What Is the Three Lines Model? CIA & ACCA Guide

by Eduyush Team

FOUNDATION CONCEPT

Three Lines Model: Why Internal Auditors (CIA) Are the 'Third Line' (And Why AA Auditors Need to Know)

The Three Lines Model clarifies roles in governance, risk, and control. For CIA candidates: it's your operating framework. For AA candidates: it's how you coordinate with internal audit and avoid duplication.


Three Lines Model in 60 Seconds

  • What is it? A framework clarifying governance roles in risk & control.
  • First Line? Operational management — owns risks, implements controls.
  • Second Line? Risk & compliance functions — oversee the first line.
  • Third Line? Internal audit (CIA) — provides independent assurance.
  • Governing Body? The board — sets strategy, oversees all three lines.
  • Key Principle? Internal audit's independence requires dual reporting.

Here's what I see on exams: students understand that internal audit exists, but they can't explain how it fits into the broader governance structure. They struggle with questions like "describe how internal audit coordinates with risk management" or "explain why the internal auditor reports to both the board and management." The Three Lines Model answers these questions. It's not just a framework for CIA candidates to understand their role — it's foundational for AA candidates to understand how external audit coordinates with internal audit and relies on internal audit work. In this post, I'm going to walk you through the model systematically, show you how the three lines interact in real organizational scenarios, and explain the critical distinction between what each line does and why their independence matters. By the end, both CIA and AA candidates will have a complete mental model of how governance, risk, and control actually work in organizations across India, Asia, and globally.

What Is the Three Lines Model?

The Three Lines Model, developed by The Institute of Internal Auditors (IIA), is a governance framework that clarifies the roles and responsibilities of different parts of an organization in achieving objectives, managing risks, and maintaining controls. The model was updated to replace the older "Three Lines of Defense" terminology, but the concept is the same: there are distinct organizational parties that have different responsibilities toward governance, risk, and control, and they operate with clear lines of reporting.

Core Principle: The three lines are not organizational silos — they're complementary roles that must interact and coordinate. The first line owns and manages risks; the second line provides oversight and guidance; the third line provides independent assurance. The governing body provides oversight of all three and ensures they're functioning effectively.

Why does this matter? Because in many organizations, especially in India and Southeast Asia where we see rapid business growth and often less mature governance structures, people are confused about who is responsible for what. A CFO might assume the internal auditor should be managing compliance — but that's actually a second-line responsibility. A COO might think the internal auditor reports only to management — but the internal auditor must report functionally to the board for independence. The Three Lines Model clarifies these boundaries. It's in CIA Part 1 Section 1181 because it's foundational to understanding the internal audit profession. And it's important for AA candidates because your external audit plan must account for the roles of internal audit and risk management — you coordinate with them, you might rely on their work, and you need to understand the governance context in which they operate.

How Do the Three Lines Interact? (The Model in Action)

The three lines don't operate in isolation — they interact to support the organization's ability to achieve objectives while managing risks. Here's how:

🟥 First Line

Operational Management

  • Role: Owns and manages risks day-to-day
  • Reports to: Senior management
  • Responsibility: Implement controls, execute operations
  • Example: Finance department controls purchase approvals

🟨 Second Line

Risk & Compliance Functions

  • Role: Oversee first line effectiveness
  • Reports to: Senior management
  • Responsibility: Set policies, monitor compliance
  • Example: Risk committee monitors covenant compliance

🔵 Third Line

Internal Audit (CIA)

  • Role: Provide independent assurance
  • Reports to: Board (functionally) + Management (administratively)
  • Responsibility: Audit all three lines
  • Example: Internal audit evaluates control design & execution

Notice the key difference: the first and second lines both report to management, meaning they have a management relationship. The third line (internal audit) has dual reporting — functionally to the board (for independence) and administratively to management (for operational efficiency). This is critical. Internal audit must be independent of management in order to provide credible assurance to the board about whether management is doing its job correctly. If internal audit reported only to the CFO, its independence would be compromised — it couldn't objectively assess whether the CFO's financial controls were working. The dual reporting line protects that independence.

