The audit community (eg ISO 27001 audit) generally conducts an audit as a snapshot at a point of time and issue a certificate that the subject entity is compliant. The the certificate would be normally valid for a 3 year period with a clause that the entity should maintain the compliance check through internal audits at periodical intervals. Most auditors also add that in case of any significant change in the operations, the audit should be repeated. As a result, the responsibility for the maintenance of controls after the audit vests with the organization.
The internal audit team of an organization normally maintains a schedule of audit such as quarterly audit or half yearly audit depending on its own risk perceptions. This “Intermittent Audit” is like the Financial Reporting on quarterly basis through Balance Sheets drawn once in a quarter.
In some industries the system of “Continuous Audit” is in vogue where the maintenance checks are conducted at more frequent intervals and observations are made on critical parameters on transaction to transaction basis. In such a system each transaction is filtered through an audit check before being recorded. For example in the case of a Financial Audit, each voucher may be checked for appropriate permissions and authority and on clearance taken on record. In simple decision making environment this can be automated to the extent the audit becomes almost a “Continuous Audit”.
However in the Techno Legal Audits such as GDPR or ITA 2000 or DPDPB audits, the filters involve some legal interpretations which need human intervention more often than in the case of simple financial decisions. In the case of Personal data protection, a “Transaction” may mean collection of a personal data set, or accumulation of identifiers. Some times new processes and disclosure also may be transactions where personal data is processed as a transaction.
Despite the emergence of AI tools, it is difficult to fully automate the Personal Data related transaction verification on a continuous transaction by transaction basis. The effort would therefore be to reduce the intermittent audit period from around 3 months to a lesser duration of say one month or more ideally one day. Such auditing may require some affirmative action by a human and cannot be entirely relied upon on an automated system.
How this “compression” of audit period can be achieved is a complex decision and may also depend on the risk perceptions in the entity. Further in the enterprise level legal compliance, compliance can be measured only in totality of the operations and not on individual transactions. Hence it would be necessary to have an index of compliance as a barometer to be watched. Hence Concurrent Audit in the Techno Legal scenario cannot be done without first developing the measurement index of compliance and tracking its changes.
The DTS system developed by Ujvala Consultants is used by the Ujvala Concurrent Audit system with the use of an online mechanism already developed. Some finer details of how to tag the monitoring of changes to certain parameters of change is being finalized and will shortly be announced as an automated online system for Certification.
The Concurrent DTS evaluation of Ujvala will follow the steps of “Self Assessment”, “Mentor Assisted Self Assessment”, “Summary Assessment based on documentary evidence” . Subsequently the Certification can be passed onto a qualified auditor who is accredited by a suitable organization such as FDPPI.
Watch out for the launching of the “Personal Data Certification” system based on Concurrent audit shortly.