
Reflections on the Third Line of Defense Model

People are talking about the third line of defense model for internal audit.

– The IIA has a Position Paper

– KPMG wrote a paper

– PwC has made its contribution

– Protiviti extended the model to 5 lines of defense

– Not to be left out, EY published a thoughtful piece

– and Deloitte has a PowerPoint

I even did a webinar on the model (I don’t have a link to the recording).

I think the model has some value in explaining how internal audit is not the primary player when it comes to risk or compliance – management is the primary player, assisted by organizations in the second line of defense such as the compliance function, physical security department, risk management, and so on – all part of management.

Internal audit can place some level of reliance on these “other assurance providers” in the second line of defense by assessing how well they monitor management performance of controls.

My problem with the model is that it is all about defense.

Organizations (and sports teams) rarely succeed by only playing defense. (When the defense scores a touchdown, it is because they have become the offense after a turnover.)

Organizations (and sports teams) win through a combination of offense, defense, and (perhaps) special teams.

Internal audit can and should have a key role in all three elements of the business game: offense, defense, and special teams.

Internal audit exists not only to protect value, but to help organizations create value.

Too much focus on the Third Line of Defense model relegates us to the traditional policeman role, sitting on the bench while the offense is on the field.

I welcome your comments.

  1. May 24, 2014 at 6:22 AM


    I completely agree. I recently presented the Third Line of Defense Model to our audit committee as part of the company’s evolving Governance, Risk and Compliance model. I say “part” because – as you indicate – it is really a defensive model. It does not really address strategy setting and taking risks within an acceptable “appetite” or “tolerance.”

    My concern with this model is that it puts internal audit into more of a detective, after the fact kind of role. This gets into the challenges the profession is currently undergoing as we strive to have a bigger seat at the table, be more progressive, and be more valued. In my opinion, internal audit needs to be more present on the front end, providing consultation and guidance. Perhaps, we need a model or framework that more fully addresses Governance, Risk, and Compliance lifecycle, if you will. From my perspective, I want to be much more involved in helping the company evaluate and understand risks as part of the strategy setting process. So, yes, the Third Line of Defense is a good model, but let’s not put all our eggs in one basket or we may find ourselves excluded from those discussions we should be having with management.

  2. May 24, 2014 at 2:18 PM

    Once again, you’re right on, Norman. The first time I heard one of the big 4 speak about the 3 lines of defense, I had the same reaction as you. There is a horrible enemy out there (called risk?). Let’s dig ourselves down in trenches and get ready to fight.
    Many internal and external auditors need instead to come out of their trenches. There’s no war going on. It’s just a question of making wise business decisions (setting goals and strategies) and most importantly, acting on them. We’re talking about quality assurance – of the organization’s resources and processes. Fit for purpose, efficient and delivering on objectives?
    The use of words is so important. It’s fundamental for the mind-set of an organization. I even dislike the expression Internal Control. Self-centered and inward looking? The biggest risk to modern organizations is failure to adapt to a changing world. It is the outside world that calls the shots. Who’s responsible for external controls?
    I partly like Protiviti’s 5 lines model, though, because it looks at the organization from the shareholder’s perspective, and thus brings in the board’s responsibility for risk oversight. The external auditor has been lost somewhere. No longer any role in relation to the shareholders?
    Why not call it “X Lines of Responsibility” instead?
    Finally, I’m appalled at the speed which regulators have taken the 3 LoD model to their chests. Basel 3 and Solvency 2 are stifling banks and insurance companies. Has anybody heard of Daniel Kahneman?
    Just found some thoughts along these lines by Peter Bonisch; elegantly expressed in his blog. http://paradigmrisk.wordpress.com/2013/03/18/excuse-me-how-many-lines-of-defence-the-new-financial-maginot-lines/
    Keep up your Evangelist work. It refreshes management thinking.

  3. May 24, 2014 at 4:53 PM

    Walk softly and carry a big stick. If you want to play in the value creation space, prove a bit at a time to get further funding and trust. Value creation/preservation is about attitude. It is not what could go wrong, but rather, what needs to go right (at first). I think internal audit budgets (post SOX) are so thin it consumes the defense needs. And probably, 2013 will be no different with 17 principles and cyber-security top of mind. As a CEO of Fortune 100 company I worked at told all employees but in particular the internal audit department in 1995, “Be ambitious for the business”. We have been discussing this for a few years now on several other sites.

  4. Marcel
    May 25, 2014 at 11:51 AM

    Norman, I can see the direction you are coming from and, following the semantics, I agree with your point. When only defence exists there will not be any winning team…
    Though when taking the word ‘defence’ out of the three lines model I would believe that the concept still is applicable and provides insight into the various roles played. Defence to my view also sounds like there is only reactive response possible instead of pro-active thinking on how to protect the business and use the opportunities out there.
    Trying to find a different name for the model, it sounds too easy to call it the three lines of responsibility model, though nothing else comes to mind.

    Any other thoughts?