The second line is particularly important in the model because it's the "bridge" between operational management (first line) and independent oversight (third line). The second line — risk management, compliance, quality assurance functions — provides specialized expertise and oversight, but it's still part of management. It doesn't have the independence of internal audit. This is why the CIA Part 1 Reference Guide notes: "Second-line functions have some degree of independence from the first line, but they are still management functions and subject to senior management."

Three Lines Model Examples (Real Organizational Scenarios)

Examples help cement the model. Here are four real scenarios showing how the three lines interact in specific organizational situations:

Example 1: Purchase Order Approval (First Line Controls). A manufacturing company has a policy that all purchase orders over £5,000 must be approved by the department manager and the finance manager. This is a first-line control — operational management is implementing a control to manage procurement risk. The finance department processes the transaction. The risk of incorrect or unauthorized purchase orders is owned and controlled by the first line. Second-line oversight: The finance compliance team monitors purchase orders to assess whether the control is operating — they sample transactions and verify approvals are present. Third-line assurance: Internal audit evaluates whether the control is designed effectively (e.g., are authorization limits appropriate?) and operating consistently (e.g., are exceptions documented and approved by someone with authority?).

Example 2: Covenant Compliance (Second Line Monitoring). A company has a bank loan with debt covenants (e.g., minimum EBIT £10m). Monitoring covenant compliance is technically a second-line responsibility — it's an oversight function. The finance team calculates whether the company will breach covenants, and the finance compliance team alerts management to risks. The first line (operations) receives this information and responds (e.g., cutting costs, reducing capital spend). Third-line assurance: Internal audit assesses whether the second line's covenant monitoring is effective and whether management's response to covenant risk is appropriate. This shows how the three lines interact around a single risk.

Example 3: IT General Controls (All Three Lines Together). Data security is managed across all three lines. First line: IT operations implements access controls (passwords, user access management). Second line: IT compliance monitors that controls are working (testing user access, reviewing exception logs). Third line: Internal audit assesses whether the IT control environment is designed and operating effectively. Fourth line (external): External auditors rely on internal audit work and evaluate IT general controls as part of financial statement audit.

Example 4: Revenue Recognition (First Line with Second-Line Check). First line: The sales team books revenue when goods are shipped (first-line control embedded in the process). Second line: The accounting standards team reviews revenue transactions to ensure they comply with IFRS 15 — they challenge if criteria are met. Third line: Internal audit assesses whether revenue is recognized consistently across the organization and whether the first and second line are functioning. External audit (fourth line) tests revenue transactions and relies on internal audit findings about the operating effectiveness of the revenue control environment.

In each example, the three lines are working together, with clear role boundaries. The first line owns the risk; the second line monitors; the third line provides independent assurance. This clarity prevents duplication and ensures all risks are being managed and overseen.

First Line: Operational Management (Controls Embedded in Business Processes)

The first line is your operational business — the sales team, finance team, HR, production, supply chain. These teams execute the organization's day-to-day activities. The first line owns the risks that arise from those activities and is responsible for designing and implementing controls to manage those risks.

First-Line Responsibilities (from CIA Part 1):

  • Executing day-to-day operations
  • Identifying, assessing, controlling, and mitigating risks
  • Owning the risks and designing/executing controls to respond to those risks
  • Implementing internal policies and procedures
  • Ensuring activities are consistent with organizational goals

For example, the accounts receivable team (first line) has a risk: some customers might not pay their invoices. They design controls to manage this risk — credit checks before approving credit limits, dunning procedures for overdue accounts, periodic collection follow-ups. These are first-line controls embedded in the business process. The first line is responsible for whether these controls work, not the risk management committee or internal audit. Internal audit and risk management might oversee and monitor, but ownership is with the first line. For deeper context on how controls are embedded in specific audit areas, see our post on control deficiencies and audit findings.

