The IIA has just updated the Three Lines Model, and this version is braver than the last. It doesn't stop at the org chart. It names the messy design choices real organizations face — overlapping roles, reporting lines, even what to do when the head of internal audit also oversees a controls function. Most professionals will still read it as a diagram: management owns risk, second-line functions support, internal audit assures independently, the board oversees.
I read it differently — because over 18 years, I've occupied every one of those boxes. And here's the thing: the model now describes many of these design choices well. What it can't do — what no document can — is tell you what each line feels like from the inside, or why the wiring between them matters so much that organizations keep getting it wrong until they've felt the cost.
The third line, first time around
I started in internal audit — first in consulting at EY, then corporate audit at Asian Paints. I was technically sharp and, in hindsight, occasionally tone-deaf.
Early on, I issued a finding on a plant process that was correct on paper. The plant head didn't dispute the facts. He disputed the framing — because implementing my recommendation exactly as written would have slowed a production line during peak season. I had audited the control. I hadn't understood the business.
That's the third line's occupational hazard: independence can quietly become distance. The IIA's new guidance actually warns about this — it says independence should never become isolation. True. But you don't learn that from a principle. You learn it from a plant head who's right to be annoyed with you.
Crossing into the first line
Then I did something unusual for an auditor — I moved into the business. Procurement at Asian Paints, owning conversion costs across outsourced manufacturing. Later, Supply Chain FP&A at Mondelēz, responsible for planning across a USD 0.9 billion COGS base.
Two things changed my worldview permanently.
First, I discovered what pressure actually feels like. When you're closing a monthly forecast, negotiating processing charges, and chasing a productivity target, a data request from audit doesn't feel like assurance. It feels like friction — arriving at exactly the wrong week.
Second, I learned that most control failures aren't about bad people. They're about good people making trade-offs under time pressure, with incentives that reward speed. The first line isn't careless about risk. It's busy.
The second line: the hardest seat in the house
As Head of Internal Controls for India and Bangladesh at Mondelēz, I sat in the middle — close enough to the business to be useful, independent enough to say no. The business wants you to enable, audit wants you to enforce, and you serve both without fully belonging to either.
One example that shaped me: our inventory write-off process had approval layers that looked rigorous but added no real control — just delay and storage cost. I simplified it. A controls head removing approvals raises eyebrows. But the redesign saved roughly half a million dollars and, counterintuitively, improved accountability, because fewer approvers meant clearer ownership. More control is not better control.
The design choice the model now names — but you have to live to understand
Here's where the updated model and my own career collide.
The new Statement of Position does something the old diagram didn't: it explicitly addresses what happens when the second and third lines overlap — including the case where the chief audit executive supervises another assurance or compliance function. It even lists the safeguards that make that arrangement legitimate: clear separation between the supervised function's operations and audit's own assurance work; board approval of the expanded remit; periodic independent review of the dual-responsibility area; and disclosure to the board whenever objectivity might be at risk.
I know those safeguards aren't abstract, because I lived inside the exact arrangement they describe.
For years, in the global organization I worked at, internal controls reported into the first line. Each market's controls lead reported to that country or regional finance head. On paper, sensible: keep controls close to the business it serves. In practice, it created a blind spot I watched play out again and again.
Because each controls person reported only into their own market, each one could only see their own market. The controls lead in one country had no window into what her counterpart three borders away had already solved. There was no cross-market conversation, no shared library of what good looked like. Twelve smart people, each solving in isolation.
The cost of that isolation was painfully visible in audit findings. The same order-to-cash weakness would surface independently in one country, then another, then a third — each treated as a fresh discovery, each remediated locally, none of them learning from the others. Repeat findings across markets weren't a competence problem. They were a wiring problem — exactly the kind of fragmented, siloed assurance the new model warns against.
The fix the organization adopted was elegant, and it maps almost line for line onto the safeguards the IIA now spells out. They did not merge the second and third lines — that would have destroyed audit's independence. Instead, they re-routed the second line's reporting into the third: regional heads were retitled "Head of Internal Audit and Controls," so both functions sat under one shared leader. But beneath that shared head, the audit and controls teams stayed operationally separate — a deliberate wall between them.
That wall wasn't just culture; it was governed. The expanded remit was approved at the top. Controls retained clear ownership of its own operations. Audit's assurance over the controls area was kept distinct — and where the same leader sat over both, independent eyes reviewed that overlap so the person supervising controls wasn't quietly grading their own homework. Controls didn't hand audit everything; it shared findings only on a need-to-know, exception basis. Independence preserved — connection created.
Think of it like a bank where the same institution runs both the trading desk and the research desk, but builds a barrier so one can't improperly influence the other. Same principle: shared leadership, separated work, disclosed and reviewed.
The outcome was exactly what the old structure couldn't deliver. Audit, by definition, sees every market. Now that cross-market pattern recognition could flow into controls. The second line stopped being twelve isolated islands and started operating with the whole map.
I felt this personally, because I made that exact transition — from the third line into the second — right as this took hold. As a controls leader, I was no longer limited to what I could see in my own patch. I could reach for the best practice audit had already found in another market and bring a better, faster fix to mine. I wasn't reinventing solutions. I was importing proven ones.
That's the real lesson. The updated model can now tell you that this design choice exists, and even how to make it safe. What it can't tell you is what the old wiring costs you before you fix it — the same finding landing three times, twelve good people each convinced they're the first to see the problem — or how much sharper the second line becomes the moment it can finally see the whole map. The diagram gives you the safeguards. Only the chair gives you the conviction to use them.
What the model still can't put on the page
The model works best when the people in each line have genuine empathy for the other two — and when the org has thought hard about how information flows between them. There's no substitute for having sat in each chair: knowing the pressure of the forecast week, the loneliness of the middle seat, the temptation of distance in the third line.
The IIA has given boards a much better map than they had five years ago. But a map isn't the terrain. The reason the same structures work in one organization and quietly fail in another usually isn't the diagram — it's whether the people wiring the lines have ever felt what it's like to stand in each of them.
If you're an audit leader wrestling with where your controls function should report, or a business leader who wants audit to show up as a partner rather than a police force — I'd genuinely enjoy comparing notes. My DMs are open, and I'm always happy to discuss this at industry forums.
Which line have you spent most of your career in — and what do you wish the other two understood about it?