The Model Everyone Cites and Nobody Implements

Ask any governance professional about the three lines model and you will receive a confident explanation: the first line owns and manages risk, the second line provides oversight and expertise, and the third line delivers independent assurance. The model is elegant, logical, and universally endorsed. It appears in every governance textbook, every regulatory guidance document, and every professional standards framework.

There is just one problem. In the vast majority of organisations, the model does not actually work.

The reality, in organisation after organisation, is a three lines model that exists on paper but fails in practice. The first line treats risk management as someone else’s problem. The second line duplicates the work of the third line without adding distinct value. The third line operates in isolation, unaware of what the second line is doing and unable to rely on it. The Board receives fragmented, inconsistent assurance from multiple providers and has no integrated view of the organisation’s risk and control landscape. Everyone has a role, but nobody has a shared picture.

This article addresses the governance partnership dimension of the IAVANTAGE™ Framework – the “G” pillar that determines whether Internal Audit’s work actually influences organisational behaviour and decision-making. We will examine why the three lines model fails so frequently, propose a practical framework for making it work, and provide tools for building the integrated assurance capability that Boards need and deserve.

“The three lines model is not broken in theory. It is broken in execution. The gap between the elegant diagram on the governance framework slide and the reality of how assurance actually operates in most organisations is vast – and it is Internal Audit’s responsibility to help close it.” — Dawgen Global

Six Reasons the Three Lines Model Fails in Practice

Based on our advisory work across dozens of organisations, Dawgen Global has identified six recurring failure patterns that prevent the three lines model from delivering its intended value:

 

  1. Accountability Confusion. The model describes roles but does not prescribe accountabilities. When a control failure occurs, the first line blames inadequate oversight by the second line. The second line blames inadequate implementation by the first line. The third line notes in its report that both were deficient. Nobody takes ownership of the fix because nobody believes the problem is exclusively theirs. The result is a perpetual cycle of findings, recommendations, and incomplete remediation.

  2. Duplication Without Coordination. In many organisations, the second and third lines perform overlapping work without knowing it. The compliance function tests AML controls. Internal Audit tests AML controls. External audit tests AML controls. Each produces its own report with its own findings and its own recommendations. The Board receives three different perspectives on the same topic, none of which reference the others. Resources are wasted, management is frustrated by multiple reviews of the same area, and the Board cannot determine which assessment to rely on.

  3. First Line Abdication. The most fundamental failure in the three lines model is first-line abdication of risk ownership. When the second and third lines are perceived as “the risk people,” operational managers conclude that risk management is not their responsibility. Controls are maintained to satisfy auditors rather than to protect the business. Risk assessments are completed to tick a box rather than to inform decision-making. The first line becomes a passive participant in a governance framework that depends on their active ownership.

  4. Second Line Identity Crisis. The second line – risk management, compliance, quality assurance – often struggles to define its distinct value proposition. If the first line owns risk and the third line provides assurance, what exactly does the second line do? Too often, the answer is “a bit of both”: conducting testing that looks like audit work, producing reports that duplicate audit findings, and providing advice that management could obtain from consultants. The second line that cannot clearly articulate its unique contribution becomes a target for cost reduction.

  5. Structural Fragmentation. In many organisations, the three lines do not report through a coherent governance structure. The CRO reports to the CEO. The Chief Compliance Officer reports to the General Counsel. The CAE reports to the CFO administratively and the Audit Committee functionally. External audit reports to the Audit Committee. Each assurance provider operates within its own reporting silo, with different mandates, different timelines, and different formats. Integration requires deliberate effort that the governance structure does not incentivise.

  6. The Board’s Passive Role. The Board and Audit Committee are the ultimate beneficiaries of the three lines model, yet they often play a passive role in making it work. They receive reports from each line separately, do not demand coordination, and do not hold the three lines accountable for providing an integrated assurance picture. The Board that does not actively require integrated assurance will not receive it – because integration requires effort that no single line is motivated to undertake without Board mandate.

 

 

The IAVANTAGE™ Integrated Assurance Framework

The IAVANTAGE™ Framework addresses these failures through a practical, implementable approach to integrated assurance. The framework has four components: clarity of roles, coordination mechanisms, combined reporting, and Board stewardship.

 

COMPONENT 1: CLARITY OF ROLES – THE RACI FOR GOVERNANCE

 

The first step is to replace the abstract model with a specific accountability matrix that defines, for each major risk category, exactly who is Responsible for managing the risk (first line), who is Accountable for oversight (second line), who is Consulted for expertise, and who provides Independent assurance (third line). This RACI matrix should be documented, approved by the Board, and reviewed annually.

