Hello and welcome back to the final course of the CIPM. This one is about auditing data protection, and it's probably one of my favorites, as I'm actually an auditor, so it's a good place to end up. It's a shame we're not doing this face-to-face, because this always causes lots of arguments, as well as lots of discussions. Let's consider our audit. Our role is just to weigh ourselves, checking ourselves as a way of understanding exactly where we are. I've told you it's not just about compliance against the law; it could be about conformance or compliance with your own policies and procedures, not necessarily against a law or a standard, but are people actually doing what you want them to be doing? Here's the definition of audit. You need to know this. It says: a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively against some audit criteria. We've got our audit criteria, the thing we're trying to fulfill. We've got our audit evidence, the thing we're trying to gather. No cheating: this has to be objective and independent. We touched on this a little bit when we talked about data protection officers. To be independent and objective, well, you can't assess your own work. You're not objective or independent enough. Obviously, when we're auditing, we're trying to achieve some level of independence and objectivity. Perhaps even your data protection division, or the data protection office or privacy office that is doing the work, shouldn't be the people to audit it, because again, you can't audit your own work; that doesn't make you independent or objective. We need to find some auditor, some audit department, some audit division to help us do this. Now, they don't have to be experts in data protection, I want to make that clear.
To be able to compare one thing against another and see if it fits, you don't have to be an expert in data protection law to do that. You have to be an expert in auditing. Auditors should be experts in auditing; data protection people should be experts in data protection. We'll talk about that conflict in just a little bit. To me, then, the next thing is about what's your evidence and what's your criteria? Your criteria are the things you're auditing against. The criteria, for me, are the policies, the procedures, the laws, the regulatory requirements, anything that says, "Yes, we've got to achieve this level." As I said, that could be externally set or it could be internally set. Then we've got the evidence. The evidence, for me, is an evidence triangle: it's about trying to weigh up what people say, what the documentation tells you should be happening, and the records that show you what's actually happened. We've got this evidence triangle here: interviews, documents, and records. What people say, what the policies and procedures tell you should or shall happen, and then the records that show you what's actually gone on, what's actually occurred. So just take an example. Say you're auditing visitor management, the ins and outs of the business. Who would I interview? I would interview reception, security, those people. Your documents, hopefully, might be the visitor signing-in and signing-out process or a physical security procedure. And then records: records might be a visitor logbook or an ID card system of some kind. You've got the interviews, documents, and records. I'm comparing those against my internal policies and procedures, and against what the law says. We call this process auditing. Process auditing means essentially we've got a process from input to output. It doesn't really matter what the process is. When I sit down with someone, I say, "Right, start at the start, end at the end. Tell me what you do on a day-to-day basis."
Along the process, there are going to be sets of audit criteria that hit that process. If you can imagine this in terms of the data life cycle, the audit criteria could even be things like the data protection principles. Are we collecting the minimum that we should? Are we being transparent when we get the information? How long do we retain it? Who has access to it? When do we dispose of it? From beginning to end, we can see those requirements, or audit criteria, hitting our process. Every time a criterion hits our process, we can try to evidence whether that criterion is met. How do we evidence it? We've got a triangle of interviews, documents, and records. If you like, we can think about: does the evidence conform to the criteria? Is the evidence compliant with the criteria? The other thing we do with the evidence is match it internally: is what the person tells us the same thing as what has actually happened on the record? Is it the same thing as what's said in the policy? We can actually make some determinations here. The determinations we can make are: if the evidence matches the criteria, we've got compliance; if the evidence matches the other evidence, we've then got process conformity. If you've got a mismatch, we've then got a noncompliance or a nonconformity, and we have an audit finding. This is where things get slightly contentious, because that's all an audit finding is: the auditor saying, "I had a criterion, I've got some evidence, and they don't match," or, "I couldn't get the evidence to evidence that criterion." It is the auditor's job, within their timeline, to try and find evidence. Not to try to catch you out, but to try and find evidence that evidences the criteria. If they can't find the evidence that evidences the criteria, or if there was a mismatch between the evidence and the criteria, or indeed within the evidence itself, that's an audit finding. That's what they should write up for you.
They should write you an audit finding that says, here's the evidence and here's the criteria, and that's the end. A lot of auditors make the mistake of going further and then trying to tell you how to fix it. Now, that's a big mistake. Auditors should never recommend, because then they make themselves invalid as an auditor. If they come in and do a subsequent audit, they're not independent: they're auditing their own recommendations, their own work. They should never do that. What gives the auditor the right, with their auditing skills, to tell a data protection practitioner of 20 or 30 years what's right and what's wrong for their organization's data privacy or data protection? They don't have that experience, they don't have that knowledge of data protection law, and they shouldn't be doing that. Really, all the auditor is there for is to find problems, not to give you solutions. It's to find out where those mismatches are between the criteria and the evidence. Where there's a mismatch, you say: here's the criterion, here are the facts, I couldn't evidence it. You go away and come up with some corrective action, and it's the organization's responsibility, the individual's responsibility, the data protection team's responsibility, or management's responsibility to come up with that corrective action, not the auditor's. I think that's very important. Just to go back to that audit definition to make that very clear, we've got this thing as a systematic, independent, and documented process for obtaining audit evidence against the audit criteria. That's their job, end of. No recommendations; corrective and preventive actions come from the organization being audited, the business unit being audited. All they can comment on is: does the evidence match itself? Does the evidence match the audit criteria? Wonderful. What exam questions might you be asked on this?
