Enhancing Internal Control over Financial Reporting through the Three Lines of Defence Model: Evidence from Nigerian Listed Companies

The integrity and reliability of financial reporting constitute fundamental pillars of modern corporate governance and capital market efficiency. In an era marked by high-profile corporate failures, increased regulatory scrutiny, and growing stakeholder demands for transparency, organisations worldwide face unprecedented pressure to establish robust internal control frameworks that ensure the accuracy, completeness, and timeliness of financial disclosures (C​o​m​m​i​t​t​e​e​ ​o​f​ ​S​p​o​n​s​o​r​i​n​g​ ​O​r​g​a​n​i​z​a​t​i​o​n​s​ ​o​f​ ​t​h​e​ ​T​r​e​a​d​w​a​y​ ​C​o​m​m​i​s​s​i​o​n​,​ ​2​0​1​3). The three lines of defence (3LOD) model, originally articulated by the I​n​s​t​i​t​u​t​e​ ​o​f​ ​I​n​t​e​r​n​a​l​ ​A​u​d​i​t​o​r​s​ ​(​2​0​1​3​) and subsequently updated in the Institute of Internal Auditors (IIA) Three Lines Model (I​n​s​t​i​t​u​t​e​ ​o​f​ ​I​n​t​e​r​n​a​l​ ​A​u​d​i​t​o​r​s​,​ ​2​0​2​0), has emerged as the predominant governance framework for structuring risk management and control activities within organisations. Despite its widespread adoption in developed economies, rigorous empirical evidence regarding its effectiveness in enhancing Internal Control over Financial Reporting (ICFR) within the context of emerging African markets remains notably scarce, representing a significant gap in the extant literature.

Nigeria, as Africa’s largest economy and home to one of the continent’s most developed capital markets, provides a compelling context for examining the relationship between 3LOD implementation and ICFR effectiveness. The Nigerian corporate governance landscape has undergone significant transformation in recent years, catalysed by the introduction of the N​i​g​e​r​i​a​n​ ​C​o​d​e​ ​o​f​ ​C​o​r​p​o​r​a​t​e​ ​G​o​v​e​r​n​a​n​c​e​ ​(​2​0​1​8​), gazetted as S.I. No. 22 of 2019 on 30 January 2019 pursuant to Sections 11(c) and 51(c) of the Financial Reporting Council (FRC) of Nigeria Act, the FRC of Nigeria (Amendment) Act in 2023, and the Securities and Exchange Commission (SEC) Framework on ICFR. These regulatory developments have collectively elevated the importance of effective internal controls, mandating that public interest entities (PIEs) establish, maintain, and report on the effectiveness of their ICFR systems (S​e​c​u​r​i​t​i​e​s​ ​&​ ​E​x​c​h​a​n​g​e​ ​C​o​m​m​i​s​s​i​o​n​ ​N​i​g​e​r​i​a​,​ ​2​0​2​1).

The FRC of Nigeria (Amendment) Act in 2023 has significantly expanded the scope of PIEs to include large private companies with annual turnover of 30 billion Naira and above, government contractors with annual contract sums of 1 billion Naira, and specified regulated entities. This expansion means thousands of Nigerian organisations now face mandatory ICFR compliance requirements. The FRC Guidance on Management Report on ICFR (F​i​n​a​n​c​i​a​l​ ​R​e​p​o​r​t​i​n​g​ ​C​o​u​n​c​i​l​ ​o​f​ ​N​i​g​e​r​i​a​,​ ​2​0​2​4) provides specific directives for management assessment, including requirements for documentation, evidential support, annual evaluation, and reporting.

Despite these regulatory advances, the Nigerian corporate sector continues to grapple with significant challenges in financial reporting quality. The prevalence of material weaknesses in internal controls, restatements of previously issued financial statements, and instances of financial fraud suggest that the implementation of effective ICFR remains an ongoing challenge. Understanding whether and how the 3LOD model contributes to addressing these challenges is therefore of considerable theoretical and practical importance, particularly given the paucity of research in this domain within sub-Saharan Africa.

This study aims to fill a significant gap in the extant literature by providing rigorous empirical evidence on the effectiveness of the 3LOD model in enhancing ICFR among Nigerian listed companies. Specifically, the study examines: (i) the individual and collective effects of the 3LOD on ICFR effectiveness; (ii) the moderating role of board oversight and audit committee effectiveness; and (iii) the contextual factors that influence the relationship between 3LOD implementation and ICFR quality. By doing so, this research makes a distinct contribution to the limited body of knowledge on governance mechanisms and financial reporting quality in emerging markets, offering insights that are relevant to academics, practitioners, regulators, and standard-setters.

The remainder of this paper is organised as follows. Section 2 presents the literature review and theoretical framework, including a detailed analysis of the literature gap and hypotheses development. Section 3 describes the research methodology, including sample selection, variable measurement, and model specification. Section 4 presents the empirical results, including both the quantitative regression findings and the qualitative interview themes. Section 5 concludes with implications, limitations, and directions for future research.

Agency theory, as articulated by J​e​n​s​e​n​ ​&​ ​M​e​c​k​l​i​n​g​ ​(​1​9​7​6​), provides a foundational lens for understanding the governance challenges that motivate the establishment of internal control systems. The theory posits that the separation of ownership and control in modern corporations creates inherent conflicts of interest between principals (shareholders) and agents (management). Information asymmetry between these parties provides opportunities for managerial opportunism, including earnings manipulation, asset misappropriation, and suboptimal resource allocation. Agency costs arise from monitoring expenditures by the principal, bonding expenditures by the agent, and residual loss from divergent interests.

The 3LOD model can be understood as a comprehensive governance mechanism designed to mitigate agency costs by reducing information asymmetry and constraining managerial discretion. The first line of defence establishes operational controls that directly limit opportunities for opportunistic behaviour. The second line provides monitoring and oversight that increases the probability of detection. The third line offers independent assurance that provides principals with confidence that management’s representations regarding financial performance and position are reliable (E​u​l​e​r​i​c​h​ ​&​ ​E​u​l​e​r​i​c​h​,​ ​2​0​2​0). From this perspective, effective implementation of the 3LOD model should be associated with higher quality financial reporting and more effective internal controls.

Institutional theory (D​i​M​a​g​g​i​o​ ​&​ ​P​o​w​e​l​l​,​ ​1​9​8​3; M​e​y​e​r​ ​&​ ​R​o​w​a​n​,​ ​1​9​7​7) complements agency theory by explaining how external pressures shape organisational structures and practices. The theory identifies three mechanisms through which organisations adopt particular practices: coercive isomorphism (regulatory pressures), mimetic isomorphism (imitation of successful peers), and normative isomorphism (professional standards and norms). D​i​M​a​g​g​i​o​ ​&​ ​P​o​w​e​l​l​ ​(​1​9​8​3​) argue that rational actors make their organisations increasingly similar as they try to change them, a process they term institutional isomorphism.

