Post on 05-Feb-2021


  • COMPLIANCE WEEK Brought to you by the publishers of

    IIA Three Lines Model: Reading between the lines

    INSIDE THIS PUBLICATION:

    IIA’s ‘Three Lines of Defense’ updated to stress collaboration

    Practitioners weigh in on the IIA's new Three Lines Model

    Q&A: IIA president on Three Lines update, COVID-19, more

    Comparing the IIA’s new ‘Three Lines Model’ to the old one

    An e-Book publication sponsored by

  • 2 \\ WWW.COMPLIANCEWEEK.COM \\ WORKIVA.COM

    A Compliance Week e-Book sponsored by

    About us

    Compliance Week, published by Wilmington plc, is a business intelligence and information service on corporate governance, risk, and compliance that features a daily e-mail newsletter, a bi-monthly print magazine, industry-leading events, and a variety of interactive features and forums. Founded in 2002, Compliance Week has become the go-to resource for chief compliance officers and audit executives; Compliance Week now reaches more than 60,000 financial, legal, audit, risk, and compliance practitioners. www.complianceweek.com


    Workiva Inc. (NYSE: WK) simplifies complex work for thousands of organizations worldwide. Customers trust Workiva’s open, intelligent, and intuitive platform to connect data, documents, and teams. The results: improved efficiency, greater transparency, and less risk.



    Inside this e-Book

    IIA’s ‘Three Lines of Defense’ updated to stress collaboration

    Practitioners weigh in on the IIA’s new Three Lines Model

    Q&A: IIA president on Three Lines update, COVID-19, more

    Comparing the IIA’s new ‘Three Lines Model’ to the old one


    IIA’s ‘Three Lines of Defense’ updated to stress collaboration

    The updated “Three Lines Model” encourages more effective collaboration between key players within a company, writes Kyle Brasseur.

    The Institute of Internal Auditors (IIA) recently announced an update to its widely utilized “Three Lines of Defense” Model to focus more on defined roles in an effort to boost collaboration.

    The revised “Three Lines Model,” as it is now being referred to by the IIA, “acknowledg[es] that risk-based decision-making is as much about seizing opportunities as it is about defensive moves,” the organization stated in a press release. “The new Three Lines Model helps organizations better identify and structure interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives.”


    The original Three Lines of Defense Model consisted of the first line (risk owners/managers), the second line (risk control and compliance), and the third line (risk assurance). Each line reported up to senior management, with the third line of internal audit representing the last wall before external audit and regulators.

    The updated Model adopts a six-step, principles-based approach. It encourages the governing body to provide delegation and direction to each line, with the lines providing accountability and reporting in return. The roles of the first line (“provision of products/services to clients; managing risk”) and second line (“expertise, support, monitoring and challenge on risk-related matters”) both fall under management, while the third line (“independent and objective assurance and advice on all matters related to the achievement of objectives”) still lives under internal audit. The model encourages management and internal audit to coordinate response.

    “The Three Lines Model has largely been viewed as the basis for sound risk management,” said Institute of Internal Auditors President and CEO Richard Chambers in a statement. “For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the Model to ensure its sustained usefulness and value.”

    Under the new Model, first- and second-line roles “may be blended or separated,” the IIA explains. “Some second line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first line roles. … However, responsibility for managing risk remains a part of first line roles and within the scope of management.”

    As such, ensuring compliance with legal, regulatory, and ethical expectations is now recommended to be a first-line role, a change from compliance’s second-line status in the old Model.

    The IIA stresses that the third line of the Model, though it is encouraged to collaborate with management, must still remain independent from the responsibilities of management in order to maintain objectivity, authority, and credibility.

    The process of updating the Three Lines Model was a joint effort between both the Institute of Internal Auditors and a task force of audit practitioners, risk and compliance executives, stakeholders, and many more. The Model is intended to apply to all organizations and “is most effective when it is adapted to align with the objectives and circumstances of the organization,” according to a statement from the IIA. ■

    Source: Institute of Internal Auditors' original Three Lines of Defense Model


    Practitioners weigh in on the IIA’s new Three Lines

    A CW/Workiva survey shows firms could benefit from a deep dive into the Three Lines Model, especially in light of the pandemic, Jaclyn Jaeger reports.

    A recent poll of 155 audit, risk, legal, and compliance professionals found that while most respondents intend to adopt the Institute of Internal Auditors’ new “Three Lines Model” and don’t expect significant change, they see their biggest adjustment as the new model’s emphasis on coordination to elude siloed thinking.

