Guide to Data Protection Auditing


Part 3: The Audit Process

Section   Title                                               Print Page ref
Part 3    The Audit Process                                   3.3
1.        Audit Planning                                      3.5
  1.1     Risk Assessment                                     3.5
  1.2     Audit Schedule                                      3.5
    1.2.1 Audit Schedule Generation                           3.5
    1.2.2 Audit Schedule Approval and Publication             3.5
    1.2.3 Audit Schedule Maintenance                          3.6
  1.3     Selection of Auditor                                3.6
    1.3.1 Skills                                              3.6
    1.3.2 Training in Auditing                                3.6
    1.3.3 Experience of Data Protection Law and Practice      3.7
    1.3.4 Personal Attributes                                 3.7
  1.4     Pre-Audit Questionnaire                             3.7
  1.5     Preparatory Meeting/Visit                           3.7
    1.5.1 Administration                                      3.8
    1.5.2 The Audit                                           3.8
    1.5.3 Practical Arrangements                              3.8
  1.6     Audit Management Checklist                          3.8
2.        Audit Preparation                                   3.9
  2.1     Adequacy Audit                                      3.9
    2.1.1 Audit Timescale                                     3.9
    2.1.2 Documentation Review                                3.9
    2.1.3 Adequacy Audit Methodology                          3.11
    2.1.4 Adequacy Audit Outcome                              3.11
    2.1.5 Adequacy Audit Reporting                            3.12
  2.2     Confirmation of Audit Schedule                      3.12
  2.3     Audit Checklists                                    3.12
    2.3.1 The Role of an Audit Checklist                      3.12
    2.3.2 Disadvantages of Checklists                         3.12
    2.3.3 Functional Audit Checklists                         3.13
    2.3.4 Process Audit Checklists                            3.15
    2.3.5 Checklist Preparation                               3.15
  2.4     Sampling Criteria                                   3.16
  2.5     Audit Plan                                          3.16
3.        Conduct of the Compliance Audit                     3.17
  3.1     Opening Meeting                                     3.17
  3.2     Audit Environment                                   3.17
    3.2.1 Functional or Vertical Audit                        3.17
    3.2.2 Process or Horizontal Audit                         3.19
    3.2.3 Staff Awareness Interviews                          3.19
  3.3     Audit Execution                                     3.19
    3.3.1 Functional or Vertical Audit                        3.19
    3.3.2 Process or Horizontal Audit                         3.20
    3.3.3 Staff Awareness Interviews                          3.21
    3.3.4 Positive Auditing                                   3.23
4.        Compliance Audit Reporting                          3.25
  4.1     Non-compliance Records                              3.25
    4.1.1 Header                                              3.25
    4.1.2 Details of Non-compliance                           3.25
    4.1.3 Corrective Action Programme                         3.26
    4.1.4 Corrective Action Follow-up                         3.26
  4.2     Non-compliance Categories                           3.26
    4.2.1 Major Non-compliance                                3.26
    4.2.2 Minor Non-compliance                                3.26
    4.2.3 Observation                                         3.27
  4.3     Compliance Audit Report                             3.27
    4.3.1 Header                                              3.27
    4.3.2 Audit Summary                                       3.27
    4.3.3 Summary of Agreed Corrective Actions                3.28
    4.3.4 Agreed Audit Follow-up                              3.29
  4.4     Closing Meeting                                     3.29
    4.4.1 Confirmation of Non-compliances                     3.29
    4.4.2 Agreement to suitable Corrective Action             3.29
    4.4.3 Corrective Action Responsibilities and Timescales   3.30
    4.4.4 Agreed Audit Follow-up                              3.30
  4.5     Audit Report Distribution                           3.30
  4.6     Audit with no Non-compliances                       3.30
5.        Audit Follow-up                                     3.31
  5.1     Scope                                               3.31
  5.2     Timescales                                          3.31
  5.3     Methodology                                         3.31
  5.4     Audit Closure                                       3.33
    5.4.1 Non-compliance Sign-off                             3.33
    5.4.2 Compliance Audit Report Closure                     3.33

Illustrations

Figure    Title                                               Print Page ref
3.1       The Data Protection Audit Lifecycle                 3.3
3.2       Audit Planning                                      3.4
3.3       Audit Preparation (1)                               3.10
3.4       Audit Preparation (2)                               3.14
3.5       Conduct of the Compliance Audit                     3.18
3.6       Compliance Audit Reporting                          3.24
3.7       Audit Follow-up                                     3.32
