Travail de fin d'études : "The redesign of the three lines of defense model : reconciling independence and flexibility A comparative analysis of regulated and non-regulated organizations"

Abstract

This thesis looks at how companies use the updated 2020 version of the Three Lines Model to manage risks. The model, created by the Institute of Internal Auditors, is meant to help organizations stay flexible while also keeping internal audit independent. Internal audit is important because it gives fair and unbiased feedback on how risks are being handled, but it must not be influenced by management. At the same time, companies want different teams to work together better to avoid problems like repeating work or missing risks. The research is based on interviews with ten professionals who work in risk management and internal audit. These professionals come from both regulated organizations, like banks, and non-regulated ones, like tech companies or public investment firms. The study compares how these two types of organizations use the Three Lines Model in real life. In regulated companies, rules are very strict. Internal audit teams are clearly separated from management, and their independence is protected by laws and oversight from regulators. These companies usually have formal risk management systems and enough resources to keep roles separate. In non-regulated companies, factors are more flexible. Internal audit and risk management teams sometimes share responsibilities or even work together closely. These companies may not have formal systems, and they depend on internal practices to protect independence. Because of fewer resources, internal auditors sometimes help explain risks to managers or support them, which can create confusion about roles. Even though the updated model allows for more teamwork, all the professionals agree that internal audit must stay independent. It can give advice but should never take responsibility for managing risks. Most interviewees said that when internal audit crosses that line, its objectivity is at risk. The thesis shows that the Three Lines Model works better when organizations are mature and have strong governance. It also highlights that regulated and non-regulated companies face different challenges when trying to follow the model. The study gives practical advice for how organizations can make the model work for them, especially by keeping roles clear, supporting communication, and adjusting the model to fit their size and needs.