In the Nigerian context, institutional theory helps explain the adoption and implementation of the 3LOD model. The regulatory requirements embedded in the N​i​g​e​r​i​a​n​ ​C​o​d​e​ ​o​f​ ​C​o​r​p​o​r​a​t​e​ ​G​o​v​e​r​n​a​n​c​e​ ​(​2​0​1​8​), SEC guidelines, and FRC regulations represent coercive pressures. The practices of multinational corporations and firms cross-listed on international exchanges create mimetic pressures. The professional standards promulgated by the Institute of Chartered Accountants of Nigeria (ICAN) and the IIA represent normative pressures. Understanding how these institutional forces interact to shape 3LOD implementation is essential for explaining variation in ICFR effectiveness across Nigerian listed companies.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control–Integrated Framework in 2023, providing comprehensive guidance for designing, implementing, and evaluating internal control systems. The framework identifies five integrated components of internal control: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. These components operate within an organisational context defined by the entity’s operations, financial reporting, and compliance objectives (C​o​m​m​i​t​t​e​e​ ​o​f​ ​S​p​o​n​s​o​r​i​n​g​ ​O​r​g​a​n​i​z​a​t​i​o​n​s​ ​o​f​ ​t​h​e​ ​T​r​e​a​d​w​a​y​ ​C​o​m​m​i​s​s​i​o​n​,​ ​2​0​1​3). COSO has also published the Internal Control over External Financial Reporting (ICEFR): A Compendium of Approaches and Examples, which assists users in assessing whether a system of internal control meets the requirements set forth in the Framework.

The 3LOD model and the COSO framework are complementary rather than competing governance mechanisms. While the COSO framework provides the conceptual architecture for internal control systems, the 3LOD model establishes the organisational structure through which COSO’s components are operationalised. The control environment is primarily shaped by first-line management actions and tone at the top. Risk assessment and control activities span the first and second lines. Monitoring activities encompass the second line’s oversight functions and the third line's independent assurance. Understanding this structural integration is essential for examining how the 3LOD model influences ICFR effectiveness (A​n​d​e​r​s​o​n​ ​&​ ​E​u​b​a​n​k​s​,​ ​2​0​1​5).

The 3LOD model originated from guidance issued by the IIA in January 2013, which provided a structured framework for delineating risk management and control responsibilities within organisations. The model was subsequently updated in July 2020 with the release of the IIA’s Three Lines Model, which emphasised a more principles-based approach, greater flexibility in implementation, and an explicit focus on governance, value creation, and risk management rather than defence alone. The updated model identifies four key actors: the governing body (board), management (comprising first- and second-line roles), internal audit (third-line), and external assurance providers (I​n​s​t​i​t​u​t​e​ ​o​f​ ​I​n​t​e​r​n​a​l​ ​A​u​d​i​t​o​r​s​,​ ​2​0​2​0).

The evolution from the 3LOD to the Three Lines Model reflects important conceptual developments. First, the term defence was retired because it conveyed the idea that risk is inherently negative, rather than something to be managed as part of value creation. Second, the updated model provides greater flexibility for organisations of different sizes and complexities, recognising that not all organisations can or should implement identical structures. Third, the model explicitly incorporates the governing body’s accountability for organisational oversight, recognising that the three lines operate within a broader governance architecture (E​u​l​e​r​i​c​h​,​ ​2​0​2​1).

The first line of defence encompasses operational management and business functions that own and manage risks as an integral part of their daily activities. These functions are responsible for implementing internal controls, identifying and assessing risks, and taking corrective action to address control deficiencies. Operational managers are accountable for maintaining effective day-to-day internal controls and executing risk procedures relevant to their areas of responsibility (I​n​s​t​i​t​u​t​e​ ​o​f​ ​I​n​t​e​r​n​a​l​ ​A​u​d​i​t​o​r​s​,​ ​2​0​1​3).

Research on first-line effectiveness has demonstrated positive associations with organisational performance. C​a​l​l​a​h​a​n​ ​&​ ​S​o​i​l​e​a​u​ ​(​2​0​1​7​) found that companies’ operational risk management activities can increase profitability through effective controls. F​l​o​r​i​o​ ​&​ ​L​e​o​n​i​ ​(​2​0​1​7​) documented a significant relationship between integrated risk management implementation and firm performance in Italy. In the context of financial reporting, the competence and integrity of first-line management directly influence the control environment, which COSO identifies as the foundation for all other internal control components.

The second line of defence comprises risk management, compliance, and other control functions that provide oversight, guidance, and monitoring of first-line activities. These functions establish policies, standards, and procedures; conduct risk assessments; ensure compliance with applicable laws and regulations; and provide risk-related reporting to senior management and the board. Unlike internal audit, the second line is not independent of management but operates as an integral part of the management team (I​n​s​t​i​t​u​t​e​ ​o​f​ ​I​n​t​e​r​n​a​l​ ​A​u​d​i​t​o​r​s​,​ ​2​0​2​0).

The coordination challenges between the second line and other governance functions have been documented in the literature. B​a​n​t​l​e​o​n​ ​e​t​ ​a​l​.​ ​(​2​0​2​1​) examined coordination challenges in implementing the 3LOD model and found that role ambiguity between second-line functions and internal audit can undermine governance effectiveness. G​r​a​n​t​ ​T​h​o​r​n​t​o​n​ ​(​2​0​2​4​) identified that effective second-line functions must actively contribute to control design and implementation rather than merely identifying deficiencies. The maturity of the risk management function has been found to be a significant determinant of overall control effectiveness.

Internal audit constitutes the third line of defence, providing independent and objective assurance and advisory services designed to add value and improve organisational operations. Internal auditors evaluate the overall design and implementation of risk management and internal controls, ensuring that the first-and-second-lines function as intended. The Global Internal Audit Standards mandate that internal audit functions maintain organisational independence, with direct reporting lines to the board or audit committee (I​n​s​t​i​t​u​t​e​ ​o​f​ ​I​n​t​e​r​n​a​l​ ​A​u​d​i​t​o​r​s​,​ ​2​0​1​7).

The effectiveness of internal audit as a governance mechanism has been extensively studied. A​l​z​e​b​a​n​ ​&​ ​G​w​i​l​l​i​a​m​ ​(​2​0​1​4​) found that the internal audit function significantly contributes to improving the reliability and transparency of financial reporting. M​a​h​y​o​r​o​ ​&​ ​K​a​s​o​g​a​ ​(​2​0​2​1​) demonstrated that internal audit attributes, including staff competence, independence, and work performance, all matter and mutually strengthen each other in advancing financial reporting quality. M​o​d​j​a​d​j​i​ ​&​ ​N​g​w​a​k​w​e​ ​(​2​0​2​2​) showed that internal audit effectiveness enhances financial accountability in South African provincial treasuries. H​a​z​a​e​a​ ​e​t​ ​a​l​.​ ​(​2​0​2​0​) documented the impact of internal audit quality on the financial performance of Yemeni commercial banks.

ICFR refers to the processes established by management and the board to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with applicable accounting standards. The concept encompasses policies and procedures that ensure accurate transaction recording, safeguard assets from unauthorised use, detect and prevent errors and fraud, and support compliance with financial reporting standards (C​o​m​m​i​t​t​e​e​ ​o​f​ ​S​p​o​n​s​o​r​i​n​g​ ​O​r​g​a​n​i​z​a​t​i​o​n​s​ ​o​f​ ​t​h​e​ ​T​r​e​a​d​w​a​y​ ​C​o​m​m​i​s​s​i​o​n​,​ ​2​0​1​3).

