The Three Lines of Defense (TLD) Model provides a framework to clarify the involvement and alignment of multiple assurance providers acting on behalf of their client organizations. It has become increasingly common to have various risk and control professionals working side by side to help their organizations manage risk and increase the likelihood of achieving strategic and operational goals.
Coordination between internal audit and other assurance providers is essential to make sure the organization benefits from the best level of overall assurance. Standard 2050, Coordination and Reliance, states that the head of internal audit should share information, coordinate activities and consider relying upon the work of other internal and external assurance service providers to ensure proper coverage and minimize duplication of effort.
These assurance providers include risk management, corporate compliance, quality control, fraud investigations, internal and external auditors, inspectors and regulators. Each group has its own perspective and skillset, operates within a different area of the organization, reports into a different section of management and is accountable to different stakeholders. So, it is not enough to have these units within the corporate umbrella. They must have clearly defined roles, coordinate their duties effectively, and make concerted efforts to minimize overlap and avoid gaps in coverage, because together they play a pivotal role in supporting the organization’s governance framework.
The Elements of the TLD Model
The First Line of Defense
The first line of defense consists of management controls. These are the controls embedded in everyday programs and processes and are typically performed during the ordinary course of business. These controls are performed, owned and overseen at the program and transaction levels by operational employees and their managers.
Internal auditors have historically spent most of their time reviewing these risks, controls, and operating practices. Audit reports generally focus on the work done examining activities at the first line of defense.
The Second Line of Defense
The second line of defense consists of the various risk, control, and compliance functions established by management. These are units that help build, review and monitor risks and controls at the first line of defense level within the organization. They report to senior management, but in some cases may also report to the governing body (e.g., the board of directors, the board of trustees). The second line of defense includes units such as risk management, corporate and regulatory compliance, quality control, IT and physical security, health and safety, and financial reporting.
While the second line of defense is essential for the establishment and operation of effective internal controls, it cannot provide genuinely independent analysis and assurance to the board because it reports directly to management. These functions do, however, support, monitor and help to enforce adherence to management policies and procedures. They alert management to emerging issues and help to develop effective business practices.
The following are some of the critical responsibilities of the second line of defense:
• Support management policies
• Identify current and emerging issues
• Help to develop processes and controls
• Identify shifts in the risk appetite
• Facilitate, guide and train others on risk management processes
• Monitor the adequacy and effectiveness of internal controls
• Monitor the remediation of identified deficiencies
The Third Line of Defense
The third line of defense consists of the internal audit function as an independent and objective assurance provider. The goal of internal audit is to provide assurance on the effectiveness of governance, risk management, and internal controls. This includes evaluating the effectiveness of the first and second lines of defense.
The following list shows the key responsibilities of the third line of defense:
• Evaluate the activities that support the achievement of strategic objectives
• Examine the efficiency, effectiveness, and economy of operations
• Verify the safeguarding of assets
• Assess the reliability and integrity of financial and operational reporting processes
• Verify compliance with applicable laws, regulations and other obligations
• Assess the organization’s internal control environment
• Audit essential functions, programs, units, processes, and systems of the organization
• Evaluate the effectiveness of the first and second lines of defense
All organizations, regardless of their size, location, industry or complexity, should have some form of the three lines of defense. While it is best when each line is separate and operates with clearly defined roles, some organizations find it advantageous to combine some of these lines of defense. In some instances, internal audit also performs compliance and risk management activities, and its Chief Audit Executive (CAE) also serves as the Chief Compliance Officer (CCO) and the Chief Risk Officer (CRO). In these cases, internal audit should communicate the implications of this action to the board and senior management to avoid compromising its independence and objectivity.
Regulators, external auditors, and other parties are outside the organization’s structure, yet they play an essential role in supporting the organization’s corporate governance, risk management, and control activities. They set requirements and review compliance by the three lines of defense through various types of reviews. While they are not considered a line of defense on their own, they also provide assurance to shareholders and other stakeholders.
The Three Lines of Defense Model
An opportunity for improvement for many internal audit departments is to increase their coordination with the second line of defense. By discussing their respective annual review plans, review topics, depth of examination, documentation protocols and monitoring practices, each will avoid duplicating efforts, over-burdening operating units and wasting limited resources, and together they will provide a more comprehensive assurance picture to the board and senior management. This practice will also minimize the likelihood of “blind spots,” where each unit believes the other is examining a particular area, when in fact it is not being reviewed satisfactorily by either of them, or at all.
The Three Lines of Defense model is a useful framework to raise awareness among management and employees, who sometimes misunderstand the roles and responsibilities of the various parties involved. It also encourages collaboration among the multiple groups overseeing the organization’s governance, risk management, and control activities. The model also shows that everyone in the organization plays a role in managing risks and controls.
It includes the governing body because as the highest authority, it has final oversight over the activities of the organization and it is ultimately accountable to the various stakeholders. The model also includes senior management, since it has the authority and responsibility of setting structures, expectations and the operating tone, providing needed resources, establishing the scope of work, and overseeing the activities of organizational units.
The comprehensive nature of The Three Lines of Defense Model helps the various parties understand the role they and others related to the organization play in setting and pursuing business objectives, managing risks and performing control activities. Every line of defense provides an additional level of protection, and by working together, they give greater assurance to stakeholders that organizational value will be protected and enhanced.
Interested in learning more about this and other tools and techniques? Join Dr. Murdock when he teaches Lean Six Sigma Skills for Auditors, Internal Audit School, and High-Impact Skills for Developing and Leading Your Audit Team.