The "four lines of defence model" for financial institutions

FSI Occasional Papers  |  No 11  | 
23 December 2015

Executive summary1

Since the Global Financial Crisis of 2007-09, the design and implementation of internal control systems has attracted serious academic and professional attention. Much research on the effectiveness and characteristics of internal audit functions has been conducted under the sponsorship of the Institute of Internal Auditors Research Foundation (IIARF) and published in academic and professional journals. Despite these efforts, there has been little systematic analysis of how the design of an internal control system affects the efficiency and effectiveness of corporate governance processes, especially at financial institutions such as banks and insurance companies. The "three lines of defence model" has been used traditionally to model the interaction between corporate governance and internal control systems. We consider the existing three-lines-of-defence model could be substantially enhanced by giving it a specific focus on the regulation of banks and insurance companies. We address this deficiency and attempt to ascertain the extent to which these financial institutions - due to their idiosyncratic features and specific regulatory requirements - need a more effective internal control model. Although our study relates to financial institutions in general, our detailed analysis focuses on banking institutions.

In order to account for the specific governance features of banks and insurance companies, we outline a "four lines of defence" model that endows supervisors and external auditors, who are formally outside the organisation, with a specific role in the organisational structure of the internal control system.

Building upon the concept of a "triangular" relationship between internal auditors, supervisors and external auditors, we examine closely the interactions between them. By establishing a four-lines-of-defence model, we believe that new responsibilities and relationships between internal auditors, supervisors and external auditors will enhance control systems. That said however, we also highlight the risk that new problems could be caused by inadequate information flows among those actors.

1 The authors would like to thank the reviewers for the valuable comments and suggestions they received which helped improve the accuracy and validity of the investigation: Prof Robert Melville from CASS Business School, Prof Wilco Oostwounder from the University of Utrecht; and Juan Carlos Crisanto, Stefan Hohl and Raihan Zamil from the Financial Stability Institute of the Bank for International Settlements.