The regulatory foundations for ICFR in Nigeria draw significantly from international precedents, particularly the U.S. Sarbanes-Oxley Act in 2002 and the UK’s Combined Code. The SOX Act, enacted in response to the Enron and WorldCom scandals, mandated strict reforms to securities regulations and imposed penalties for financial reporting failures. Similarly, Nigeria’s Investments and Securities Act in 2007 (S​e​c​u​r​i​t​i​e​s​ ​&​ ​E​x​c​h​a​n​g​e​ ​C​o​m​m​i​s​s​i​o​n​ ​N​i​g​e​r​i​a​,​ ​2​0​2​1) and subsequent SEC guidelines establish requirements for internal control systems in public companies, including Section 60(2) requiring Chief Executive Officer (CEO) and Chief Financial Officer (CFO) certification of financial statements, Section 61(1) mandating internal control systems, and Section 63 requiring auditors to issue statements on internal control existence, adequacy, and effectiveness (S​e​c​u​r​i​t​i​e​s​ ​&​ ​E​x​c​h​a​n​g​e​ ​C​o​m​m​i​s​s​i​o​n​ ​N​i​g​e​r​i​a​,​ ​2​0​2​1).

The Nigerian regulatory framework for ICFR has evolved significantly. The FRC of Nigeria (Amendment) Act in 2023 expanded the scope of PIEs to include large private companies with annual turnover of 30 billion Naira and above, government contractors with annual contract sums of 1 billion Naira, and specified regulated entities. The FRC Guidance on Management Report on ICFR (F​i​n​a​n​c​i​a​l​ ​R​e​p​o​r​t​i​n​g​ ​C​o​u​n​c​i​l​ ​o​f​ ​N​i​g​e​r​i​a​,​ ​2​0​2​4) provides detailed directives requiring management to conduct annual evaluations and include assessment reports in annual financial statements. Listed entities must comply with SEC Guidelines on ICFR, which require directors to report on internal control effectiveness and mandate external auditors to issue statements on the existence, adequacy, and effectiveness of internal controls.

International empirical research has documented significant relationships between internal control quality and various organisational outcomes. Studies have consistently found that effective ICFR is associated with higher financial reporting quality, reduced earnings management, lower cost of capital, and improved investor confidence. However, research in African contexts remains limited. O​n​u​m​a​h​ ​e​t​ ​a​l​.​ ​(​2​0​1​2​) examined the effectiveness of internal control systems of listed firms in Ghana and found an overall moderate level of effectiveness, with the control environment component demonstrating the highest effectiveness. Recent research by H​i​w​o​t​ ​(​2​0​2​4​) found that all five internal audit practices exerted positive and statistically significant impacts on financial reporting quality among Ethiopian microfinance institutions. These findings suggest that governance mechanisms significantly influence ICFR effectiveness in developing economies, though contextual factors mediate these relationships.

The N​i​g​e​r​i​a​n​ ​C​o​d​e​ ​o​f​ ​C​o​r​p​o​r​a​t​e​ ​G​o​v​e​r​n​a​n​c​e​ ​(​2​0​1​8​) was published by the FRC of Nigeria pursuant to its powers under Sections 11(c) and 51(c) of the FRC of Nigeria Act. The Code was approved by the Council and commended to the Minister for issuance in accordance with Section 73 of the Act, and was gazetted as S.I. No. 22 of 2019 on 30 January 2019. The Code establishes comprehensive principles for corporate governance practices, including requirements for internal control systems, risk management frameworks, and audit committee composition. Principle 24 addresses business conduct and ethics, while Principle 18 requires companies to establish an internal audit function headed by a professional with relevant qualifications and competence. The code also mandates external assessment of internal audit effectiveness at least once every three years (F​i​n​a​n​c​i​a​l​ ​R​e​p​o​r​t​i​n​g​ ​C​o​u​n​c​i​l​ ​o​f​ ​N​i​g​e​r​i​a​,​ ​2​0​1​9).

The FRC of Nigeria (Amendment) Act in 2023 significantly strengthened the regulatory framework for financial reporting. The Act mandates that PIEs must report on ICFR for financial periods as specified by the Council. Management is required to conduct annual evaluations of internal control effectiveness and include assessment reports in annual financial statements. The FRC has adopted the COSO 2013 Internal Control - Integrated Framework as the recommended framework for ICFR assessment. Companies are required to use recognised frameworks that are publicly available and established through due process. The FRC guidance emphasises the importance of adequate documentation, risk-based approaches, and management certification with FRC registration numbers. Non-compliance attracts penalties, including fines of up to 50 million Naira for failure to comply with final Council decisions (F​i​n​a​n​c​i​a​l​ ​R​e​p​o​r​t​i​n​g​ ​C​o​u​n​c​i​l​ ​o​f​ ​N​i​g​e​r​i​a​,​ ​2​0​2​4).

Despite the theoretical importance of the 3LOD model and the growing regulatory emphasis on ICFR in Nigeria, several significant gaps exist in the extant literature that this study addresses.

First, the vast majority of empirical research on the 3LOD model has been conducted in developed economies, particularly the United States, the United Kingdom, and continental Europe. C​h​a​m​b​e​r​s​ ​(​2​0​1​3​), D​a​u​g​h​e​r​t​y​ ​&​ ​A​n​d​e​r​s​o​n​ ​(​2​0​1​2​), and E​u​l​e​r​i​c​h​ ​(​2​0​2​1​) have examined the model primarily in Western corporate contexts. B​a​n​t​l​e​o​n​ ​e​t​ ​a​l​.​ ​(​2​0​2​1​) studied coordination challenges in German organisations. While these studies provide valuable insights, their generalisability to developing economies with different institutional environments, regulatory capacities, and corporate governance traditions is uncertain. The regulatory and legal systems in developing countries are often far from being as strong as in developed economies, creating different dynamics in governance effectiveness (A​l​z​e​b​a​n​ ​&​ ​G​w​i​l​l​i​a​m​,​ ​2​0​1​4). This study provides the first comprehensive examination of 3LOD effectiveness in Nigeria, addressing a critical geographical gap in the literature.

Second, existing studies have typically examined individual governance mechanisms in isolation rather than their integrated effects. While research has investigated internal audit effectiveness (A​l​z​e​b​a​n​ ​&​ ​G​w​i​l​l​i​a​m​,​ ​2​0​1​4; M​a​h​y​o​r​o​ ​&​ ​K​a​s​o​g​a​,​ ​2​0​2​1), risk management quality (F​l​o​r​i​o​ ​&​ ​L​e​o​n​i​,​ ​2​0​1​7), and operational controls separately, few studies have simultaneously examined all 3LOD and their interaction effects on ICFR. The distinctive contribution of the 3LOD model lies in its integration, and understanding whether the whole is greater than the sum of its parts is essential for both theory and practice. This study directly addresses this gap by testing the three-way interaction effect of the three lines on ICFR effectiveness.

Third, the moderating role of board oversight in the 3LOD-ICFR relationship remains underexplored. While prior research has examined board and audit committee characteristics as direct determinants of financial reporting quality (K​i​r​a​g​u​,​ ​2​0​1​6), few studies have investigated how board effectiveness conditions the relationship between operational governance mechanisms (the three lines) and ICFR outcomes. Understanding this moderating effect is crucial for designing optimal governance architectures.

