
Article 6 closed with a one-page exercise: the assurance map, showing which of an organization’s principal risks carry continuous assurance, periodic assurance, or none at all. Boards that complete it honestly usually discover the same two things. First, some risks are assured twice — tested by internal audit, reviewed by compliance, monitored by risk management, each unaware of the others’ work. Second, other risks — often the newest and largest — are assured by no one at all. Both findings have the same root cause: the organization has adopted the language of the Three Lines Model without building the machinery that makes it work. This seventh article in The Internal Audit Imperative™ — the first of the series’ technical-depth pieces — is about that machinery.
The Model, Properly Understood

The Three Lines Model is probably the most-cited and least-implemented governance framework in the Caribbean. Properly understood, it describes roles, not departments. The first line is management: it owns risks and owns the controls that manage them — no risk register or audit report changes that ownership. The second line comprises the functions that help management manage risk and provide challenge: risk management, compliance, information security, quality, actuarial — close to the business, but with a mandate to question it. The third line is internal audit: independent, board-reported assurance over how well the first two lines are working. Above all three sits the governing body, accountable to stakeholders for the whole arrangement.
Two refinements matter. The model’s modern formulation deliberately abandoned the image of three defensive walls in favour of collaboration with distinct accountabilities — the lines exist to work together, not to file past each other. And because the lines are roles, one person or team can serve more than one — common and acceptable in smaller organizations — provided the organization is honest about which hat is being worn, and independence safeguards are documented where it matters.
Why It Breaks Down in the Caribbean

Across the region, the model fails in practice for a short list of recognizable reasons:
- The second line is one person deep. A single compliance officer — often consumed by regulatory filings — stands in for risk management, compliance monitoring, and information security combined. Challenge capacity is theoretical.
- Internal audit does management’s homework. In many organizations the risk register is built and maintained by internal audit, because no one else will. The function ends up auditing its own risk assessment — a quiet but real independence problem.
- Duplication without coverage. The visible risks — cash, procurement, payroll — attract every line’s attention; the emerging ones — cyber, cloud concentration, model risk, ESG data — attract none.
- Ceremonial risk registers. A register updated annually for the board pack, disconnected from decisions, budgets, and audit planning, is documentation — not risk management.
- No shared language. Risk calls it likelihood and impact; compliance calls it breaches; audit calls it findings. The board receives three dialects and no picture.
What the Standards Now Require

The Global Internal Audit Standards convert three-lines cooperation from good practice into obligation. The chief audit executive must coordinate with the other providers of assurance — internal and external — to minimize duplication and gaps; may place reliance on the work of other assurance providers, but only after evaluating their competence, objectivity, and the quality of their work, and remains responsible for the conclusions drawn; and should maintain a view of assurance coverage across the organization’s principal risks — in practice, the assurance map. For boards, the significance is this: a fragmented assurance landscape is no longer merely inefficient. It is a conformance finding.
The Machinery: Five Mechanics That Make the Lines Work

- One assurance map, jointly owned. A single page — principal risks down the side; first-, second-, and third-line activity across the top — maintained as a living document and tabled at every audit committee meeting. The map is the contract between the lines: it shows who covers what, exposes the blank cells, and ends the duplication that no one intended.
- A common risk language. One taxonomy of risks, one rating scale, one set of definitions used by management, risk, compliance, and audit alike — the discipline at the heart of Dawgen’s CARISK™ Without a shared language, coordination meetings are translation exercises.
- A coordinated planning calendar. Risk’s assessment cycle, compliance’s monitoring plan, and internal audit’s annual plan built in sequence, not in parallel — each consuming the others’ outputs, with a joint session before plans are finalized. One planning conversation replaces three surprised ones.
- Documented reliance protocols. Where internal audit intends to rely on second-line work — compliance testing, model validation, security monitoring — the evaluation of that work’s quality is performed once, documented, and refreshed periodically. Reliance without evaluation is delegation; the Standards permit the first and prohibit the second.
- Integrated reporting to the committee. One combined assurance report — the TRUST360™ pattern — in which the board sees each principal risk once, with the first-line position, second-line monitoring, and third-line assurance conclusion side by side. The board’s question changes from “what did each function do?” to “how assured are we, and where are we not?” — which is the question that matters.
The three lines fail as a filing system and succeed as a conversation — one map, one language, one calendar, one report.
The Small-Organization Reality

