In 2013, The IIA issued The Three Lines of Defense in Effective Risk Management and Control Position Paper to address the number and complexity of potential risks in today’s businesses. The paper detailed a streamlined approach to risk management and control built on three layers — operational management, risk management and compliance functions, and internal audit.
Today, the Three Lines of Defense model is used throughout the world. According to a recent Global Internal Audit Common Body of Knowledge (CBOK) report from The IIA Research Foundation, 55 percent of respondents from publicly traded organizations, 43 percent from the public sector, 41 percent from not-for-profit organizations, and 40 percent of respondents from privately held companies (all excluding the financial sector) around the globe say they are using the model.
As might be expected because of the intense regulatory oversight of financial services, the financial sector is by far the biggest user of the model, with 78 percent of financial services respondents saying their company uses the model with internal audit as the third line of defense. However, an additional 3 percent of respondents in this industry report internal audit is considered the second line of defense, and 10 percent say the distinction between the second and third lines is unclear.
According to the CBOK report, A Global View of Financial Services Auditing, “internal auditors in financial institutions are challenged with finding ways to effectively implement this model in a way that works for their organization.” In some small and midsize organizations, the distinction between the second and third lines of defense can become blurred and the roles blended.
As chief internal audit and risk officer with Community Trust Bank in Pikeville, Ky., Steve Jameson knows the blurring lines challenge well. “Independence is managed by established safeguards that are documented and reviewed annually with both the audit committee and the board, and both bodies formally approve this framework and my role,” he tells author Jane Seago in “Defense in Depth.” Jameson is a co-author of the financial services auditing report.
As Seago explains, the Three Lines of Defense model’s structure is specifically defined; however, it remains flexible and can be adapted to support organizations of various sizes, structures, and complexity. “Ultimately, regardless of how the model is implemented, the key is ensuring that all functions are operating in concert to achieve organizational objectives, avoiding gaps in coverage and duplication of effort,” she tells readers. In her article, Seago defines the model in detail and looks at the many ways it is being used in practice.