From privacy-audit-skills
Guides internal privacy audit program design and execution: risk-based planning, scope definition, fieldwork, findings classification, evidence gathering, remediation tracking, and reporting.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-audit-skillsThis skill uses the workspace's default tool permissions.
An internal privacy audit program provides systematic, independent assurance that an organization's privacy practices conform to applicable data protection regulations, internal policies, contractual obligations, and recognized frameworks. Unlike external audits (SOC 2, ISO 27701 certification), internal privacy audits are conducted by or on behalf of the organization itself, giving management ...
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.
An internal privacy audit program provides systematic, independent assurance that an organization's privacy practices conform to applicable data protection regulations, internal policies, contractual obligations, and recognized frameworks. Unlike external audits (SOC 2, ISO 27701 certification), internal privacy audits are conducted by or on behalf of the organization itself, giving management direct visibility into compliance gaps before they become regulatory findings or breaches.
The internal privacy audit function operates under the IIA (Institute of Internal Auditors) International Standards for the Professional Practice of Internal Auditing and adapts these standards to the privacy domain. At Sentinel Compliance Group, the internal privacy audit program reports to the Audit Committee of the Board of Directors, maintaining independence from the privacy operations function it audits.
The privacy audit universe represents the complete set of auditable entities, processes, and systems relevant to privacy compliance. It forms the basis for risk-based audit planning.
| Category | Auditable Areas | Example Entities |
|---|---|---|
| Regulatory Compliance | GDPR, CCPA/CPRA, LGPD, PIPA, sector-specific laws | EU processing operations, California consumer data handling, Brazilian customer data |
| Data Lifecycle | Collection, processing, storage, sharing, retention, deletion | Web forms, CRM system, data warehouse, third-party APIs, backup systems |
| Data Subject Rights | Access, rectification, erasure, portability, restriction, objection | DSAR intake process, identity verification, response workflow, automated systems |
| Third-Party Management | Processors, sub-processors, joint controllers, data sharing | Cloud hosting, analytics vendors, marketing platforms, payment processors |
| Privacy Governance | Policies, training, DPO function, privacy committee, DPIA process | Privacy policy management, training program, DPO independence, DPIA register |
| Technical Controls | Encryption, access controls, pseudonymization, logging, deletion | Database encryption, IAM configuration, log management, automated purge jobs |
| Breach Management | Detection, assessment, notification, documentation, remediation | SIEM configuration, breach assessment process, DPA notification, root cause analysis |
| Cross-Border Transfers | Transfer mechanisms, TIAs, supplementary measures | SCCs, BCRs, adequacy decisions, data localization controls |
| Consent Management | Collection, recording, withdrawal, preference management | Consent platforms, cookie banners, preference centers, consent databases |
| Records of Processing | RoPA completeness, accuracy, maintenance | Controller register, processor register, update workflow |
Each auditable area is scored on a risk matrix:
| Risk Factor | Weight | Scoring (1-5) |
|---|---|---|
| Regulatory exposure | 25% | 1 = No regulation, 5 = Multiple strict regulations with active enforcement |
| Volume of personal data | 20% | 1 = Minimal PII, 5 = Large-scale special category data |
| Prior audit findings | 15% | 1 = No findings, 5 = Unresolved critical findings |
| Organizational change | 15% | 1 = Stable, 5 = Major system/process changes |
| Third-party dependency | 10% | 1 = No third parties, 5 = Critical third-party processing |
| Complaint/incident history | 10% | 1 = No incidents, 5 = Multiple privacy incidents |
| Time since last audit | 5% | 1 = Audited this quarter, 5 = Never audited or >2 years |
Risk Score Calculation: Weighted sum of all factors (maximum 5.0)
| Risk Score | Audit Frequency |
|---|---|
| 4.0 — 5.0 | Every 6 months |
| 3.0 — 3.9 | Annual |
| 2.0 — 2.9 | Every 18 months |
| 1.0 — 1.9 | Every 24 months or as resources permit |
Sentinel Compliance Group — Privacy Audit Annual Plan 2025
Approved By: Audit Committee, December 15, 2024
Plan Owner: Chief Audit Executive
Q1 2025:
- DSAR Response Process (Risk Score: 4.3, Last Audit: Jun 2024)
- Cookie Consent Management (Risk Score: 3.8, Last Audit: Mar 2024)
Q2 2025:
- Third-Party Processor Management (Risk Score: 4.5, Last Audit: Dec 2023)
- Cross-Border Data Transfers (Risk Score: 4.1, Last Audit: Sep 2024)
Q3 2025:
- Data Retention and Deletion (Risk Score: 3.9, Last Audit: Jun 2024)
- Privacy Training Effectiveness (Risk Score: 3.2, Last Audit: Dec 2024)
