The Three Lines Model helps organisations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.

The model applies to all organisations and is optimised by:

  • Adopting a principles-based approach and adapting the model to suit organisational objectives and circumstances.
  • Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.
  • Clearly understanding the roles and responsibilities represented in the model and the relationships among them.
  • Implementing measures to ensure activities and objectives are aligned with the prioritised interests of stakeholders.

We have adopted the Institute of Internal Auditors Three Lines Model and enhanced the model to include non-financial risk considerations, in particular safety governance.

Three Lines Model

What is Internal Audit?

The definition of ‘internal audit’ is:

An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes (The Institute of Internal Auditors Inc, 2017).

Internal audit is appointed by the governing authority (board of directors) and serves the organisation as a whole.

What is External Audit?

A definition of external audit is:

An audit of financial statements undertaken in accordance with laws and external auditing standards by an external auditor who is independent of the organisation being audited.

Increasingly, external auditors are being asked to provide assurances over other statements made by the organisation or its management. These include sustainability statements or control assurance in relation to services provided to customers (IFRS Foundation, 2022).

External audit serves the owners or prospective owners of an organisation.

In the private sector the external auditor is appointed by the owners (shareholders or members).

In the public sector the external auditor is appointed by the legislature (parliament).

Internal Audit versus External Audit

Auditors of all types whether internal or external must be incisive, focused and diligent with a strong sense of purpose, integrity and ethics. However, the difference between internal audit and external audit is not always well-understood.

There are similarities between the role of internal audit and the role of external audit.

Internal audit and external audit should collaborate to avoid duplication of audit effort and to make sure the external auditor can place reliance on any internal audit work covering components of the external audit scope of work.