 

| RISK DOMAIN | 1ST LINE (Owns & Manages) | 2ND LINE (Oversees & Advises) | 3RD LINE (Assures) | BOARD (Stewards) |
| --- | --- | --- | --- | --- |
| Financial Reporting Risk | CFO / Finance teams implement controls and produce reports. | Financial Controller reviews; external reporting team validates. | IA audits financial controls; EA audits financial statements. | AC approves accounts; reviews IA and EA findings. |
| Regulatory Compliance | Business units implement compliance procedures. | Compliance function monitors, advises, and tests. | IA provides independent assessment of compliance framework. | AC reviews compliance dashboard; approves compliance plan. |
| Cybersecurity Risk | IT operations implement security controls and monitor threats. | CISO/Security team sets policy, monitors, and tests. | IA/IT Audit assesses security framework effectiveness. | Board reviews cyber risk appetite; receives breach reports. |
| Credit / Market Risk | Front office manages positions within approved limits. | Risk Management sets limits, monitors, and stress tests. | IA audits risk framework, model governance, and limit compliance. | Board Risk Committee sets appetite; reviews stress test results. |
| Operational Risk | Business units identify, assess, and manage operational risks. | Operational Risk team facilitates RCSA, monitors KRIs. | IA audits operational risk framework and key processes. | AC/Risk Committee reviews operational risk profile. |
| ESG / Climate Risk | Operations implement sustainability practices. | Sustainability team sets targets, monitors, and reports. | IA assesses ESG data quality and reporting accuracy. | Board approves ESG strategy; reviews assurance results. |

 

COMPONENT 2: COORDINATION MECHANISMS

 

Clarity of roles is necessary but not sufficient. The three lines must actively coordinate their activities to eliminate duplication, close coverage gaps, and share intelligence. The IAVANTAGE™ Framework prescribes four coordination mechanisms.

First, a quarterly Three Lines Coordination Meeting, chaired by the CAE, bringing together representatives from Internal Audit, Risk Management, Compliance, and other second-line functions. The agenda covers upcoming assurance activities, identified coverage gaps, shared findings and themes, and emerging risks requiring multi-line response.

Second, a shared assurance calendar that maps all planned assurance activities across all three lines, preventing duplication and enabling the identification of areas where no assurance is planned. Third, agreed reliance protocols that define the conditions under which Internal Audit can rely on second-line testing, reducing duplication while maintaining audit quality. Fourth, a common risk taxonomy that ensures all three lines are using the same risk language, categorisation, and assessment criteria.

 

COMPONENT 3: COMBINED REPORTING

 

The ultimate deliverable of integrated assurance is a Combined Assurance Report that provides the Board with a single, comprehensive view of assurance coverage and results across all three lines. This is perhaps the most impactful innovation that a CAE can introduce to the governance framework.

The Combined Assurance Report should include an assurance coverage map showing, for each material risk, what assurance has been provided by each line; a consolidated view of significant findings and themes across all assurance providers; identified coverage gaps where no assurance has been provided; an overall assurance assessment for each material risk (adequate, partially adequate, or inadequate); and a forward-looking view of planned assurance activities for the next quarter.

The format should be visual and concise. A heat-map style dashboard, colour-coded by assurance adequacy, allows the Board to immediately identify areas of concern and areas of comfort. The Combined Assurance Report does not replace individual reporting by each line – it synthesises and contextualises their work into a governance-ready format.

“The Board that receives separate reports from risk, compliance, internal audit, and external audit must perform its own integration – a task it is not equipped for and should not be asked to do. The Combined Assurance Report does this integration for the Board, providing the unified picture that governance demands.” — Dawgen Global

 

COMPONENT 4: BOARD STEWARDSHIP

 

The final component places responsibility where it ultimately belongs: with the Board. The three lines model only works when the Board actively demands that it works. This means the Board must explicitly endorse the integrated assurance framework, require coordination between assurance providers, receive and review the Combined Assurance Report quarterly, hold each line accountable for fulfilling its defined role, and challenge coverage gaps and assurance inadequacies.

The CAE plays a pivotal role in educating the Board on integrated assurance. Many Board members have never seen a Combined Assurance Report and do not know to ask for one. The CAE who takes the initiative to propose, develop, and deliver this capability demonstrates precisely the kind of strategic leadership that the IAVANTAGE™ Framework envisions.

 

 

Building the Combined Assurance Map: A Step-by-Step Guide

The Combined Assurance Map is the foundational tool for integrated assurance. It provides a visual representation of what assurance exists, what gaps remain, and how different providers complement each other. Here is the practical methodology for building one:

 

Step 1: Define the Assurance Universe. Start with the organisation’s material risks – typically the top twenty to thirty risks from the enterprise risk register, supplemented by any additional risks that the Board considers strategically material. Each risk becomes a row in the assurance map.

 

Step 2: Identify All Assurance Providers. Map every function that provides assurance on any aspect of the risk universe: Internal Audit, Risk Management, Compliance, Quality Assurance, Health and Safety, Information Security, External Audit, and any specialist reviewers. Each provider becomes a column in the assurance map.

