Most of us will also remember the deliberate step the International Institute of Internal Auditors took when it dropped the word “defence” and renamed the model simply “Three Lines”: a signal that the model is about enabling organisations to take risk with confidence, not merely about limiting it.
It’s a construct that has existed for many years, and yet it remains the subject of fundamental debate and misunderstanding. In financial services, regulators push for a highly differentiated approach, with clear rules about how individuals and functions may interact with, and rely on, each other.
The external audit profession has developed its own understanding and rules, particularly about the (very limited) extent to which it can place reliance on internal audit. Some organisations have gone beyond three lines. Unilever, for example, has local audit teams across its jurisdictions that deliver audit programmes scoped to a local level of materiality and significance – known as the third line. Corporate Audit is then a fourth line, taking a more risk-based approach.
Should it be acceptable to have this variation?
The Three Lines model fundamentally enables separation of activities to create an effective system of control:
- The first line performs the activities.
- The second line establishes standards and expectations and then monitors compliance.
- The third line independently assesses the risks and performs audit work to evaluate whether the level of risk being run is in accordance with risk appetite.
We believe that this model represents discrete activities that need to be performed by individuals who understand their role in the organisation. In each line, individuals must be familiar with the risks the organisation chooses to take in order to be successful, as well as the causes and consequences of those risks, which must be reduced to an acceptable level. Further, there will be risks outside the organisation’s control, for which an appropriate response plan must be in place and tested in order to achieve operational resilience.
How these individuals are organised matters less than their understanding of their roles and their capability to fulfil them. Ultimately, in an organisation of sufficient scale, an independent third line should be delivering risk-based audits that follow professional standards. It is the Internal Audit Standards, with their ethical expectations for auditors, together with the Code of Practice for Internal Audit in the UK, that differentiate the third line from the second. The independence and objectivity of the third line must not be compromised.
However, it may still be appropriate and acceptable for the third line to periodically assess compliance with standards, or to provide professional insight and advice on setting appropriate standards and expectations, but only if the right safeguards are in place: the third line must not later audit standards it effectively wrote, and any advisory work should be disclosed to the audit committee.
Emerging technologies and the Three Lines
As organisations increasingly integrate automation and data-driven tools into their operations, the Three Lines model is evolving. Compliance activities within the second line are now often automated and performed alongside the first line on a continuous or real-time basis. For example, AI-powered monitoring tools can identify anomalies or breaches more effectively by processing vast volumes of data. These technologies, while promising heightened assurance, require robust safeguards to make them reliable and to avoid unintended consequences: the integrity of the data feeding them, the tuning of their thresholds and false-positive rates, and the drift of their models over time are themselves controls that need an owner in the second line and periodic review by the third.
Similarly, data analytics is transforming the third line’s ability to conduct audits. By leveraging predictive analytics and advanced modelling, internal auditors can focus on high-risk areas with greater precision, enhancing both efficiency and effectiveness.
Evolving skill sets
This shift requires an evolution in the skill sets of internal auditors. Beyond traditional auditing skills, internal auditors now need proficiency in data analytics, understanding of AI systems, and the ability to interpret complex data sets. Moreover, soft skills like communication and adaptability are essential to navigate the increasing complexity of stakeholder expectations and regulatory requirements.
Regulatory alignment
We believe that boards must intentionally design the Three Lines as a set of activities rather than as functions. They must determine what activities provide the necessary level of comfort and who is most able to perform them with the right level of objectivity and independence. This approach aligns with regulatory frameworks such as the UK Corporate Governance Code 2024, which requires boards of listed companies to attest to the effectiveness of their organisation’s system of control.
Global regulatory expectations also emphasise the importance of transparency in roles and responsibilities within the Three Lines model. Organisations that clearly articulate and document their approach are better positioned to meet these expectations.
Addressing common challenges
Implementing the Three Lines model is not without challenges. Resistance to change, overlapping roles, and resource constraints can hinder its effectiveness. Solutions include:
- Phased adoption: gradually implementing the model to ensure a smooth transition.
- Clear role definitions: avoiding ambiguity in responsibilities by mapping out distinct activities.
- Training programmes: equipping teams with the necessary skills and understanding to perform their roles effectively.
The future of the Three Lines Model
Looking ahead, the Three Lines model is likely to become more dynamic, reflecting the growing integration of ESG (environmental, social, and governance) factors into organisational risk management. The model may evolve to include additional layers or hybrid functions, particularly as technology blurs traditional boundaries between the lines.
While there is no single answer that applies to all organisations, one principle remains constant: directors must be able to describe how their system of control works and the principles that underpin it. Only then can the Three Lines enable organisations to take risk with confidence.