Perspectives

Modernising the three lines of defence model

An internal audit perspective

September 2020

Businesses are continuing to evolve out of necessity, responding to an onslaught of disruption, new business models, and technology. This continuous change affects business operations at all levels, with customers demanding real-time interactions, regulators applying increasing levels of scrutiny, and governance stakeholders requiring assurance in this complex and dynamic risk environment. The result has exposed weaknesses in the traditional three lines of defence (3LOD) framework.

Overview

Is the 3LOD framework still relevant and efficient in its current form? As the risk landscape becomes more complex and fast-moving, it is critical for organisations to identify and respond to emerging risk events quickly and effectively. We believe that internal audit (IA) should play a key role in this evolution.

Our key findings

Current-state challenges - While the 3LOD framework is widely acknowledged and understood by a range of industries as the governance model for risk, its implementation varies in form and maturity across the spectrum. Traditionally, one of the roles of the IA function is to provide assurance while maintaining objectivity and independence; however, its mandate should continue to evolve as the need to adapt to a business-focused, technology driven, advisory mindset is amplified.
Future state and opportunities - IA functions with the strongest impact in their organisations are those which are adapting to change; collaborating and making investments in digital assets, analytics, and automation. New technologies have created new opportunities for IA by enabling techniques to improve efficiency and insight from assurance activities.

Looking ahead

IA is at the cusp of innumerable possibilities to collaborate with the other lines, develop roadmaps, and help lead improvement to optimise governance across the organisation. Our point of view represents fulfilling assurance responsibilities with combined core assurance spread throughout the lines of defence, rather than just through IA, but also includes the imminent need for IA to advise the business with anticipation and measurement of risk.

Key contacts

Peter Astley

Partner, Risk Advisory

pastley@deloitte.co.uk

+44 (0)20 7303 5264

Peter focuses on the provision of Internal Audit, Risk Management and other control and assurance related services to the Corporate Sector. He is the firm’s Global and EMEA lead Internal Audit Partner... More

Russell Davis

Partner, Risk Advisory

rdavis@deloitte.co.uk

+44 (0)20 7007 6755

Russell is a partner in Deloitte's Financial Services Audit Group. He has specialised in Banking and Capital Markets for over 22 years, in the UK and overseas, providing a range of audit, assurance an... More

Viewing offline content

Audit & Assurance

Consulting

Financial Advisory

Legal

Deloitte Private

Risk Advisory

Tax

Consumer

Energy, Resources & Industrials

Financial Services

Government & Public Services

Life Sciences & Health Care

Technology, Media & Telecommunications

Strategy

Economy & Society

Organization

People

Technology

Industries

Spotlight

Careers Home

Modernising the three lines of defence model

An internal audit perspective

Overview

Our key findings

Looking ahead

Key contacts

Peter Astley

Partner, Risk Advisory

Russell Davis

Partner, Risk Advisory

Recommendations

Link your accounts

Viewing offline content

Modernising the three lines of defence model

An internal audit perspective

Overview

Our key findings

Looking ahead

Key contacts

Partner, Risk Advisory

Partner, Risk Advisory

Recommendations

Link your accounts

You previously joined My Deloitte with your email address. Log in again to link your social media account.

You've previously logged into My Deloitte with a different account. Link your accounts by re-verifying below, or by logging in with a social media account.

Looks like you've logged in with your email address, and with your social media. Link your accounts by signing in with your email or social account.