    That was just one key takeaway from the survey that gauged how the compliance space feels about the new Three Lines Model. A revamped and modernized version of the IIA’s widely adopted “Three Lines of Defense Model,” the new version, unveiled July 20, is intended to reflect the evolving role of risk management and to encourage greater collaboration between business functions in a way the previous model did not.

    When asked how closely their company has traditionally followed the IIA’s recommended model for corporate governance (the old Three Lines of Defense Model), the plurality (38 percent) of respondents said they “refer to it occasionally,” while another 21 percent said they “follow the model to a T.” Moreover, these responses did not vary across industries, meaning that even in highly regulated sectors that typically have more mature corporate governance models in place—like financial services and healthcare—most respondents indicated they still refer to the model only occasionally.

    The more telling finding came from the 14 percent of respondents who said they didn’t even know the model existed, and the other 14 percent who said they knew of it but have never used it. “Companies may not even realize that what they’ve built in terms of their organizational structures incorporate elements of having the three lines,” says Ernest Anunciacion, director of product marketing at Workiva. “They may just not formally call it that.”

    Why are some still not familiar with the IIA’s governance model? The finding signals that “companies could benefit from further educating themselves about what this Three Lines Model is, including the updates that have happened, and then how they could formalize that within their organizations,” Anunciacion says.


    Survey question: How closely does your company follow the IIA’s recommended model for corporate governance?

    Survey question: Which lines of defense has your organization formally implemented?

    Scope of adoption

    Among those who historically have followed the old Three Lines of Defense Model, 67 percent said they’ve adopted all three lines. Fifteen percent said they’ve adopted the first and second lines only; 5 percent said the first and third lines only; and 3 percent said the second and third lines only.

    Respondents who are familiar with the IIA’s old Three Lines of Defense Model were further asked how long it has “been on their radar.” Although the model has been in existence for more than 10 years, 38 percent of respondents said their organizations either just started using it or have done so only in the last year or two. Another 23 percent said they’ve adopted it in the last three to five years; 22 percent in the last six to 10 years; and 17 percent said more than 10 years ago.

    Respondents were also asked about whether they intend to adopt the new Three Lines Model. Here, 72 percent answered yes. The results remained consistent, irrespective of company asset size, which indicates the Three Lines Model fits organizations of all sizes.

    Among those polled for this survey, the plurality of respondents (39 percent) were from organizations with less than $1 billion in revenue, while another 25 percent were from organizations with revenue between $1 billion and $5 billion. Twelve percent were from organizations between $10 billion and $40 billion in asset size, and another 12 percent were from companies between $40 billion and $100 billion in asset size.

    Among those who said they don’t intend to adopt the new model, the top reasons cited were costs; the pandemic; and “still grappling with the old model.” Cost could be interpreted in a couple of different ways, either due to actual dollars spent or costs associated with reconfiguring roles and responsibilities and adding new functions. An example may be if you’re a small- or medium-size company and currently have one person wearing multiple hats within the organization, Anunciacion says.

    Time also played a role in the model’s adoption. If an organization were to look at this new model and want to adopt the six guiding principles, for example, they’d have to assess what that means in terms of how long it will take to do a business impact analysis of how and where to adjust roles and responsibilities as they exist today. “That can be a major undertaking for organizations if they had to go through and look at every single job description,” Anunciacion says. “So, the time aspect of it in terms of cost could be insurmountable.”

    The pandemic, however, should be even more reason for companies to consider adoption of the Three Lines Model, Anunciacion says. “If anything, this is a great opportunity to rethink what practitioners’ internal model looks like.”


    Pros and cons

    Many who said they plan to adopt the new Model said they anticipate “significant changes” upon adopting it. The biggest significant change, according to 40 percent of respondents, would be “emphasiz[ing] coordination to avoid silos.”

    Unlike the IIA’s former Three Lines of Defense Model, the new Three Lines Model is far less prescriptive. As IIA President and CEO Richard Chambers explained, “The new model’s principles-based approach is designed to provide users greater flexibility. Governing bodies, executive management, and internal audit are not slotted into rigid lines or roles. The ‘lines’ concept was retained in the interest of familiarity. However, they are not intended to denote structural elements but a useful differentiation in roles.”

    But some indicated the more principles-based approach blurs the lines between certain functions. As one respondent commented, “Traditionally, risk was more attached to the first line, with compliance being more independent. With the new model, balancing 1st and 2nd lines could be more challenging.” When asked what benefits the Three Lines Model principles-based approach achieves, respondents cited the following:

    » Acts as a framework for more effective risk management;
    » Encourages the governing body to provide delegation and direction to each line, with the lines providing accountability and reporting in return;
    » Encourages management and internal audit to coordinate responses; and
    » Works for companies of all sizes.

