Setting up and completing the internal audit
This document shows you how to set up and run an internal audit to review your GDPR compliance.
The Internal Audit is made up of two question sets: the Personal Questions and the Organisation Questions.
Personal Questions are answered by each member of staff and cover their own knowledge of data protection.
Organisation Questions are typically answered by DP Staff users only. They cover the school as a whole rather than individual responses.
Information from the audit such as user responses to questions can be found in the following reports in the Reports section:
Users and Staff Reviews: Shows how many questions each user has answered from each section.
Staff Data Protection Self-Assessment: Shows each question which a user has answered and their response.
All SAQ Responses: The responses to the Organisation Questions only, as answered by the DP Staff users.
Internal Audit Settings
Internal Audit Components
Click on Internal Audit Settings via the Audits area on the navigation pane.
There are three audits which you can schedule independently. This guide covers the Organisation Questions and the Personal Questions.
The Organisation Questions and the Personal Questions
The Organisation Questions address the ICO’s Accountability Framework. They can be answered by any DP Staff user, and saved responses are visible to all other DP Staff users.
The Personal Questions are answered by all of your users within the GDPRiS portal. They cover what your staff do and do not know about data protection and your school’s relevant processes and procedures.
Setting a Reminder to Start an Internal Audit
Before an Internal Audit is started, you can click the bell icon to set a reminder in the GDPRiS portal for the date on which you expect to start the Internal Audit for that section.
A popup window appears where you can enter a description for the audit you are setting the reminder for and choose the date on which you want the audit to start.
Once you are happy with your changes, click Okay.
Start an Internal Audit
When you wish to start one of your Internal Audit sections, click the icon to the right-hand side of the relevant audit.
A popup window appears where you can enter a description and set the end date.
Note: The End Date will only allow you to go as far as 3 months from the Start date.
Once you are happy with the changes you have made, click Okay to save your changes and to start your Internal Audit for the relevant section.
Organisation Questions
The Organisation Questions can be answered by any DP Staff user. They are answered on behalf of the school as a whole: they cover your school’s processes and procedures, and whether your school can provide evidence to back up the answers you give.
To start answering your Internal Audit questions, click on Audits in the navigation menu on the left-hand side of the page and choose Internal Audit.
Choose Organisation Questions from the available audits in the drop-down box.
Note: When a DP Staff user answers any question in the sections shown in the previous screenshot, the answer is visible to every DP Staff user. Any DP Staff user can answer a question, or edit an existing answer, as long as the question section has not been saved as complete.
Personal Questions
The School Personal Questions are answered by each user within the GDPRiS portal. They are designed to show what your users do and do not know about data protection and your school’s processes and procedures.
To start answering your Internal Audit questions, click on Audits in the navigation menu on the left-hand side of the page and choose Internal Audit.
Select the School Personal Questions from the available audits in the drop-down box.
Use Expand All or Collapse All to show or hide the question sections.
Answering Questions
Personal Questions
All the questions follow the same format. See this example.
Each question has a multiple-choice answer selection and, when you click on the question, a free text box where you can add to your answer.
Use Save if you need to leave the page or continue later.
Once you have completed this section, click Complete and Lock.
Note: Once you have clicked Complete and Lock, you will not be able to either add to or amend your existing answers.
Organisation Questions
GDPRiS holds the ICO’s Accountability Framework as a set of questions that organisations can use to measure their compliance with the ICO’s expectations for their data protection regime.
Schools do this in GDPRiS by setting up an Organisation Audit.
Any DP Staff user can access and respond to the questions. The latest set of responses is always the one reported on in dashboards and reports.
The questions and the sub-headings in the expanded view follow the ICO Accountability Framework as you can see here:
If you are not yet familiar with the Accountability Framework, you can answer only the top-level questions; the answers in the expanded view are then populated automatically. This is sufficient at this stage and shows that you are considering accountability.
Once you are more familiar with the ICO’s expectations for your data protection and run another audit, you can complete the sub-headings, and the multiple-choice answers can then be set individually.
All the questions follow the same format. See this example.
Each question has a hint and a multiple-choice answer selection. When you click on the question you will see its sub-sections, and if you click on More details you can add to your answer.
The responses that can be given to each question are as follows:
Each of these responses counts differently towards the overall compliance result:
- Not started – this counts as 0%, as does a non-response
- Partly – this counts as 20%
- Achieved – this counts as 80%
- Achieved Evidenced – this counts as 100%
- Not applicable – the question is taken out of the calculation completely. It does not count towards the compliance rating.
*You will see the compliance percentages on your organisation dashboard on the Organisation Audit Tile*
The screenshot below shows:
- Leadership & Oversight – 100% of all questions were answered, and all as Achieved Evidenced (100%)
- Training & Awareness – 100% of all questions were answered, but not many scored more than a Partly.
- Policies & Procedure – just over half of the questions were answered, and because the compliance bar lags well behind the completed bar we can tell that the responses tended to be less than Achieved.
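The scoring described above, as an added Python example (this is not GDPRiS code and does not reflect how the portal is implemented): it computes the completed and compliance figures for the three sections described in the screenshot from constructed sample responses with placeholder question labels, so you can check a dashboard tile by hand. The guide does not say how Not applicable is treated by the completed bar; treating it as answered is an assumption in this example, as is showing 0% for a section where every question is Not applicable.

```python
"""Completed and compliance figures for an Organisation Audit section.

Added example, not GDPRiS code. Reproduces the response weights given in the
guide; anything marked "assumption" is not stated there.
"""
from typing import Dict, Optional

# Weight each response carries towards the compliance result (from the guide).
# A missing response (None) is treated like "Not started" and scores 0.
RESPONSE_WEIGHTS: Dict[str, float] = {
    "Not started": 0.0,
    "Partly": 0.2,
    "Achieved": 0.8,
    "Achieved Evidenced": 1.0,
}
NOT_APPLICABLE = "Not applicable"

# Responses keyed by question label; None means the question has no response yet.
Responses = Dict[str, Optional[str]]


def _check(response: Optional[str]) -> None:
    """Reject any value that is not one of the five responses or blank."""
    if response is None or response == NOT_APPLICABLE:
        return
    if response not in RESPONSE_WEIGHTS:
        raise ValueError(f"unknown response: {response!r}")


def compliance_percent(responses: Responses) -> float:
    """Weighted score over applicable questions, rounded to one decimal place.

    "Not applicable" questions are removed from the denominator entirely.
    Unanswered questions stay in it and contribute 0, so a blank drags the
    figure down in exactly the same way as "Not started".
    """
    for r in responses.values():
        _check(r)
    applicable = [r for r in responses.values() if r != NOT_APPLICABLE]
    if not applicable:
        return 0.0  # assumption: a section with no applicable questions shows 0%
    total = sum(RESPONSE_WEIGHTS[r or "Not started"] for r in applicable)
    return round(100.0 * total / len(applicable), 1)


def completed_percent(responses: Responses) -> float:
    """Share of questions with any response other than blank or "Not started".

    Assumption: "Not applicable" counts as answered for the completed bar even
    though it is excluded from the compliance bar.
    """
    if not responses:
        return 0.0
    answered = [r for r in responses.values() if r is not None and r != "Not started"]
    return round(100.0 * len(answered) / len(responses), 1)


def dashboard(sections: Dict[str, Responses]) -> Dict[str, Dict[str, float]]:
    """Completed and compliance figures per section, as on the Organisation Audit tile."""
    return {
        name: {"completed": completed_percent(r), "compliance": compliance_percent(r)}
        for name, r in sections.items()
    }


# Constructed sample data mirroring the three sections described in the guide.
# Question labels are placeholders, not the ICO framework's wording.
SECTIONS: Dict[str, Responses] = {
    "Leadership & Oversight": {f"LO{i}": "Achieved Evidenced" for i in range(1, 6)},
    "Training & Awareness": {
        "TA1": "Partly", "TA2": "Partly", "TA3": "Partly", "TA4": "Partly", "TA5": "Achieved",
    },
    "Policies & Procedure": {
        "PP1": "Partly", "PP2": "Partly", "PP3": "Achieved", "PP4": NOT_APPLICABLE,
        "PP5": None, "PP6": None, "PP7": "Not started",
    },
}

if __name__ == "__main__":
    for name, figures in dashboard(SECTIONS).items():
        print(f"{name:24s} completed {figures['completed']:5.1f}%  "
              f"compliance {figures['compliance']:5.1f}%")
```

Running the block prints 100%/100% for Leadership & Oversight, 100% completed but only 32% compliance for Training & Awareness, and 57.1% completed against 20% compliance for Policies & Procedure: the last pair is the "compliance bar lagging well behind the completed bar" pattern the screenshot description refers to. Note that the three blank or Not started questions in that section pull the compliance figure down while the Not applicable one does not.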
Edit Internal Audit
When you started your Internal Audit section you set an End Date. If the end date has passed but part of your audit is still incomplete, you can extend the current audit.
In the Internal Audit Settings section, click on the pencil icon next to the relevant section.
A popup window appears where you can select a new end date. Type in a reason for extending the audit period, as this is recorded in the history of the audit.
Note: The audit period can only be extended as far as 3 months from its original start date.
Once you have made your changes, click “Okay” to save.
Lock Internal Audit
If you are confident that all of the relevant sections have been completed as part of the audit you have run through, you can lock the audit so that no more changes can be made.
Click the icon next to the relevant audit section in the Internal Audit Settings section.
A popup window will appear.
If you are sure that you want to lock the audit section, click Okay. If not, click Cancel, then go back and review all parts of the audit to make sure all relevant sections are complete.
Close Internal Audit
When an audit section has been locked, the next stage of the process is to close it.
Click on the X icon next to the relevant audit section in the Internal Audit Settings section.
A popup window appears where you can select when you want to run the same audit section again and add notes about closing the audit.
Once you are happy with your changes, click Close.
Internal Audit History
Click on Internal Audit History via the Audits area on the navigation pane to see the information on current and historical audits.
Reports
In the Reports section you can track which users have started their Internal Audit and review the answers your staff have given. Reviewing these reports shows you where your areas for improvement are.
Please review the following reports for results from the Internal Audit:
Users and Staff Reviews
Staff Data Protection Self-Assessment
All SAQ Responses