Compliance | August 06, 2025

Bridging the Lines: Enhancing assurance through collaboration

Is your second line of assurance perceived as more valuable than internal audit? If so, that perception could be a strategic risk—and a wake-up call.

In today’s complex business environment, organizations are increasingly focused on the assurance they receive from the various functions within their organization. A key risk facing internal audit functions is the notion that second-line functions are a more valuable source of assurance than the third line (internal audit). 

What is causing this shift in perspective, and how can internal audit dispel this viewpoint and demonstrate the value it brings to its organizations? For internal auditors, it’s critical to establish a link between the internal audit function and other assurance providers to ensure a collaborative and coordinated approach to assurance.

A deeper dive into Standard 9.5

Domain IV of the Global Internal Audit Standards focuses on the chief audit executive’s (CAE) responsibility to manage the internal audit function in accordance with the internal audit charter and mandate. CAEs must focus on developing a strategic plan for the long-term advancement of the internal audit function.

Standard 9.5 Coordination and Reliance

Standard 9.5 Coordination and Reliance supports the Three Lines Model and emphasizes the importance of the CAE coordinating with internal and external assurance providers to minimize duplication of efforts, highlight gaps in coverage of key risks, and enhance the overall value added by assurance providers. When the internal audit function relies on the work of other assurance providers, the CAE must document the basis for that reliance and is still responsible for the conclusions reached by the internal audit function.

This means that internal auditors are tasked with developing a methodology that enables them to identify and evaluate all assurance providers within the organization. Standard 9.5 is specifically linked to the Three Lines Model and the concept of combined assurance. The goal is to reduce duplication of work undertaken by both the 2nd and 3rd Lines, thus encouraging greater reliance on all assurance providers. Maximizing assurance and efficiency, and minimizing duplication, will help leadership realize the value the internal audit function brings to the organization.

Defining the roles in the Three Lines model

The Institute of Internal Auditors (IIA) established the Three Lines Model to clarify the roles and responsibilities, set goals, and establish governance accountability across the organization. It clearly distinguishes the roles of internal auditors from those of other assurance functions, such as compliance and risk management. 

Looking more closely at each line, the first line is the organization’s frontline. This is where day-to-day operations take place, making the first line directly responsible for identifying, assessing, and mitigating risk across the organization.

The second line provides expertise, support, and monitoring relating to risk management. The second line is responsible for establishing policies, identifying emerging risks, ensuring compliance with regulations, and monitoring the effectiveness of risk management practices. It acts as a bridge between the first line (which manages risks directly) and the third line (which provides independent assurance through internal audit engagements).

The third line – the internal audit function – strengthens the organization’s ability to create, protect, and sustain value by providing the board/audit committee and management with independent, risk-based, and objective assurance, advice, insight, and foresight. In doing so, it may consider assurance from other internal and external providers.

The Three Lines: Working together

In an ideal world, the three lines work together to manage risk across the organization and drive achievement of strategic objectives. Collaboration and communication are critical components for a successful implementation of the Three Lines Model. This includes the following:

  1. Define roles. Clearly outline the roles of operational management, risk management/compliance, and internal audit, ensuring each understands their responsibilities in risk management.
  2. Create policies. Develop comprehensive risk management and compliance policies, including a documented risk management framework that aligns with organizational goals and relevant regulations.
  3. Train employees. Educate all employees on their roles and contributions to risk management, emphasizing the importance of effective communication.
  4. Encourage collaboration. Promote communication and collaboration between the three lines to ensure a unified risk management approach.
  5. Monitor and improve. Establish systems for continuous monitoring of risk activities, allowing for regular assessment and adaptations to changing risks, and ensure that business-critical risks are identified.
  6. Secure leadership support. Obtain commitment from top leaders to emphasize the importance of the Three Lines Model across the organization. Leadership support is key to implementation.

