Three Lines Model
The Three Lines Model clearly define roles within an organisational structure to not only emphasise oversight provided by a governing body but also to identify risk management activities that aid in fulfilling the organisations objectives. Management, internal audit, and external assurance providers are considered three roles that can collectively contribute to the outcome of well-informed decisions made within an organisation.
Management’s role includes both the first and second line. Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. This consists of identifying and assessing controls and mitigating risks. Additionally, business and process owners guide the development and implementation of internal policies and procedures and ensure activities are consistent with University goals and objectives. Mid-level managers may design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.
Bowles Hall Administration Building, 3rd Floor Room 315, Lorman Campus
1000 ASU Drive, #150
Lorman, MS 39096-7500
The second line role can be separate or blended with the first line to help ensure risks and controls are effectively managed. Support functions such as compliance, risk management, human resources, etc. may be added to assist with managing risk, monitoring controls as well as challenging those in the first line roles.
The third line role provides independent and objective assurance to management and the governing body that the first and second lines’ efforts are consistent with expectations. Internal audit may not direct or implement processes, but they can provide advice and recommendations regarding processes. Additionally, Internal Audit may support enterprise risk management (ERM) but may not implement or perform Ask management other than inside of its own function. Internal auditors accomplish that objectives by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
External Assurance Providers
External assurance providers such as external auditors are responsible for expressing an opinion on the fairness (accuracy within a degree of materiality) of the financial statements in conformity with certain accounting standards. Additionally, external assurance providers may provide assurance to the Board of Trustees regarding institutional compliance requirements (such as Title IV funding of financial aid).
For additional information regarding the Three Lines Model, please visit the Institute of Internal Auditors (IIA) website to download a free copy.
Institute of Internal Auditors Three Lines Model