Second Line: Compliance & Risk Oversight Functions (Monitoring First-Line Effectiveness)

The second line consists of functions like compliance, risk management, quality assurance, legal, finance control, health & safety — teams that monitor and support the first line's risk management activities. The second line provides specialized expertise, sets policies and frameworks, and monitors whether the first line is complying with those frameworks.

Second-Line Responsibilities (from CIA Part 1):

  • Monitoring and supporting the first line by providing expertise, policies, and compliance frameworks
  • Developing risk frameworks and policies
  • Providing training on risk management
  • Monitoring the effectiveness of first-line controls
  • Advising management on risk mitigation
  • Facilitating risk management practices by operational management

Example: The compliance team (second line) establishes policies for all vendors the company works with — background checks, sanctions screening, conflict of interest declarations. The first line (procurement team) applies these policies when selecting vendors. The second line monitors whether procurement is following the vendor policies — they sample vendor files, assess whether background checks were done, verify compliance with selection criteria. The second line doesn't procure (that's first line); it monitors procurement compliance (that's second line). Importantly, the second line is still part of management. It reports to the CFO or CEO, not independently to the board. This means it can't provide the kind of independent, objective assurance that the board needs about whether management is doing its job. For context on risk assessment and oversight, see our post on fraud risk assessment frameworks.

Third Line: Internal Audit (Independent Assurance Provider)

The third line is internal audit. The internal audit function provides independent and objective assurance and advice on the adequacy and effectiveness of governance, risk management, and control processes. The critical word is independent. Internal audit must be independent from management in order to provide credible assurance to the board about whether first-line and second-line activities are functioning as intended.

Third-Line Responsibilities (from CIA Part 1):

  • Providing independent and objective assurance on the effectiveness of governance, risk management, and controls
  • Evaluating whether the first and second lines are functioning as intended
  • Recommending improvements
  • Reporting adequately to the board and senior management
  • Maintaining independence from management activities

The independence is achieved through dual reporting lines: (1) Functional reporting to the board — the Chief Audit Executive (CAE) reports functionally to the board or audit committee for purposes of setting the internal audit plan, discussing findings, and ensuring independence. (2) Administrative reporting to management — the CAE also reports administratively to the CEO or CFO for HR, budget, administrative matters. This dual structure ensures that while internal audit operates within the organization, it has the independence it needs to challenge management when necessary. The board has oversight authority, so if the CEO tries to suppress an internal audit finding, the CAE can escalate directly to the board. For context on how internal audit and external audit interact, see our post on internal audit function overview.

The Governing Body (Board) Role in the Three Lines Model

The governing body — typically the board of directors or audit committee — sits above all three lines. The board's role is to set the organization's strategic direction, oversee management, and ensure that appropriate structures and processes exist for governance, risk management, and control.

Board Responsibilities (from CIA Part 1):

  • Setting strategic direction and approving organizational objectives
  • Overseeing governance, risk management, and internal control systems
  • Appointing and evaluating the CEO
  • Delegating to management and providing direction, oversight, and resources
  • Receiving independent assurance from internal audit
  • Ensuring internal audit is independent, objective, and competent

The board's relationship with internal audit is unique. While the CEO and senior management are responsible for day-to-day operations (and thus report within the first and second lines), the board needs independent information about whether management is performing that responsibility effectively. Internal audit provides that independent assurance. This is why the CAE reports functionally to the board — so internal audit can tell the board what it sees, without filtering through management.