Assurance map creation, ownership, and strategic value

Assurance maps are an essential tool for visually representing risk coverage, aligning assurance activities, identifying who is responsible for what, and highlighting potential gaps in coverage. These maps are increasingly recognized for their strategic value, providing support to stakeholders, including senior management and the audit committee, in decision-making. Yet, two questions remain: (1) who should be responsible for maintaining the accuracy of the assurance map, and (2) who owns the assurance map?

Ownership of the assurance map is a topic of debate, with two primary schools of thought. Some advocate that the risk management function should claim ownership, as it is more closely involved in overseeing and monitoring risk-related activities. This approach not only leverages the second line’s expertise but also safeguards the independence and objectivity of the internal audit function.

The second line also complements the organization’s risk management efforts by providing expertise, support, and risk monitoring, while also analyzing and reporting on the adequacy and effectiveness of risk controls, which encompasses:

  • Developing, implementing, and continuously improving risk management practices and controls at the process, systems, and entity levels.
  • Achieving risk management objectives, including compliance, ethical behavior, controls, IT security, sustainability, and quality assurance.

Alternatively, other viewpoints suggest that the internal audit function should initiate the creation of the assurance map, leveraging its (internal audit’s) broad scope and independent perspective, before transferring the ownership to the risk function or a senior director responsible for organizational risk. In this scenario, the third line maintains primary accountability to the governing body, such as the board or audit committee. It operates independently of management’s responsibilities, providing a holistic view across the organization to assess how business-critical risks are managed and mitigated.

Improving coordination and reducing duplication across the three lines

The second and third lines may sometimes experience duplication of effort, as both lines are involved in assurance activities. Internal audit must also avoid any impairments to its independence and objectivity, particularly when potential conflicts of interest arise. This raises the question: should the internal audit function and the organization rely on the assurance provided by the second line?

Before doing so, internal audit needs to evaluate the work of the assurance provider. This may require the chief audit executive to step in and determine whether internal audit can place reliance on the work of other assurance providers. If the internal audit function decides to rely on an internal or external assurance provider, it needs to document the agreed-upon relationship and be clear about the specifications of the assurance provided, as well as the testing and evidence required to support it. If internal audit is not going to rely on another assurance provider, that decision also needs to be documented and reported to the board or audit committee. Failure to do so may result in decision makers and stakeholders using potentially flawed assurance to inform their decisions.

To help decide whether to rely on the second line’s assurance, internal audit should consider the following factors:

  • Are there potential or actual conflicts of interest? Were disclosures made?
  • What are the reporting relationships and the potential impacts of this arrangement?
  • What is the relevance and validity of the second line’s professional experience, qualifications, and certifications?
  • Can internal audit rely on the second line’s methodology and due professional care applied in planning, supervising, documenting, and reviewing the work?
  • Are the second line’s findings and conclusions reasonable and based on sufficient, reliable, and relevant evidence?

Balancing assurance and advisory: The evolving role of internal audit

Both the second and third lines offer unique assurance roles that are vital to an organization’s success. Understanding the value that each brings to the organization is important to ensure a cohesive risk management strategy.

The second line has several unique aspects that make it a crucial component of an organization’s overall risk management and assurance framework, including:

  • Overseeing and monitoring the activities of the first line.
  • Providing the necessary frameworks, policies, procedures, and guidelines that enable the first line to manage risks effectively.
  • Offering specialized expertise in areas such as risk management, compliance, and financial control.
  • Maintaining a separate status from those responsible for the direct delivery of services, allowing it to offer objective assurance.
  • Conducting quality assurance activities to ensure the first line’s risk management and control processes are functioning as intended.
  • Providing tools, techniques, and training to first line managers and staff to help them understand and implement effective risk management practices.

In contrast, the third line provides assurance through its independent and objective evaluation of risk controls and governance. This independence is critical for delivering credible assurance. Other unique characteristics include:

  • Auditing a wide range of business areas to provide a holistic view of the organization’s operations and controls.
  • Conducting continuous monitoring to identify and address issues promptly.
  • Offering advisory services by recommending best practices and identifying opportunities for improvement.
  • Focusing on the effectiveness of the organization’s internal controls to ensure operations are aligned with company objectives.
  • Engaging with stakeholders to ensure audit findings and recommendations are communicated effectively and acted upon.

