Debunking terminology: the three lines of defence in internal audit
As internal auditors, we can be guilty of using our own specialist terminology. To those outside the field, it can come across as technical jargon. Over a series of short articles we will be attempting to debunk one of the most important audit ideas – the three lines of defence.
You may have heard this term being talked about by your auditors or others. But, as with many audit terms, it’s likely to be familiar but not fully understood!
Simply put, the three lines of defence is a simple and effective approach to providing risk assurance.
Again, ‘risk assurance’ may be another piece of audit jargon. In plain terms, risk assurance is how confident you can be that appropriate processes are in place and are operating effectively. This helps risks to be managed and objectives to be achieved.
The three lines of defence model outlines the roles and responsibilities of the parties involved, in order to increase the effectiveness of risk management and control.
First line of defence: functions that own and manage risk (for example, managers with specific roles and responsibilities to provide services, manage resources or deliver projects).
Second line of defence: functions that oversee or specialise in risk management and compliance (for example, individuals or teams established to verify and monitor service performance or adherence to quality standards).
Third line of defence: functions that provide independent assurance, above all internal audit.
The three lines work collectively to support the governing body and senior management. All three should share the same objective: to help the organisation to achieve its objectives by the effective management of risk.
If responsibilities are clearly defined, each line can understand the boundaries of its responsibilities and how its position fits with the overall organisational risk management structure.