
Modernising the three lines of defence model

An internal audit perspective

September 2020


Businesses are continuing to evolve out of necessity, responding to an onslaught of disruption, new business models, and technology. This continuous change affects business operations at all levels, with customers demanding real-time interactions, regulators applying increasing levels of scrutiny, and governance stakeholders requiring assurance in this complex and dynamic risk environment. The result has exposed weaknesses in the traditional three lines of defence (3LOD) framework.


Is the 3LOD framework still relevant and efficient in its current form? As the risk landscape becomes more complex and fast-moving, it is critical for organisations to identify and respond to emerging risk events quickly and effectively. We believe that internal audit (IA) should play a key role in this evolution.

Our key findings

  • Current-state challenges - While the 3LOD framework is widely acknowledged and understood by a range of industries as the governance model for risk, its implementation varies in form and maturity across the spectrum. Traditionally, one of the roles of the IA function is to provide assurance while maintaining objectivity and independence; however, its mandate should continue to evolve as the need to adapt to a business-focused, technology-driven, advisory mindset is amplified.
  • Future state and opportunities - IA functions with the strongest impact in their organisations are those which are adapting to change: collaborating and making investments in digital assets, analytics, and automation. New technologies have created new opportunities for IA by enabling techniques to improve efficiency and insight from assurance activities.

Looking ahead

IA is on the cusp of innumerable possibilities to collaborate with the other lines, develop roadmaps, and help lead improvement to optimise governance across the organisation. In our point of view, assurance responsibilities are fulfilled through combined core assurance spread throughout the lines of defence, rather than just through IA; it also includes the imminent need for IA to advise the business by anticipating and measuring risk.
