Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
Guides privacy audit follow-up and verification: scheduling by severity, remediation effectiveness testing via re-performance/inspection/observation, finding closure, re-testing, reporting, escalation per IIA 2500/ISO 19011.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeHow this skill is triggered — by the user, by Claude, or both
Slash command
/privacy-skills-complete:audit-follow-up-verifyThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Audit follow-up is the process by which the audit function monitors and verifies that management has effectively implemented remediation actions in response to audit findings. IIA Standard 2500 requires the Chief Audit Executive to establish and maintain a system to monitor the disposition of results communicated to management. Follow-up is not merely tracking whether actions were completed — i...
Guides privacy audit findings remediation: prioritizes by severity (critical, high, medium, low), assigns owners, tracks deadlines, verifies fixes, applies closure criteria, and escalates overdue items.
Activate for: audit, audit preparation, audit pack, internal audit, external audit, regulatory audit, supervisory visit, audit evidence, audit trail, audit readiness, mock audit, audit findings, audit response, audit remediation, audit committee, board audit, annual audit, ISO audit, surveillance audit, certification audit, regulator visit, FCA visit, BSI audit, PCI audit, SOC 2 audit, audit questionnaire, evidence inventory. NOT for: compliance obligation mapping (use official compliance-tracking auto-skill), vendor evaluation (use official /vendor-review), risk register building (use official risk-assessment auto-skill).
Prepare for compliance audits by collecting evidence, organizing documentation, and coordinating with auditors.
Share bugs, ideas, or general feedback.
Audit follow-up is the process by which the audit function monitors and verifies that management has effectively implemented remediation actions in response to audit findings. IIA Standard 2500 requires the Chief Audit Executive to establish and maintain a system to monitor the disposition of results communicated to management. Follow-up is not merely tracking whether actions were completed — it requires independent verification that the remediation actually addresses the root cause and reduces the identified risk to an acceptable level.
In privacy audits, effective follow-up is critical because unremediated findings represent ongoing regulatory non-compliance. A GDPR Art. 5(2) accountability failure, an unpatched consent mechanism, or a persistent DSAR processing delay exposes the organization to supervisory authority enforcement, data subject complaints, and reputational harm.
Follow-up timing is driven by finding severity:
| Severity | Initial Follow-Up | Re-test if Partial | Maximum Extensions |
|---|---|---|---|
| Critical | 30 days after target date | 15 days | 1 (requires CPO approval) |
| High | 60 days after target date | 30 days | 2 (requires DPO approval) |
| Medium | 90 days after target date | 45 days | 2 |
| Low | 180 days after target date | 90 days | 3 |
| Advisory | Next scheduled audit | N/A | N/A |
The auditor independently repeats the control activity to verify it produces the expected result. Used for procedural controls (e.g., re-performing a DSAR response to verify the process meets the 30-day deadline).
The auditor examines records, documents, or system configurations produced after remediation to verify the control is operating as designed. Used for documentary controls (e.g., inspecting updated DPAs for Art. 28 compliance).
The auditor observes the remediated process in real-time to verify it functions correctly. Used for operational controls (e.g., observing the updated breach notification workflow during a tabletop exercise).
The auditor interviews process owners about the remediated control and corroborates statements with independent evidence. Used when direct testing is impractical.
The auditor analyzes post-remediation data to verify the control is producing expected outcomes. Used for measurable controls (e.g., analyzing DSAR response times post-remediation to verify improvement).
A finding may be closed only when ALL of the following are satisfied:
New → In Progress → Remediation Complete → Pending Verification → Closed
↓
Partial Pass → Re-remediation → Pending Verification
↓
Fail → Reopened → Escalation
| Trigger | Escalation Level | Action |
|---|---|---|
| Finding overdue 30+ days (Critical) | CPO and CISO | Mandatory management meeting within 5 days |
| Finding overdue 45+ days (High) | Audit Committee | Report to next Audit Committee meeting |
| Finding failed verification twice | DPO and CPO | Root cause review and revised plan required |
| Finding open 12+ months (any severity) | Board Audit Committee | Include in annual audit opinion |
| Repeated finding (same root cause, 3+ occurrences) | Audit Committee | Systemic issue investigation |
Produced for each verification event: finding reference, verification method, evidence reviewed, test results, conclusion (pass/partial/fail), and recommended next steps.
Monthly report to DPO and CPO summarizing: total open findings by severity, overdue findings, findings closed in period, verification pass rate, aging analysis, and escalation status.
Unremediated findings at year-end are factored into the annual audit opinion. Persistent critical or high findings may result in an "Unsatisfactory" or "Needs Improvement" rating.