ERICKA FEYNE R.

BARAÑAO
Mindanao State University
BS Accountancy
ACT 140
ASSIGNMENT NO. 2

THE THREE LINE OF DEFENSE

The Three Lines of Defense model provides a valuable framework that describes the role of
the internal audit in ensuring effective risk management and how important it is to deliver its position
and function in the governance structure of companies.
Various parts and levels of an organization have different roles in risk management and the
interplay between these parts determines the effectiveness of the whole organization in managing risk.
The unique role of internal audit is to assure the board of directors that the risk management controls
are objective and independent.
Regular and ongoing dialog through internal auditing with the defense line 1 and 2 must be
carried out in order to provide the function with a more timely perspective on management and
business issues. Internal audit may thus be of use to the manager, in the form of advice, facilitation
and training, in order to improve the second line of defense processes. Internal audit can also
determine where the first two defense lines have gaps and advise how they can be connected.
Internal audit may also play a valuable part in ensuring that the Board is able to efficiently
identify and managed governance structures for broader strategic and internal risks.

GOVERNING BODY/AUDIT COMMITTEE

SENIOR MANAGEMENT

EXTERNAL
REGULATOR
AUDIT
1ST LINE OF DEFENSE 2ND LINE OF DEFENSE 3RD LINE OF DEFENSE

FINANCIAL CONTROLLER

MANAGEMENT SECURITY
CONTROLS
RISK MANAGEMENT INTERNAL AUDIT
INTERNAL QUALITY
CONTROL
MEASURE INSPECTION

COMPLIANCE

1ST LINE OF DEFENSE 2ND LINE OF DEFENSE 3RD LINE OF DEFENSE

Manager and personnel The second line of defense (functions Internal audit is the third line of defense
responsible for identification and that oversee or specialize in risk (functions that provide independent
management of risk as part of management or compliance) assurance). Its major tasks are to ensure
their responsibilities for achieving
objectives form the first line of
defense (functions that control
and manage risk). The relevant
risk control policies and
procedures should collectively be
provided with the necessary
knowledge, skills, information
and authority to conduct. This
requires a knowledge of the
company, its goals, its operational
environment and its risks.
provides the policies, frameworks,
tools, techniques, and support that
enable risk and compliance to be
managed in the first line, conducts
monitoring to see how well they're
doing it, and assists in ensuring
consistency of risk definitions and
measurement.
that the first two lines of defense are
operating well and to advise on how they
might be improved. It sits outside the risk
management processes of the first two
lines of defense. It provides an appraisal
of the efficacy of governance, risk
management, and internal control to the
organization's governing body and senior
management, using a risk-based approach.
It is tasked by, and reports to the board /
audit committee. It can help reassure
industry regulators and external auditors
that proper controls and processes are in
place and functioning properly.

Bruce, S.,CA. (2017), “Internal audit: three lines of defense model explained”. Retrieved at
http://www.icas.com/professional-resources/audit-and-assurance/internal audit/inter
nal-audit-three-lines-of-defense-model-explained

Chartered Institute of Internal Auditors, (2017). “The Three Lines of Defense”. Retrieved at
https://www.iia.org.uk/policy-and-research/position-papers/the-three-lines-of-defense