The IIA’s Three Lines Model is as badly flawed as its old one

The Institute of Internal Auditors recently updated its Three Lines of Defense Model, renaming it the “Three Lines Model.” I was asked to comment on weaknesses in the original model and identified several fundamental flaws. The refresh has not fixed them.

The original model fails to reflect how organisations actually make decisions. It creates unhelpful silos, particularly in the second line, that assume responsibilities rightfully belonging to management. Rather than emphasising how organisations ensure decisions achieve their purpose through monitoring, the model emphasises organisational structure and departmental labels.

Internal audit need not exist as a separate entity. While independent decision reviews may have value, an “internal regulator” proves counterproductive. The useful question is not “who audits whom” but “are the decisions we made still producing the outcomes we intended?”

The terms “controls” and “risks” have become divorced from their original decision-making context. Controls represent decisions made previously. Treating them as independent “things” wastes resources monitoring elements that may no longer matter. What matters is whether the assumptions behind those decisions still hold.

The monitoring that organisations actually need addresses three areas: implementation failures in primary decision elements, secondary element breakdowns or deterioration, and contextual changes affecting decision validity. None of these require a Three Lines Model. They require a monitoring plan built into the decision before it is made.

Despite the opportunity for improvement, the refreshed model is equally problematic. The document relies on sophistry rather than common sense, using undefined terms like governance and risk management interchangeably. Terms appear as nouns, verbs, and adjectives inconsistently. Phrases like “risk-based thinking” are invented concepts lacking clarity.

The “Applying the Model” section abandons previous strictness, permitting organisations to adapt the guidance however they prefer. This suggests the authors recognised its impracticality.

The updated model remains what the original was: a web of interconnected and ambiguous words and half-formed thoughts. The ambiguity serves consultants and internal auditors by justifying their continued existence while failing to provide practical guidance for organisational decision-making.