FROM THE ‘THREE LINES OF DEFENSE’ TO THE THREE LINES OF ASSURANCE – A REFRESHED PARADIGM
The ‘Three Lines of Defense’ model adopted by the Institute of Internal Auditors (IIA) has shaped corporate governance and accountability for decades, defining business and operational functions as the first line, compliance and risk management as the second, and internal audit as the third line of ‘defense’.
In September 2024, the IIA published a position paper updating the original system to a ‘Three Lines Model’, dropping the term ‘Defense’. In its reasoning for the change, the IIA argues for a “principles-based approach that focuses on the contribution risk management makes to achieving objectives and creating value, as well as to matters of ‘defense’ and protecting value”.
In other words, the IIA strengthens the role of risk management as a proactive element within its model, moving beyond a more reactive ‘defense’ approach. Furthermore, the IIA clarifies that while maintaining the language of ‘Three Lines’, these are not intended to “denote structural elements” but rather all roles should “operate concurrently”.
The new approach is convincing and aligns with a more holistic understanding of modern governance in corporations. However, simply dropping the word ‘Defense’ does not answer the fundamental question: three lines of what? This is somewhat surprising, as the IIA itself provides a convincing lead in its description of ‘assurance’ in the new position paper.
According to the IIA, assurance increases the level of stakeholder confidence about an organisation’s governance, risk management and control processes. While the IIA narrowly applies the term ‘assurance’ as a statement regarding specific audit activities, we should understand ‘assurance’ more broadly: as the systematic theme which connects governance, risk management, compliance and internal controls into one integrated system.
