Data Protection Homepage 
Audit Guide Homepage
Download print version
|
|
|
|
|
|
|
Data Protection Homepage |
|
|
|
|
|
|
||
|
Audit Schedule (print ref: Part 3, Section 1.2)Once an organisation has decided to operate an Internal Data Protection Audit Programme, it will find that an annual Audit Schedule is an essential control mechanism. The Audit Schedule will help to ensure that the areas within the organisation that handle personal data will be audited on a planned and systematic basis. The steps involved in producing and maintaining an Audit Schedule are described in the following sections. Audit Schedule Generation An Audit Schedule is used to record which areas of the organisation should be audited and when, a pro-forma like that shown in Annex C.1 could be used for this purpose. The areas to be audited should be recorded in the first column, and the audit frequency should be entered in the second column. If required this information can be calculated as shown in Annex A, otherwise the frequency can simply be once per year. The remaining 12 columns are then used to record the dates scheduled for each audit during the year. It is very useful to give each audit a sequential reference number for cross-referencing purposes, and this number can also be entered on the schedule after each scheduled date. Audit Schedule Approval and Publication As the Audit Schedule is such an important component of an organisation's Data Protection Compliance Programme it needs to be owned and published by Senior Management. For example, the draft schedule could be drawn up by the person responsible for Data Protection and then presented to Senior Management for approval. Once this has been obtained the Audit Schedule could be distributed to all Heads of Departments and any other staff affected. If the organisation actually has a Data Protection Forum/Committee, or an Audit Committee, then this could play a key role in the approval process prior to the Audit Schedule being presented to Senior Management. Audit Schedule Maintenance An Audit Schedule is best produced and updated on an annual basis. However, there may be circumstances where the schedule needs to be updated before the end of the year, for example if a new department is created, or the audit frequency within a particular area needs to be changed for any reason. In these circumstances the Audit Schedule should be updated and re-distributed and all copies of the previous schedule removed. If the organisation already operates a Quality Management System like ISO 9000 then the easiest way of doing this is to control the Audit Schedule via the existing ISO 9000 Document Control process. |
|
|||||||||
|
|
