Audit Categories (print ref: Part 1, Section 5)
It is important to realise that there are many different categories of audits in common use today within the various branches of auditing. For Data Protection auditing, however, there are only three main categories of audits that we need to consider:
Audit Category | Description | Conducted by
First party | Internal | By the organisation on itself
Second party | Supplier | By the organisation on a supplier or sub-contractor
Third party | External | By the Information Commissioner (IC), its sub-contractors, or an independent consultant on the organisation
These three categories of audits are described below:
First Party Audits
First Party, or Internal, Audits are those where an organisation carries out audits on itself. As we have suggested earlier, they can be a very effective management tool, which can help organisations adopt a proactive and best practice approach to data protection. By establishing a regular schedule of internal audits and training staff to carry them out, organisations will develop confidence in their own systems based on objective evidence. The ongoing process of auditing and being audited will also increase the general level of data protection awareness among all staff.
Second Party Audits
Second Party Audits are commonly known as Supplier Audits because they are used where an organisation has to assure itself of the ability of a potential or existing supplier or sub-contractor to meet the requirements of the Data Protection Act.
Today there is a tendency for organisations to outsource more and more of their data processing activities. Therefore Supplier Audits are becoming increasingly important as part of the process for making the initial selection of a data processor, and then for monitoring their ongoing performance.
It should be noted that the organisation need not undertake a Supplier Audit itself if the supplier can provide evidence of having successfully passed a Data Protection Audit, provided it was conducted by a reputable and independent third party Assessment Body.
Third Party Audits
Third Party Audits involve an independent outside body coming into the organisation to conduct an audit. For Third Party Data Protection Audits it is possible to identify two different sub-classifications:
Information Commissioner Investigations (Section 51)
This relates to an investigation the Commissioner may carry out under her statutory audit powers in Section 51(7) of the Data Protection Act 1998, which states:
"The Commissioner may, with the consent of the Data Controller, assess any processing of personal data for the following of good practice".
In circumstances where a Data Controller may invite the Commissioner to conduct a consensual audit of this nature, she may:
- Carry out the assessment with her own staff using the audit methodology described in this guide.
- Contract out the assessment to a third party who will also use the audit methodology described in this guide.
Third Party Assessments
This situation occurs when a Data Controller believes that it will be beneficial to have an independent external assessment of the effectiveness of their data protection systems. To facilitate this, the Data Controller may sub-contract the assessment to a third party (such as an audit firm) and request that they use the audit methodology described in this guide.
It is also possible that the Data Controller might want the data protection system to be assessed as part of a wider programme involving audits of areas such as Data Security, Health and Safety or Quality Management. Many organisations are now finding it more cost effective to conduct integrated audits in this way. This has already been recognised within the international auditing community by initiatives such as the new ISO 19011 provisional standard for joint auditing of Environmental Management (ISO 14001) and Quality Management (ISO 9001) Systems.