What are the three lines of defence?

Back to news

What are the three lines of defence?

18 January 2020

Three lines of defence infographic - Veritau

Debunking terminology: the three lines of defence in internal audit

As internal auditors, we can be guilty of using our own specialist terminology. To those outside the field can be seen as technical jargon. Over a series of short articles we’re be attempting to debunk one of the most important audit ideas – the three lines of defence.

You may have heard this term being talked about by your auditors or others. But, as with many audit terms, it’s likely to be familiar but not fully understood.

Simply put, the three lines of defence is a simple and effective approach to ensuring risk assurance.

Again, ‘risk assurance’ may be another piece of audit jargon. In plain terms, risk assurance is how confident you can be that appropriate processes are in place and are operating effectively. This helps risks to be managed and objectives to be achieved.

The three lines of defence model outlines the roles and responsibilities of parties to increase the effective management of risk and control.

First line of defence:

Functions that own and manage risk (for example, managers with specific roles and responsibilities to provide services, manage resources or deliver projects).

Second line of defence:

Functions that oversee or specialise in risk management and compliance (for example, individuals or teams established to verify and monitor service performance or adherence to quality standards).

Explore the second line of defence