CIA Part 1 Context: Section 1181 Three Lines Model

CIA Part 1 Section 1181 covers the Three Lines Model in detail. The section emphasizes six key principles that govern how the three lines interact to achieve good governance:

The Six Principles of the Three Lines Model (CIA Part 1 1181.06-1181.07):

  • Governance: Organizations require structures and processes that enable accountability, actions, and independent assurance.
  • Governing Body Roles: The board ensures appropriate structures, aligns objectives with stakeholder interests, delegates to management, oversees internal audit.
  • Management and First/Second Line Roles: Management achieves objectives; first and second lines enable actions toward those objectives.
  • Third Line Roles: Internal audit provides independent assurance on governance and risk management.
  • Third Line Independence: Internal audit must be independent from management to maintain credibility and objectivity.
  • Creating and Protecting Value: All roles working together, aligned with stakeholder interests, create and protect organizational value.

The CIA Part 1 material also warns: "Due to the expertise that internal auditors possess in the field of risk management and control, sometimes they are requested to undertake roles that typically fall beyond the legitimate internal audit roles." This is a critical point. Internal audit should not manage risks (that's first line), should not set compliance policies (that's second line), should not make decisions about control design (that's first line). Internal audit's role is to audit, assure, and advise — not to do.

Why AA Auditors Need to Understand the Three Lines Model

As an external auditor, you need to understand the Three Lines Model because it affects your audit planning, your risk assessment, and your ability to rely on the work of others. Here's why:

1. Avoiding Duplication: If internal audit has already tested whether a control is operating effectively, you don't need to test it from scratch. You understand what internal audit's role is (independent assurance on control effectiveness) and you can assess their work and rely on it if their methodology and conclusions are sound.

2. Understanding Risk Oversight: When you assess audit risk in a client, you consider whether the second line (risk management, compliance) is effective at monitoring the first line. A company with a weak second line — where risk management is reactive rather than proactive, where compliance monitoring is minimal — has higher audit risk. The Three Lines Model helps you think systematically about this governance gap.

3. Evaluating Governance Quality: The quality of governance affects your audit risk assessment. If the board is actively overseeing internal audit, receiving and acting on internal audit findings, and maintaining the independence of the internal audit function, governance is strong. If the board is passive, or if the CAE is reporting to the CFO only (no functional reporting to the board), governance is weak. The Three Lines Model gives you a framework for assessing these governance characteristics.

4. Coordinating with Internal Audit: When you plan your external audit, you meet with the CAE and the internal audit team. You discuss their plan, their findings, areas where your work might overlap. You're applying the Three Lines Model implicitly — you understand that internal audit is independent, that they've audited controls and risk management processes, and you're determining where reliance is appropriate and where you need to do your own testing.

For more on how external auditors coordinate audit work and rely on others' work, see our post on CIA Part 2 engagement planning. And for how the internal audit function fits into broader organizational structure, see our resource on CIA exam structure.

Why Students Find the Three Lines Model Confusing

The Three Lines Model seems straightforward when you first read it — first line owns risks, second line monitors, third line audits. But students get confused because the lines interact, overlap, and don't always map cleanly to a single department. Let me address the main confusion points:

Confusion 1: "Aren't Risk Management and Compliance Part of the First Line?" No. Risk management and compliance functions are second line. They're not the ones executing the business or owning the risks day-to-day; they're monitoring and supporting the first line's management of risks. This confuses students because risk management and compliance are sometimes embedded in operational departments. But their role within those departments is second-line oversight, not first-line execution.

Confusion 2: "If Internal Audit Reports to Management, How Is It Independent?" Internal audit has dual reporting: functional reporting to the board (for independence) and administrative reporting to management (for operations). Many students miss this dual structure and assume internal audit reports only to management, which would compromise independence. The functional reporting line to the board is what enables independence.

Confusion 3: "Can the Second Line Do Testing?" or "Can Internal Audit Prevent Fraud?" These questions confuse the roles. The second line can monitor and test compliance with policies, but they're not providing independent assurance — they're part of management. Internal audit can detect fraud in the course of auditing, but fraud prevention is management's responsibility (first line), not internal audit's primary role. The distinctions are subtle but important.

