​​Focusing on the Wrong Line of Defense

Comments Views

​Note: this p​ost is my personal view and not the official position, in any way, of The IIA.


The discussion of a three lines of defense model can (and I believe does) lead board members, executives, and consultants to the wrong idea of the roles of management, risk and compliance, and internal audit.

This is what they should understand.

Management, with oversight and approval from the board, runs the business. They are responsible and accountable for all the decisions, actions, and results.

The risk management and compliance functions assist management, but do not relieve them of responsibility and accountability for being in compliance and taking the right level of the right risks.

The internal audit function provides assurance, advice, and insight on the systems of risk management and internal control. They help the board and management with assurance that these systems are designed and operating as desired. They do not have responsibility for the actions taken and decisions made by management.

When we look at failures of risk management and internal controls, we should look at management first and foremost. We need to hold them to account. Risk management and compliance professionals within the organization should also be held to account, but only to the extent that they failed to provide the support and assistance management needed.

Don't blame risk and compliance professionals for failures of management.

Internal audit should be held to account when they failed to perform quality work and effectively assess the adequacy of risk management and internal controls.

But internal audit is blamed last, after fault has been found with management and then with risk and compliance.

Now let's contrast that with what is implied by a three lines of defense model.

Think of a castle, like the one pictured below.


There are multiple lines of defense.

Attackers have to get across the moat after the bridge has been removed.

Then they have to scale or breach the walls.

Should that happen, the defenders will retreat to the castle keep, where they have more walls for the attackers to overcome.

This is a true three lines of defense model.

If one is overcome, a second one still represents a level or protection. If the second is overcome, the third comes into play.

That is not how management, risk and compliance, and internal audit interact.

There is only one line of defense and that is management. They are supplied and supported by risk and compliance and inspected by internal audit.

Focus on that single line and hold them responsible and accountable.

Make sure, as best we can, that they make informed and intelligent decisions.

Some talk about lines of assurance. How does that work? It doesn't. The objective of all of these groupings is to run the organization and deliver value while remaining in compliance. It is not to provide assurance. Internal audit (and external audit) do that.

So, let's discard the three lines of defense model. It is deceptive.

Instead, let's talk about enabling management to take the right level of the right risks by making intelligent and informed decisions.

Risk and compliance functions assist and internal audit inspects (assurance, advice, and insight).


I welcome your thoughts.

The opinions expressed by Internal Auditor’s bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • IIA Bookstore_IAO_Mar2018_ Blog 1
  • IIA Quality_IAO_Mar2018_Blog 2
  • IIA QIAL_Feb2018 IAO_Blog 3