Internal Audit, DPO and the adjustment of Three-Lines-of-Defense-Modell

Abstract

Internal audit usually follows the Three-Lines-of-Defense-Modell (T-LoD).1 Within this modell the 1LoD is the business line – like sales and marketing. The 2LoD is checking whether the 1LoD adheres to internal policies, external law and adequately manages the risk. Risk management and compliance function are part of the 2LoD. The 3LoD is internal audit which has the oversight over both the 1LoD and similarly the 2LoD. But the T-LoD-modell fails when the DPO is defined as 2LoD. That derives from the independent position of DPO.