Understanding the Three Lines Model: A Modern Framework for Governance
How the IIA's Three Lines Model reshapes the relationship between management, risk functions, and internal audit.
From Three Lines of Defense to Three Lines
The IIA updated its governance model in 2020, moving from the "Three Lines of Defense" to the "Three Lines Model." This was more than a name change — it represents a fundamental shift in how organizations think about governance, risk management, and internal audit.
What Changed?
The old model was framed around defense: protecting the organization from threats. The 2020 model keeps protection but puts it alongside value creation, enabling the organization to achieve its objectives while managing risk within its appetite, and it treats the "lines" as roles rather than fixed departments.
First Line: Management owns risk and control. They make decisions, take risks, and implement controls in pursuit of organizational objectives.
Second Line: Risk management and compliance functions provide expertise, guidance, monitoring, and challenge to the first line. They help ensure risks are managed within acceptable tolerances.
Third Line: Internal audit provides independent, objective assurance and advice to the governing body and management on the adequacy and effectiveness of governance, risk management, and internal control. Its independence from management is what allows the governing body to rely on its work.
Why It Matters for Certification Candidates
The Three Lines Model appears on multiple certification exams, including the CIA, CRMA, and CISA. Understanding not just the structure but the principles behind it is essential:
- No "line of defense" terminology: the lines describe roles and responsibilities, not organizational units, and one function can perform roles in more than one line
- Emphasis on coordination and collaboration between lines
- The governing body's role in ensuring the model works effectively
- Internal audit's unique position of independence and objectivity
Exam Tips
Expect questions that test your understanding of the relationships between lines, particularly scenarios where the lines overlap or conflict. Focus on the principles rather than memorizing rigid definitions.
