
In a perfect world, internal controls would be 100% effective once implemented. In reality, organizations need multiple lines of defense or barriers to guard against the risk that they will not achieve their objectives. The internal audit function is the last of three lines of defense recommended by the Institute of Internal Auditors (IIA) in its Three Lines of Defense Model.
As a precursor to the three lines of defense, boards govern and determine strategy. Senior management operationalizes the strategy and selects, develops and evaluates internal controls, with board oversight.
Against this backdrop, operational management is the first line of defense. It supervises and manages operations to ensure compliance with risk and internal control systems. Risk and compliance functions are the second line of defense, monitoring the adequacy and effectiveness of internal controls, reporting, compliance, and remediation of deficiencies. Both lines are accountable to senior management.
The third and last line of defense is internal audit. It does not own, create, or manage risks, and it does not design or implement controls. It is unique because its role is to provide objective and independent assessments to the board as to whether the other two lines of defense are operating effectively.
The IIA says all three lines of defense are necessary regardless of an organization’s size.
Meeting your duty of care
Improve your internal audit function by ensuring that it:
- Preserves its independence by reporting directly to the board or like body;
- Is professional and uses internationally recognized standards; and
- Has the required budget and access to resources.
For organizations without an internal audit function, remember, there are several options for accessing this service, ranging from the traditional in-house model to a fully outsourced team, and various options in between.

Read more about strategies to help you implement an effective internal audit function, or improve the one you have, in Finance and Accounting PolicyPro (GV 1.08 – Relationship with Internal Auditors).
Policies and procedures are essential to managing cut-off and other internal controls, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, co-published by First Reference and Chartered Professional Accountants Canada (CPA Canada), contains sample policies, procedures and other documents, plus authoritative commentary in the areas of finance and accounting and not-for-profit management, to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request a free 30-day trial of Finance and Accounting PolicyPro here.