Given the unique strengths of both the second and third lines, why do some organizations view the second line as a more valuable source of assurance? Some might argue that internal audit uses the independence concept to distance itself from the organization’s operations, leading to a lack of business acumen and understanding of the organization’s strategic objectives.

Strengthening internal audit with technology

Richard Chambers, author and senior advisor of Risk and Audit, says the second line is often viewed as more pragmatic and tends to work more closely with the business than internal audit. This may help explain why organizations see more value in second-line assurance. According to Chambers, some internal audit functions remain stuck in the past (“Jurassic”) with behaviors such as building plans based on cycles rather than risks, developing an annual audit plan and adhering to it throughout the year, and avoiding auditing technology and leveraging technology in general.

This “Jurassic” mindset leads us to the question: Is internal audit fit for the future? With the pressure to do more with less in an environment of unprecedented business disruption, the internal audit function must evolve to become a trusted partner of its leadership team – or face extinction. With new thinking, skills, capabilities, and the use of new technology, internal audit can become a more dynamic solution creator, helping the organization address volatile, uncertain, complex, and ambiguous (VUCA) market conditions, customer expectations, and workforce needs.


Frequently Asked Questions

We’ve asked Liz Sandwith to review the most frequently asked questions and provide her informed responses for additional consideration and clarity.

Q1: For an organization that has an area that manages both the 2nd and 3rd Line, do you recommend them being separated or can it be effective for a single area to manage both?

A: I would suggest that the 2nd and 3rd Lines should be separate. Such separation allows them both to provide a different lens through which to offer assurance. For example, unlike the 3rd Line (internal audit), the 2nd Line is not independent of the organization's management chain but is separate from those responsible for direct delivery of services. This separation helps maintain objectivity while still being closely integrated with the organization's operations. The 3rd Line, by contrast, operates independently from the activities it audits, ensuring unbiased and objective assessments. This independence is crucial for providing credible assurance.

Q2: For an organization where there is a fusion of internal audit and risk management, who should own the assurance map or risk map? 

A: There are several schools of thought here. The first is that internal audit should create and own the assurance map and support the creation of an Assurance Forum. The second thought is that creating the assurance map could be considered as impacting on internal audit's independence. My personal view, and I have seen this work extremely effectively, is that internal audit creates the assurance map, but it is 'owned' by either the Head of Risk or, if there isn't a risk function within the organization, then by the senior director who has responsibility for risk within the organization.

Q3: For the purpose of assessing the quality of work, is it required to assess the work of the 2nd Line for each engagement where internal audit wants to rely? Can reliance be based on a cyclical audit of the 2nd Line's assurance for all the quality factors deemed important?

A: I would adopt an approach similar to the approach that internal auditors adopted regarding risk management (i.e., a periodic internal audit engagement of the risk management framework within the organization that would then enable them to provide an assurance regarding risk management). Alternatively, some internal audit functions will include an assessment of risk management in each and every internal audit engagement. The same approach could be applied to being able to place reliance on 2nd Line assurance (i.e., undertake a periodic assessment of the assurance provided by the 2nd Line or undertake an assessment of the 2nd Line assurance specifically related to work that internal audit is undertaking and a requirement to be able to rely on the 2nd Line's assurance).

Q4: Does the 2nd Line have to be independent from the 3rd Line of Assurance?

A: 2nd and 3rd Lines must remain clearly distinct in roles and responsibilities to maintain effective governance and assurance.