Fourth, the literature on ICFR in sub-Saharan Africa remains extremely limited. Most African governance research has focused on South Africa (M​o​d​j​a​d​j​i​ ​&​ ​N​g​w​a​k​w​e​,​ ​2​0​2​2), Ethiopia (M​i​h​r​e​t​ ​&​ ​Y​i​s​m​a​w​,​ ​2​0​0​7; H​i​w​o​t​,​ ​2​0​2​4), and Ghana (O​n​u​m​a​h​ ​e​t​ ​a​l​.​,​ ​2​0​1​2). Nigeria, despite being Africa’s largest economy, has received surprisingly limited attention in the governance and ICFR literature. Given Nigeria’s distinctive regulatory environment, including the recent FRC Amendment Act in 2023 and the expanded PIE definitions, this study provides timely and contextually relevant evidence.

This study makes the following contributions. Theoretically, it extends the application of Agency Theory and Institutional Theory to the governance of financial reporting in an emerging market context, demonstrating how the 3LOD model functions as a multi-layered mechanism for reducing information asymmetry. Methodologically, it employs a mixed-methods design with multi-respondent data collection that reduces common method bias and integrates thematic qualitative evidence with quantitative regression analysis. Practically, it provides evidence-based recommendations for Nigerian regulators, including the FRC and SEC, on strengthening ICFR requirements.

Drawing on the theoretical foundations and empirical literature reviewed above, this study develops hypotheses examining the relationships between the 3LOD and ICFR effectiveness.

The first line of defence, comprising operational management, is responsible for implementing and maintaining the internal controls that directly affect financial reporting processes. The competence, integrity, and accountability of first-line management determine the quality of the control environment, which COSO identifies as the foundation for all other internal control components. When first-line management prioritises control effectiveness, establishes clear policies, and maintains adequate segregation of duties, ICFR quality should improve. C​a​l​l​a​h​a​n​ ​&​ ​S​o​i​l​e​a​u​ ​(​2​0​1​7​) demonstrated that operational risk management activities enhance organisational performance through effective controls.

H1: The first line of defence has a positive and significant effect on ICFR effectiveness among Nigerian listed companies.

The second line of defence, comprising risk management and compliance functions, provides oversight, monitoring, and guidance that enhances the effectiveness of first-line controls. By establishing risk policies, conducting risk assessments, monitoring compliance, and providing risk reporting, second-line functions facilitate the identification and mitigation of risks that could affect financial reporting. Research has demonstrated that mature risk management functions exhibit fewer internal control deficiencies and higher financial reporting quality (B​a​n​t​l​e​o​n​ ​e​t​ ​a​l​.​,​ ​2​0​2​1; F​l​o​r​i​o​ ​&​ ​L​e​o​n​i​,​ ​2​0​1​7).

H2: The second line of defence has a positive and significant effect on ICFR effectiveness among Nigerian listed companies.

Internal audit, as the third line of defence, provides independent assurance on the effectiveness of governance, risk management, and internal controls. The independence of internal audit from management enables objective evaluation of control effectiveness and identification of deficiencies that might otherwise escape detection. The empirical literature consistently demonstrates positive relationships between internal audit effectiveness and various measures of control and reporting quality (A​l​z​e​b​a​n​ ​&​ ​G​w​i​l​l​i​a​m​,​ ​2​0​1​4; H​a​z​a​e​a​ ​e​t​ ​a​l​.​,​ ​2​0​2​0; M​a​h​y​o​r​o​ ​&​ ​K​a​s​o​g​a​,​ ​2​0​2​1).

H3: The third line of defence has a positive and significant effect on ICFR effectiveness among Nigerian listed companies.

While the individual effects of each line of defence on ICFR are important, the integrated functioning of all three lines may produce effects that exceed the sum of their individual contributions. The 3LOD model is designed as an integrated system in which the effectiveness of each line depends on, and reinforces, the effectiveness of the others. Coordination, communication, and alignment among the three lines should enhance overall governance effectiveness (I​n​s​t​i​t​u​t​e​ ​o​f​ ​I​n​t​e​r​n​a​l​ ​A​u​d​i​t​o​r​s​,​ ​2​0​2​0). When the three lines function in an integrated manner, with clear delineation of responsibilities, effective communication channels, and coordinated assurance activities, the resulting governance system should be more effective than when lines operate in isolation.

H4: The integrated implementation of all 3LOD has a stronger positive effect on ICFR effectiveness than the individual effects of each line alone.

Board oversight and audit committee effectiveness may moderate the relationship between 3LOD implementation and ICFR effectiveness. Strong board oversight can reinforce the accountability of each line of defence, ensure adequate resources for control activities, and create organisational pressure for control effectiveness. The audit committee, through its oversight of financial reporting, internal audit, and external audit, plays a particularly important moderating role (K​i​r​a​g​u​,​ ​2​0​1​6). Companies with more effective boards and audit committees demonstrate stronger internal controls and higher quality financial reporting.

H5: Board oversight and audit committee effectiveness positively moderate the relationship between 3LOD implementation and ICFR effectiveness.

This study adopts a positivist philosophical paradigm, employing a mixed-methods research design that combines quantitative and qualitative approaches with explicit integration of findings. The quantitative component utilises a cross-sectional survey design to examine the relationships between 3LOD implementation and ICFR effectiveness, supplemented by archival data analysis of publicly available financial reports. The qualitative component incorporates semi-structured interviews with key governance stakeholders to provide contextual depth and triangulate survey findings. Following C​r​e​s​w​e​l​l​ ​&​ ​C​l​a​r​k​ ​(​2​0​1​7​), a convergent parallel design was adopted in which qualitative and quantitative strands are collected concurrently, analysed independently, and integrated at the interpretation stage. The mixed-methods approach enables triangulation of findings across data sources, enhancing validity and reliability (J​i​c​k​,​ ​1​9​7​9).

The target population comprises all companies listed on the Nigerian Exchange Group (NGX) as of December 31, 2024. According to NGX data, there were approximately 156 listed companies across various sectors. These companies are all classified as PIEs under the FRC Amendment Act in 2023 and are subject to mandatory ICFR reporting requirements.

A stratified random sampling technique was employed to ensure representation across industry sectors and company sizes. The population was stratified by sector classification based on NGX industry categories. From each stratum, companies were randomly selected proportional to the stratum’s representation. The minimum sample size was determined using C​o​c​h​r​a​n​ ​(​1​9​7​7​)’s formula for finite populations, with a 95% confidence level and 5% margin of error, yielding a minimum of 94 companies. To account for potential non-response, the sample was expanded to 110 companies, with 94 valid responses ultimately obtained (85.5% response rate).

The final sample of 94 companies represents diverse industry sectors. The financial services sector comprises the largest group at 38.3% (n = 36), followed by consumer goods at 18.1% (n = 17), industrial goods at 14.9% (n = 14), oil and gas at 10.6% (n = 10), agriculture at 8.5% (n = 8), and other sectors at 9.6% (n = 9). By market capitalisation, large-cap companies (above N100 billion) represent 42.6% (n = 40), mid-cap companies (N25-100 billion) represent 35.1% (n = 33), and small-cap companies (below N25 billion) represent 22.3% (n = 21).

