As part of a series debunking internal audit terminology, we're looking at the three lines of defence. 

The third line of defence is defined by the Chartered Institute of Internal Auditors as functions providing independent assurance - "above all internal audit". 

Examples of providers of independent assurance include:

  • Internal audit  
  • External audit 
  • Inspection and regulatory activity e.g. CQC’s inspections of health and social care services
  • External peer review
  • External quality assurance e.g. ISO

Internal audit is seen as one of the main components of this as it provides independent assurance to the governing body and senior management on the effectiveness of governance, risk management and internal controls.

As well as assessing the effectiveness of the first and second lines of defence, internal audit provides advice on improvements that could be made. 

Areas reviewed by internal auditors when providing independent assurance include:

  • Efficiency and effectiveness of operations
  • Compliance with laws, regulations, policies and procedures
  • Identification, assessment and response to risks
  • Business functions such as production, safety, customer functions, and operations
  • Supporting functions such as HR, payroll, asset management, IT and finance

In order to provide assurance, internal audit services need to maintain independence from the first and second lines of defence. This independence is obtained by reporting to a suitably high level in an organisation, typically though an organisation’s audit committee. 

At the same time, internal audit should not be relied upon to detect every control failure, error or deficiency. It should not be regarded as a control measure, rather its role is largely ‘detective’ and ‘corrective’ and in order to work effectively, all three lines in the defence model need to work together. 

Recap this series: Overview of the three lines of defence | The first line of defence | The second line of defence | The third line of defence

Sign up for the Veritau Alerts Click subscribe to receive the monthly bulletin