Most Caribbean entities cannot staff three full lines, and pretending otherwise produces org-chart theatre. The honest alternative is role clarity over structural purity: name which hats each officer wears; document the safeguards where one person serves two lines (disclosed to the board, with sensitive reviews reassigned or co-sourced); let the second line borrow specialist depth — cyber, actuarial, AML analytics — through external support rather than heroic generalism; and where internal audit currently maintains the risk register, plan its handover to management within a defined period, with audit facilitating the transition rather than owning the product. Regulators and quality assessors consistently respond better to a small structure honestly safeguarded than a large one notionally staffed.
What Good Looks Like
In an organization where the machinery works, a director can ask one question about any principal risk — “who gives us comfort on this, and when did they last look?” — and receive one coherent answer. Management states its position; risk and compliance show their monitoring; internal audit states its independent conclusion and when it will next test. New risks enter the map before they mature; assurance follows them there. Nothing about this requires a large organization. It requires an agreed map, a shared language, a sequenced calendar, evaluated reliance, and one report — disciplines, not headcount.

The Dawgen Perspective
When boards ask us where to begin strengthening governance, our answer is rarely “hire more people.” It is almost always “connect the ones you have.” The gap between a fragmented assurance landscape and an integrated one is measured in weeks of design work, not years of recruitment — and it is the highest-return governance investment most Caribbean organizations can make, because every subsequent audit, review, and board paper inherits the coherence.
Dawgen Global designs and implements this machinery across 15+ Caribbean territories: assurance mapping, risk taxonomy and appetite design under CARISK™, integrated assurance reporting under TRUST360™, reliance protocol design, and co-sourced second-line and third-line capacity where structures are thin.
Next in the series: “Cybersecurity as an Audit Mandate: The Topical Requirement Caribbean Firms Can’t Ignore” — what the first mandatory Topical Requirement demands, and how boards should respond to the region’s fastest-compounding risk.
| Connect Your Lines Before Someone Maps the Gaps for You
Dawgen Global’s Integrated Assurance Design engagement delivers the five mechanics in one programme: your assurance map, a CARISK™ risk taxonomy, a coordinated planning calendar, documented reliance protocols, and a TRUST360™ combined assurance report for your audit committee. One map. One language. One picture for the board. Email | [email protected] | dawgen.global | Big Firm Capabilities. Caribbean Understanding. |
About Dawgen Global
Dawgen Global is an independent, integrated multidisciplinary professional services firm headquartered at 47 Trinidad Terrace, New Kingston, Jamaica, serving more than 15 territories across the Caribbean. Founded and led by Dr. Dawkins Brown, Executive Chairman, the firm is independent and not affiliated with any international network. It delivers a full suite of professional services under one roof: audit and assurance; tax advisory; IT and digital transformation; risk management; cybersecurity; actuarial and insurance regulatory advisory; HR advisory; mergers and acquisitions; corporate recovery; business advisory and strategy; accounting BPO and virtual CFO services; and legal process outsourcing.
The proposition is simple: big-firm capability without the big-firm price. Dawgen Global’s integrated approach is built for the specific complexities and opportunities of the Caribbean market, helping organizations make sharper, better-informed decisions that drive measurable progress.
To explore a partnership, reach out:
- Website: dawgen.global
- Email: [email protected]
- WhatsApp (Global): +1 555-795-9071
- Caribbean offices: +1 876-665-5926 | +1 876-929-3670 | +1 876-926-5210