 

Step 3: Populate the Coverage Matrix. For each risk-provider intersection, document what assurance activity has been performed in the past twelve months or is planned for the current period. Classify each cell as full assurance (comprehensive review completed), partial assurance (some testing or monitoring but not comprehensive), no assurance (no coverage by this provider), or reliance available (another provider’s work can be relied upon).

 

Step 4: Identify Gaps and Overlaps. Analyse the completed map for risks where no provider has delivered assurance (coverage gaps), risks where multiple providers have delivered the same assurance (unnecessary duplication), and risks where only one provider has delivered assurance and that assurance is partial (single-point vulnerability).

 

Step 5: Assess Overall Assurance Adequacy. For each material risk, provide an overall assessment of assurance adequacy based on the combined coverage. This assessment considers the number and quality of assurance providers covering the risk, the recency and comprehensiveness of their work, and the consistency of their findings.

 

Step 6: Develop the Coverage Response Plan. For identified gaps, define how they will be closed: additional Internal Audit engagement, enhanced second-line monitoring, external specialist review, or accepted risk exposure with Board acknowledgement. For identified overlaps, define how duplication will be eliminated through agreed reliance protocols.

The Reporting Revolution: From Finding Factories to Strategic Briefings

The Governance Partnership pillar extends beyond the three lines model to encompass the quality and impact of Internal Audit’s own reporting. If the three lines model is the architecture of governance, audit reporting is its language. And in too many organisations, that language is failing.

The typical audit report is a document that nobody wants to read. It is long, procedural, filled with technical jargon, and structured around audit methodology rather than business impact. The executive summary is not actually a summary but a condensed version of the full report. The findings are described in terms of control deficiencies rather than business risks. The recommendations are generic rather than actionable.

The IAVANTAGE™ approach to audit reporting inverts the traditional structure. Reports should lead with impact: what is the business risk, how significant is it, and what should management do about it? Every report should open with a one-page executive brief that can be read in under three minutes and that communicates the essential message without requiring the reader to navigate the rest of the document. The detail exists for those who want it, but the insight is immediately accessible.

Visual communication is essential. Risk heat maps, trend charts, and comparison dashboards communicate more effectively than paragraphs of narrative. The best audit reports we have seen use data visualisation to show not just what the findings are but how they compare to prior periods, to peer organisations, and to the Board’s risk appetite thresholds.

Perhaps most importantly, the CAE’s quarterly Audit Committee presentation should be a strategic briefing, not a status report. It should synthesise themes from across the quarter’s engagements, connect findings to strategic risk implications, provide the CAE’s independent perspective on the organisation’s governance and risk posture, and highlight emerging risks that require Board attention. This is the conversation that builds the CAE’s reputation as a strategic advisor rather than a compliance reporter.

Build Your Integrated Assurance Capability

Integrated assurance is not built overnight. It requires deliberate effort, stakeholder buy-in, and practical tools. Dawgen Global provides comprehensive support for organisations ready to transform their governance model.

 

YOUR NEXT STEP

Request Your IAVANTAGE™ Integrated Assurance Workshop

Dawgen Global facilitates a half-day Integrated Assurance Workshop that brings together representatives from all three lines to build your organisation’s Combined Assurance Map, establish coordination protocols, and design the reporting framework your Board needs. Participants receive all templates, tools, and a customised implementation roadmap.


 

CATCHING UP ON THE SERIES?

Articles 1–7 cover the Expectation Gap, Maturity Model, Seven Pillars, Business Case, Technology, CAE Leadership, and Dynamic Planning.

Read all articles: www.dawgen.global 

 

Coming Next in the IAVANTAGE™ Series

Article 9: “The Talent Imperative: Building the Audit Team of the Future” – A comprehensive guide to recruiting, developing, and retaining the diverse, digitally fluent, strategically minded professionals that a Level 3+ audit function demands. With competency frameworks, career development models, and practical retention strategies.

 

About Dawgen Global

Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a steppingstone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.


Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements.

by Dr Dawkins Brown

Dr. Dawkins Brown is the Executive Chairman of Dawgen Global, an integrated multidisciplinary professional service firm. Dr. Brown earned his Doctor of Philosophy (Ph.D.) in the field of Accounting, Finance and Management from Rushmore University. He has over twenty-three (23) years’ experience in the field of Audit, Accounting, Taxation, Finance and Management. Starting his public accounting career in the audit department of a “big four” firm (Ernst & Young), and gaining experience in local and international audits, Dr. Brown rose quickly through the senior ranks and held the position of Senior Consultant prior to establishing Dawgen.


Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region. We are integrated as one Regional firm and provide several professional services including: audit, accounting, tax, IT, Risk, HR, Performance, M&A, corporate recovery and other advisory services.


© 2023 Copyright Dawgen Global. All rights reserved.

© 2024 Copyright Dawgen Global. All rights reserved.