Guides privacy audit follow-up and verification: scheduling by severity, remediation effectiveness testing via re-performance/inspection/observation, finding closure, re-testing, reporting, escalation per IIA 2500/ISO 19011.
Audit follow-up is the process by which the audit function monitors and verifies that management has effectively implemented remediation actions in response to audit findings. IIA Standard 2500 requires the Chief Audit Executive to establish and maintain a system to monitor the disposition of results communicated to management. Follow-up is not merely tracking whether actions were completed — it requires independent verification that the remediation actually addresses the root cause and reduces the identified risk to an acceptable level.
In privacy audits, effective follow-up is critical because unremediated findings represent ongoing regulatory non-compliance. A GDPR Art. 5(2) accountability failure, an unpatched consent mechanism, or a persistent DSAR processing delay exposes the organization to supervisory authority enforcement, data subject complaints, and reputational harm.
Follow-up timing is driven by finding severity:
| Severity | Initial Follow-Up | Re-test if Partial | Maximum Extensions |
|---|---|---|---|
| Critical | 30 days after target date | 15 days | 1 (requires CPO approval) |
| High | 60 days after target date | 30 days | 2 (requires DPO approval) |
| Medium | 90 days after target date | 45 days | 2 |
| Low | 180 days after target date | 90 days | 3 |
| Advisory | Next scheduled audit | N/A | N/A |
| Method | Procedure | Used For |
|---|---|---|
| Re-performance | The auditor independently repeats the control activity to verify it produces the expected result. | Procedural controls (e.g., re-performing a DSAR response to verify the process meets the 30-day deadline). |
| Inspection | The auditor examines records, documents, or system configurations produced after remediation to verify the control is operating as designed. | Documentary controls (e.g., inspecting updated DPAs for Art. 28 compliance). |
| Observation | The auditor observes the remediated process in real time to verify it functions correctly. | Operational controls (e.g., observing the updated breach notification workflow during a tabletop exercise). |
| Inquiry | The auditor interviews process owners about the remediated control and corroborates statements with independent evidence. | Situations where direct testing is impractical. |
| Analytical procedures | The auditor analyzes post-remediation data to verify the control is producing expected outcomes. | Measurable controls (e.g., analyzing DSAR response times post-remediation to verify improvement). |
A finding may be closed only when ALL of the following are satisfied:
```
New → In Progress → Remediation Complete → Pending Verification → Closed
                                                   ↓
                                           Partial Pass → Re-remediation → Pending Verification
                                                   ↓
                                           Fail → Reopened → Escalation
```
| Trigger | Escalation Level | Action |
|---|---|---|
| Finding overdue 30+ days (Critical) | CPO and CISO | Mandatory management meeting within 5 days |
| Finding overdue 45+ days (High) | Audit Committee | Report to next Audit Committee meeting |
| Finding failed verification twice | DPO and CPO | Root cause review and revised plan required |
| Finding open 12+ months (any severity) | Board Audit Committee | Include in annual audit opinion |
| Repeated finding (same root cause, 3+ occurrences) | Audit Committee | Systemic issue investigation |
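As an added illustration (not code from the skill or the plugin), the following Python models a finding's lifecycle from the diagram above, derives the next follow-up date from the severity table, and evaluates the escalation triggers; the class, field and function names are my own, and `same_root_cause` is supplied by the caller as the number of findings (the finding itself included) sharing one root cause.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# From the severity table (days): initial follow-up, re-test if partial, max extensions.
FOLLOW_UP = {"Critical": (30, 15, 1), "High": (60, 30, 2),
             "Medium": (90, 45, 2), "Low": (180, 90, 3)}  # Advisory: next scheduled audit
# Legal next states per the lifecycle diagram; Pending Verification branches on the verdict.
TRANSITIONS = {"New": {"In Progress"}, "In Progress": {"Remediation Complete"},
               "Remediation Complete": {"Pending Verification"},
               "Pending Verification": {"Closed", "Re-remediation", "Reopened"},
               "Re-remediation": {"Pending Verification"}, "Reopened": {"Escalation"}}
VERDICT_STATE = {"pass": "Closed", "partial": "Re-remediation", "fail": "Reopened"}

@dataclass
class Finding:
    ref: str
    severity: str
    opened: date
    target_date: date
    state: str = "New"
    failed: int = 0  # verification events that returned "fail"

    def move(self, new_state: str) -> str:
        """Apply a lifecycle transition, rejecting any the diagram does not allow."""
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"{self.ref}: {self.state} -> {new_state} is not allowed")
        self.state = new_state
        return self.state

    def verify(self, verdict: str) -> str:
        """Record a verification verdict (pass/partial/fail); returns the new state."""
        self.failed += 1 if verdict == "fail" else 0
        return self.move(VERDICT_STATE[verdict])

    def next_follow_up(self):
        """Next follow-up date; None for Advisory (picked up at the next scheduled audit)."""
        if self.severity not in FOLLOW_UP:
            return None
        initial, retest, _ = FOLLOW_UP[self.severity]
        return self.target_date + timedelta(days=retest if self.state == "Re-remediation" else initial)

def escalations(f: Finding, today: date, same_root_cause: int) -> list:
    """Escalation levels triggered per the trigger table (12 months taken as 365 days)."""
    overdue = (today - f.target_date).days
    checks = [(f.severity == "Critical" and overdue >= 30, "CPO and CISO"),
              (f.severity == "High" and overdue >= 45, "Audit Committee"),
              (f.failed >= 2, "DPO and CPO"),
              ((today - f.opened).days >= 365, "Board Audit Committee"),
              (same_root_cause >= 3, "Audit Committee")]
    return [level for hit, level in checks if hit]
```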
A verification record is produced for each verification event, covering: finding reference, verification method, evidence reviewed, test results, conclusion (pass/partial/fail), and recommended next steps.
A monthly report to the DPO and CPO summarizes: total open findings by severity, overdue findings, findings closed in the period, verification pass rate, aging analysis, and escalation status.
Unremediated findings at year-end are factored into the annual audit opinion. Persistent critical or high findings may result in an "Unsatisfactory" or "Needs Improvement" rating.