Guides privacy audit sampling methodology with statistical/non-statistical methods, sample size calculation, stratification, attribute sampling for compliance testing, confidence levels, tolerable rates, and result extrapolation.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
Audit sampling is the application of audit procedures to less than 100% of items within a population to form a conclusion about the entire population. In privacy auditing, sampling is used to test compliance of processing activities, DSAR responses, consent records, vendor contracts, and other privacy controls without examining every individual record.
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
Audit sampling is the application of audit procedures to less than 100% of items within a population to form a conclusion about the entire population. In privacy auditing, sampling is used to test compliance of processing activities, DSAR responses, consent records, vendor contracts, and other privacy controls without examining every individual record.
ISA 530 (International Standard on Auditing — Audit Sampling) and IIA Practice Advisory 2320-3 (Audit Sampling) provide the authoritative frameworks. For privacy audits, sampling must account for the heightened regulatory scrutiny of personal data processing and the potential for significant harm from individual non-compliant records.
| Approach | Description | When to Use |
|---|---|---|
| Statistical Sampling | Uses probability theory to select samples and evaluate results; allows quantification of sampling risk | When audit conclusions must be defensible to regulators; large populations; need to extrapolate results |
| Non-Statistical (Judgemental) Sampling | Auditor uses professional judgement to select items | Small populations; targeted testing of known risk areas; supplementary to statistical sampling |
Used to estimate the rate of deviation (non-compliance) in a population.
| Parameter | Description | Typical Privacy Audit Values |
|---|---|---|
| Population Size | Total items in the auditable population | e.g., 1,000 DSARs, 500 vendor contracts |
| Confidence Level | Probability that sample results reflect the population | 90% (standard); 95% (regulatory-facing) |
| Tolerable Deviation Rate | Maximum acceptable non-compliance rate | 5% (standard); 2% (critical controls) |
| Expected Deviation Rate | Estimated actual non-compliance rate | Based on prior audits or risk assessment |
| Sample Size | Number of items to test | Calculated from above parameters |
| Population | 90% Confidence / 5% Tolerable | 95% Confidence / 5% Tolerable | 95% Confidence / 2% Tolerable |
|---|---|---|---|
| 100 | 38 | 45 | 64 |
| 250 | 42 | 50 | 100 |
| 500 | 44 | 54 | 131 |
| 1,000 | 45 | 57 | 154 |
| 5,000 | 46 | 59 | 176 |
| 10,000+ | 46 | 59 | 181 |
Divides the population into subgroups (strata) and samples proportionally or disproportionately from each.
| Stratification Factor | Example Strata | Rationale |
|---|---|---|
| Business Unit | EU, US, APAC | Different regulatory requirements per jurisdiction |
| Data Sensitivity | Standard, sensitive, special category | Higher-risk data categories warrant more testing |
| Processing Purpose | Marketing, HR, customer service | Different compliance requirements per purpose |
| Time Period | Q1, Q2, Q3, Q4 | Detect seasonal patterns or deterioration |
| Vendor Tier | Tier 1 (high volume), Tier 2, Tier 3 | Focus sampling on highest-risk vendors |
| Method | Description | Application |
|---|---|---|
| Haphazard Selection | Items selected without structured method but avoiding bias | Quick preliminary testing |
| Block Selection | All items in a specific period or location | Testing a specific time window (e.g., all DSARs in March) |
| Judgemental Selection | Auditor selects items based on risk factors | Targeting high-value items, known exceptions, or anomalies |
| Consideration | Guidance |
|---|---|
| Individual harm threshold | Even a single non-compliant record can cause significant harm; auditors must not dismiss isolated findings |
| Regulatory expectations | Supervisory authorities may expect higher confidence levels for critical controls (breach notification, consent) |
| Special category data | Apply lower tolerable deviation rates (2%) for processing involving special category data under Article 9 |
| Automated processing | For fully automated processes, increase sample to verify algorithmic consistency across edge cases |
| Cross-border transfers | Stratify by destination country to verify adequacy/safeguard mechanism for each transfer route |
| Scenario | Sample Deviation Rate | Conclusion |
|---|---|---|
| Rate below tolerable deviation | e.g., 2% observed vs 5% tolerable | Population likely compliant; no material finding |
| Rate equals tolerable deviation | e.g., 5% observed vs 5% tolerable | Borderline; consider expanding sample or raising as medium finding |
| Rate exceeds tolerable deviation | e.g., 12% observed vs 5% tolerable | Material non-compliance; formal finding required |
| Zero deviations found | 0% observed | Strong evidence of compliance (but does not guarantee 100%) |
When sample results show deviations, the auditor must project findings to the full population:
| Element | Calculation |
|---|---|
| Point estimate | (Deviations found / Sample size) × Population size |
| Upper deviation limit | Calculated using statistical tables at the selected confidence level |
| Projected monetary impact | Point estimate × average impact per deviation |