Which best describes the third line of defense in risk management?

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

Which best describes the third line of defense in risk management?

Explanation:
This question tests understanding of the third line of defense in the three lines of defense model. The third line is independent assurance, provided by functions like internal audit and, when appropriate, external audits. These groups operate independently from day-to-day management and risk owners, which lets them objectively assess whether controls are well designed and operating effectively across the organization. They examine governance processes, test controls, identify gaps, and report findings to the board or its audit committee, offering recommendations to strengthen the risk framework.

This independence and reporting channel are what set the third line apart from the first line, where frontline managers own and operate controls, and the second line, where risk management and compliance functions oversee policies and risk controls. External regulators play a role in oversight, but they are not the internal third-line assurance function. Internal risk committees contribute to governance but do not provide the independent assurance that internal and external audits deliver. Hence, describing the third line as independent assurance providers—internal and external audit—best captures its role.