Primary data was collected through a structured questionnaire administered to multiple respondents within each sampled company. The questionnaire was designed based on validated instruments from prior governance and internal control research, adapted to the Nigerian regulatory context. Pre-testing was conducted with 15 respondents from five companies not included in the main sample. The questionnaire comprised five sections: (1) demographic and organisational characteristics; (2) first line of defence effectiveness (12 items, Cronbach’s alpha = 0.894); (3) second line of defence effectiveness (10 items, Cronbach’s alpha = 0.871); (4) third line of defence effectiveness (12 items, Cronbach’s alpha = 0.912); and (5) ICFR effectiveness (15 items, Cronbach’s alpha = 0.908). All items were measured on a five-point Likert scale.

Within each company, questionnaires were distributed to four categories of respondents: Chief Financial Officer (1), Risk Manager or Head of Risk Management (1), Chief Internal Auditor or Head of Internal Audit (1), and Audit Committee Chair or member (1). This multi-respondent approach reduces common method bias. A total of 440 questionnaires were distributed, with 376 completed responses received (85.5% response rate). After excluding incomplete responses, 362 valid responses from 94 companies were retained for analysis.

Secondary data was extracted from annual reports, audited financial statements, and corporate governance compliance reports for the period 2019–2024. Key data items included: internal control deficiency disclosures, financial restatements, audit opinions, board and audit committee characteristics, and company financial characteristics. Data was sourced from the NGX website, company investor relations portals, and the FRC of Nigeria’s National Repository Portal.

Semi-structured interviews were conducted with 18 governance professionals purposefully selected from the sample companies. Interviewees included six Chief Internal Auditors, five Chief Financial Officers, four Risk Managers, and three Audit Committee Chairs. Interviews lasted approximately 45 to 60 minutes and were recorded with permission, transcribed verbatim, and analysed using thematic analysis following the six-phase procedure recommended by B​r​a​u​n​ ​&​ ​C​l​a​r​k​e​ ​(​2​0​0​6​). Two researchers independently coded the transcripts using NVivo 14. Initial codes were generated inductively from the data and subsequently grouped into candidate themes, which were then reviewed against the coded extracts and the full dataset. Inter-coder reliability assessed using Cohen’s kappa yielded a value of 0.86, which is interpreted as substantial agreement. Disagreements were resolved through discussion until consensus was reached. The detailed presentation of the resulting themes is set out in Section 4.5.

ICFR effectiveness was measured using a multi-dimensional composite index combining survey-based perceptual measures and archival indicators. The primary measure was the mean score across 15 ICFR effectiveness items adapted from the COSO 2013 Framework assessment protocol, covering all five COSO components. Each item was measured on a five-point Likert scale, yielding a theoretical range of 1.0 to 5.0. The perceptual measure was supplemented with archival indicators: (1) presence or absence of material weaknesses (binary, reverse-coded so that absence equals 1); (2) incidence of financial restatements (binary, reverse-coded so that absence equals 1); (3) external audit opinion type (dummy, 1 for unqualified); and (4) compliance with SEC ICFR reporting requirements (composite score scaled from 0 to 1). The five components were standardised to z-scores prior to extraction. The procedure for combining these indicators using principal component analysis is described in detail in Section 3.4.2.

Principal component analysis (PCA) was used to derive a single weighted composite ICFR effectiveness score from the five standardised indicators identified above. PCA was preferred to a simple equal-weighted average because the underlying indicators have different scales, different reliability, and different theoretical weights in capturing ICFR effectiveness, and a data-driven weighting derived from the observed covariance structure was deemed more defensible (H​a​i​r​ ​e​t​ ​a​l​.​,​ ​2​0​1​9).

Suitability of the data for PCA was first assessed. The Kaiser-Meyer-Olkin (KMO) measure of sampling adequacy returned a value of 0.812, which exceeds the 0.60 threshold conventionally used and is generally regarded as meritorious. Bartlett’s test of sphericity was statistically significant (chi-square = 218.47, df = 10, p < 0.001), confirming that the correlation matrix is not an identity matrix and that the indicators share sufficient common variance to justify a component solution.

Extraction was performed using the unrotated principal components method, given that the objective was to derive a single composite index rather than to identify multiple latent constructs. Components were retained using the Kaiser criterion (eigenvalues greater than 1.0), supported by inspection of the scree plot. A single component was retained with an eigenvalue of 3.142, explaining 62.84% of the total variance in the five indicators. The second component had an eigenvalue of 0.738, well below the retention threshold, supporting the unidimensional structure of the ICFR composite.

All five indicators loaded positively and substantially on the retained component. The unrotated component loadings, communalities, and the weights subsequently used to construct the composite index are reported in Table 1. Composite scores were computed as the linear combination of the standardised indicators using the component score coefficients, and were then rescaled to the original 1.0 to 5.0 ICFR scale to facilitate interpretation. Internal consistency of the composite was satisfactory (Cronbach’s alpha = 0.842), and the composite correlated strongly with the survey-only ICFR mean (r = 0.91, p < 0.001), supporting convergent validity.

First line effectiveness (FLE) was measured as the mean score across 12 items assessing: management commitment to internal controls, clarity of control responsibilities, competence of operational management, tone at the top, accountability mechanisms, and operational control implementation (Cronbach’s alpha = 0.894). Second line effectiveness (SLE) was measured as the mean score across 10 items assessing: risk management function maturity, compliance function effectiveness, risk assessment quality, policy development, risk reporting, and coordination with other lines (Cronbach’s alpha = 0.871). Third line effectiveness (TLE) was measured as the mean score across 12 items assessing: internal audit independence, audit plan quality, auditor competence, audit execution effectiveness, reporting quality, and relationship with the audit committee (Cronbach’s alpha = 0.912).

Board oversight effectiveness (BOE) was measured as the mean score across 8 items assessing: board independence, board financial expertise, audit committee effectiveness, frequency of audit committee meetings, board evaluation of ICFR, board risk oversight, and board engagement with internal and external auditors (Cronbach’s alpha = 0.856).

Consistent with prior research, several control variables were included: Firm size (natural logarithm of total assets); Firm age (natural logarithm of years since incorporation); Leverage (total debt to total assets ratio); Profitability (return on assets); Industry sector (dummy variables based on NGX classification); and Audit quality (Big 4 auditor indicator variable).

To test hypotheses H1 to H3, the following multiple regression model was estimated:

where,

• ICFR_i: Composite Internal Control over Financial Reporting (ICFR) effectiveness score for firm i (dependent variable; higher values indicate stronger ICFR effectiveness).

• $\beta_0$: Intercept term, representing the expected value of ICFR when all independent variables are zero.

• $\beta_1$, $\beta_2$, $\beta_3$: Coefficients for the main effects of the three lines of defense effectiveness:

  • FLE = First Line Effectiveness

  • SLE = Second Line Effectiveness

  • TLE = Third Line Effectiveness

• $\beta_4$ to $\beta_{12}$: Coefficients for the control variables, interpreted as the average change in ICFR associated with a one-unit change in the respective control variable, holding all other variables constant.

Control variables (with definitions and coding):

• SIZE: Natural logarithm of total assets (in USD millions) at the end of the financial year.

• AGE: Firm age, measured as the number of years since the firm’s incorporation (or listing, if incorporation date unavailable).

• LEV: Financial leverage, calculated as total liabilities divided by total assets.

• ROA: Return on Assets, calculated as net income divided by average total assets.