    Just 10 percent of respondents said it achieves none of the above. The majority (67 percent), however, said they don’t believe the Three Lines Model needs any improvements, while just 33 percent said more work needs to be done. “I would have expected that to be more of a 50-50 split, because no model is perfect,” Anunciacion said.

    Some said the Model ignores compliance. As one remarked, “the risk and compliance department are not specifically called out in this model the way internal audit and management are.”

    Another respondent commented: “From my eyes as a compliance professional, it appears the new Three Lines Model is undervaluing compliance role in risk management framework. While I do agree that ‘compliance is everyone’s responsibility,’ the function itself plays a key distinct role.”

    Anunciacion stresses, however, that we are in unique times and that the pandemic “should highlight the need for more coordination across those functions.” Though it may be coincidental, the Three Lines Model was released in the middle of a pandemic. Anunciacion finds that timing “impeccable with the opportunity we have for that self-reflection and where we have opportunities to improve.” ■

    Survey question: The six-step, principles-based approach does the following (check all that apply):

    » Acts as a framework for more effective risk management
    » Encourages governing body to provide delegation and direction to each line; lines in turn provide accountability and reporting
    » Encourages management and internal audit to coordinate responses
    » Works for companies of all sizes
    » None of the above


    Q&A: IIA president on Three Lines update, COVID-19, more

    Jaclyn Jaeger talks with the IIA's outgoing leader, Richard Chambers, regarding the updated Three Lines Model, his career at the IIA, and more.

    In the wake of drastic updates to the “Three Lines Model” for managing risk, IIA President and CEO Richard Chambers catches up with CW to discuss the changes, how COVID-19 has impacted the internal audit profession, and more.

    Q. The IIA recently unveiled a modernized version of its widely adopted Three Lines Model. What’s your take on the final product?

    A. This was a labor of love on the part of the IIA. The original Three Lines of Defense Model was developed a couple of decades ago. I’m not sure anyone can really pinpoint precisely when and where the first version of it was published, but, regardless, over time it took on an iconic status as a reference model for people trying to understand roles and responsibilities in risk management and controls and governance. Over the years, the IIA began to recognize how useful it was in illustrating the importance of internal audit’s role in these areas. So, we ended up putting our own endorsement on it in the early 2000s. It was not the IIA’s model, but we wanted to make sure people understood the model better, and we wanted to provide some perspective on it.


    I’m very proud of the work that the task force did. This was the work of a group of very talented and dedicated IIA leaders, volunteers, and staff.

    Q. What was the impetus behind changing the old model? Were there particular criticisms? If so, how does the new model reconcile those criticisms?

    A. Over the years, there were a number of concerns—criticisms, if you will—of the model. One is that it was being perceived as a very rigid, siloed model—that each line stayed within its line and you didn’t end up with any collaboration or crossover. The other is that the model was fine in illustrating how the various participants help to protect the value of an organization. But organizations don’t exist just to protect value. They exist to create value. So, you obviously have to protect the value you have while creating more.

    We began to agree with some of the critics that perhaps the model needed to be refreshed to reflect (1) the importance of collaboration across the organization and (2) that organizations have to have all their key players aligned in creating that value. The new model I think does address both those concerns. It stresses the importance of collaboration across the lines.

    Q. What’s the biggest change you’ve seen in the profession, since we last spoke in 2009, when you were first elected IIA president?

    A. Internal audit has made tremendous strides in the last 12 years. In 2009 when you and I spoke, we were all mired in the depths of a great recession and a financial crisis. Internal audit was being thrust into service in a lot of organizations to help identify ways to reduce cost and navigate the challenges that were being presented by the financial crisis.

    As we moved beyond that, there was heightened expectation on the part of regulators and others … calling out the value that internal audit can bring and the role that it should play in ensuring the effectiveness of controls of risk management within the industry. It was a real opportunity for internal audit to demonstrate not only that it has a strong role to play in controls assessment, but in the assessment of risks.

    Over the course of the middle of the last decade, we started to see more and more financial debacles and scandals at big companies that clearly had culture at the root. It became more common for people to ask, ‘Who is looking at culture?’ So, you started to hear more regulators, the IIA, and others say, ‘This is a role for internal audit.’ You started to see internal audit being involved in auditing culture or providing assurance to boards about the culture of the organization. That was further evolution of the profession.

