The Three Lines model has served us well. But for the internal audit profession to mature from simply protecting value to also creating it, we need to build collaborative relationships with our fellow assurance professionals. The risk bedlam of 2022 demands it.
The concepts behind the Three Lines model haven’t changed much since it was first introduced as the Three Lines of Defense model 20 years ago. In the first line, management assesses risks and designs and implements controls; the second line provides monitoring and oversight of risk and control effectiveness; and internal audit provides independent assurance as the third line.
As we look forward, it’s time to acknowledge the model’s limitations and set a clearer course for correcting them. The IIA refreshed the model in 2020, and the new version emphasizes the need for “alignment, communication, coordination, and collaboration” between audit and management — yet the emphasis on the word “lines” still evokes images of silos. Only by embracing our roles as collaborative internal assurance and advisory functions will we be able to address the complexities introduced by today’s chaotic environment of increasing risk velocity and risk volatility, and the toll that emerging risks can take on our organizations.