Why the Three Lines Model Matters for Your CIA Exam
The Three Lines Model is one of the most frequently tested concepts in CIA Part 1. It sits within Domain V (Governance, Risk Management, and Control), which at 35% carries the largest weighting of any Part 1 domain. Understanding the model thoroughly, including the specific roles assigned to each line and how the IIA distinguishes between them, is a meaningful advantage in any exam session.
The IIA published its updated Three Lines Model in 2020, replacing the older Three Lines of Defence framework. The two models cover similar territory but differ in language and emphasis. CIA exam questions test the current 2020 model, so if your study materials still describe "lines of defence," check whether they reflect the updated framework.
The Core Idea
The Three Lines Model describes how responsibilities for risk management and control are distributed within an organisation. It is built around the concept that different parties within an organisation provide different types of assurance about whether risks are being managed effectively.
The three lines are:
- First line: Management and operational staff who own and manage risks as part of their day-to-day responsibilities.
- Second line: Risk management and compliance functions that support, advise, and monitor first-line activities.
- Third line: Internal audit, which provides independent assurance to the governing body and senior management.
Separately, the model places the governing body (typically the board and its audit committee) outside the three lines, as the party to which all three lines are ultimately accountable. Senior management is not a fourth layer outside the model: in the 2020 version, management as a whole holds the first- and second-line roles, while internal audit holds the third-line role and is accountable directly to the governing body.
The First Line: Operational Management
The first line consists of the people who run operational activities and own the associated risks. They are responsible for managing risks because they are closest to the processes, decisions, and activities that create risk in the first place.
In practical terms, the first line includes business unit managers, branch staff, trading desks, credit teams, and any other operational function whose activities generate risk. Their role in the model is to:
- Design and operate effective controls within their processes
- Identify and manage risks within their areas of responsibility
- Report risk information accurately to senior management
A common misconception is that risk ownership sits with the risk management function (the second line). The model is explicit that risk ownership sits with the first line. Risk managers advise; operational managers own.
CIA exam questions frequently test this distinction. If a question describes a scenario where the risk management team is characterised as "owning" an operational risk, the correct analysis under the Three Lines Model is that this represents a misallocation of responsibility. Risk ownership belongs with the people making operational decisions, not with the oversight functions.
The Second Line: Risk Management and Compliance Functions
The second line provides oversight, guidance, and challenge to the first line. It does not own operational risks; it helps the first line manage them more effectively and provides an additional level of monitoring for senior management.
Typical second-line functions include:
- Risk management: Setting the risk framework, risk appetite statements, and risk methodologies; aggregating and reporting risk information; challenging the first line's risk assessments.
- Compliance: Monitoring adherence to regulations, policies, and legal requirements; providing guidance on regulatory obligations; reporting compliance breaches.
- Finance and financial control: Financial reporting oversight, management accounting, and control monitoring (though the boundary between first and second line in finance can be organisation-specific).
The key characteristic of the second line is that it supports and challenges the first line while maintaining some degree of independence from operational activities. Second-line functions are typically not independent enough to provide the same level of assurance as internal audit, because they are often involved in designing the controls they monitor and report to senior management rather than directly to the governing body.
CIA candidates should note that the second line is often described as providing oversight rather than assurance. The distinction matters for exam questions: internal audit provides independent assurance; the second line provides monitoring and challenge.
The Third Line: Internal Audit
The third line is the internal audit function, which provides independent assurance to the governing body and senior management that the organisation's governance, risk management, and internal control processes are working as intended.
The defining characteristic of the third line is independence. Internal audit must be independent of both the first line (operational management) and the second line (risk and compliance functions) to provide credible assurance. The head of internal audit (Chief Audit Executive) reports functionally to the governing body, usually through its audit committee, and at most administratively to senior management. That functional reporting line is the structural mechanism that protects independence.
The scope of internal audit assurance includes:
- Governance processes and the effectiveness of the governing body's oversight
- Risk management frameworks and whether risks are being identified and managed appropriately
- Internal control effectiveness across first and second line activities
- Compliance with laws, regulations, and policies
- Reliability of financial and operational reporting
A point that CIA exam questions test carefully is that internal audit does not own or manage the risks it reviews. Internal audit assesses whether the first line is managing risk appropriately. If internal audit takes on management responsibilities (for example, designing controls or deciding on risk mitigation strategies), its objectivity is impaired and it cannot provide credible assurance over those activities.
The 2020 model is also explicit that internal audit's assurance spans both first- and second-line activities. Internal audit should not limit its scope to verifying that risk and compliance functions have done their job; it should also assess whether the underlying risks in first-line activities are being identified and managed appropriately.
The Governing Body and Senior Management
The governing body (board and audit committee) sits above the three lines in the model and is itself accountable to stakeholders for oversight of the organisation. Its role is to set the organisation's direction and oversee how management pursues that direction, including receiving and acting on assurance provided by all three lines.
Senior management is part of management and therefore holds first- and second-line roles rather than sitting outside the lines. In practice it delegates day-to-day risk ownership to first-line managers, directs the second line's monitoring and challenge activities, and receives assurance from internal audit alongside the governing body.
A specific point relevant to CIA exam questions is the relationship between the governing body and internal audit. The model specifies that internal audit has a direct accountability relationship with the governing body, typically through the audit committee. This relationship is what protects internal audit's independence: if internal audit reported solely to the CEO or CFO (senior management), its independence from management activities would be compromised.
How Exam Questions Test the Model
CIA Part 1 exam questions on the Three Lines Model typically take one of three forms:
Role identification: A scenario describes a function or activity and asks which line it belongs to. For example: "A compliance officer monitors a sample of approved loan applications against regulatory requirements and reports breaches to the risk committee. Which line does this function represent?" The answer is the second line: the officer is monitoring and challenging first-line activity, not approving the loans.
Independence and impairment: A scenario describes a situation where one line has taken on responsibilities that belong to another, and asks whether this represents an impairment or a conflict. For example: "Internal audit designed the risk management framework that it is now assessing. Does this impair internal audit's independence?" The answer is yes, because internal audit cannot objectively assess a framework it designed.
Accountability relationships: A question asks who a particular function reports to, or who bears accountability for a particular risk. These questions test whether candidates understand that risk ownership sits with the first line, oversight sits with the second line, and independent assurance is provided by the third line to the governing body.
The 2020 Update: What Changed
The shift from "Three Lines of Defence" to the "Three Lines Model" in 2020 reflected the IIA's view that the language of "defence" implied a predominantly negative or compliance-oriented view of risk management. The updated model:
- Emphasises that all three lines add value rather than simply preventing harm
- Treats the lines as roles rather than organisational units, so a single function may perform first-line and second-line roles at different times
- Explicitly positions the governing body as the recipient of assurance from all three lines, rather than as an oversight layer sitting above a defensive structure
- Encourages a more collaborative relationship between internal audit and the other lines, including sharing information and coordinating coverage, without compromising independence
For CIA candidates, the practical implication is that exam questions based on the 2020 model may emphasise the positive contribution of all three lines to organisational objectives, rather than framing the question purely in terms of control and defence.
Practise Domain V questions including governance, risk management, and control topics to test your understanding of the Three Lines Model in exam scenarios.
