Guide to Data Protection Auditing
Process Audit Checklists (print ref: Part 3, Section 2.3.4)

A Data Protection Audit should not only examine the Data Protection Systems operating within individual areas of an organisation, but should also track key operating processes that cross departmental boundaries. Most of these operating processes will be unique to each organisation or department, and this is also true of processes that involve aspects of Data Protection, such as the handling of Subject Access Requests. The role of a Process Audit is to track the operation of these processes from beginning to end to ensure that the requirements of the Data Protection Act are met at every stage.

It will be apparent from Section 2.3.3 that, whereas it is possible to draw up a considerable number of checklist questions in advance for a Functional Audit, this is not the case for a Process Audit. The Auditor will therefore have to draw up a fresh set of Checklist questions each time a particular process is audited; to make this easier, a blank Process Audit Checklist has been provided in Annex J.

Checklist Preparation

When preparing checklists, auditors should remember that the fundamental purpose of each audit is:

  • To collect objective evidence about the status of the Data Protection System in the organisation/department so that an informed judgement can be made about its adequacy and effectiveness.
  • The Auditor must therefore take samples from the selected area and check for implementation and effectiveness of the Data Protection System in order to arrive at that informed judgement.

In effect, the Checklist defines the sample, so the Auditor must make it as representative as possible within the objectives of the audit. Auditors may find it helpful to bear the following points in mind when designing their own questions to supplement the Checklists of Annexes F, G and H:

  • Where the Data Protection System is thoroughly documented, checklist questions may be quite specific, but in the absence of documentation questions may need to be of a broader nature.
  • Experienced Auditors may be able to write down just key words, whereas less experienced Auditors will feel more confident writing out questions in full.
  • Think in terms of "what to look at" and "what to look for" when preparing checklist questions.
  • To ensure the audit sample is representative, first focus on the main function of the department or area.
  • Do not neglect more peripheral activities completely, as these may not be quite as well controlled and hence are more likely to be the cause of a breach.
  • It is also a good idea to examine what happens when systems are under pressure rather than functioning as normal. For example, what happens:
      • When a lot of staff are off sick or on holiday?
      • When there are major changes in the workforce?
      • At the end of the month or the financial year?
      • When the computer system breaks down?
      • When work levels are abnormally high? For example, in an Insurance Company when there is a flood of insurance claims after a major storm.