• SECTOR_j Set of industry dummy variables (categorical indicators). Firms are classified according to their primary one-digit SIC code. k dummy variables are included (one sector is omitted as the reference category to avoid perfect multicollinearity). Each SECTOR_j takes the value of 1 if the firm belongs to that industry and 0 otherwise.

• BIG4: Binary indicator equal to 1 if the firm is audited by a Big 4 audit firm (Deloitte, PwC, EY, or KPMG), and 0 otherwise.

• $\varepsilon_i$: Error term (residual), capturing all other factors influencing ICFR that are not included in the model. It is assumed to be normally distributed with mean zero and constant variance (subject to diagnostic checks).

To test H4, the following model was estimated with an interaction term:

The three-way interaction term captures the additional effect of integrated 3LOD implementation beyond individual line effects. All constituent variables were mean-centred prior to forming the interaction to reduce non-essential multicollinearity (A​i​k​e​n​ ​e​t​ ​a​l​.​,​ ​1​9​9​1).

To test H5, the following moderated regression model was estimated:

All variables forming interaction terms were mean-centred. Simple-slope analyses were conducted at one standard deviation above and below the mean of BOE following A​i​k​e​n​ ​e​t​ ​a​l​.​ ​(​1​9​9​1​), and visualised as interaction plots in Section 4.3.3.

Ordinary Least Squares (OLS) regression was employed as the primary estimation technique. Pre-estimation diagnostic tests confirmed appropriateness: VIFs all below 3.0, Breusch-Pagan test for heteroscedasticity, and Shapiro-Wilk test for normality, where heteroscedasticity was detected, and robust standard errors were employed.

A potential concern in estimating the effect of 3LOD implementation on ICFR is endogeneity, which may arise from three sources. First, reverse causality is plausible, since firms with already-stronger ICFR may be more likely to invest in formal 3LOD architectures. Second, omitted variables such as governance culture and management quality may jointly influence both 3LOD implementation and ICFR outcomes. Third, measurement error in the perceptual components of the 3LOD constructs may attenuate OLS estimates. A two-stage least squares (2SLS) instrumental variable (IV) approach was therefore used as a robustness check.

The instrument selected is industry-level mean 3LOD implementation, computed for each firm as the leave-one-out mean of the composite 3LOD score across all other sample firms in the same NGX sector classification. This instrument has been used in analogous settings in the governance and internal-controls literature, where industry-level governance practices serve as exogenous shifters of firm-level governance adoption (see, for example, A​g​g​a​r​w​a​l​ ​e​t​ ​a​l​.​,​ ​2​0​0​9 and D​o​i​d​g​e​ ​e​t​ ​a​l​.​,​ ​2​0​0​7 on peer-firm governance practices used as instruments).

The relevance condition requires that industry-level 3LOD implementation correlates with firm-level 3LOD implementation. This is theoretically grounded in institutional theory (D​i​M​a​g​g​i​o​ ​&​ ​P​o​w​e​l​l​,​ ​1​9​8​3): mimetic isomorphism predicts that firms emulate the governance practices of industry peers, particularly under regulatory and reputational pressure, and normative isomorphism predicts that shared professional networks (ICAN, IIA Nigeria, sectoral risk officer forums) propagate common practices within industries. The first-stage results, reported in Table 2, confirm this strong empirical relationship. The first-stage F-statistic is 28.46, comfortably above the conventional Staiger-Stock threshold of 10, and the partial R-squared on the excluded instrument is 0.197, indicating that the instrument is not weak.

The exogeneity (exclusion) condition requires that, conditional on the controls, industry-level 3LOD implementation affects firm-level ICFR only through its effect on firm-level 3LOD implementation. Three arguments support this assumption in the present setting. First, by construction the instrument is the leave-one-out industry mean and does not include the focal firm's own 3LOD score, so it is not mechanically related to the firm’s ICFR. Second, industry-level 3LOD practice reflects collective regulatory, professional and isomorphic pressure that influences each individual firm’s governance architecture but is unlikely to be a direct input into that firm’s transaction-level financial reporting controls, which are firm-specific and operationally embedded. Third, the regressions control for firm size, age, leverage, profitability, sector dummies, and Big 4 audit quality, absorbing the most plausible channels through which industry conditions might directly affect ICFR. The Sargan-Hansen overidentification test is not applicable in this just-identified specification; the Durbin-Wu-Hausman test of endogeneity returned a p-value of 0.187, providing no statistical evidence that OLS is inconsistent, while the 2SLS estimates remain qualitatively and quantitatively consistent with the OLS results (Section 4.4.3).

Table 3 presents the descriptive statistics for all variables. The mean ICFR effectiveness score is 3.42 (SD = 0.78), indicating moderate overall ICFR effectiveness among Nigerian listed companies, falling between neutral and agree on the five-point scale. The range (1.60 to 4.87) indicates substantial variation. Among the three lines, the third line (internal audit) demonstrates the highest mean at 3.68 (SD = 0.82), followed by the second line at 3.51 (SD = 0.75), and the first line at 3.38 (SD = 0.79). Board oversight has a mean of 3.55 (SD = 0.86). Control variables show a mean firm size (ln assets) of 15.24, mean leverage of 0.42, mean ROA of 0.08, and 56.4% engaging Big 4 auditors.

Table 4 presents the Pearson correlation matrix. All three lines show positive and statistically significant correlations with ICFR at the 1% level. The third line exhibits the strongest correlation (r = 0.612, p < 0.01), followed by the second line (r = 0.498, p < 0.01) and the first line (r = 0.412, p < 0.01). Correlations among the three lines are moderate (0.452 to 0.534), indicating they are related but not redundant. VIFs are all below 3.0. Board oversight shows significant positive correlations with all three lines and ICFR.

Table 5 presents the OLS regression results. Model 1 (controls only) explains 18.4% of variance (R-squared = 0.184, F = 3.412, p < 0.01). Model 2 (adding 3LOD variables) shows substantial improvement (R-squared = 0.524, adjusted R-squared = 0.498, F = 9.847, p < 0.001), a 34.0 percentage point increase. The results provide strong support for H1, H2, and H3: FLE (β = 0.130, t = 2.412, p < 0.05), SLE (β = 0.198, t = 3.156, p < 0.01), and TLE (β = 0.284, t = 4.023, p < 0.01).

Table 6 presents the integrated effects model. The three-way interaction term is positive and significant (β = 0.156, t = 2.847, p < 0.01), supporting H4. The combined implementation produces an additional effect beyond individual contributions. The total effect is 0.752 (0.126 + 0.192 + 0.278 + 0.156), representing an increase of approximately 0.75 standard deviations in ICFR effectiveness.

Table 7 presents the moderated effects model. Board oversight positively moderates the SLE-ICFR (β = 0.112, t = 2.156, p < 0.05) and TLE-ICFR (β = 0.134, t = 2.412, p < 0.05) relationships, but the FLE-BOE interaction is not significant (β = 0.068, t = 1.245, p > 0.05). These results provide partial support for H5.

To assist interpretation, the significant moderating effects are visualised in Figure 1 and Figure 2 using simple-slope plots evaluated at one standard deviation above (high) and below (low) the mean of board oversight (A​i​k​e​n​ ​e​t​ ​a​l​.​,​ ​1​9​9​1). Predicted ICFR values are plotted against second-line and third-line effectiveness, respectively, holding all other variables at their sample means.

