The four lines of defence
Assurance can come from many sources. The ‘four lines of defence’ model is a concept for helping to identify and understand the different contributions the various sources can provide. ICAEW's Audit and Assurance Faculty provides this definition of the model to help practitioners.
The 'four lines of defence' model is essentially the same as the ‘three lines of defence’ model, but adds in a fourth line: the external assurances provided by the external auditor, regulators and other external bodies.
By defining the sources of assurance in four broad categories, the model helps users to understand how each contributes to the overall level of assurance provided and how best they can be integrated and mutually supportive.
- First line: the way risks are managed and controlled day-to-day. Assurance comes directly from those responsible for delivering specific objectives or processes. It may lack independence but its value is that it comes from those who know the business, culture and day-to-day challenges.
- Second line: the way the organisation oversees the control framework so that it operates effectively. The assurance provided is separate from those responsible for delivery, but not independent of the management chain, such as risk and compliance functions.
- Third line: objective and independent assurance, e.g. internal audit, providing reasonable (not absolute) assurance of the overall effectiveness of governance, risk management and controls. The level and depth of assurance provided will depend on the size and focus of the internal audit function and management’s appetite for internal audit assurance.
- Fourth line: assurance from external independent bodies such as the external auditors and other external bodies. External bodies may not have the existing familiarity with the organisation that an internal audit function has, but they can bring a new and valuable perspective. Additionally, their outsider status is clearly visible to third parties, so that they can not only be independent but be seen to be independent.
Each line of defence has a purpose and can provide robust assurance. There is no one line which provides better quality assurance than any of the others. A range of assurance activities from across all lines of defence will provide a rich and value add assurance picture.
ICAEW's assurance resource
This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.