You might be asked an exam question: what is an audit, and what's the difference between evidence and criteria? A criterion could be a law such as the GDPR, or it could be your own internal data protection policy or procedure. What's evidence? Records, interviews, and documentation. They might also ask you about the audit life cycle. An audit life cycle is about audit planning, audit preparation, carrying out your audit, doing your report, and then doing some follow-up. Again, I want to make clear to you that this is the auditor's job. What's an audit plan? An audit plan, essentially, is where we decide what needs auditing and how often. How are we going to break up the data protection landscape? Do we audit themes, like subject access requests? Do we audit business units? Do we want to audit systems? How are we going to break up our audit plan? What needs auditing more frequently? Where are the higher-risk areas that are going to need more frequent audits? How long are we going to take before we've audited the entire piece? What's our first priority? First of all, write an audit plan. Know what we're going to audit and when, for how long, and who's going to do it. That's our audit plan. The next thing we're going to do is prepare for each individual audit. How do we prepare for each individual audit? Well, we get in touch. We say, "Hey, I'm the auditor, I'm going to be coming and auditing you. Let me give you some idea of the criteria I'm looking for. Make sure that all the evidence is there and the right people I can talk to will be there." The idea of that audit preparation is to facilitate your journey on site. You don't want to turn up on site to do an audit and have people not there, documents and records not ready for you. Then you go about the auditing itself. Stage three, if you like, is then to carry out the audit. Quite easy. Turn up on site, opening meeting. Let everyone understand what you're there to do.
No tricks, no traps, just offering them an improvement opportunity. Try and find the criteria, try and find the evidence. If you can match it up, great; if you can't, you have audit findings, and those audit findings get documented in a short report. Again, all that report should have in it is: this is what we audited, from this time to this time, these are the people we spoke to, this is the evidence we looked at, these are the things we could evidence, and these are the things we couldn't evidence. Now go away and come up with a corrective action plan to make sure that those things we couldn't evidence can be evidenced in future, and it's up to you what you do. I think there's a natural assumption, and auditors fall prey to this all the time, where we assume the document is right and that person isn't doing what the document says. That's not a good audit finding. What the audit finding should be is: there was this criterion, we could or couldn't evidence it, and these are the reasons why. The temptation is to assume the document is right and that person isn't doing what the document says. That person could well be wrong, but equally, that person could have found a better way. So we have to open ourselves to the idea that, as an auditor, we're just reporting the facts and the organization decides what the corrective action should be. We can facilitate that process. We can agree corrective actions with the individuals. Those corrective actions might take a day, might take 12 months, might involve buying a new IT system or replacing an entire audit program; it depends what the organization wants to do. Our final thing to do is then to follow up. That means, after a period of time, go back into that business unit or section, whatever we're auditing, and essentially see how they're doing with the corrective action. Can we close those audit findings by their demonstrating that they've taken a corrective action that now closes that improvement opportunity?
Actually, I like the term improvement opportunity much more than I like nonconformance or noncompliance. I think it makes auditing a lot more value-adding, a lot more positive. Then, of course, the results of that follow-up go back up into your plan. When you're doing your next plan, you say, well, where did we have audit findings last time? Of course, this is all part of the check phase. That check phase enables you to move forward into the act phase, the action phase. The final thing we're going to talk about is the different types of audits, and you might see an exam question on this as well. Three different types of audits: first party, second party, third party. You're going to need to know the difference between them. Essentially, first party is your internal auditors. These are your people within your business who are going to carry out audits. Second party is where we audit our second parties. We audit our suppliers, we audit our vendors. I've tried to be very clear throughout this course that some people we call third parties aren't third parties. They're the second party to a contract; they are our supplier, our vendor, we've got a legal relationship. They are not third parties, they're second parties, they're the other party to our contract. So first party is just auditing ourselves. Second party is auditing our suppliers, our vendors, or our business partners. Then third party is some truly external audit, where what we are doing is having some sort of regulator or third-party audit company come and assess us, again against some sort of standard. Of course, the level of assurance with these is different. If we go back to our audit definition of systematic, independent, and documented, well, who has the most independence here? It's going to be the third party. The third party is going to be the most independent person to audit us.
So, the level of assurance we get: we are going to get some level of assurance from internal audits; they're certainly going to know us better, but they're not going to be as independent. So, generally speaking, a third-party audit is going to give us that final layer in terms of the assurance we need. I want to finish here by saying thank you very much. It's been an absolute pleasure to spend this time with you on the CIPM. Best of luck for the exam. Thank you for listening.