RSM Australia

The IIA's Three Lines Model (An update of the Three Lines of Defense)

Technology Insights

The new IIA Three Lines Model provides businesses with a reminder that in decision making, upside risk should be considered alongside those negative risk factors. 

The three lines model of the Institute of Internal Auditors (IIA) focuses an organisation’s attention on risk management and governance structures, accountabilities, and relationships that drive decision making that makes the most of opportunities, instead of the traditional emphasis on defensive decision making.

internal auditThe IIA model provides a framework that supports organisations in expanding value to stakeholders and enhancing outcomes rather than simply protecting value.  This model supports the evolution of internal audit beyond risk management and control assurance to a more active role in supporting the achievement of strategic and operational objectives. 

The updated model provides overall principles with respect to governance, roles and responsibilities, and the independence of the internal audit function.  Through appropriate communication, co-operation, and collaboration, all three lines should work together to create and protect value. This new model is also more pragmatic than its predecessor.  It recognises that roles are often blurred or overlapping and don’t always align perfectly within the three lines. It is emphatic though that the responsibility for managing risk sits within the first line, being management.

RSM welcomes the new model and looks forward to robust discussions with our clients on its application, challenges, and benefits.

Click here to download the report

This report was published in July 2020 by The Institute of Internal Auditors Global.


If you have questions about the Three Lines Model or would like to learn more about it, you can get in touch with your local RSM adviser.

Pippa Hobson has over 20 years of internal and external audit and risk consulting experience, as well as gaining commercial experience as finance manager of a large fund’s management organisation. She has worked extensively with clients in both the public and private sectors, providing audit, enterprise risk management and governance services, internal controls reviews and process redesign, regulatory and financial targeted reviews, and Sarbanes Oxley control reviews. Click here to view Pippa's profile


Pippa Hobson
Partner - Perth

Subscribe to Risk Insider to stay up to date with the latest in Technology, Fraud and Security.