Skip to main content

Three Lines of Defense Model

Each role in an organization has responsibilities that directly relate to one or more COSO principles. The Institute of Internal Auditors (IIA) presents the following model to communicate the role each member plays in mitigating the university’s risks.

In the Three Lines of Defense Model, key areas responsible for carrying out control activities are grouped together and presented according to their respective role in the risk management and control of an organization. A key part of the model is coordination and communication between all three lines to ensure control responsibilities are understood by members in all three lines.

 3 line


Graphics sourced from  The IIA's Three Lines Model , The Institute of Internal Auditors, July 2020.

First Line

Description/Role Examples
  • Leads and directs actions (including managing risk) and application of resources to achieve the objectives of the organization.
  • Maintains a continuous dialogue with the governing body, and reports on: planned, actual, and expected outcomes linked to the objectives of the organization; and risk.
  • Establishes and maintains appropriate structures and processes for the management of operations and risk (including internal control).
  • Ensures compliance with legal, regulatory, and ethical expectations.
  • Financial Unit Managers
  • Business Unit/Entity Approvers
  • Grant Managers


Second Line

Description/Role Examples
  • Provides complementary expertise, support, monitoring, and challenge related to the management of risk, including:
    • The development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems, and entity level.
    • The achievement of risk management objectives, such as: compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance.
  • Provides analysis and reports on the adequacy and effectiveness of risk management (including internal control).
  • A risk management function (e.g., Risk and Insurance Management, Enterprise Risk Management)
  • A compliance function (e.g. Office of Contract and Grant Accounting, Sponsored Programs Administration, Athletics Compliance Office, IT Security Officer)
  • A controllership function (e.g. Central Finance)


Third Line

Description/Role Examples
  • Maintains primary accountability to the governing body and independence from the responsibilities of management.
  • Communicates independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control) to support the achievement of organizational objectives and to promote and facilitate continuous improvement.
  • Reports impairments to independence and objectivity to the governing body and implements safeguards as required.
  • Office of Audit, Risk, & Compliance