Guide to Data Protection Auditing

Audit Execution

Process or Horizontal Audit (print ref: Part 3, Section 3.3.2)

A typical example of such a process is a Data Subject Access request that is handled by more than one department. The Process Audit Checklist in Annex J should form the basis of this component of the Compliance Audit. The conduct of a Process Audit is very similar to that of the Functional Audit, but the following additional points should be taken into consideration:

  1. Questioning Techniques

    The same sequence of Ask, Verify, Check, Record should be used during the Process Audit. However, it is also very important to Observe what actually happens once each question has been asked, in order to check that practice complies with the documented procedures.

  2. Use of Checklists for Note Taking

    The Process Audit Checklists will be used for note taking in a very similar manner to the Functional Audit Checklists, but the following additional points should be noted:

    • Evidence (Documents) Examined: As well as recording the reference numbers of any documents seen, this column of the checklist should be used to record details of the process examined in terms of what, where, when and who.

    • Findings and Observations: This column should be used to record what the Auditor actually saw taking place, what the Auditee said, and the extent to which it complied with procedures.

  3. Process Audit Strategy

    Auditors will find it easier to conduct successful Process Audits if they adopt a consistent "walk through" strategy. By "walking through" the process in this way they will establish an Audit Trail that will show up any deviations from procedures. The recommended sequence of events is:

    • The Auditor follows the procedure from one end to the other and can choose either:
      • Trace Forward: Start at the beginning and follow the entire process through to completion, e.g. start with a Subject Access Request and follow the process until the requested data has been despatched to the Subject.
      • Trace Back: Start at the end and follow the entire process back to the beginning, e.g. start with a completed Subject Access Request and trace it back to the original request from the Subject.

    • If a discrepancy is found, the Auditor should report the symptom to the Data Protection Representative immediately for verification.

    • If a discrepancy is found, the Auditor should also follow the trail through, where possible, until the probable causes are identified. Identifying causes rather than merely reporting symptoms makes the Audit far more beneficial to the organisation, and it should also provide helpful clues as to how the system might be improved to prevent the errors recurring.

    • The discrepancy, together with any likely causes, is then recorded on the Process Audit Checklist for later transfer to a Non-compliance Record as described in section 4.2.