  • 2nd Line (risk, compliance, control functions):
    • Supports management by developing risk management frameworks, policies, and procedures.
    • Monitors risks and controls but does not provide independent assurance.
    • Typically reports to senior management, sometimes with dotted-line reporting to the board or audit committee.
  • 3rd Line (internal audit):
    • Provides independent and objective assurance on the effectiveness of governance, risk management, and internal controls.
    • Must be independent from both the 1st and 2nd lines.
    • Reports directly to the board or audit committee, ensuring independence from operational influence.
  • Best practice:
    • Clear documentation of roles and responsibilities.
    • No dual roles that could compromise independence (e.g., an internal auditor also leading compliance).
    • Regular communication between the lines to ensure alignment without compromising objectivity.

Q5: How can we rely on assurance providers within a specific department if it is considered independent when those assurance providers are usually managed by the same person who controls the process? Can we really rely on the information?

A: This is a very important and nuanced point about independence and reliability of assurance within a department, especially when the assurance providers (e.g., QA, compliance reviewers, risk officers) are managed by the same person who owns or operates the process they are reviewing. Even if a team is labelled as “independent,” if it reports to or is influenced by the process owner, its objectivity and credibility can be compromised. Can you rely on the information? Not fully, unless safeguards are in place. You can place some reliance on their work, but it should be supplemented by independent validation. Internal audit should periodically assess the effectiveness and independence of these embedded assurance functions.

Q6: How could the 2nd Line obtain more authority?

A: For the 2nd Line (e.g., risk, compliance, quality assurance) to gain more authority and influence within an organization, it must demonstrate value, build trust, and align closely with strategic goals—while maintaining its separation from management. Examples of how it might demonstrate value, etc. include:

  1. Demonstrate strategic value - Align risk and compliance activities with business objectives and show how effective oversight enables growth, protects reputation, and reduces costs (e.g., fewer regulatory fines or audit findings).
  2. Enhance risk intelligence - Provide insightful, data-driven reporting that helps leadership make informed decisions and use dashboards, heat maps, and trend analysis to visualize risk exposure and control effectiveness.
  3. Build strong relationships - Collaborate with the 1st Line to co-create solutions, not just enforce rules; be seen as a partner, not a blocker.
  4. Develop subject matter expertise - Be the go-to authority on regulatory changes, risk frameworks, and control design, and offer training and guidance that empowers the 1st Line.
  5. Strengthen governance ties - Secure a seat at key committees (e.g., risk, compliance, executive), ensure regular reporting to the board or risk committee.
  6. Leverage technology - Use integrated GRC (Governance, Risk, and Compliance) platforms to improve visibility and efficiency and automate monitoring and reporting to free up time for strategic work.
  7. Quantify impact - Track and report on KPIs, including reduction in control failures, timeliness of issue remediation and risk mitigation effectiveness.
  8. Promote a risk-aware culture - Lead initiatives that embed risk thinking into daily operations and recognize and reward good risk management behaviors.

Q7: How does the 3rd Line compete with the 2nd Line for resources?

A: The 2nd Line (e.g., risk, compliance, QA) and the 3rd Line (internal audit) can sometimes appear to compete for resources, especially in organizations with limited budgets or overlapping responsibilities. However, this "competition" is more about resource prioritization and role clarity than direct rivalry.

  • How to Manage or Avoid Competition:
    • Clear Role Definitions: Use the Three Lines Model to delineate responsibilities. For example:
      • 2nd Line: Designs and monitors controls.
      • 3rd Line: Independently assesses the effectiveness of those controls.
    • Collaboration and Coordination:
      • Joint planning sessions to align audit and compliance calendars.
      • Shared risk assessments to avoid duplication.
    • Board-Level Governance:
      • Audit and Risk Committees can help balance resource allocation and ensure both lines are adequately supported.
    • Integrated Assurance Models:
      • Some organizations adopt a unified assurance approach, where all lines contribute to a single risk view, reducing redundancy.

Q8: Does having an integrated or shared risk management, compliance and audit platform help the 3 Lines to work more efficiently?

