Internal auditors are buffing up their longstanding Three Lines of Defense model for how to provide organizations with optimal coverage of risk and control functions.
The Institute of Internal Auditors has issued an exposure document to propose updates to the three lines model intended to modernize and strengthen the model to extend its utility. The proposed updates are meant to address some of the criticisms of the model that have surfaced over the years, mainly that it is too restrictive or too limiting.
The three lines model outlines the roles that should be played by various leaders in organizations—such as the board or governing body, senior management, operational leaders, risk and compliance staff, and internal auditing—to establish an effective risk and control environment. The model generally describes the independent internal audit function as the third line of defense, or the final stop within organizations for catching problems, before external auditors or regulators would step in.
While the concept has existed for roughly two decades, the IIA formally adopted the model in a 2013 position paper. Amid rapid change in recent years and the growing complexity of organizations, the IIA deemed it time to revisit the model and make some tweaks to address some of its criticisms. “Changes proposed by a task force representing audit practitioners, risk and compliance executives, stakeholders, and others are designed to help modernize and strengthen the model to ensure its sustained usefulness and value,” said IIA President and CEO Richard Chambers in a statement.
The proposal seeks to broaden the scope of the model by adding notions of creating value rather than focusing exclusively on protecting value, the IIA says. The model leaves room for organizations to exercise their own flexibility and choice, the proposal says, including how to assign, separate, and combine roles. The proposal also emphasizes, however, the need for close coordination among the various contributors to avoid silos.
Acknowledging potential concerns that such an approach can lead to “blurring of the lines” among roles, the IIA says the model emphasizes that concern must be considered to assure conflicting roles are not combined. “Given the importance of its independence, great care must be taken when responsibilities of internal auditing are extended beyond providing credible, objective assurance of the effectiveness and adequacy of governance, risk management, and control,” the proposal says.
The IIA is inviting comments on the proposal through Sept. 19, 2019.