The Institute of Internal Auditors (IIA) updated its Three Lines of Defense model in July 2020, renaming it simply "The Three Lines Model" and releasing a substantially revised framework that reflected how organizations had evolved in the preceding decade. Five‑plus years later, internal audit functions are still adapting — some faster than others.
The 2020 update wasn't cosmetic. The IIA dropped "of Defense" from the name because the word implied that risk management was primarily about preventing bad outcomes rather than also pursuing opportunities. The model was redesigned to emphasize governance, value creation, and organizational flexibility rather than rigid role assignments. For internal audit leaders, these changes carry direct implications for how audit functions operate, what they measure, and how they report to stakeholders.
What Changed in the 2020 Update
The original Three Lines of Defense model, which circulated in European risk guidance in the 2000s and was formalized in the IIA's 2013 position paper, structured organizational risk management around a clear hierarchy: business operations owned and managed risk (first line), risk and compliance functions monitored and oversaw risk (second line), and internal audit provided independent assurance on the effectiveness of both (third line). The model was elegant and widely adopted — its simplicity made it easy to explain to boards and executive teams.
The 2020 update made several substantive changes:
Six principles now frame the model. The three lines remain, but instead of fixing a role for each line, the updated model establishes principles that govern how governance, management, and assurance roles interact. These principles cover governance, governing‑body responsibilities, management responsibilities (first‑ and second‑line roles), internal audit responsibilities, internal audit independence, and creating and protecting value.
“Defense” was removed from the language. The IIA recognized that risk management is as much about seizing opportunities as it is about preventing losses. Framing everything as “defense” distorted how organizations thought about risk — it encouraged risk avoidance over risk‑informed decision‑making.
Second‑line functions are no longer defined by job title. The original model implicitly assigned risk management, compliance, legal, and security functions to the second line. The 2020 update defines second‑line roles by function type — oversight, expertise, and challenge — rather than by organizational unit. This matters because many organizations distribute second‑line responsibilities across multiple functions, and rigid mapping to org charts caused practical problems.
Internal audit explicitly reports to the governing body. The updated model clarifies that internal audit's independence requires a primary (functional) reporting line to the board or its equivalent, with administrative reporting to the CEO for day‑to‑day matters such as budget and staffing. This distinction — between functional reporting and administrative reporting — had always existed but was often poorly understood.
External assurance providers are addressed. The original model focused entirely on internal structures. The 2020 update acknowledges that many organizations rely on external assurance (regulatory examiners, external auditors, certification bodies) and positions these providers as an additional layer rather than a replacement for internal audit.
How Internal Audit Has Adapted — and Where It's Falling Short
Five years of post‑2020 implementation have produced a mixed picture. Many internal audit functions updated their charters and reporting structures; fewer have updated their operating models.
The most common adaptation: governance reporting line adjustments. Audit functions that previously reported to the CFO or COO restructured to report directly to the board or audit committee, with administrative reporting to the CEO. This structural change was the easiest to implement and the most frequently required by external quality assessments.
Less progress on the harder adaptations:
Risk‑based audit planning that reflects organizational strategy. The 2020 model emphasizes that internal audit's work should help the organization achieve its objectives, not just verify that controls are functioning. Many audit functions still produce annual audit plans from backward‑looking risk assessments: they prioritize areas where incidents occurred or where auditors have historically found issues, rather than areas where strategic execution creates new risk exposure. A 2023 IIA survey found that fewer than 40 % of chief audit executives felt their audit plans were genuinely aligned with strategic priorities.
Flexibility in second‑line characterization. The updated model explicitly allows organizations to define their own second‑line structures based on what makes sense for their operations. Many audit functions still treat the three lines as fixed organizational buckets rather than flexible role categories. This creates tension when organizations restructure: if risk and compliance functions are merged, does that change the second line? Under the 2020 model it does not, because the roles define the line, not the org chart. Internal audit should therefore assess second‑line coverage by asking which oversight, expertise, and challenge roles are actually being performed, and by whom, rather than by checking which departments exist.
Value‑creation language in audit communications. The original model encouraged internal audit to frame its work in terms of control failures and deficiencies. The updated model asks internal audit to also communicate what it contributes to organizational value — identifying efficiency opportunities, flagging process improvements, supporting strategic initiatives. This doesn’t mean audit reports become promotional; it means they acknowledge that effective governance creates value, not just protects it.
Integration with emerging risk assessment. The 2020 update emphasizes that the three lines should work together to address emerging risks — risks the organization hasn’t encountered before. Many audit functions still approach emerging risk through a standard risk‑assessment update rather than a dedicated methodology. Horizon scanning, scenario planning, and cross‑functional emerging‑risk identification are still more common in risk‑management functions than in internal audit.
The Six Principles: What They Mean for Audit Practice
The 2020 update's six principles provide a more useful framework for evaluating audit‑function effectiveness than the original three‑line structure. Here’s how each applies to internal audit:
Principle 1: Governance
Effective organizations have governance structures that enable the governing body to fulfill its responsibilities. For internal audit, this means participating in governance forums, contributing to enterprise risk‑management discussions, and providing information that enables informed governance decisions.
Principle 2: Governing‑Body Responsibilities
The governing body (board or equivalent) is responsible for oversight of the organization’s risk management and control. Internal audit serves the governing body by providing independent assurance on whether the organization’s risk management is adequate and effective.