A: Yes, having an integrated, shared risk management, compliance, and audit platform can significantly enhance the effectiveness and efficiency of the 3 Lines. The benefits of an Integrated Platform include:

  1. Improved collaboration:
    • Enables real-time information sharing between the 1st, 2nd, and 3rd Lines.
    • Reduces silos and fosters a common understanding of risks and controls.
  2. Centralized risk data - A single source of truth for:
    • Risk registers
    • Control libraries
    • Audit findings
    • Compliance obligations
    • Enhanced data integrity and traceability
  3. Streamlined workflows:
    • Automates risk assessments, control testing, issue tracking, audit planning, and reduces manual effort and duplication.
  4. Better risk visibility:
    • Dashboards and analytics provide cross-functional insights, early warning indicators, heat maps, and trend analysis.
  5. Stronger governance:
    • Supports consistent documentation and reporting and facilitates board and audit committee oversight with integrated reporting.
  6. Audit readiness:
    • Easier to demonstrate compliance and control effectiveness to regulators and external auditors.

Q9: Does SOX/ICFR testing typically fall within the 2nd Line or 3rd Line?

A: The responsibility for SOX (Sarbanes-Oxley Act) or ICFR (Internal Control over Financial Reporting) testing can vary by organization, but here's how it typically breaks down within the 3 Lines model:

  • 2nd Line (Most Common)
    • Ownership: In many organizations, the 2nd Line (often the SOX Compliance or Internal Controls team) is responsible for:
      • Designing and maintaining the ICFR framework.
      • Coordinating and performing testing of key controls.
      • Documenting results and remediating deficiencies.
      • Supporting management’s annual SOX certification.
  • 3rd Line (Independent Assurance)
    • Internal audit may:
      • Validate the effectiveness of the 2nd Line’s testing.
      • Perform independent testing of selected controls.
      • Provide assurance to the audit committee and external auditors.
      • Step in if the 2nd Line lacks capacity or independence.

Q10: Should a true 2nd Line be independent from the 1st Line, in the sense that they should challenge the 1st Line's design and adherence to controls?

A: Yes, the 2nd Line should be independent (separate) from the 1st Line to effectively challenge and oversee the design and operation of controls. Separation is important for the following reasons:

  • The 2nd Line (e.g., risk, compliance, QA) is responsible for:
    • Monitoring the effectiveness of controls.
    • Advising on risk and compliance.
    • Challenging the 1st Line’s decisions, assumptions, and control design.
  • If the 2nd Line is not independent, it risks:
    • Losing objectivity in assessing risks and controls.
    • Failing to escalate issues due to internal pressure.
    • Overlapping roles, which can lead to gaps or duplication in control coverage.
  • While separation is essential, the 2nd line should still collaborate with the 1st Line:
    • Provide guidance and training.
    • Help design effective and practical controls.
    • Share insights from monitoring to improve processes.

Q11: I would challenge the "advisory role" from the 3rd Line as the 2nd Line's expertise seems closer to the operation. What are your thoughts?

A: Domain V of the Global Internal Audit Standards is very clear in that internal audit services involve providing assurance, advice, or both. Internal auditors are expected to apply and conform with the Standards when performing engagements, whether they are providing assurance or advice, except when otherwise specified in individual standards. Domain V goes on to say internal auditors may initiate advisory services or perform them at the request of the board, senior management, or the management of an activity. The nature and scope of advisory services may be subject to agreement with the party requesting the services. Examples of advisory services include advising on the design and implementation of new policies, processes, systems, and products; providing forensic services; providing training; and facilitating discussions about risks and controls. When performing advisory services, internal auditors are expected to maintain objectivity by not taking on management responsibility. For example, internal auditors may perform advisory services as individual engagements, but if the chief audit executive takes on responsibilities beyond internal auditing, then appropriate safeguards must be implemented to maintain the internal audit function’s independence. I am, however, also aware of some internal audit functions that do not provide advisory services. It is documented in their IA Charter and approved by the audit committee, but this is, in my experience, unusual.

