Key point 1 — Three Lines Model

1st line: operational management — owns and manages risks day-to-day

Key point 2 — Three Lines Model

2nd line: risk and compliance functions — oversees, advises, and sets policies

Key point 3 — Three Lines Model

3rd line: internal audit — independent assurance to the board and senior management

Key point 4 — Three Lines Model

The 2020 model replaces the old '3 lines of defense' — emphasis on collaboration

Key point 5 — Three Lines Model

The board of directors sits above all three lines

Back to Glossary

Term DefinitionFrameworks

Three Lines Model

A governance framework distributing control responsibilities across three levels.

The IIA's Three Lines Model (2020) defines: 1st line = operational management owning risks and controls, 2nd line = risk, compliance and control functions that supervise and advise, 3rd line = internal audit providing independent assurance. It clarifies roles for effective governance and avoids overlaps or coverage gaps. The 2020 revision emphasizes collaboration between the three lines rather than strict separation, and reaffirms the central role of the board of directors.

📌 Key points

1st line: operational management — owns and manages risks day-to-day
2nd line: risk and compliance functions — oversees, advises, and sets policies
3rd line: internal audit — independent assurance to the board and senior management
The 2020 model replaces the old '3 lines of defense' — emphasis on collaboration
The board of directors sits above all three lines

Related certifications

These certifications cover the concept of "Three Lines Model" in depth.

CRMA· IIA

Certification in Risk Management Assurance (IIA)

IIA’s CRMA specialises audit on risk management (ERM, COSO ERM 2017, Three Lines Model). Single 10-week exam path.

See CRMA prep Try the preview

CIA· IIA

Certified Internal Auditor (IIA, 3 Parts)

The IIA CIA certification covers this concept in Part 1 (framework, IPPF) and Part 2 (audit practice). 60+ lessons and 1,258 original questions.

See CIA prep Try the preview

🔗 Related concepts

Audit

Internal Audit

An independent, objective assurance and consulting activity to add value to operations.

Risk

Enterprise Risk Management (ERM)

An integrated, holistic approach to identifying and managing all organizational risks.

Frameworks

IPPF (International Professional Practices Framework)

The IIA's global framework of standards and guidance for internal audit.

Audit

Audit Universe

A comprehensive inventory of auditable processes and entities in an organization.

Controls

Control Objective

A statement of what a control aims to ensure.

📖 Related articles

Understanding the Three Lines Model: A Modern Framework for Governance

6 min read·industry news

CIA Part 1: Essentials of Internal Auditing — Complete Deep Dive (2026)

13 min read·certification guides

Master this concept and more

Start your GRC certification journey today.

Explore Academy

View all 31 glossary terms

Back to Glossary

Term DefinitionFrameworks

Three Lines Model

A governance framework distributing control responsibilities across three levels.

📌 Key points

1st line: operational management — owns and manages risks day-to-day
2nd line: risk and compliance functions — oversees, advises, and sets policies
3rd line: internal audit — independent assurance to the board and senior management
The 2020 model replaces the old '3 lines of defense' — emphasis on collaboration
The board of directors sits above all three lines