Q4 2025:
- Breach Notification Process (Risk Score: 4.0, Last Audit: Mar 2024)
- Records of Processing Activities (Risk Score: 3.5, Last Audit: Sep 2024)
Reserve/Contingency (50 hours):
- Ad hoc investigations, management requests, regulatory-triggered audits
Confirm that the internal audit charter authorizes privacy audits and defines:
Document the audit scope including:
| Scope Element | Description |
|---|---|
| Objective | What the audit intends to evaluate (e.g., adequacy and effectiveness of DSAR response controls) |
| Period | The timeframe under examination (e.g., January 1 — June 30, 2025) |
| Entities | Organizational units in scope |
| Systems | IT systems and platforms in scope |
| Regulations | Applicable legal requirements |
| Standards | Applicable internal policies and external frameworks |
| Exclusions | Explicitly out-of-scope areas with justification |
Create the detailed audit program (test procedures) for each control objective:
Control Objective: DSARs are processed within regulatory timeframes
Test 1: Obtain DSAR tracking log for the audit period
Test 2: Select sample of [n] DSARs per sampling methodology
Test 3: For each sampled DSAR, verify:
a. Identity verification was completed before disclosure
b. Response was provided within 30 days (GDPR) or 45 days (CCPA)
c. Response contained all required information per Art. 15
d. Extension, if used, was communicated within initial deadline
e. Denial, if applicable, was justified and communicated with appeal rights
Test 4: Review DSAR metrics for trend analysis
Test 5: Interview DSAR coordinators on process adherence
Issue the engagement letter to the audit client (privacy operations team) containing:
Conduct an opening meeting with the audit client to:
| Technique | Application | Example |
|---|---|---|
| Document Review | Policies, procedures, records, reports | Review privacy policy against GDPR Art. 13-14 requirements |
| Interview | Process understanding, control awareness | Interview DPO on DPIA review process |
| Observation | Process walkthrough, system demonstration | Observe DSAR fulfillment from intake to response |
| Data Analysis | Population analysis, trend identification, anomaly detection | Analyze DSAR response times across the full population |
| Technical Testing | System configuration verification | Verify encryption-at-rest configuration on database |
| Sampling | Representative testing of transactions | Select 30 DSARs from population of 450 for detailed testing |
| Reperformance | Independent control execution | Submit test DSAR and verify correct handling |
Internal privacy audit sampling follows IIA Practice Guide "Audit Sampling":
Attribute Sampling (for compliance testing):
| Population Size | Expected Error Rate | 95% Confidence Sample |
|---|---|---|
| 50-100 | 0% expected | 30 |
| 101-500 | 0% expected | 40 |
| 501-1000 | 0% expected | 50 |
| 1000+ | 0% expected | 60 |
| Any | 1-5% expected | Add 10-20 to above |
Judgmental Sampling (risk-focused selection):
Every audit test must be documented in working papers containing:
| Working Paper Element | Description |
|---|---|
| Reference Number | Unique identifier linked to the audit program test step |
| Objective | What the test is designed to evaluate |
| Procedure | Detailed steps performed |
| Population | Description and size of the population tested |
| Sample | Size and selection methodology |
| Results | Factual findings for each sample item |
| Conclusion | Pass/Fail determination with reasoning |
| Evidence | Attached or cross-referenced supporting documentation |
| Preparer | Auditor name and date |
| Reviewer | Reviewer name and date |
Each finding is classified by severity:
| Severity | Criteria | Response Time |
|---|---|---|
| Critical | Systemic non-compliance with regulation; imminent risk of enforcement action, significant data breach, or harm to data subjects; complete control failure | Immediate: interim remediation within 5 business days; full remediation within 30 days |
| High | Material non-compliance; control design deficiency or widespread operating failure; significant gap between policy and practice | Remediation plan within 10 business days; full remediation within 60 days |
| Medium | Isolated non-compliance; control operating inconsistently; documentation gaps that could lead to material issues | Remediation within 90 days |
| Low | Minor documentation gaps; process improvement opportunities; control enhancements that would strengthen compliance posture | Remediation within 180 days |
| Advisory | Best practice recommendations; emerging risk observations; no current non-compliance | No required response; tracked for information |
Each finding is documented using the Condition-Criteria-Cause-Consequence-Recommendation format:
Finding ID: PA-2025-Q2-003
Title: Incomplete identity verification for DSAR fulfillment
Severity: High
Status: Open
Condition (What did we find?):
In 6 of 30 sampled DSARs (20%), the identity verification step was not
completed or documented prior to disclosing personal data to the requestor.