Q12: In the context of a company restructuring, where the demand for compliance services is reduced, is it possible to integrate compliance into the internal audit office for a period of 2 years to audit? What are the main conflicts, disadvantages, or advantages of this integration?

A: Yes, it is possible to integrate the compliance function into the internal audit function for a limited period, especially in smaller organizations or during times of transition. However, this arrangement must be carefully managed to avoid compromising the independence and objectivity of internal audit, as emphasized in the Global Internal Audit Standards (2024).

  • Safeguards to Enable Temporary Integration:
    • Document the dual role in the internal audit charter and disclose it to the board.
    • Limit the duration and define a clear exit strategy.
    • Segregate teams: Keep compliance and audit staff separate, even if under one leader.
    • Board oversight: Ensure the audit committee is aware and actively monitors the arrangement.

Yes, integration is possible — but only with clear boundaries, strong governance, and a temporary mandate. The Global Internal Audit Standards (Standard 7.1) explicitly require safeguards when the CAE assumes roles beyond internal auditing.

Q13: How often should internal audit undertake formal assurance work in relation to 2nd Line frameworks and methodologies?

A: According to the Global Internal Audit Standards (2024), internal audit should undertake formal assurance work in relation to 2nd Line frameworks and methodologies on a risk-based and periodic basis, guided by the following principles:

Standard 9.5 – Coordination and Reliance outlines the expectations for how internal audit should engage with other assurance providers, including 2nd Line functions (e.g., risk, compliance, IT security, quality assurance):

  • Frequency and Triggers for Formal Assurance Work. Internal audit must:
    • Coordinate with 2nd Line functions to avoid duplication and identify assurance gaps.
    • Evaluate the work of 2nd Line providers before relying on it.
    • Document the basis for reliance, including:
      • Independence and objectivity.
      • Competence and qualifications.
      • Methodology and due professional care.
      • Scope and results of their work.
  • Frequency is not fixed but should be periodic and risk-based, meaning:
    • At least annually as part of the audit planning process.
    • More frequently if:
      • The 2nd Line framework is newly implemented or significantly changed.
      • There are known issues or weaknesses in the 2nd Line’s performance.
      • The 3rd Line intends to rely on 2nd Line work for high-risk areas.
  • Risks and Conflicts:
    • Over-reliance on 2nd Line without proper evaluation can impair audit quality.
    • Duplication of effort occurs if coordination is poor.
    • Perceived encroachment on 2nd Line responsibilities if not communicated well.
  • Best Practices:
    • Maintain an assurance map to track who provides assurance over what.
    • Include 2nd Line frameworks in the annual audit universe.
    • Use combined assurance reviews to assess how well 1st, 2nd, and 3rd Lines work together.
    • Establish formal agreements if relying on 2nd Line work long-term.

Q14: If the 2nd Line is not ready to collaborate with the internal audit function, how should the chief audit executive (CAE) approach them to encourage collaboration to improve the control environment of the company?

A: If the 2nd Line is reluctant to collaborate with the 3rd Line (internal audit), the chief audit executive (CAE) should approach the situation with a strategic, empathetic, and value-driven mindset. The goal is to build trust, clarify roles, and demonstrate how collaboration strengthens the overall control environment — not to impose authority. The CAE may frame the message along the lines of 'We’re not here to audit you — we’re here to work with you to ensure the audit committee and senior management have a complete, accurate picture of how risks are being managed. When we collaborate, we all look stronger.'

Q15: Given your extensive experience working across both the 2nd and 3rd lines, which line do you believe holds greater potential in driving assurance value in today’s risk environment, especially considering evolving expectations from regulators and stakeholders?

A: In today’s complex and fast-evolving risk environment, both the 2nd and 3rd Lines play critical roles in delivering assurance value — but they do so in distinct and complementary ways. The question of which holds greater potential depends on how we define 'value' and the maturity of the organization’s governance model. If the goal is operational responsiveness and risk ownership, the 2nd Line may appear more valuable. If the goal is independent assurance, strategic insight, and board confidence, the 3rd Line holds greater potential.

