About Me

So, I'm trapped in audit. At least for the time being. Whilst I'm here I may as well make constructive use of my time. So I'll share some of my thoughts and experiences.
Showing posts with label Thoughts.

Friday, October 7, 2011

Convincing people of the importance of data protection

Some people take some convincing as to the importance of data protection. Here are some impacts on individuals that could result from data protection breaches:

  • Fraud/financial loss
  • Identity theft (resulting in financial loss, but potentially other issues)
  • Loss of personal privacy
  • Persecution (by employer/government/companies/other organisations)
  • Damage to relationships with friends/family

For example, your employer might discriminate against you if they found out you were a member of an extreme political party (e.g. far right) or an activist group that is often at odds with the employer (e.g. an Oil & Gas company finding out one of its employees is a signed-up member of Greenpeace).

Thursday, July 14, 2011

Explanation

Most good controls are about written explanations:

  • Comparative Review of Outturn - explanations of variance
  • Journals - explanation of the journal
  • Reconciliations - explanations of the reconciling items
  • Process documents - explanations of the process

Sunday, June 19, 2011

Meeting minutes

Often the biggest challenge of audit is gathering the necessary information and gaining the necessary understanding. Meetings are a good source of this, but it's often hard to note down all the relevant information (handwriting is slow). One thing I have found that makes it easier is to prepare a set of slides for the meeting, to print these out, and then to annotate them during the meeting. Then I don't have to write out the heading-type information that supports the notes.

Sunday, April 17, 2011

The appropriate definition of risk

Unhelpfully, there are lots of different definitions of risk. For example, "a risk" can mean "a potential event". What helps me is thinking about what people mean when they ask the question "what is the risk?": they mean "what is the probability and significance of the outcome". Therefore risk is the probability and level of impact associated with an event.

But should it just be "event"? In some circumstances it may be helpful to think in terms of outcomes, situations and occurrences. For example, having insufficient premises isn't something that fits the definition of an event, but rather a situation.

Saturday, April 9, 2011

Organisational responsibility database

Often it is very difficult, particularly in a large organisation, to find out who has responsibility for what. One possible solution would be an organisational responsibility database. All of the responsibilities are defined in the database, and then assigned to a particular person. Another possibility would be to encourage staff to detail their responsibilities on the internal directory (and upload their job descriptions to it).

Sunday, November 28, 2010

Make being audited part of people's job descriptions

It's not uncommon to encounter hostility when auditing. People feel like it's an "extra" on top of the work they have to do; something which wastes time that they might otherwise be using constructively. It's probably not possible to completely counter this viewpoint, but it may be possible to do so to some extent by making compliance with audit (both internal and external) a part of every employee's job description. This would make it clear to them that it is their responsibility to comply with audit.

Questions to ask yourself when designing tests

  • What will the walkthrough look like? (for controls tests)
  • What will the audit documentation look like?
  • What is the control objective? (for controls tests)
  • What is the risk?
And the most important:
  • Under what circumstances is the outcome of this test going to result in an exception/issue/concern being noted and a recommendation being raised?