Figure 1 shows that the slope of the SLE-ICFR relationship is markedly steeper at high levels of board oversight (+1 SD) than at low levels (−1 SD). The simple slope at high BOE is 0.282 (p < 0.01), compared with 0.090 (p < 0.10) at low BOE, indicating that the contribution of risk-management and compliance functions to ICFR is amplified when boards and audit committees actively engage with second-line outputs.

Figure 2 shows a similar but more pronounced pattern for the third line of defence. The simple slope at high BOE is 0.391 (p < 0.01), compared with 0.161 (p < 0.05) at low BOE. The practical implication is that the well-documented contribution of internal audit to financial-reporting quality is substantially conditional on the board’s willingness to receive, scrutinise, and act on internal audit reporting. Where board oversight is weak, internal audit retains a positive effect on ICFR but at less than half the magnitude observed under strong oversight.

The analysis was repeated using the perceptual ICFR measure only. Results are qualitatively similar: all three lines show positive and significant effects, the third line having the largest coefficient. The interaction term remains positive and significant.

Models were estimated separately for financial services (n = 36) and non-financial (n = 58) companies. The pattern is consistent across sub-samples, with larger coefficients for financial services companies, consistent with their more intensive regulatory environment.

The 2SLS instrumental variable approach described in Section 3.5.4 was estimated to address potential endogeneity. The first-stage results (Table 2) confirm that the instrument is strong and relevant. In the second stage, the instrumented FLE, SLE and TLE coefficients remain positive and statistically significant, and quantitatively close to the OLS estimates (FLE = 0.143, p < 0.05; SLE = 0.211, p < 0.01; TLE = 0.301, p < 0.01). The Durbin-Wu-Hausman test of endogeneity does not reject the null of exogeneity (p = 0.187), supporting the reliability of the OLS estimates as the primary specification while confirming that the substantive conclusions are robust to this alternative identification strategy.

Thematic analysis of the 18 interview transcripts yielded five overarching themes that map directly onto the quantitative findings and substantially enrich their interpretation. Each theme is summarised below, together with representative supporting evidence; Table 8 provides a consolidated overview of themes, sub-themes, illustrative coded extracts, and the frequency with which each theme appeared across the 18 interviews.

The single most prominent theme, mentioned in 17 of 18 interviews, was the centrality of internal audit independence to ICFR effectiveness. Interviewees consistently linked weaknesses in financial-reporting quality to compromised internal audit reporting lines, inadequate audit committee engagement, and resource constraints. A Chief Internal Auditor in the financial services sector observed that in firms where internal audit reports are administratively to the Chief Financial Officer rather than functionally to the audit committee, the unit struggled to challenge financial-reporting positions. This pattern is consistent with the quantitative finding that the third line exerts the strongest individual effect on ICFR (β = 0.284) and that this effect is amplified under strong board oversight (Figure 2).

Risk-management and compliance functions were repeatedly described as the least-developed of the three lines, particularly in non-financial sectors. Interviewees identified three sub-themes: limited integration of risk assessment with financial-reporting processes; inadequate technical capacity in compliance monitoring; and unclear demarcation of responsibilities between the second line and internal audit. A Risk Manager in the consumer goods sector reported that the risk function was largely focused on operational and treasury risks, with limited involvement in the ICFR assessment cycle, even though the firm was a Public Interest Entity. These accounts explain why the second line’s coefficient (β = 0.198), although significant, is materially smaller than the third line’s, and why role ambiguity emerged in prior coordination research (B​a​n​t​l​e​o​n​ ​e​t​ ​a​l​.​,​ ​2​0​2​1).

Although first-line effectiveness had the smallest individual coefficient in the quantitative analysis, interviewees consistently described it as a necessary precondition for the other lines to be effective. Where operational management did not own controls and where business-unit heads viewed compliance as administrative overhead, second- and third-line activity was reported to deteriorate into a reporting exercise rather than a substantive control activity. A Chief Financial Officer commented that the tone set by the executive committee shaped whether finance teams treated reconciliations as control activities or as month-end formalities. This is consistent with the COSO 2013 emphasis on the control environment as the foundation for all other components.

Audit committee effectiveness emerged as the most consistently cited determinant of overall 3LOD performance, mentioned in 16 of 18 interviews. Three sub-themes were identified: the presence of members with genuine financial-reporting expertise; the frequency and depth of executive sessions with the external and internal auditors; and the audit committee’s willingness to challenge management on accounting estimates and judgments. An Audit Committee Chair noted that audit committees that confined themselves to receiving reports without challenge added little incremental value, whereas committees that probed material judgements substantially reinforced the third line. This theme directly corroborates the moderating role of board oversight documented in Section 4.3.3.

Interviewees uniformly referenced the FRC Amendment Act in 2023 and the expanded SEC guidance as catalysts for the formalisation of 3LOD arrangements, but several distinguished between visible compliance documentation and substantive control improvement. Two Chief Internal Auditors observed that firms had rapidly adopted the language of 3LOD without commensurate investment in capability. This observation provides a qualitative corroboration of the institutional theory framing in Section 2.1.2: coercive isomorphism is producing structural adoption, but normative depth varies considerably across firms, helping to explain the wide range observed in ICFR effectiveness (1.60 to 4.87).

The qualitative themes converge with the quantitative results in four respects. First, the dominance of internal audit in determining ICFR (Theme 1) maps onto its largest individual coefficient. Second, the maturity gap of the second line (Theme 2) is consistent with its smaller, though still significant, effect. Third, the pivotal role of the audit committee (Theme 4) substantiates the moderation results in Section 4.3.3, particularly the steeper SLE and TLE slopes under high board oversight (Figure 1 and Figure 2). Fourth, the distinction between structural adoption and substantive capability (Theme 5) reinforces the institutional theory framing and helps to explain the wide variance in ICFR effectiveness observed across the sample.

The finding that all three lines have positive and significant effects, with internal audit exhibiting the strongest individual effect, is broadly consistent with the international literature but with important variations from comparable emerging-market evidence. The magnitude of the third-line effect (β = 0.284) is similar to that reported by A​l​z​e​b​a​n​ ​&​ ​G​w​i​l​l​i​a​m​ ​(​2​0​1​4​) for Saudi public-sector entities, where internal audit factors had the strongest association with internal control quality, and to M​a​h​y​o​r​o​ ​&​ ​K​a​s​o​g​a​ ​(​2​0​2​1​) in Tanzanian local government authorities. The Nigerian estimate is, however, somewhat smaller than the effect documented by H​a​z​a​e​a​ ​e​t​ ​a​l​.​ ​(​2​0​2​0​) for Yemeni commercial banks, who reported a substantially stronger internal-audit-quality coefficient in a more tightly regulated banking-only sample. The smaller Nigerian coefficient is plausibly attributable to the broader cross-sectoral composition of the present sample, which includes non-financial sectors where internal audit functions tend to be smaller and less mature.

