The Three Lines of Defence (TLD) Model provides a framework to clarify the involvement and alignment of multiple assurance providers acting on behalf of their client organisations. It has become increasingly common to have various risk and control professionals working side by side to help their organisations manage risk and increase the likelihood of achieving strategic and operational goals.
Coordination between internal audit and other assurance providers is essential to make sure the organisation benefits from the best level of overall assurance. Standard 2050 - Coordination and Reliance, states that the head of internal audit should share information, coordinate activities and consider relying upon the work of other internal and external assurance service providers to ensure proper coverage and minimise duplication of effort.
These assurance providers include risk management, corporate compliance, quality control, fraud investigations, internal and external auditors, inspectors and regulators. Each group has its own perspective and skillset, operates within different areas of the organisation, reports to different sections of management and is accountable to diverse stakeholders. So, it is not enough simply to have these units within the corporate umbrella. They must have clearly defined roles, coordinate their duties effectively, and make concerted efforts to minimise overlap and avoid gaps in coverage, because together they play a pivotal role in supporting the organisation’s governance framework.
The Elements of the TLD Model
The First Line of Defence
The first line of defence consists of management controls. These are the controls embedded in everyday programs and processes and are typically performed during the ordinary course of business. These controls are performed, owned and overseen at the program and transaction levels by operational employees and their managers.
Internal auditors have historically spent most of their time reviewing these risks, controls, and operating practices. Audit reports generally focus on the work done examining activities at the first line of defence.
The Second Line of Defence
The second line of defence consists of the various risk, control, and compliance functions established by management. These are units that help build, review and monitor risks and controls at the first line of defence level within the organisation. They report to senior management, but in some cases may also report to the governing body (e.g., the board of directors, the board of trustees). The second line of defence includes units such as risk management, corporate and regulatory compliance, quality control, IT and physical security, health and safety, and financial reporting.
While the second line of defence is essential for the establishment and operation of effective internal controls, it cannot provide genuinely independent analysis and assurance to the board because it reports directly to management. However, these functions support, monitor and help to enforce adherence to management policies and procedures. They alert management to emerging issues and help to develop effective business practices.
The following are some of the critical responsibilities of the second line of defence:
• Support management policies
• Identify current and emerging issues
• Help to develop processes and controls
• Identify shifts in the risk appetite
• Facilitate, guide and train others on risk management processes
• Monitor the adequacy and effectiveness of internal controls
• Monitor the remediation of identified deficiencies
The Third Line of Defence
The third line of defence consists of the internal audit function as an independent and objective assurance provider. The goal of internal audit is to provide assurance on the effectiveness of governance, risk management, and internal controls. This includes evaluating the effectiveness of the first and second lines of defence.
The following list shows the key responsibilities of the third line of defence:
• Evaluate the activities that support the achievement of strategic objectives
• Examine the efficiency, effectiveness, and economy of operations
• Verify the safeguarding of assets
• Assess the reliability and integrity of financial and operational reporting processes
• Verify compliance with applicable laws, regulations and other obligations
• Assess the organisation’s internal control environment
• Audit essential functions, programs, units, processes, and systems of the organisation
• Evaluate the effectiveness of the first and second lines of defence
All organisations, regardless of their size, location, industry or complexity, should have some form of the three lines of defence. While it is best when each line is separate and operates with clearly defined roles, some organisations find it advantageous to combine some of these lines of defence. In some instances, internal audit also performs compliance and risk management activities, and its Chief Audit Executive (CAE) also serves as the Chief Compliance Officer (CCO) and the Chief Risk Officer (CRO). In these cases, internal audit should communicate the implications of this action to the board and senior management to avoid compromising its independence and objectivity.
Regulators, external auditors, and other parties are outside the organisation’s structure, yet they play an essential role in supporting the organisation’s corporate governance, risk management, and control activities. They set requirements and review compliance by the three lines of defence through various types of reviews. While they are not considered a line of defence on their own, they also assure shareholders and other stakeholders.
The Three Lines of Defence Model
An opportunity for improvement for many internal audit departments is to increase coordination with the second line of defence. By discussing their respective annual review plans, review topics, depth of examination, documentation protocols and monitoring practices, each will avoid duplicating efforts, over-burdening operating units and wasting limited resources, and will provide a more comprehensive assurance picture to the board and senior management. This practice will also minimise the likelihood of “blind spots,” where each unit believes the other is examining a particular area, when in fact it is not being reviewed satisfactorily by either of them, or at all.
The Three Lines of Defence Model is a useful framework to raise awareness among management and employees, who sometimes misunderstand the roles and responsibilities of the various parties involved. It also encourages collaboration among the multiple groups overseeing the organisation’s governance, risk management, and control activities. The model also shows that everyone in the organisation plays a role in managing risks and controls.
It includes the governing body because, as the highest authority, it has final oversight over the activities of the organisation and is ultimately accountable to the various stakeholders. The model also includes senior management, since it has the authority and responsibility for setting structures, expectations and the operating tone, providing needed resources, establishing the scope of work, and overseeing the activities of organisational units.
The comprehensive nature of the Three Lines of Defence Model helps the various parties understand the role that they and others related to the organisation play in setting and pursuing business objectives, managing risks and performing control activities. Every line of defence provides an additional level of protection, and by working together, they give greater assurance to stakeholders that organisational value will be protected and enhanced.