third line of defense

The third line of defense in risk management refers to internal audit functions within an organization. They independently evaluate and review the effectiveness of the first and second lines—those involved in day-to-day risk management and controls. Their role is to provide objective assurance that policies are followed, risks are managed appropriately, and internal controls are working as intended. Essentially, they act as an external, unbiased check to ensure the organization’s governance, risk management, and internal control systems are effective, comprehensive, and improving over time.