    You also saw during that period a lot of huge cyber-security breaches. What that did was to highlight how internal audit could provide value to an organization in providing assurance around the effectiveness of cyber-security controls.

    The common thread here is that internal audit has demonstrated over this past decade its agility—the ability of our profession and of individual internal audit departments to pivot quickly and decisively to address new or emerging risks. This last decade has been yet further evidence of the ability of the profession to pivot, to demonstrate its agility, and stay focused on the real risks of the organization.

    Q. What is the role of internal audit in fostering culture?

    A. Where I think we can add real value when it comes to culture is by being part of the organization, but most importantly being in a position of having reporting relationships to management, reporting relationships to the board, and tentacles that reach into the organization every day in every corner of the organization. We have the ability to provide insight and assurance to management that the culture of the organization is healthy—that the organization is walking its talk. So, our value is to be there in an eyes-and-ears role for the board and for management.

    But auditing culture is not easy. I gave a speech a couple of years ago in India to a group of corporate chairmen to the board talking about the concept of auditing culture. A gentleman stood up, and he made the observation that when auditors do their work, they typically use their sense of sight and sound. We see evidence. We hear evidence. He said auditing culture also requires you to use your sense of smell. I thought that was quite profound. Culture is not always evident. Not until you really take the time to understand what is going on, how are people being treated, how are they getting measured—one of the clearest indicators in my mind that a culture is not healthy is if what gets measured is the only thing that gets rewarded. If I am rewarding you based on what you do, and not how you do it, then you’re going to be inclined to focus more on the outcomes and not the means.

    Q. How do you see the IIA and internal audit evolving, post-COVID-19?

    A. There are a lot of things I think are going to be different going forward. I believe that how internal audit is resourced will be impacted. As companies are having to make expense reductions, we’re already seeing internal audit budgets being reduced in a number of organizations. In some organizations, that equates to reductions in staffing.

    How we assess risk is also going to be important. I’ve been espousing for years that internal auditors have to become much more adept at continuous risk assessment and that technology is a platform and means to do that. If these last few months have taught us anything, it’s that risks are incredibly volatile. The velocity of change in the risk profile of most organizations over the last six months is almost unprecedented. That is fundamentally going to have to influence how we assess risks going forward.

    We’re becoming more adept at how we audit remotely. As an internal auditor … there are different types of evidence that you have to obtain to be able to draw conclusions. There is physical evidence, documentary evidence, testimonial evidence. Each of those has value. The most valuable of evidence and the most reliable and unassailable always seemed to be physical evidence. But we’re all working from home now, so there’s not a whole lot you can do around physical evidence. Testimonial—yes, we can still call and interview people all day long. My point here is that’s going to fundamentally change the way we think about how we draw conclusions as auditors, and it goes to the heart of how we do our jobs.

    Q. You’ll be stepping down in March 2021 as the IIA’s president. What are your plans moving forward?

    A. I’ve intentionally not made any definite plans, because I still have almost eight months in this role. Important for me is to remain active and to continue in some way to serve the profession that I’ve dedicated a significant percentage of my life to.

    I am incredibly proud of the almost 12 years I have been in this role. I’ve been very fortunate to be supported by boards, directors, and leaders within our volunteer side of the IIA. I was very fortunate, because of that support, to be able to attract and retain the talent to do the things that we needed to do. As a result, we have truly had a remarkable run at the IIA—not just in what we’ve been able to do as a board and profession, not just in the way we elevated the voice of our organization to serve this profession around the world, but in terms of being able to acquire the resources to support the profession.

    We’ve had a good, solid, productive period. But I’m also confident that even greater things lie ahead. It’s also why I felt like I needed to step back and let someone else come forward and lead. I believe if you stay in a role for a long period of time, sometimes you may be inclined to think the world needs to continue to look like it has looked. I know coming out of this crisis and looking at the IIA and America and our profession that it’s supposed to look very different, and I think it’s time for someone else to come in with fresh ideas to lead the organization. ■


    Comparing the IIA’s new ‘Three Lines Model’ to the old

    IIA’s new “Three Lines Model” of risk management allows for greater flexibility between “lines,” writes Jaclyn Jaeger.

    The Institute of Internal Auditors (IIA) recently unveiled a modernized version of its widely adopted “Three Lines of Defense Model” to reflect the evolving role of risk management and to encourage greater collaboration between business functions in a way the previous model did not.

    The new model, unveiled July 20, was the culmination of a robust effort that began last year, headed by a core working group of governance experts and led by IIA Senior Vice Chair Jenitha John. The working group relied upon the vast experiences of an additional 30-member advisory group, as well as public comments. The project also included a comprehensive review of governance approaches from around the world.