Confusion 4: "What's the Difference Between the Third Line and External Auditors?" Both provide assurance, but external auditors (fourth line) focus on financial statement fairness and compliance with standards. Internal auditors (third line) provide assurance on governance, risk management, and controls more broadly — they're not limited to financial reporting areas. External auditors can rely on internal audit work if appropriate, but they conduct their own testing to support their opinions.

The solution is to think of the Three Lines as roles, not departments. A single department might contain multiple roles. Finance might have first-line people (accounts receivable team executing collections) and second-line people (finance compliance team monitoring month-end close controls). The roles are what matter, not the org chart.

Common Misconceptions About the Three Lines

❌ Myth 1: The Three Lines Are Completely Separate Silos

Wrong: Students sometimes think the three lines don't interact — each operates independently, then reports up. Reality: The three lines interact constantly. Second line monitors first line. Third line audits both. They coordinate, share information, and work together toward common organizational objectives. The model doesn't create silos; it clarifies overlapping roles.

❌ Myth 2: Internal Audit Reports Only to Management

Wrong: Students often miss that internal audit has dual reporting — functionally to the board, administratively to management. Reality: This dual structure is what makes internal audit independent. The functional reporting line to the board means the CAE can bypass management and escalate findings directly to the board if necessary. This independence is critical to internal audit's credibility.

❌ Myth 3: The Board "Runs" the Three Lines Model

Wrong: Students sometimes think the board directly manages the first and second lines. Reality: The board sets direction and oversees, but management (CEO, senior management) is responsible for day-to-day operations and for implementing first and second line activities. The board delegates to management, then receives assurance from internal audit about whether management is performing that responsibility effectively.

❌ Myth 4: "Third Line" Means Internal Audit Audits Only Financial Controls

Wrong: Students often conflate internal audit with financial controls testing. Reality: Internal audit audits governance, risk management, and control across the entire organization — IT general controls, operational effectiveness, compliance, fraud prevention, even board oversight. Financial controls are just one area. External auditors might rely on internal audit testing of financial controls, but internal audit's scope is much broader.

Frequently Asked Questions

Q1: Why Does Internal Audit Need Functional Reporting to the Board if It's Part of the Organization?

Internal audit is part of the organization (administrative reporting to the CEO for budgets, hiring, etc.), but it needs independence from management to provide credible assurance. Functional reporting to the board means the audit plan and significant findings are communicated to and discussed with the board, independently of management filtering. If the CFO disagrees with an internal audit finding about financial controls, the CAE can escalate directly to the board. This independence protects internal audit's ability to provide objective assurance to the board about whether management is performing its responsibilities.

Q2: Can the Second Line Do Testing (Like Sampling Transactions) or Is That Only Third Line?

The second line can do testing — compliance teams sample transactions to verify policies are being followed. The difference is purpose and independence. The second line tests compliance with policies to support management in monitoring the first line. The third line (internal audit) tests control effectiveness and design to provide independent assurance to the board. Both might sample transactions, but they're answering different questions and have different independence relationships.

Q3: If Internal Audit Is Independent, Why Does It Report Administratively to Management?

Administrative reporting to management is necessary for operational efficiency — internal audit needs a budget, hiring authority, HR support, office space. The CEO or CFO provides those resources. But administrative reporting (for operations) is different from functional reporting (for audit independence). Functional reporting to the board protects the audit plan and findings from management interference. Think of it this way: management provides the resources, but the board sets the direction and receives the findings. This balance maintains both effectiveness and independence.

Q4: How Do External Auditors Use the Three Lines Model in Planning?

External auditors use the Three Lines Model to understand the control environment and to identify where they can rely on internal audit work. During planning, the external auditor assesses: Is internal audit independent? What areas has internal audit tested? Are their testing methodologies sound? Where might we rely on their testing (e.g., operating effectiveness of IT general controls) versus where do we need to do our own testing (e.g., substantive procedures on account balances)? Understanding the Three Lines also helps the external auditor understand governance quality — if the board is actively overseeing internal audit and acting on findings, that's a positive governance indicator that might lower audit risk.

