The three lines of defence: building effective governance and managing risk

In an environment characterised by heightened regulatory expectations, rapid technological advancement, and increasingly complex risk landscapes, effective governance frameworks have become indispensable for organisations. The Three Lines of Defence (3LOD) model has long served as a foundational framework for clarifying roles and responsibilities across governance, risk management, and internal control. Although originally designed to structure risk and control functions, the model has since evolved, both in practice and through regulatory guidance, to reflect a more integrated and holistic approach to organisational governance.
Origins and Evolution of the Model
The 3LOD model originated as a simple yet powerful framework for clearly defining accountability in risk management. Under the original model, the first line comprised operational management and control activities, the second line included risk management and compliance oversight, and the third line was independent internal audit assurance.
In 2020, the Institute of Internal Auditors (IIA) updated the model, now referred to as the Three Lines Model, emphasising collaboration, clear accountabilities, and value creation in addition to protection. This modernisation also reinforces the role of governing bodies and clarifies how management functions intersect within the first two lines. The updated model underscores that first and second-line responsibilities reside within management, but with differentiated focus areas and expertise.
First Line: Operational Ownership of Risks
The first line of defence consists of business units and operational management, which are responsible for the day-to-day ownership and management of risk. These actors implement internal controls, adhere to policies, and directly interact with clients and markets. In a banking context, for example, the credit risk team within lending operations carries out risk assessments, approves loan applications within delegated limits, and monitors portfolio quality. Their control procedures, such as verifying borrower documentation, mitigate operational risk proactively.
Under MFSA governance guidance, organisations are expected to embed robust operational controls and ensure that staff are trained to apply procedures effectively, such as regular testing of business continuity protocols.
Second Line: Oversight, Policy and Independent Monitoring
The second line encompasses risk management, compliance, and specialised control functions. These units develop risk frameworks, define policies, monitor adherence, and challenge first-line activities where necessary. They do not operate the business but ensure that risks are properly identified and managed.
For example, a financial institution’s AML/CTF compliance function continuously reviews transaction monitoring systems to ensure suspicious activity is escalated and reported. In larger organisations, the risk function may aggregate enterprise-wide risk metrics, reporting breaches of risk appetite to senior leadership. The MFSA’s supervisory priorities for 2025 highlight that authorities will continue scrutinising how governance, risk and compliance (GRC) functions are structured to ensure effective oversight.
Third Line: Independent Assurance
The third line of defence, typically internal audit, provides independent and objective assurance to the governing body on the effectiveness of governance, risk management, and internal controls. Internal auditors assess both first and second-line activities against established standards and organisational objectives, issuing audit reports that inform board committees and senior leadership on control gaps, risks, and remediation plans.
For instance, an internal audit team may conduct a risk-based review of cybersecurity controls, outsourcing arrangements, access controls, and incident response capabilities. Their findings not only verify compliance with internal standards but also help prioritise investments and risk reduction strategies.
When it comes to the Third Line of Defence, independence is critical. Internal audit functions must operate free from management influence to ensure credibility and objectivity.
Integration with MFSA Governance Expectations
The MFSA Corporate Governance Code and related manuals require authorised entities to maintain effective governance and internal controls commensurate with their size, nature, and complexity. These principles, including stakeholder engagement, ethical conduct, and the operation of internal controls, dovetail with the three lines framework.
Moreover, the General Code of Conduct for Decision Makers recently published by the MFSA emphasises accountability, compliance, and ethical decision-making, reinforcing cultural expectations that complement structural frameworks like the three lines model.
Benefits and Implementation Challenges
When effectively implemented, the three lines model clarifies governance roles, enhances communication, and strengthens organisational resilience. It creates a shared language that reduces ambiguity around who “owns,” “monitors,” and “assures” risk management activities. However, challenges persist, particularly in delineating responsibilities in smaller organisations where roles may overlap, or in ensuring that second-line units challenge first-line activities without impeding operational efficiency.
Conclusion
The Three Lines of Defence remains a timeless yet adaptable architecture for modern governance. Its alignment with MFSA regulatory expectations underscores its relevance in promoting robust risk management, ethical behaviour, and organisational accountability. By integrating these principles into corporate governance frameworks, organisations can better navigate risks while delivering value to stakeholders in an increasingly complex global environment.
At the same time, in practice it is not uncommon for the boundaries between the three lines to become blurred, particularly in smaller or fast-growing organisations where roles may overlap. Such convergence, while sometimes operationally convenient, can weaken oversight and dilute accountability if not carefully managed. It is therefore imperative that boards and senior management remain vigilant in preserving the integrity of the model, by ensuring clear role definition, effective challenge, and true independence of assurance functions. Continual reflection on and reinforcement of the Three Lines framework is essential to maintaining its effectiveness as a cornerstone of sound governance.