independent confirmation that controls and risk management efforts are effective.

With internal audit populating the business’s GRC tool, management would have a more complete vision of risk and controls at their fingertips. Internal audit then becomes a partner in risk management by providing independent confirmation that controls are effective. For management, this means “one-stop shopping.” For internal audit, it means auditors are on the path to becoming trusted advisors.

The days of separation must end. Internal audit and the rest of the business can become close allies in the battle against risks. ERM and the use of GRC tools have made this easier than ever. We should all make it happen.


Don’t Navigate Risks Without Internal Auditors

This eBook highlights:

  • How to assess low, medium, and high risk using the Risk Assessment Process
  • Ways to prioritize risk using scorecards and heat maps
  • Best practices for risk-based audit planning, while staying current to changing risk profiles
  • Examples of analytics for identifying risk and case studies from public and private sectors
  • 6 steps of applying analytics for risk assessment.

Download eBook

Related Articles