The Institute of Internal Auditors (IIA)

Beyond the Three Lines: How AI Can Finally Make Combined Assurance Work

The discussion centers on using artificial intelligence to turn the theoretical three‑lines model of combined assurance into a practical, continuously coordinated system. Ash Rajendran explains that most firms operate the first, second and third lines in parallel, not together. IIA research shows only 40 % share risk registers with internal audit and just 25 % use a common risk‑management platform, while each function maintains its own taxonomy and reporting cadence. These silos prevent a holistic view of emerging threats. Rajendran proposes an AI “connective tissue” that ingests audit plans, compliance reports, monitoring alerts and operational metrics, normalizes terminology, and produces a living combined‑assurance map. In a billing‑transaction example, the AI layer correlates customer complaints, a recent code change, a six‑month‑old audit finding and a compliance exception into a single cross‑functional alert, potentially averting a large‑scale incident. If implemented with clear ownership—first line for deployment, second line for performance monitoring, internal audit for independent validation—the approach promises real‑time risk visibility, faster remediation, and stronger governance. However, Rajendran stresses human‑in‑the‑loop review, data‑privacy safeguards, and auditability of AI models to preserve audit independence and regulatory compliance.