The third line of defence in internal audit

21 January 2020

The three lines in internal audit: the third line of defence

The third line of defence is defined by the Chartered Institute of Internal Auditors as functions providing independent assurance – “above all internal audit”.

Examples of providers of independent assurance include:
  • Internal audit
  • External audit
  • Inspection and regulatory activity e.g. CQC’s inspections of health and social care services
  • External peer review
  • External quality assurance e.g. ISO

Internal audit is seen as one of the main components of this. It provides independent assurance to the governing body and senior management on the effectiveness of governance, risk management and internal controls.

As well as assessing the effectiveness of the first and second lines of defence, internal audit provides advice on improvements that could be made.

Areas reviewed by internal auditors when providing independent assurance include:
  • Efficiency and effectiveness of operations
  • Compliance with laws, regulations, policies and procedures
  • Identification, assessment and response to risks
  • Business functions such as production, safety, customer functions, and operations
  • Supporting functions such as HR, payroll, asset management, IT and finance

In order to provide assurance, internal audit services need to maintain independence from the first and second lines of defence. This independence is obtained by reporting to a suitably high level in an organisation, typically through an organisation’s audit committee.

At the same time, internal audit should not be relied upon to detect every control failure, error or deficiency. It should not be regarded as a control measure; rather, its role is largely ‘detective’ and ‘corrective’. In order to work effectively, all three lines in the defence model need to work together.
