Definition:Third line of defence

From Insurer Brain

🛡️ Third line of defence is the internal audit function within an insurance organization, responsible for providing independent and objective assurance to the board that the first and second lines — operational management and risk management/compliance oversight, respectively — are functioning effectively. Within the broader three lines of defence model widely adopted across the global insurance industry, the third line occupies a uniquely independent position: it reports directly to the board or its audit committee, free from management influence, and has unrestricted access to people, records, and systems across the organization.

🔎 In practice, the third line conducts risk-based audit plans that examine whether an insurer's underwriting controls, claims processes, reserving practices, regulatory compliance arrangements, and information security controls operate as designed. Unlike the second line, which monitors and advises on an ongoing basis, the third line performs periodic, structured reviews and issues formal findings with remediation timelines. Under Solvency II, internal audit is one of four mandatory key functions that every insurer must maintain, and the PRA in the UK and EIOPA both expect the function to have sufficient stature, resources, and expertise to challenge senior management credibly. In the United States, the NAIC's Model Audit Rule imposes similar expectations for internal audit independence at insurers above certain premium thresholds.

💡 The credibility of the third line rests on its genuine independence — a principle that regulators test rigorously. When the third line is under-resourced, conflicted, or marginalized, governance failures tend to follow, as demonstrated in several notable insurance scandals where internal audit either missed or was prevented from escalating critical control weaknesses. For MGAs and coverholders operating under delegated authority, capacity providers increasingly expect evidence that a credible third-line function — whether in-house or outsourced — reviews delegated operations. In fast-growing insurtech firms, establishing even a lean internal audit capability signals to reinsurers and regulators that the organization takes assurance seriously beyond what the first and second lines can self-certify.
