Final answer:
Internal audit is considered the third line of defense in an organization's corporate governance. It operates independently from management to assure the board and senior management of the effectiveness of internal controls and risk management processes. Failures in effective corporate governance, such as in the case of Lehman Brothers, demonstrate the critical need for solid internal audit functions.
Step-by-step explanation:
The internal audit function serves as an independent assurance provider to the board and management, with the role of evaluating the efficacy of risk management, control, and governance processes within an organization. Contrary to external audit, which provides assurance to external stakeholders, internal audit is aligned with the third line of defense in corporate governance, as defined in the widely recognized Three Lines Model. This furthers the segregation of duties within an organization and enhances the internal controls that mitigate various business risks.
The first line of defense consists of management and front-line employees who are responsible for maintaining effective internal controls and conducting day-to-day risk management activities. Next in line is the second line of defense, which includes functions like compliance and risk management departments that provide oversight and support for the controls in place. Lastly, the internal audit function, as the third line of defense, operates independently from the other two and assures the board of directors and senior management about the effectiveness of internal controls, risk management, and governance processes.
In the case of Lehman Brothers, there was a failure in corporate governance, which did not provide accurate financial information to the investors, highlighting the importance of robust and effective audit functions within an organization's governance framework.