Back to Perspectives

Defense Wins Championships – Why Your Government Needs Internal Auditing on Its Team


Executive Summary:

  • State and local governments need defensive strategies to protect against risks like fraud, financial loss, and reputational damage, and checks to ensure those strategies are working.
  • The Three Lines Model executes three levels of protection designed to prevent risks from disrupting your operations and causing damage or loss.
  • As the third-line defense, internal auditing analyzes the entire field to identify potential weaknesses and ensure your defensive strategies are effective at averting risks.


At the start of the football season, sports analysts spend a lot of time talking about who will be the player to lead their team to a championship. Yet, as we learn year after year, championships are not won by a single player. It is a collective effort, based on an assembly of individuals pooling their talents together in pursuit of a common goal.

In sports, the common goal is a championship. In business, the goal is to generate profit by establishing customer loyalty for your products or services. In government, the goal is to make our communities ideal places to live, work, and play. To win in all these instances, you need a strong team with contributions from every player.

Football fans often hear the refrain, “offense wins games, but defense wins championships.” Government teams looking to achieve their goals should not overlook the necessity of a robust defense — with internal auditing giving you the upper hand over your opponent.

What is Internal Auditing?

According to The Institute of Internal Auditors (IIA), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Internal auditing provides a systematic approach to evaluating and improving the effectiveness of governance, risk management, and controls processes.

To simplify: Your organization has goals (objectives). However, obstacles (risks) may exist that keep your organization from reaching its goals. You should develop strategies (internal controls) to prevent those obstacles from occurring, and continuously check to make sure your strategies are working properly (monitoring). To avoid confirmation bias — where you only seek and accept information that supports your goals — you should seek validation from an objective entity (internal audit) to evaluate if your strategies truly position your organization to succeed.

To accomplish all this, you need a coalition of talented individuals that can identify risks, strategize against them, prevent or detect risk infiltration, and consistently monitor emerging risks to provide guidance on how to stay ahead of the curve. In football terms, you need a strong defensive line!

Three Lines of Defense 

Let’s say that risk is the offensive team. Its goal is to get into your organization’s end zone to disrupt operations. The quarterback could be a hacker, fraudster, or unintentional human error. The offensive team also has other formidable players: fraud risks, cyber-attack risks, liquidity risks, etc.

Organizations need a more skilled, agile, and experienced defensive team to counteract the activity of the risk offense. Enter IIA’s Three Lines Model. This defensive strategy executes three levels of protection designed to keep risk from causing extreme financial or other damage.

The Three Lines Model defines defensive roles and responsibilities as follows:

  • First Line of Defense – develops strategies to address risks
  • Second Line of Defense – monitors strategies
  • Third Line of Defense – provides assurance that strategies are truly effective at mitigating risks

Let’s look at the organizational playbook to understand the goals of the offensive and defensive teams and the Three Lines defensive strategy.

Understanding the Offensive Opponent

Organizations are trying to prevent risks from disrupting operations and causing financial and/or other damages. If the risk team scores in your end zone, that means they have exposed a weakness in your organization. Depending on the weakness, it could cost you a little (inefficient operations) or it could cost you a lot (major cyberbreach with financial and reputational damages) … but it will cost you!

Defining Each Line of Defense

First Line of Defense: Management, Staff, and Internal Controls

The first line of defense consists of the organizational staff associated with daily operations, delivery of goods and services, and identifying and addressing risks. For example, to minimize the risk of hacking via password breaches, this line would create a password policy and accompanying procedure, set up systems requirements accordingly, and follow the policy and procedures in daily operations.

Second Line of Defense: Risk Management and Compliance Functions

The second line of defense consists of the organizational staff that monitor your organization's adherence to its own policies and procedures and other required guidance (e.g., regulations, laws, etc.). For example, to ensure that your organization is following its policies and procedures for minimizing hacking via password breaches, this line would periodically analyze data to ensure compliance with internal guidance, industry best practices, etc.

Third Line of Defense: Internal Audit

The third line of defense consists of internal audit professionals with knowledge in various industries. Internal audit conducts real-time assessments and communicates any weaknesses in the first two lines. Using the prevention of hacking example from above, in addition to assessing password protocols and practice, internal audit may identify that your organization has improper access controls that increase the risk of hackers infiltrating your organization's systems. Internal audit would provide recommendations for improvement and express urgency for corrective action.

Defensive Benefits of Internal Auditing

Internal audit is not an adversary, it is part of your team. Internal audit collaborates with your management and staff, in real time, to understand your organizational goals, concerns, strengths, and weaknesses. Where external audit provides your management with an analysis of a snapshot in time, internal audit continuously and systematically provides value-added feedback to your management and your board and/or audit committee.

Internal audit assists with ensuring your organizational playbook(s) remain relevant. As the third or last line of defense, it analyzes the entire field (the organization) to make sure your defensive strategies (internal controls) are effective at averting risks from scoring (causing financial, operational, reputational, etc., losses).

Part of the analyses conducted by internal audit include (but are not limited to):

  • Conducting risk assessments to identify the likelihood and potential impact of risks to assist the organization in focusing resources on prioritized areas for improvement.
  • Assessing your information technology and cybersecurity environments to identify and advise on protecting organizational data, improving IT infrastructure, preparing disaster recovery strategies, etc.
  • Assisting in preparing for external audits by assessing if the organization’s financial statements are accurate, complete, compliant with regulations, and free from material misstatement. 
  • Conducting performance assessments to identify areas for efficiency and effectiveness improvements.

Internal audit strengthens your organization’s improvement efforts by bringing reinforcements to your already stellar team. The internal audit group delivers additional resource capacity, skills, and perspectives — including extensive knowledge about various industry standards as internal audit professionals are required to maintain continuing education in their specific areas of focus.

How MGO Can Strengthen Your Team's Defense

MGO has a defensive line that is ready and motivated to support your organization. Stacked with professionals experienced in areas like state and local government, fraud, audit and assurance, government audit, and cybersecurity, our team is diverse in thought, knowledge, and culture — and we bring those perspectives to the field for you. Contact us today to learn how our internal auditing solutions can boost your organization’s defense.

Related Services

Audit and Assurance

Related Solutions

Audit and Assurance

Related Industries

State and Local Government


State and Local Government Compliance Internal Controls Risk Management Internal Audit

Let’s Talk