Guide to Data Protection Auditing


Audit Follow-up (print ref: Part 3, Section 5)

If any Non-compliances are discovered during a Data Protection Audit, it is desirable to undertake some sort of Audit Follow-up in order to check that the proposed corrective action has actually been implemented and that it has been effective.

The issues that need to be addressed when deciding on an appropriate Audit Follow-up programme are described in the sections that follow and are also illustrated in flow chart form in Figure 3.7.

Scope

The scope of follow-up action should be chosen in accordance with the severity of the original non-compliance and therefore may be any of the following:

  • Confirmation via telephone of minor adjustments.
  • Documentation checks.
  • Partial re-audits only covering those areas where Non-compliances were recorded.
  • Full re-audit of entire Area/Department where a substantial lack of adequate controls or systematic disregard of procedures was found.

This information will be recorded in the lower section of the Compliance Audit Report during the Closing Meeting as described in Section 4.4.4.

Timescales

The timescale of the follow-up action should also be chosen in accordance with the severity of the original Non-compliance and the original risk assessment of the Data Protection activities involved (see Section 1.1). Minor non-compliances may be left until the next scheduled audit of the Area/Department while major problems may need to be corrected immediately. This information will also be recorded in the lower section of the Compliance Audit Report as described in Section 4.4.4.

Fig. 3.7: Audit Follow-up

[Flow chart. Steps: Auditor conducts Audit Follow-up; Auditor signs off Non-compliance Record(s); Auditor signs off Observation Note(s); Auditor signs off Audit Report. Documents shown: Non-compliance Record, Observation Note, Compliance Audit Report.]