  5. May 26, 2014 at 5:04 AM


    I agree that in the 21st century we need to develop a more holistic perspective, whereby offense (value creation) and defense (value preservation) are seen as two-sides of the same coin which cannot and should not be considered in isolation. Rather they need to be integrated, aligned, and be operating in unison towards common objectives. Long term sustainability requires a blending of the two and this must occur at strategic, tactical, and operational levels.

    It is for this reason that I have been proposing an extended Five Lines of Defense oversight framework which includes Executive Management and the Board as additional lines of defense. From a strategic perspective these two are the most important lines of defense. I have addressed this issue in more detail in my 2011 Conference Board paper entitled “Corporate Oversight and Stakeholder Lines of Defense”.


    A short YouTube video also helps to visualize these workings:

    In my opinion if Internal Audit is to truly contribute at a strategic level surely it must begin by ensuring that their organization recognize and determine the critical oversight roles, responsibilities, and accountabilities of Executive Management and the Board in their organization’s Lines of Defense framework.

  6. Hui Nee
    May 26, 2014 at 9:06 PM

    I agree with your thoughts on the reactive role played by IA in the 3rd line of defense model. In fact, I was stunned to learn about this model a couple of years ago in a seminar. Not being one to speak out all the time in public, I kept the disappointment to myself. This concept has since then affected my views on the extent of my role as an internal auditor. Thank you so much for bringing this out for discussion.

  7. Karl Hutchinson
    May 28, 2014 at 12:35 PM

    Every team needs good stay-at-home defensemen, so I don’t think we internal auditors need to take issue with this role. It’s important and adds value, although perhaps not as directly as the various consulting roles. Preventing and detecting errors adds value. Recommending process control changes adds value. Explaining this in our reports is paramount. The key is to use language that management understands. I’ve found the most effective way to do this is to ALWAYS link the control recommendation (or risk treatment) to the organization’s business objectives. Management and executives are looking for us to answer the question, “so what?”. If you can do that, you’ll have everyone’s respect.

    Having said that, there are many consulting roles, as outlined by the IIA, that provide more direct value-add, and by taking on these consulting roles, the stigma of being a reactive, defensive minded group, is overcome.

  8. David Williamson
    May 28, 2014 at 1:59 PM

    One of my long term concerns with this model is that in the eyes of many it takes responsibility for risk management and compliance away from the front line operators to a background big ‘C’ compliance function. In my view, part of the problem in the financial crisis was that too many on the front line were taking the stance that so long as they were not caught out by Compliance, they could go on taking bigger and wilder risks without taking accountability for their actions.

  9. Abid
    June 1, 2014 at 11:24 AM

    I understand your concerns with this model, Norman, and I have consensus on it. However, I have a different opinion, which means that
    the 3 lines of defence model provides structure for how responsibilities are distributed in the organization. As we know, Management is responsible for the internal control environment and the auditor’s role is to independently evaluate and add value to it…..
    Therefore, I think that this model is not created to change the definition of internal audit which we have arrived at after years of effort. Instead, this model provides some structural clarification to highlight management’s role in a complex environment where a number of related services exist to improve internal control, identify and measure risks, such as Internal control, risk management, compliance, etc… So that all related services understand the roles, and it somewhat provides clarity on the perpetual discussion of the difference among these related services and provides efficiency in the system to reduce overlapping activities.

  10. Carol Ann Northcott
    June 8, 2014 at 4:49 AM

    I completely agree that it should be about the upside as well as the downside. I’ve been using a variant of the 3 lines of defense (expanded to include the Board, regulators and stakeholders) and have found it extremely useful and not inconsistent with my philosophy of upside/downside.

    This post made me ask myself why the “defense” language hadn’t bothered me previously.

    I think the answer is that my over-riding objective isn’t to “defend” against risk, but to achieve the firm’s strategic objectives. If this is your goal, then “defense” is both upside and downside. A legitimate finding in the lines of defense is that one needs to take on more risk (or realize opportunities) in order to achieve strategic objectives.

    Like so many things in life, it depends on your definition of success. Whether the “defense” model is useful depends on how you define the ultimate goal. In this case, the ultimate goal isn’t to “defend” against risk, but to “defend” against not achieving strategic objectives.

  11. June 14, 2014 at 1:13 PM

    Good point. Maybe “third line of oversight”? My experience with many of the 2LODs is that they are limited in their perspectives, and continue with same-old same-old practices year after year, while the world (and organization) has changed around them. Internal Audit can provide substantial value by helping 2LODs raise their game. To continue Norman’s sports analogy: how about calling a time out, and mix it up with some offense?

  12. June 26, 2014 at 8:01 AM

    The link for the KPMG paper is wrong

    • Norman Marks
      June 26, 2014 at 9:50 AM

      Thanks, Luis. I corrected the link to KPMG.

  13. Wassim
    January 21, 2016 at 12:26 PM

    The “four lines of defence model” for financial institutions (Bank for International Settlements: Financial Stability Institute: December 2015)
