Guide to Data Protection Auditing - What is a Data Protection Audit?


			Data Protection Homepage Audit Guide Homepage Download print version

What does an Audit cover? | Types of Audit | Background to the Audit method


< Previous \| Next >

Audit Evidence (print ref: Part 2, Section 1.3)

It should be apparent from the previous sections that Internal and External audits are looking for evidence concerning different aspects of a data protection system. These different aspects relate back to the original Audit Objectives detailed in Section 3 of Part 1 and are summarised in the table below:

Audit Objective	Evidence Sought	Adequacy Audit	Compliance Audit
The system EXISTS and is ADEQUATE	Documentation, e.g. Data Protection Policy, Procedures etc.	Yes	Yes (assumed)
The system is USED	Records of Subject Access Requests, Complaints etc.	No	Yes
The system WORKS	Corrective Actions, System updates and improvements	No	Yes

The above table should help to make the distinction between Adequacy and Compliance Audits even clearer, i.e.

The Adequacy Audit's prime concern is that there is a documented data protection system that adequately addresses all aspects of the Data Protection Act.
The Compliance Audit is concerned with how the data protection system is being used and how effective it is.

Return to top

Background to the Audit method

< Previous | Next >