Principle 3: Management Responsibilities
Management is responsible for managing risk and maintaining effective control. Internal audit does not own this responsibility — it provides assurance that management has discharged it. Audit functions that assume ownership of risk‑management activities undermine both this principle and their own independence.
Principle 4: Internal‑Audit Responsibilities
Internal audit provides independent assurance and advice on the adequacy and effectiveness of governance, risk management, and control. The scope includes all organizational activities — not just financial controls, not just IT systems, but everything the organization does.
Principle 5: Internal‑Audit Independence
Internal audit must be independent from the activities it audits. This is the principle that receives the most attention, and it is why internal audit reports functionally to the board rather than to management. Independence is also maintained through auditor‑rotation policies (so that an auditor does not review a function they recently worked in or designed controls for), conflict‑of‑interest management, and audit‑plan approval by the governing body rather than management.
Principle 6: Creating and Protecting Value
All roles in the organization contribute to value creation and protection. Internal audit creates value by providing insight, identifying control failures before they cause losses, and supporting decision‑making with objective information.
How Internal Audit Should Adapt in 2025
Based on patterns observed across implementations, the following adaptations are most impactful:
1. Restructure the Audit Plan to Reflect Strategic Risk
Move from a coverage‑based audit plan (auditing each area on a fixed cycle) to a strategic risk‑based plan. Start with the organization’s strategic objectives and work backward: what risks could prevent those objectives from being achieved? Focus audit resources on the areas with the highest strategic‑risk exposure, regardless of whether those areas have been audited recently.
This requires deeper engagement between internal audit and senior leadership. Internal audit cannot produce a strategic audit plan by reviewing last year’s incidents — it needs to understand where the organization is heading and what could go wrong along the way.
2. Develop Dedicated Emerging‑Risk Capabilities
Establish a formal process for identifying and assessing emerging risks that fall outside the standard risk assessment. This doesn’t require a separate emerging‑risk audit — it means internal audit should have a methodology for surfacing risks that aren’t yet on management’s radar.
Techniques include horizon scanning (reviewing external trends across industries and geographies), scenario planning (building plausible future states and assessing organizational readiness), and engagement with functions that interact with external uncertainty — investor relations, strategy, competitive intelligence.
3. Revise Audit Reporting to Emphasize Insight Over Deficiencies
Traditional audit reporting leads with findings: what failed, what needs to be fixed. Update reporting to lead with insight: what does this mean for the organization, what could happen if it isn’t addressed, and how does it rank against other risks?
The 2020 model explicitly asks internal audit to contribute to value creation, not just control verification. Audit reports that lead with findings and treat them equally miss the opportunity to help readers understand which issues matter most. A control gap in a low‑risk area warrants different attention than the same gap in a high‑risk area — audit reports should make this distinction explicit.
4. Map Assurance Across the Three Lines Before Planning
Before developing the audit plan, map the assurance landscape across all three lines. What assurance is management providing itself through first‑line monitoring and self‑assessment? What assurance are risk, compliance, and similar oversight functions providing in the second line? What assurance comes from external providers such as regulators, external auditors, and certification bodies? What gaps remain that internal audit, as the third line, needs to fill?
Many audit plans include work that duplicates first‑ and second‑line assurance activities — testing controls that management is already testing, reviewing processes that compliance is already monitoring. This wastes audit resources and creates confusion about ownership. Duplication is not automatically wrong: where a control is critical and the existing assurance has never been independently validated, internal audit may legitimately re‑perform it. The point of the map is to make that choice deliberate, so that internal audit concentrates on uncovered risks and on verifying that first‑ and second‑line assurance can be relied upon, rather than unknowingly repeating it.
| Adaptation Area | Common Pre‑2020 Practice | 2020‑Aligned Practice |
|---|---|---|
| Audit Plan Basis | Coverage cycle / historical findings | Strategic risk exposure |
| Second Line Treatment | Fixed organizational mapping | Role‑based flexibility |
| Report Structure | Findings‑led with equal weighting | Insight‑led with risk significance |
| Emerging Risk Approach | Standard risk‑assessment update | Dedicated horizon‑scanning & scenario planning |
Key Takeaways
- Align audit planning with strategy: Start with the organization’s objectives, identify strategic risks, and allocate audit resources accordingly.
- Build an emerging‑risk function: Use horizon scanning, scenario planning, and cross‑functional workshops to surface risks before they materialize.
- Shift reporting focus: Lead reports with insight and risk significance, then present findings as supporting evidence.
- Map the assurance ecosystem: Clearly delineate what the first, second, and third lines are already covering to avoid duplication and fill genuine gaps.
- Reinforce independence: Keep the reporting line to the board strong, and use rotation and conflict‑of‑interest policies to safeguard objectivity.
Conclusion
The 2020 Three Lines Model was a wake‑up call for internal audit: risk management is no longer a defensive exercise but a strategic, value‑creating discipline. Organizations that have merely tweaked reporting lines without revisiting their audit methodology are leaving performance on the table. By redesigning audit plans around strategic risk, institutionalizing emerging‑risk capabilities, reshaping reports to highlight insight, and rigorously mapping assurance responsibilities, internal audit can fulfill the promise of the new model—delivering not just assurance, but real, measurable value to the board and the business. The next few years will be decisive; audit leaders who act now will position their functions as indispensable partners in navigating an increasingly complex risk landscape.