PlumBot: Bot: Creating new article from JSON

2026-03-18T02:34:37Z

Bot: Creating new article from JSON

New page

🛡️ '''Third line of defence''' is the [[Definition:Internal audit | internal audit]] function within an insurance organization, responsible for providing independent and objective assurance to the [[Definition:Board of directors | board]] that the first and second lines — operational management and [[Definition:Risk management | risk management]]/[[Definition:Compliance | compliance]] oversight, respectively — are functioning effectively. Within the broader [[Definition:Three lines of defence model | three lines of defence model]] widely adopted across the global insurance industry, the third line occupies a uniquely independent position: it reports directly to the board or its [[Definition:Audit committee | audit committee]], free from management influence, and has unrestricted access to people, records, and systems across the organization.

🔎 In practice, the third line conducts risk-based audit plans that examine whether an insurer's [[Definition:Underwriting | underwriting]] controls, [[Definition:Claims management | claims processes]], [[Definition:Reserving | reserving]] practices, [[Definition:Regulatory compliance | regulatory compliance]] arrangements, and [[Definition:Information security | information security]] controls operate as designed. Unlike the second line, which monitors and advises on an ongoing basis, the third line performs periodic, structured reviews and issues formal findings with remediation timelines. Under [[Definition:Solvency II | Solvency II]], internal audit is one of four mandatory [[Definition:Key function | key functions]] that every insurer must maintain, and the [[Definition:Prudential Regulation Authority (PRA) | PRA]] in the UK and [[Definition:European Insurance and Occupational Pensions Authority (EIOPA) | EIOPA]] both expect the function to have sufficient stature, resources, and expertise to challenge senior management credibly. In the United States, the [[Definition:National Association of Insurance Commissioners (NAIC) | NAIC's]] Model Audit Rule imposes similar expectations for internal audit independence at insurers above certain premium thresholds.

💡 The credibility of the third line rests on its genuine independence — a principle that regulators test rigorously. When the third line is under-resourced, conflicted, or marginalized, governance failures tend to follow, as demonstrated in several notable insurance scandals where internal audit either missed or was prevented from escalating critical control weaknesses. For [[Definition:Managing general agent (MGA) | MGAs]] and [[Definition:Coverholder | coverholders]] operating under [[Definition:Delegated underwriting authority (DUA) | delegated authority]], capacity providers increasingly expect evidence that a credible third-line function — whether in-house or outsourced — reviews delegated operations. In fast-growing [[Definition:Insurtech | insurtech]] firms, establishing even a lean internal audit capability signals to [[Definition:Reinsurance | reinsurers]] and regulators that the organization takes assurance seriously beyond what the first and second lines can self-certify.

'''Related concepts:'''
{{Div col|colwidth=20em}}
* [[Definition:Three lines of defence model]]
* [[Definition:Internal audit]]
* [[Definition:First line of defence]]
* [[Definition:Second line of defence]]
* [[Definition:Audit committee]]
* [[Definition:Solvency II]]
{{Div col end}}

Definition:Third line of defence - Revision history

PlumBot: Bot: Creating new article from JSON