Which component is first in the three lines of defense model in internal auditing?

In the three lines of defense model, the first component is typically the business itself. This model is designed to clarify roles and responsibilities in managing risk and ensuring effective governance within an organization. The business is responsible for implementing and maintaining effective controls and risk management practices in their operations. This frontline layer encompasses all employees who are expected to identify and manage risks as part of their duties.

The second line of defense involves risk management and compliance functions that support and oversee the risk management processes established by the business. These functions provide guidance and monitor the effectiveness of risk controls but do not replace the accountability of the business.

The third line of defense is the internal audit function, which provides independent assurance on the effectiveness of governance, risk management, and control processes. Lastly, external audit acts as an additional layer that provides independent insights and assessments of the financial statements and internal controls but is not considered a direct component of this internal model.

Therefore, recognizing the business as the first line of defense highlights the fundamental expectation that accountability for risk management lies primarily with the operational units themselves.