A lot has been said and written over the past couple of years about the Three Lines of Defense Model — a tool that is often used to illustrate the interrelationship and roles/responsibilities of the board, management, internal oversight functions, and internal audit in ensuring that risks are adequately assessed and effective controls are in place. The IIA published a position paper on the model earlier this year that outlines the roles and responsibilities of each player — with emphasis on internal audit.
Theoretically, if all players execute their role correctly, there should never be a complete failure of all three lines of defense.…