Q16: How can internal audit create an environment where the 2nd Line feels comfortable discussing their challenges openly?

A: Creating an environment where 2nd Line functions feel comfortable discussing their challenges openly with internal audit requires a deliberate shift in tone, trust, and collaboration. Here’s a practical, trust-building approach grounded in the Global Internal Audit Standards (2024) and best practices from the 3 Lines Model: 

  • Start with Relationship Building, Not Reviews:
    • Schedule non-audit, informal meetings with 2nd Line leaders (e.g., risk, compliance, InfoSec).
    • Focus on listening, understanding their pressures, and showing empathy.
    • Avoid audit language like 'findings' or 'gaps'; use 'insights,' 'themes,' or 'opportunities.'
    • We’re here to understand your world better — not to audit you, but to support a stronger control environment together.
  • Co-create a combined assurance framework:
    • Invite 2nd Line functions to help build or refine the assurance map.
    • Let them define how they assess risk and control effectiveness.
    • Agree on shared language, reporting formats, and escalation paths.
  • Create psychological safety in meetings:
    • Acknowledge their challenges (e.g., resource constraints, regulatory pressure).
    • Avoid “gotcha” moments — instead, offer to help escalate systemic issues to senior leadership.
    • Celebrate their successes in audit reports or assurance forums.
  • Use assurance forums or roundtables:
    • Host regular assurance forums with 2nd and 3rd Line leaders.
    • Make it a safe space to share what’s working, what’s not, and what support is needed.
    • Rotate facilitation to show shared ownership.
  • Offer support, not oversight:
    • Provide advisory services (e.g., reviewing risk frameworks, helping with control design).
    • Share tools, templates, or training that can help them mature their function.
    • Offer to pilot joint reviews with clear boundaries.

Q17: Who should define the roles of each of the 3 Lines?

A: According to the Global Internal Audit Standards, the responsibility for defining the roles of each of the 3 Lines — 1st Line (operational management), 2nd Line (risk, compliance, etc.), and 3rd Line (internal audit) — lies primarily with senior management and the board, with support from the chief audit executive (CAE) and guidance provided by the IIA’s 3 Lines Model. Senior management leads the definition of roles and responsibilities for the 1st and 2nd Lines, ensures that risk ownership (1st Line) and oversight (2nd Line) are clearly delineated, and collaborates with the CAE to ensure clarity and avoid duplication or gaps.

  • Supporting Standards:
    • Standard 6.1 – Internal Audit Mandate: 'The CAE must provide the board and senior management with the information necessary to establish the internal audit mandate.'
    • Standard 9.5 – Coordination and Reliance: 'The CAE must coordinate with internal and external providers of assurance services and consider relying upon their work.'
    • Standard 7.1 – Organizational Independence: 'The CAE must discuss with the board and senior management any roles that may impair independence.'
  • The board, audit committee and senior management are responsible for defining and maintaining the roles of the 3 Lines. The CAE plays a key advisory and coordinating role, especially in ensuring that the 3rd Line remains independent and that assurance activities are well-aligned.

Q18: How do we effectively use 1st and 2nd Lines to develop the internal audit plan?

A: To effectively use the 1st and 2nd Lines in developing a risk-based internal audit plan, internal auditors should leverage the 3 Lines Model as outlined by the Institute of Internal Auditors (IIA). Understanding the 3 Lines:

  • 1st Line (operational management): Owns and manages risks. They are responsible for maintaining effective internal controls and executing risk and control procedures on a day-to-day basis.
  • 2nd Line (risk management & compliance): Provides oversight, develops risk management frameworks, and monitors compliance with laws and regulations.
  • 3rd Line (internal audit): Provides independent assurance on the effectiveness of governance, risk management, and control processes.

