Question 19
Domain 1 — Governance and Risk Management Frameworks
What is the third line of defense in the Three Lines of Defense model?
Correct answer: C
Explanation
In the Three Lines of Defense model, the third line is "internal audit," which provides independent assurance over governance, risk management, and internal controls. It sits apart from operational management and the first and second lines, so it can objectively evaluate whether those controls are working.
Why each option is right or wrong
A. Risk management function
B. Internal audit
Under the Institute of Internal Auditors’ Three Lines Model, the third line is the internal audit function, which provides independent and objective assurance to the board and senior management over governance, risk management, and control. The first line is operational management and the second line is risk/compliance oversight, so the separate assurance role belongs to internal audit rather than those management functions.
C. Business operations
D. External auditors