    One significant change in the newly revamped model is the elimination of the word “defense” in the title. Now simply called the “Three Lines Model,” the name change reflects one of the principal criticisms of the old model, which was primarily that it focused too heavily on defending against risk, rather than focusing on value creation and prospectively managing risk.

    The new three lines model addresses that criticism by more closely incorporating the governing body, which “clearly delineates roles and responsibilities of the governing body, as well as executive management, and internal audit,” IIA President and CEO Richard Chambers wrote in a blog post. “While not a governance model, the increased focus on governance supports both value creation and protection and deals with both the offensive and defensive aspects of managing risk.”


    New approach allows for ‘greater flexibility’

    Aside from its name change, the new Three Lines Model now stands upon the following six key principles:

    » Principle 1: Governance
    » Principle 2: Governance body roles
    » Principle 3: Management and first and second line roles
    » Principle 4: Third line roles
    » Principle 5: Third line independence
    » Principle 6: Creating and protecting value

    “The new model’s principles-based approach is designed to provide users greater flexibility,” Chambers wrote. “Governing bodies, executive management, and internal audit are not slotted into rigid lines or roles. The ‘lines’ concept was retained in the interest of familiarity. However, they are not intended to denote structural elements but a useful differentiation in roles.”

    This final point, that the lines are not intended to denote structural elements, bears emphasizing because it addresses another common criticism of the old model, which is that, intentional or not, many interpreted it too literally. Boundaries started to develop between departments, with the mentality being, “‘That’s a first-line responsibility. I’m second line, so that’s not my job, not my problem,’” says Stephen Masterson, technical advisory partner at advisory and audit firm SM+Co.

    In other cases, the direct opposite problem would result—the duplication of audit efforts. In some organizations, there was often too much overlap between the second line (risk control and compliance monitoring) and the third line (internal audit). “The second line often looked and felt and acted like an audit function,” Masterson says.

    In comparison, the new model enables greater fluidity between the first and second lines while also stressing internal audit’s independence from management to ensure the role is “free from hindrance and bias in its planning and in the carrying out of its work, enjoying unfettered access to the people, resources, and information it requires,” the new model states.

    The new model further stresses, however, that “independence does not imply isolation” and that regular interaction between internal audit and management is needed “to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.”

    “There are still a number of organizations where the head of internal audit does not have independence from management, does not have a line to the board,” says Norman Marks, who was an outspoken critic of the old model. “So, in those situations, it could be a catalyst for change.”

    Rules vs. principles

    “Companies that have a well-built three lines of defense structure already in place will not have a hard time adapting to the principles-based model,” Masterson says. For these organizations, “it’s going to be more of a mentality shift,” he says.

    Under the old model, “managing controls” and “internal controls measures” were referred to as the first line, whereas the second line was a defined list of specific functions: financial control, security, risk management, quality control, inspection, and compliance. And the third line was “internal audit.”

    Many companies, however, do not have a formal three lines of defense structure—and these are the ones that likely will benefit the most from the new model’s principles-based approach. Specifically, Principle 3 of the Three Lines Model states, “First and second line roles may be blended or separated. Some second line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first line roles.”

    The new model goes on to explain, “second line roles can focus on specific objectives of risk management, such as compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance. Alternatively, second line roles may span a broader responsibility for risk management. However, responsibility for managing risk remains a part of first line roles and within the scope of management.”

    In his blog post, Chambers wrote that the “challenge for all organizations will be to apply and adapt the Three Lines Model to their own needs and priorities.” For example, the extent of first- and second-line roles will vary depending on numerous factors, “including the size and complexity of the organization, the industry or sector in which it operates, and the level of external regulation.”

    Keeping with the ‘three’ lines in the title and in the document may still be a bit confusing, however. “There are many organizations that don’t have a second line at all,” says Bob Hirth, senior managing director at Protiviti. There are also many organizations that don’t have a third line, he says.

    While the new model is an “improvement,” there is still a lot of opportunity to further explain and to help organizations benefit from the new model, Hirth says. “If you eliminate the word ‘line’ and eliminate the word ‘three,’” he says, “this is really about sitting down and figuring out together who is responsible for what in terms of meeting objectives, risk management, and risk identification around those objectives, and then the activities that you choose to employ around meeting those objectives, of which internal control is one.”

    Practitioners should keep in mind that the model is intended as guidance, not a requirement. “It should be taken as such,” Hirth says, “and used in a way that helps each organization mature, evolve, and improve its effectiveness related to risk management and internal control.” ■
