Guides privacy audit report writing: executive summaries, findings classification (critical-high-medium-low), root cause analysis, recommendations, management responses, and distribution protocols.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
Privacy audit report writing is the discipline of translating audit fieldwork into a structured, defensible written deliverable that communicates audit objectives, methodology, findings, and recommendations to stakeholders. A well-crafted audit report serves as the primary vehicle for communicating the state of privacy compliance to governance bodies, management, regulators, and data protection...
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
Privacy audit report writing is the discipline of translating audit fieldwork into a structured, defensible written deliverable that communicates audit objectives, methodology, findings, and recommendations to stakeholders. A well-crafted audit report serves as the primary vehicle for communicating the state of privacy compliance to governance bodies, management, regulators, and data protection authorities.
Under GDPR Article 39(1)(b), the Data Protection Officer must monitor compliance including audits, meaning audit reports are a key instrument of DPO oversight. ISO 19011:2018 (Guidelines for auditing management systems) Section 6.6 provides the international standard framework for audit report content and distribution.
| Section | Purpose | Typical Length |
|---|---|---|
| Cover Page | Report identification, classification, distribution list | 1 page |
| Executive Summary | High-level findings, overall opinion, critical issues | 1-2 pages |
| Table of Contents | Navigation aid | 1 page |
| Audit Scope and Objectives | What was audited, boundaries, exclusions | 1-2 pages |
| Methodology | Audit approach, sampling, tools used | 1-2 pages |
| Findings and Observations | Detailed findings with evidence, risk rating, root cause | 5-20 pages |
| Recommendations | Prioritised corrective actions | 2-5 pages |
| Management Response | Auditee agreement/disagreement, action plans, deadlines | 2-5 pages |
| Appendices | Evidence references, sampling details, interview logs | Variable |
| Rating | Definition | Response Timeline |
|---|---|---|
| Critical | Material non-compliance creating immediate risk of regulatory enforcement, data breach, or significant harm to data subjects | Immediate remediation; board notification within 24 hours |
| High | Significant control weakness or non-compliance that could lead to a breach or regulatory action if not addressed | Remediation plan within 14 days; completion within 60 days |
| Medium | Control deficiency that does not currently pose immediate risk but could deteriorate | Remediation within 90 days |
| Low | Opportunity for improvement; minor procedural gap | Remediation within 180 days or next audit cycle |
| Observation | Good practice note or suggestion; not a formal finding | No mandatory action |
Each finding should include:
| Element | Description |
|---|---|
| Finding ID | Unique identifier (e.g., AUDIT-2026-001) |
| Title | Concise descriptive title |
| Condition | What was observed (the current state) |
| Criteria | What was expected (the standard, policy, or regulation) |
| Cause | Root cause analysis (why the gap exists) |
| Effect | Impact or potential impact of the finding |
| Risk Rating | Critical / High / Medium / Low |
| Recommendation | Specific corrective action |
| Management Response | Auditee's response, action plan, responsible owner, deadline |
| Evidence Reference | Document IDs, screenshots, interview notes |
The executive summary must:
| Type | Example | Reference Format |
|---|---|---|
| Documentary | Policy documents, procedures, records | DOC-001: "Data Retention Policy v3.2, dated 15-Jan-2026" |
| Testimonial | Interviews, walkthroughs | INT-001: "Interview with DPO, 10-Mar-2026, 14:00-15:00" |
| Analytical | Data analysis, sampling results | ANA-001: "DSAR response time analysis, Q4 2025" |
| Observational | System screenshots, process observation | OBS-001: "Screenshot of consent banner, captured 12-Mar-2026" |
| Criterion | Standard |
|---|---|
| Accuracy | All findings supported by verified evidence; factual errors corrected before issuance |
| Objectivity | Balanced presentation; positive observations included alongside findings |
| Clarity | Plain language; technical terms defined; avoid jargon |
| Completeness | All scope areas addressed; no material omissions |
| Constructiveness | Recommendations are actionable, specific, and proportionate |
| Timeliness | Draft report issued within 10 business days of fieldwork completion |
| Conciseness | No unnecessary repetition; findings are distinct |
| Classification | Recipients |
|---|---|
| Full Report | Chief Privacy Officer, DPO, Internal Audit Director, auditee management |
| Executive Summary Only | Board Audit Committee, C-suite |
| Redacted Version | External regulators (on request), external auditors |
| Finding-Specific Extracts | Individual finding owners for remediation tracking |
| Regulation | Audit Report Relevance |
|---|---|
| GDPR Article 5(2) | Accountability principle — audit reports demonstrate compliance monitoring |
| GDPR Article 24 | Controller must implement appropriate measures and be able to demonstrate compliance |
| GDPR Article 28(3)(h) | Processor must allow and contribute to audits conducted by the controller |
| GDPR Article 39(1)(b) | DPO must monitor compliance including assignments of responsibilities, awareness-raising, training, and related audits |
| GDPR Article 47(2)(j) | BCRs must include audit mechanisms |
| ISO 27701:2019 Section 5.2 | PIMS-specific audit requirements |
| ISO 19011:2018 Section 6.6 | Preparing and distributing the audit report |