(First published in the Internal Auditor Magazine, December 2020 issue as "The New Three Lines Model" by The Institute of Internal Auditors, Inc.)
The IIA released its Three Lines Model in July 2020 as an update to the highly-regarded Three Lines of Defence Model promulgated in 2013. Many practitioners either love it or hate it, while others (including this author) vacillate between the two states.
A coffee table debate of the updates aside, many auditors have asked what the new model means and what changes (if any) are required of them. Rather than discussing required changes, it is more useful to note that the new model offers the auditor many opportunities to move up the value chain.
Naming Convention
For a start, removing the rather archaic term "of defence" from the name appears to be long overdue. A three lines of defence title suggested a sequential management of risks and placed internal audit as the third fiddle. However, all true blood internal control aficionados know that these lines are frequently criss-crossed and intertwined. There has been a significant increase in the value enhancement role of internal audit, and the updated and simpler "three lines" convention serves well to do it justice.
In this regard, the internal audit team should review its position in the organisation and what it should do to bring itself up the value chain and earlier upstream in the management of risk and provision of value. Depending on the complexity and maturity of the organisation's corporate governance structure, possible options may include the internal audit function leading the way in understanding emerging risks such as the latest digital advancements and providing training to the first two lines on the relevant internal controls.
Where this has already been achieved, the internal audit function can also straddle the fine line between independence and proactivity by engaging in more consultancy projects. These can include sharing key risk considerations in a process reengineering exercise or the implementation of a new IT system; it could also simply be having a seat in regular management meetings dealing with daily risks.
Management Structure
The view of management roles has also evolved. The previous segregation of management into the first two lines of defence reporting to senior management is subsumed into a single tier of management overseeing the first two lines. This is a pivotal change, as many businesses are eschewing a hierarchical operating model in favour of a functional reporting matrix, which is arguably a more responsive operating structure. The internal auditor's mental construct of risk management responsibilities must similarly evolve. In his/her daily work, the internal auditor should re-examine established internal controls and the assigned control owners and evaluate if such structures are still optimal, cost-effective and adequately responsive to the organisation's risk landscape.
Just as the internal auditor rethinks the roles of the first two lines, he/she should also rethink the provision of value protection and enhancement vis-à-vis the first two lines to ensure that there is no unnecessary overlap or duplication of efforts. This is well encapsulated by the new model, which highlights that "there is a need for collaboration and communication across both the first and second line roles of management and internal audit to ensure there is no unnecessary duplication, overlap, or gaps."
In the new model, internal audit is also no longer subjugated to senior management. The age-old focus on reporting to management should be substituted with a more balanced conversation of "alignment, communication, coordination, and collaboration" where internal audit can finally play a well-placed role of partnering with, rather than reporting to, management.
To carry out its partnership role in risk management well, the internal audit function should not await instructions or suggestions from management, or be perpetually playing catch-up with the organisation's business and risks. While management will rightfully be more attuned to business risks, a progressive internal audit function can do its part to be ahead of management in compliance or finance risks, such as forthcoming laws and regulations or accounting rules, and take the initiative in preparing the organisation for them.
External Parties
Another axiomatic update is the amalgamation of external auditor, regulator and various previously unnamed external parties into a single group of "external assurance providers." This is a far more encompassing simulacrum of the real-world scenario where numerous other external parties such as the ISO auditor, certification auditors, business improvement consultants, etc., come into play to assist the organisation to achieve its objectives. The internal auditor would do well to compile a comprehensive inventory of external assurance providers and the types of assurances provided, and to consider them in its internal audit plan. It is seldom that the internal audit function will be fully sufficient or cost-effective in having the full suite of competencies needed for the organisation's needs. Where there can be learning from or leveraging upon these external sources, the efficacy and efficiency of the internal audit function can be greatly enhanced.
A Constant Evolution
As its role continuously evolves, the internal audit function must engage in effective communications with the stakeholders as it exploits the opportunities offered by the new model.
A suitable start may be a series of focus group discussions within the internal audit team on their thoughts on the new model and the changes that they would like to see implemented in their organisation. These views can then be discussed and agreed with management before they are succinctly fed back to the governing body (aptly defined in the new model as individuals who are accountable to stakeholders for the success of the organisation) for their inputs and affirmation.
Once the final blessings are obtained, the internal audit team should review and update its mandate and work activity documents. These are likely to be the IA charter, opening and closing slides templates, training materials for auditors, training materials for management, audit surveys and annual surveys.
The updated mandate and documents can then be formally rolled out as a series of trainings to the management team and internal audit team. As with all evolutions and changes, the internal audit team should periodically seek feedback from its stakeholders on the changes made and whether further fine-tuning is required.
Overall, the new model presents a much better depiction of the real-world progression of our profession, but it remains a theoretical construct until the astute internal auditor capitalises on the update for the better good of governance.
DISCLAIMER: All opinions, conclusions, or recommendations in this article are reasonably held by Baker Tilly at the time of compilation but are subject to change without notice to you. Whilst every effort has been made to ensure the accuracy of the contents in this article, the information in this article is not designed to address any particular circumstance, individual or entity. Users should not act upon it without seeking professional advice relevant to the particular situation. We will not accept liability for any loss or damage suffered by any person directly or indirectly through reliance upon the information contained in this article.