Guide to Data Protection Auditing

Audit Execution
Functional or Vertical Audit (print ref: Part 3, Section 3.3.1)

This type of audit concentrates on the processes and procedures of a single department and does not cross inter-departmental boundaries. An example would be an audit of all the functions within a Personnel department. Section 3.2.1 suggests that the Functional Audit Checklists of Annexes F, G and H should form the basis of this component of the Compliance Audit. Factors to consider when conducting a Functional Audit in this way include:

  1. Questioning Techniques

    For each question on the checklist, work through the following sequence:

    • Ask: Ask the question to establish the facts.
       
    • Verify: Listen to the auditee's answer and, where necessary, confirm that you have understood the actual situation.
       
    • Check: Confirm that what you have been told corresponds with what the Data Protection System actually says should occur. Do not rely on the answer alone: also check that any associated records and logs exist, are correct and are up to date.
       
    • Record: Write down your findings as described in the next section.

    The Auditor should always be prepared to depart from the order of questions drawn up in the checklists. This encourages the flow of information from the Auditee and so obtains the required information faster. For this reason extra space is allowed on all the Checklists to record any supplementary questions and their corresponding answers.

  2. Use of Checklists for Note Taking

    Audit Checklists are the key records of what occurred during the audit, and it is therefore essential that they are used correctly. For any of the checklists of Annexes F to J inclusive, the columns should be used as follows:

    • Evidence (Documents) Examined: The second column of the checklist is used to record details of the evidence presented in answer to the question. In the case of documents, record the reference numbers that uniquely identify them, such as procedure reference, order number, policy number etc., so that the evidence behind each finding can be traced afterwards.
       
    • Findings and Observations: The third column is used by the Auditor to record their assessment of how well the evidence presented demonstrates compliance with the requirements of the Data Protection Act and the documented Data Protection System.
       
    • Result: The final column of the checklist is used for grading the answer to each question; the Auditor may choose to leave this activity until the end of the audit. Whenever the grading is done, one of four categories is used (see 4.2 for details):
       
      • COM: The evidence demonstrates full compliance.
      • MAJ: The evidence demonstrates a Major Non-compliance.
      • MIN: The evidence demonstrates a Minor Non-compliance.
      • OBS: No Non-compliance was found but the Auditor has recorded an Observation about potential problems and how improvements could be made.
