Reflections on the Third Line of Defense Model
People are talking about the third line of defense model for internal audit.
– The IIA has a Position Paper
– PwC has made its contribution
– Protiviti extended the model to 5 lines of defense
– Not to be left out, EY published a thoughtful piece
– and Deloitte has a PowerPoint
I even did a webinar on the model (I don’t have a link to the recording).
I think the model has some value in explaining how internal audit is not the primary player when it comes to risk or compliance – management is the primary player, assisted by organizations in the second line of defense such as the compliance function, physical security department, risk management, and so on – all part of management.
Internal audit can place some level of reliance on these “other assurance providers” in the second line of defense by assessing how well they monitor management performance of controls.
My problem with the model is that it is all about defense.
Organizations (and sports teams) rarely succeed by only playing defense. (When the defense scores a touchdown, that is because they have become the offense after a turnover.)
Organizations (and sports teams) win through a combination of offense, defense, and (perhaps) special teams.
Internal audit can and should have a key role in all three elements of the business game: offense, defense, and special teams.
Internal audit exists not only to protect value, but to help organizations create value.
Too much focus on the Third Line of Defense model relegates us to the traditional policeman role, and to sitting on the bench when the offense is on the field.
I welcome your comments.