With respect to the second line, the Nigerian estimate (β = 0.198) is consistent in direction with F​l​o​r​i​o​ ​&​ ​L​e​o​n​i​ ​(​2​0​1​7​) in Italy and C​a​l​l​a​h​a​n​ ​&​ ​S​o​i​l​e​a​u​ ​(​2​0​1​7​) in the United States, but is materially smaller than developed-market estimates. This pattern is consistent with B​a​n​t​l​e​o​n​ ​e​t​ ​a​l​.​ ​(​2​0​2​1​), who documented coordination problems between second-line and third-line functions, and with C​o​h​e​n​ ​&​ ​S​a​y​a​g​ ​(​2​0​1​0​), who found that second-line maturity in emerging contexts lags behind developed economies. H​i​w​o​t​ ​(​2​0​2​4​) reported similar findings in Ethiopian microfinance institutions, where risk-management practices contributed positively but more modestly to financial-reporting quality than internal audit. The qualitative evidence in Section 4.5.2 directly corroborates this maturity gap.

The smaller first-line effect (β = 0.130) aligns with O​n​u​m​a​h​ ​e​t​ ​a​l​.​ ​(​2​0​1​2​), who found that in Ghanaian listed firms the control environment component, though foundational, exhibited the most variable effect on overall internal-control quality. M​o​d​j​a​d​j​i​ ​&​ ​N​g​w​a​k​w​e​ ​(​2​0​2​2​) similarly found that operational-level control ownership in South African provincial treasuries was a necessary but not sufficient condition for financial accountability. The Nigerian results add to this body of African evidence in confirming that first-line ownership is foundational but exerts its influence largely indirectly, through enabling the second and third lines to operate effectively.

The significant positive three-way interaction (β = 0.156) provides among the first empirical confirmations of the integration premise embedded in the IIA’s Three Lines Model (I​n​s​t​i​t​u​t​e​ ​o​f​ ​I​n​t​e​r​n​a​l​ ​A​u​d​i​t​o​r​s​,​ ​2​0​2​0) in an African context. Prior evidence from Western settings (B​a​n​t​l​e​o​n​ ​e​t​ ​a​l​.​,​ ​2​0​2​1; E​u​l​e​r​i​c​h​,​ ​2​0​2​1) has emphasised coordination challenges without directly testing the joint amplification effect. The present finding suggests that, conditional on coordination challenges being overcome, the joint maturity of the three lines yields gains in ICFR that exceed the sum of the individual contributions. Practically, this implies that Nigerian firms should focus on simultaneous strengthening and coordination rather than on disproportionate investment in any single line.

The moderating effect of board oversight on the second and third lines is consistent with the audit-committee literature reviewed in K​i​r​a​g​u​ ​(​2​0​1​6​), and extends those findings by showing that the value of board oversight in an emerging market is realised principally through its amplification of the second- and third-line functions, rather than through a direct effect on first-line behaviour. This pattern echoes M​o​d​j​a​d​j​i​ ​&​ ​N​g​w​a​k​w​e​ ​(​2​0​2​2​) in South Africa, who found that board-level scrutiny was particularly consequential for internal audit reach and impact. The Nigerian evidence therefore aligns with a growing African consensus that board oversight functions as a force multiplier for governance mechanisms rather than as a stand-alone determinant of ICFR.

Sectoral differences in coefficient magnitude reflect differential regulatory pressures, with financial services under prudential supervision by the Central Bank of Nigeria and the National Insurance Commission mandating more stringent requirements. This is consistent with H​a​z​a​e​a​ ​e​t​ ​a​l​.​ ​(​2​0​2​0​) in Yemen and with the broader emerging-market regulatory literature, which finds that prudentially supervised sectors achieve materially higher governance effectiveness than non-prudentially supervised counterparts within the same jurisdiction.

This study examined the effectiveness of the 3LOD model in enhancing ICFR among Nigerian listed companies. Drawing on agency theory, institutional theory, and the COSO Framework, the research investigated how the 3LOD influence financial reporting quality. Using a mixed-methods design with survey data from 376 respondents across 94 listed companies, supplemented by archival data and 18 thematically analysed interviews, the study generated several findings.

First, all three lines demonstrate positive and statistically significant effects on ICFR effectiveness, with internal audit exhibiting the strongest effect (β = 0.284, p < 0.01), followed by risk management (β = 0.198, p < 0.01) and operational management (β = 0.130, p < 0.05). Second, integrated implementation produces an additional positive effect (β = 0.156, p < 0.01) beyond individual effects. Third, board oversight positively moderates the second-and third-line-relationships, and the interaction plots in Section 4.3.3 show that internal audit’s contribution to ICFR is more than doubled under strong board oversight. Fourth, the 3LOD variables increase explained variance by 34.0 percentage points, indicating they are significant determinants of ICFR effectiveness. Fifth, qualitative evidence corroborates these findings and identifies internal audit independence and audit committee effectiveness as the pivotal levers of governance impact.

This study makes several contributions. First, it extends agency theory to financial reporting governance in emerging markets, demonstrating how the 3LOD model functions as a multi-layered mechanism for reducing information asymmetry. Second, it provides empirical validation for the COSO Framework in a developing economy context. Third, it contributes to institutional theory by documenting how coercive, mimetic, and normative pressures interact to shape governance adoption in Nigeria, while the qualitative evidence shows that institutional pressure tends to produce structural adoption faster than substantive capability. Fourth, it addresses the significant gap in African governance literature by providing rigorous evidence from the continent’s largest economy and by situating the findings within the broader emerging-market literature.

For corporate management: effective ICFR requires investment in all three lines with attention to integration through cross-functional committees, joint risk assessments, and coordinated assurance plans. For boards and audit committees: ensure adequate resources and independence for all three lines, with particular attention to functional reporting lines for internal audit and to the technical capacity of the second line, since these are the levers through which board oversight produces its strongest effect on ICFR. For regulators (FRC and SEC): consider incorporating explicit 3LOD requirements into ICFR guidance and supplementing structural compliance with capability-based supervisory expectations, since the qualitative evidence indicates that structural adoption is outpacing substantive capability. For the internal audit profession: leverage the evidence that internal audit has the strongest individual effect on ICFR to advocate for resources, independent reporting lines, and active audit committee engagement.

The datasets generated and analysed during this study are available from the corresponding author upon reasonable request. The data includes: (1) company-level data comprising ICFR effectiveness scores, 3LOD effectiveness scores, board oversight scores, firm financial characteristics, and archival indicators for 94 Nigerian listed companies; and (2) respondent-level data comprising individual questionnaire responses from 376 governance professionals. Both datasets are provided in anonymised form to protect respondent and company confidentiality, in accordance with the research ethics approval and data protection commitments made to participants. The data dictionary, survey instrument, anonymised interview transcripts, NVivo coding framework, and replication code are included as supplementary materials.

First, the cross-sectional design limits causal inference; longitudinal research would strengthen confidence. Second, reliance on perceptual measures introduces potential common method bias, mitigated by multi-respondent data, archival triangulation, and the convergence of qualitative and quantitative evidence. Third, the Nigerian focus limits generalisability to other emerging markets; future research should examine 3LOD effectiveness in other African countries. Fourth, future research could investigate how 3LOD implementation influences emerging challenges, including cybersecurity risk, sustainability reporting, and ESG disclosures. Fifth, more extensive qualitative designs, including case studies of companies with exemplary 3LOD implementation, would generate a richer understanding of implementation processes. Finally, although the present 18 interviews enabled identification of stable themes, future research could employ larger-scale qualitative designs to test the generalisability of the themes documented here.