Affected requests: DSAR-2025-0147, DSAR-2025-0203, DSAR-2025-0289,
DSAR-2025-0312, DSAR-2025-0378, DSAR-2025-0401.
Criteria (What should be happening?):
GDPR Art. 12(6) requires controllers to verify the identity of the data
subject making the request, particularly where the controller has reasonable
doubts. Sentinel Compliance Group Privacy Procedure PR-DSAR-001 Section 4.2
requires two-factor identity verification for all DSARs before any personal
data is disclosed.
Cause (Why did it happen?):
The DSAR workflow system does not enforce a mandatory verification step before
allowing the coordinator to mark the request as "in progress." Three of the
six cases involved requests received via email rather than the self-service
portal, where the verification workflow is not automated.
Consequence (What is the risk?):
Without proper identity verification, personal data may be disclosed to
unauthorized individuals, constituting a personal data breach under Art. 4(12)
GDPR. This could result in supervisory authority enforcement action, reputational
harm, and direct harm to data subjects. The ICO fined a UK company GBP 175,000
in 2023 for disclosing personal data in response to a fraudulent DSAR.
Recommendation:
1. Implement a mandatory verification gate in the DSAR workflow system that
blocks progression until verification is completed and documented.
2. Extend automated verification to email-originated DSARs by redirecting
requestors to the self-service portal.
3. Retrain DSAR coordinators on verification requirements.
Management Response: [To be completed by management]
Remediation Owner: [To be assigned]
Target Date: [To be set]
INTERNAL PRIVACY AUDIT REPORT
Report Number: PA-2025-Q2
Classification: Confidential
1. Executive Summary
- Audit objective and scope
- Overall rating (Satisfactory / Needs Improvement / Unsatisfactory)
- Summary of findings by severity
- Key themes and systemic issues
2. Audit Scope and Approach
- Detailed scope description
- Regulations and standards tested against
- Methodology (sampling, testing approach)
- Period covered
- Limitations and constraints
3. Findings and Recommendations
- Critical findings (if any)
- High findings
- Medium findings
- Low findings
- Advisory observations
4. Management Action Plans
- Agreed remediation actions per finding
- Responsible owners
- Target completion dates
5. Prior Audit Follow-Up
- Status of findings from prior audits
- Closed findings with verification evidence
- Overdue findings with escalation status
6. Appendices
- Detailed test results
- Population and sample details
- Documents reviewed
- Personnel interviewed
| Rating | Criteria |
|---|---|
| Satisfactory | No critical or high findings; medium and low findings do not indicate systemic issues; controls are generally effective |
| Needs Improvement | One or more high findings OR multiple medium findings indicating a pattern; controls are partially effective but require strengthening |
| Unsatisfactory | One or more critical findings OR multiple high findings; fundamental control failures exist; immediate management attention required |
Finding Issued → Management Response (10 business days) → Remediation In Progress
→ Owner Reports Completion → Audit Verification Testing → Finding Closed OR
→ Reopened with Revised Plan
| Metric | Measurement |
|---|---|
| Open Findings by Severity | Count of open findings per critical/high/medium/low |
| Overdue Findings | Count and percentage of findings past target date |
| Average Time to Remediate | Mean days from finding issuance to verified closure |
| Remediation Effectiveness | Percentage of findings closed on first attempt (not reopened) |
| Recurrence Rate | Percentage of findings that reappear in subsequent audits |
| Condition | Escalation Level |
|---|---|
| Critical finding not addressed within 5 business days | Chief Privacy Officer and CISO |
| High finding overdue by 30+ days | Chief Audit Executive to Audit Committee |
| Medium finding overdue by 60+ days | Chief Audit Executive to management |
| Pattern of repeated findings in same area | Chief Audit Executive to Audit Committee |
| Management refuses to remediate | Chief Audit Executive to Audit Committee and Board |
Sentinel Compliance Group operates an internal privacy audit program with the following characteristics: