The only right way to eat an Audit Elephant

A DPO asked me: "What is the right way to launch an internal audit and what are the most important topics to cover?" This is a very good and honest question.

My answer is, like with any great undertaking, that the best way to eat that great audit elephant is one bite at the time. And believe it or not - I do have a simple visual template to help you tackle and swallow that mouthful.

Approach

There are many ways to approach the internal audit. That will depend entirely on the type and size of the organisations, type of operations and processing activities, organisational and geographical structure, etc, etc. The well-worn phrase: "It depends on a specific assessment" has never been more justified and in particular here professionals working in data protection field can take inspiration from project management tools and structures.

Structure

There are many ways to structure an internal audit. From the top of my head (and in no particular order) you can set up a structure your audit based on

• Processing activities in your article 30 Records
• The critical risks as evaluated in your Risk assessment
• Topics described in your Information security Policy
• Specific location, if your organisation consists of offices in several locations
• Specific procedures, that have recently been implemented
• The overview of last years most significant security breaches
• Topic of your local DPAs most significant decisions/fines/guidelines
• Sampling of relevant areas, based on the last years audit critical findings.

There are probably other good ideas for structure and approach - please share them in the comments, so that other professionals can benefit from your experience and knowledge.

Topic selection

I propose, that you invite all relevant colleagues for a brainstorm session if you are in a large organisation. If you are in the smaller organisation and probably the only person with understanding of the topics, try to find professionals in organisations of similar size and industry to help you brainstorm.

Start by making a list of all the relevant audit topics. From the top of my head (and in no particular order) those could be audit of:

• Personal Data Retention policies and procedures (slettepolitikker og procedurer)
• Accountability audit - audit with Top managements role in showing the direction, making relevant decisions and delegating responsibility of data protection activities (tilsyn med topledelses ansvar ved implementering af databeskyttelses tiltag)
• Data processing during recruitment process (databehandling ved rekruttering)
• Policies and procedures for user access control (politikker og procedurer for brugerrettigheder og adgangskontrol)
• Article 7 - compliance with conditions for consent (betingelser for samtykke)
• Asset management policies (h?ndtering af aktiver)
• Access-rights management for newcomers, movers and leavers (new employees, employees changing positions internally and ex-employees) (tildeling af rettigheder ved til/fratr?delse eller ved intern jobskift)
• Accessibility of the DPO (A right to directly and confidentially contact the DPO) (DPOens tilgeng?lighed for de registrerede)
• Processing of personal information of children (behandling af personoplysnigner om b?rn)
• Processing of Article 9 - health-related personal information (behandling af helbredsoplysninger)
• Compliance with Article 15 - Right of access by the person (data subject) (den registreredes indsigtret)
• Backup and restore
• Allocation of role, responsibility, accountability of key personnel (tildeling af roller, ansvar og ansvarlighed for n?glepersoner)
• Personnel awareness of data protection requirements (medarbejderawareness)
• Documentation for training and employee awareness (dokumentation for gennemf?rt medarbejderawareness)
• Data Processing Agreements (Databehandleraftaler)
• Processors and sub-processors (tilsyn med databehandlere og underdatabehandlere)
• Processing activities related to Supply Management, other Controllers and Joint Controlles (Behandlingsaktiviteter i forbindelse med leverand?rstyring, andre dataansvarlige og f?llesdataansvar)
• International transfers (tredjelandsoverf?rsler)
• Legal basis for processing (article 30) (hjemmel til behandling jf. artikel 30)
• DPIA
• Security measures relating to establishing and operations of home/remote office (sikkerhedsforanstaltnigner ved etablering og drift af hjemme/fjernkontorer)
• Business continuity plan (beredskabsplan)
• Topic audits based on recent significant security breaches (tilsyn p? baggrund af seneste alvorlige brud p? persondatasikkerhed)
• Topic audits based on previous year's proposed improvements of technical/organisational measures (tilsyn p? baggrund af forbedringstiltag fra sidste ?r)
• Sample-audit of data processing activities in HR department (stikpr?ve tilsyn af behandlingsaktiviteter i HR afdeling)
• Sample-audit of data processing activities in Financial department (stikpr?ve tilsyn af behandlingsaktiviteter i ?konomi afdeling)
• If you feel adventurous - take audit of compliance with Article 5 (1) ??
• If you feel extra adventurous - take compliance with Article 5 (2) ??

As mentioned above this is not an exhaustive list. I am sure you can contribute with many other relevant audit topics in the comments.

Structure

Now comes the fun part. Write the audit topics in the prioritised order and for each completed audit connect the dots in the picture. As the time goes - you will manage to eat that huge Elephant, one bite at the time and in a very visual manner show your progress to your colleagues and management.

To give yourself a nice sense of accomplishment, start by writing the topics of the previous audits that you already completed since in the previous years, since May 2018. That way you already now can mark a significant portion of the elephant and feel good about your efforts.

You can also use this template to engage in conversations with your colleagues over what chunks of your audit elephant are particularly difficult or unmanageable - and what they can do to help you with support, knowledge or resources to manage the difficult parts of the audit.

Conclusion

This template is a good way to visualise the wast amount of topics that you need to cover in your internal audit activities over time. It is a good way to start a dialogue with your colleagues and do team evaluation of audit priorities as well as tackle challenges and celebrate accomplishments of your audit activities.

This visual template can help you remember ALL RELEVANT aspects and progress of your internal audit work, so that you won't forget any vital details, when reporting findings of your internal audit to relevant stakeholders.

Feedback

If you find this template useful, have ideas for improvement or suggestions for other useful templates for your data protection and information security work - please don't hesitate to reach out to me here on LinkedIn. If you have modified this template and added other (for your organisation) relevant fields - please let me know. I would love to see it used and improved.

Danish version

Bonus version

If your current most challenging part of work are kids, then I have a bonus template for you, that might (or might not) give you an hour of quite and piece to do your actual audit work in the time of Corona lock down.