Quiz Entry - updated: 2026.06.20
In an organizational chart of the lines of defense, what sits in the often-added "4th line," and where do the CISO and internal audit fall?
A 4th line of external auditors and supervisory bodies sits above the board; internal audit and the audit committee form the 3rd line, the CISO sits in the 2nd line, and IT services in the 1st.
Mapped onto an org chart:
- 4th Line — external audit (e.g. FDA, SAMA) and auditing institutions (e.g. PwC for SOX), above the Board of Directors.
- 3rd Line — Internal Audit and the Audit Committee, reporting near the board/CEO.
- 2nd Line — the CISO and other oversight functions, under the CEO.
- 1st Line — operational units including IT Service that run the day-to-day controls.
The 4th line is the external, independent check that the internal lines cannot provide on themselves.