Having originated in the financial services sector in the late 1990s and early 2000s, 3LOD has been widely adopted across all industries, albeit to varying degrees, since the Institute of Internal Auditors (IIA) formally adopted the model in 2013. The IIA revisited it in 2023, and it is now called the Three Lines Model. The level of adoption broadly correlates with the strength of regulatory pressure. In most industries, smaller or emerging organisations typically lack three defined and distinct lines, with overlapping first- and second-line roles or overlapping second- and third-line functions, whereas heavily regulated industries, such as financial services or pharmaceuticals, have established clear, formalised lines of defence. Regardless of how mature and integrated the 3LOD model is within organisations, there are a number of challenges that limit its effectiveness.
The Three Lines of Defence (3LOD) framework is a governance model for risk that is widely acknowledged and understood across various industries. It involves different groups within organisations playing distinct roles, from business units to compliance, audit, and other risk management personnel.
While the 3LOD framework is widely acknowledged and understood by a range of industries as the governance model for risk, its implementation varies in form and maturity across the spectrum. Traditionally, the role of internal audit (IA) functions is to provide assurance while maintaining objectivity and independence; however, their mandate should continue to evolve as the need to adapt to a business-focused, technology-driven, advisory mindset is amplified.
IA functions that have the strongest impact on their organisations are those that adapt to change, collaborate, and invest in digital assets, analytics, and automation. New technologies provide opportunities for IA to improve the efficiency of, and insight from, assurance activities, including 100% assurance coverage, automation of assurance tasks, and real-time insight into emerging risks via data-led, continuous monitoring. To take advantage of these changes and disruptions, auditors need to rethink their role by adapting to and embracing change, enabling the IA function to become more agile, nimble, and forward-looking, thus driving change through the 3LOD. Effective IA functions with a dynamic and forward-looking mindset are likely to be viewed positively by key stakeholders. To strengthen its impact and mobilise itself for future challenges and opportunities, IA needs to elevate itself to become a more strategic and holistic assurance provider and risk advisor, collaborating with the other lines and having a seat at the table. Innovation should extend beyond technology to include coordination, communication, audit and risk assessment methodology, and stronger engagement with first- and second-line stakeholders.
Assure. Advise. Anticipate. Accelerate. The Internal Audit 4.0 framework is designed to help internal audit departments lead in providing core assurance, advising the business, and helping the business anticipate risk and accelerate organisational learning.
The “Four A’s” are the heart of our IA methodology. They help the organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
IA is on the cusp of innumerable possibilities to collaborate with the other lines in the three lines of defence model, develop roadmaps, and help improve governance across the organisation. This is a great opportunity for the profession to redefine itself and cement its position as not only a provider of assurance, but also a function that assures, advises, and anticipates. Our point of view is that assurance responsibilities should be fulfilled through combined core assurance spread throughout the lines of defence, rather than through IA alone, and that there is also an imminent need for IA to advise the business by anticipating and measuring risk. These are the critical elements of the IA of the future (see Deloitte POV: Internal Audit 4.0), which will create capacity for IA to focus on the most relevant and impactful risks to the organisation.