Internal Audit Simply Explained: The 3 lines of defence model

The Three Lines of Defence Model was developed in 2008-10 by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) as guidance for the 8th EU Directive Art. 41 2b.

It is also adopted in two IIA position papers: “The Three Lines of Defense in Effective Risk Management and Control, 2013” and “Leveraging COSO across the Three Lines of Defense, 2015”.

In essence, the model is trying to illustrate a few things:

  • Everyone in the organisation plays a part in the internal control system; internal control is not just the work of the internal audit department or the statutory auditor.
  • All three lines need to work together and feed information back to senior management.

Whether you are in the front line, the risk management department, the compliance department, the quality assurance department, or the internal audit department of a corporation, it is important to look at the bigger picture (i.e. the three lines of defence model) and at where you play your part in the corporate internal control system, so that your work can better contribute to it.