Strategic use in risk-based planning:

  1. Gathering risk intelligence –
    • From the 1st Line: Obtain insights into operational risks, emerging issues, and control weaknesses through interviews, surveys, and review of incident reports.
    • From the 2nd Line: Use risk registers, compliance reports, and enterprise risk assessments to identify high-risk areas and systemic issues.
  2. Validating and prioritizing risks - Cross-reference risks identified by the 1st and 2nd Lines with internal audit’s own risk assessment. Evaluate the adequacy of risk coverage by the 1st and 2nd Lines to determine where internal audit should focus its assurance efforts.
  3. Identifying assurance gaps - Use tools like assurance maps to visualize who is covering what risks. Identify areas where there is no or insufficient assurance and prioritize these in the audit plan.
  4. Coordinating and relying on other Lines - As per Standard 9.5 (Coordination and Reliance), internal audit must coordinate with other assurance providers and may rely on their work if they are deemed competent and objective. Document the basis for reliance and ensure it aligns with internal audit’s own standards of evidence.
  5. Engaging in continuous dialogue - Maintain regular communication with 1st and 2nd Line leaders to stay informed of changes in risk profiles. Use these relationships to validate audit findings, develop action plans, and monitor implementation.

Practical steps for implementation:

  • Conduct stakeholder interviews with 1st and 2nd Line leaders during the annual planning cycle.
  • Review and analyze risk and control self-assessments (RCSAs), compliance dashboards, and incident logs.
  • Map risks to assurance providers to identify duplication and gaps.
  • Use a dynamic planning approach to adjust the audit plan as new risks emerge or as assurance coverage changes.

Q19: How do we measure the improvement of the internal control framework when it is not always possible to calculate, for example, the savings made?

A: Measuring improvement in an internal control framework isn’t always about quantifiable cost savings. Instead, it often involves a combination of qualitative and quantitative indicators that reflect enhanced control maturity, reduced risk exposure, and improved assurance outcomes:

  • Control maturity assessment - Use a maturity model (e.g., COSO, COBIT, or a custom 5-level scale) to assess progress over time.
  • Key Performance Indicators (KPIs).
  • Key Risk Indicators (KRIs) - Monitor indicators that reflect risk exposure (e.g., number of control failures or near misses, frequency of policy breaches, volume of exceptions in key processes and/or incident response times).
  • Audit and assurance feedback:
    • Internal audit results - Fewer significant findings or improved audit ratings.
    • External audit reliance - Increased reliance on internal controls by external auditors.
  • Stakeholder surveys:
    • Improved confidence in the control environment from management and audit committee / board.
  • Benchmarking and peer reviews - Compare your control framework against industry peers or standards. External quality assessments (e.g., the IIA’s EQA) can provide independent validation of improvement.

Q20: We have advocated assurance maps for a number of years but challenges within the organization (i.e., between the CRO and CAE) have led us to poor outcomes. What advice can you provide?

A: This is a common and sensitive challenge. When friction exists between the chief risk officer (CRO) and the chief audit executive (CAE), it can undermine the development of an assurance map or combined assurance framework. The result is often fragmented assurance, duplication, and gaps in risk coverage, all of which weaken governance.

Reframe the purpose:
Shift the conversation from “ownership” to value creation for the board and audit committee. Emphasize that the assurance map is a tool for the board/audit committee, not a turf battle. It helps the board/audit committee understand who is providing assurance over what and where there are gaps or overlaps, and it supports better risk oversight and resource allocation.

Ask the audit committee chair or board risk committee to sponsor a joint session between the CRO and CAE. Use this forum to agree on the purpose of the assurance map, the roles of each line, and a collaborative process for maintaining the map; this helps depersonalize the issue and re-anchor it in governance. Document and communicate the governance benefits: report progress to the board/audit committee with a focus on improved risk visibility, and work toward better alignment of assurance activities and enhanced board confidence in risk oversight.

Liz Sandwith
Internal Audit and Risk Management Consultant
Liz Sandwith has been a member of the IIA Standards Board for the last 6 years. Because of her involvement in the IPPF Evolution project, the IIA asked her to stay on as a Special Adviser to the Standards Board.