The Three Lines of Defense Model has long been a standard for internal auditors, and the recent update from the IIA brings the model forward to meet the current risk environment. Refresh your memory of the Three Lines model with this breakdown that uses football to describe internal audit’s role to non-auditors.
What Are the Three Lines of Defense?
The Three Lines of Defense Model (also referred to as 3 Lines Model, 3 Lines of Defense, and 3LOD) is a guide to help organizations organize risk and control responsibilities. In the model, the roles for the governing body (i.e. the board of directors), management, and internal audit are clearly defined. The Three Lines of Defense Model was recently updated to remove ambiguity in the relationship between internal audit and management responsibilities.
In the model, the focus across the organization is on risk management. The governing body assumes responsibility for organizational oversight, defines objectives, and sets the tone for management. Management owns the control functions to mitigate risks to the organization from meeting its objectives. Finally, internal audit provides independent assurance that the control structure works as intended.
How to Explain the Three Lines of Defense Model to Non-Auditors?
Have you ever found yourself struggling to explain that internal audit is more than just a policing function? Are you tired of watching people glaze over when you describe what internal audit actually does? The audit department can have a negative connotation as a cost center in the business, but we know audit activities should be designed to add value to an organization and protect its operations. So, how can we communicate internal audit’s important role to someone within the business or outside it who doesn’t understand?
Let’s turn to sports! Just like football, most organizations have three lines of defense that comprise their risk management system. A football team’s defense protects against a touchdown by the opposing team. Similarly, every organization has employees defending the company against a risk event. When we break down risk management from a football perspective, perhaps internal audit’s crucial role will be easier for others to grasp.
Organizational Hierarchy and Risk Management Strategy
Like football teams, all organizations have a head coach (the CEO) and an owner (the Board) who set the broad strategy. The head coach then hires an offensive coordinator (COO) and a defensive coordinator (CRO), who are expected to execute on the head coach and owner’s objectives. They do so by hiring specific position coaches like the quarterback coach, offensive line coach, linebacker coach, and so on. Just like a line of business leaders, these position coaches are responsible for the tactical execution of the offensive and defensive coordinators’ plan.
Along with a hierarchy, every organization has a playbook. In football, the position coaches are responsible for putting together plays to accomplish their specific mission. In a business, these plays are policies and procedures, and in this case, the mission is to identify and mitigate risk. The position coaches teach their direct reports all of the plays, and then expect them to execute on those plays. For the defensive players, executing plays means blocking, tackling, and running interceptions to stop the ball from crossing the goal line. This, essentially, is what a business’s defense does when it works to stop a risk event from getting past its safeguards and being discovered by external assessors such as investors, regulatory agencies, and rating agencies. But not all eleven defensive players on the field are alike — let’s take a closer look at the characteristics and responsibilities of the three lines of defense.
The First Line of Defense
5 Defensive Linemen (Business Operations)
In a typical football defense structure, the first line of defense consists of five defensive linemen who are there primarily to block and tackle. This front line has a lot of people who work to prevent a touchdown either by proactively thwarting a play by running a blitz, or by stopping the ball at the line of scrimmage. But these guys are so tied up dealing with their normal activity—wrestling with the offensive linemen—that they perform their plays without getting a good look at where the ball is going. If the quarterback pulls a fake play or calls an audible to change the play call at the line of scrimmage, the ball will probably get by the linemen.
In an organization, business operations make up the first line of defense. These business leaders and day-to-day employees are responsible for creating policies and procedures, identifying risks, and making sure there are controls in place. However, they are so close to the action that they don’t have a view of the larger risk context. Like a trick play getting past the linemen, an unexpected risk or change in risk conditions might make it past the business operations line of defense.
The Second Line of Defense
2 Linebackers and 2 Cornerbacks (Business Support Functions)
The second line of defense includes two linebackers and two cornerbacks. These four players are positioned behind the linemen, so they have a broader field of view. They can see a play develop, and can either proactively tell the first line of defense to modify their play or react to attempt to capture the ball themselves.
In a company, the second line of defense may be the legal team, third-party oversight, accounting, the risk management team, or another business support function. As in football, this line of defense is important because they have a wider field of view of risk. In a real-life example, the CRO may become aware of a new potential cyber attack. He can proactively tell the IT team (the first line of defense) to change their procedures to guard against the new risk. In another scenario, an issue may be brought to light by accounting when a flux analysis suggests the company didn’t meet expected numbers, and the root cause is that a process is broken. In this case, accounting can take action themselves to “break up the play” and prevent the risk event.
The Third Line of Defense
2 Safetys (Internal Audit)
The third and final line of defense consists of two safetys who line up behind all the other players as the last option to stop a play if it gets past the first two lines of defense. A safety is fast, agile, and nimble, and has the biggest field of view in the entire organization. The safety can see the quarterback call an audible, and can proactively tell the first or second lines of defense to change their approach. Or, the safety can run an interception himself to catch the ball before it makes it into the endzone for a touchdown.
Internal audit is this nimble third line of defense. We have the broadest view of organizational risk, but we also have the most ground to cover because there are few of us and the field is huge. Internal audit is here to help the other lines mitigate risk and to be the last line of defense that catches a risk event before it crosses the line to be detected by external assessors. We have to be smart and analytical people who create effective audit plans, but we must also be agile enough to constantly adjust our coverage to protect the organization from emerging risks. Forming a crucial final line of defense, internal audit works with business operations and business support functions in a successful compliance risk management system.
Final Thoughts on the Third Line of Defense
The next time someone demonstrates some misconceptions about internal audit, use the three lines of defense to set them straight. Internal auditors aren’t just looking for a “gotcha” moment. Internal audit isn’t the only department guarding against risk. Internal audit shouldn’t just be performing the same old boilerplate audits year over year. Instead, internal audit is the final line of defense with the broadest view of organizational risk and the agility to react to emerging conditions to prevent a risk event — just like a safety intercepting the football before it can make it into the endzone. When you’re ready to take your organization’s risk management game to the next level, get a free demo of AuditBoard’s integrated Risk Management Software, RiskOversight.
Chris Patrick, CIA, is the Head of Internal Audit and Sarbanes-Oxley (SOX) at Sunlight Financial, and previously led audit teams at Figure and RoundPoint Mortgage Servicing Corporation. He is currently a member of the Board of Governors with the Charlotte Chapter of the IIA, and has served as President of the Northern Virginia Chapter of the IIA. Connect with Chris on LinkedIn.