An audit is always a “snapshot” concept. The auditor gathers his observations and, as on the date of his certificate, adds his disclaimer that, to the best of his knowledge, in good faith and based on the evidence provided, he certifies that the organization is compliant. The certification sponsors do their best to properly accredit auditors through training and to instil a culture of responsibility and ethics, so that audits are meaningful.
However, industry practitioners know that some accredited auditors take their work lightly and issue certificates without proper assessment.
The auditor escapes responsibility because, the moment the audit is over, it is entirely the organization's responsibility to maintain the controls suggested and noted during the audit. While it is understandable that the auditor cannot take on more responsibility on an ongoing basis, from the CEO's point of view an audit often feels like a money-making game with no real value to the organization. Organizations still go through audit certifications because customers feel more assured, and asking for certifications has become a ritual.
We need to change this perception of auditors and of the audit system. Audit is not a money-making tool. It should be an instrument of change in an organization.
Naavi therefore suggests what could be a revolutionary concept in IS audits through the PDPSI (Personal Data Protection Standard of India) framework that is being developed through FDPPI (Foundation of Data Protection Professionals in India).
FDPPI has envisaged the engagement of PDPSI in two modes, namely “Consultancy” mode and “Audit” mode. In the consultancy mode, a PDPSI consultant works with an organization to conduct a risk assessment and develop a gap analysis report. The PDPSI comes with a table of “Model Implementation Specifications” (MIS), which can be the basis on which the gap report emerges. But the organization may decide that it has a certain level of “Risk Appetite”, that not all controls in the MIS are relevant to it, and that it would like to implement only a truncated version of the MIS.
This truncated version is referred to as the “Adopted Implementation Specification” (AIS) and is like the “Statement of Applicability” (SOA). The AIS is supported by a “Variance Justification Document” (VJD), which documents why the organization thinks a suggested MIS control is not relevant or needs modification. This concept is similar to the HIPAA Security Rule's concept of “addressable implementation specifications”.
The PDPSI consultant will work with the organization until this AIS, with its VJD, is signed off by top management. This AIS will then be the “Implementation Charter” for the DPO. If the implementation charter is faulty, the responsibility lies with the management. The DPO's role is to understand and implement the AIS in good faith.
The PDPSI auditor, when he enters the scene, will ask for the AIS. If it is not available, the auditor will conduct his own risk assessment, develop a gap report and submit it as the first deliverable. He will then wait for the management either to give a go-ahead for the gap report as presented, which means that the AIS becomes identical to the MIS, or to come up with its own VJD and fine-tune the MIS into its approved AIS, which becomes the implementation boundary the company sets for itself.
The company may take the stand that it is only interested in the AIS as adopted, and the auditor can check whether it has been implemented properly.
The PDPSI auditor therefore looks at the AIS item by item, calls for evidence and decides whether each AIS item has been implemented “Satisfactorily” or “Not”. This is a binary decision, and for an organization the report has to be 100% satisfactory. Where there is a “Not satisfactory” remark, the organization can justify its non-compliance through a new VJD. The auditor will go with the company's decision and close his audit.
However, every PDPSI audit also involves a DTS (Data Trust Score) assessment, and in this document the auditor expresses his own view on how good the implementation is with reference to the MIS. If an organization has been callous and truncated the MIS to an unjustifiable AIS, it will suffer a low DTS. The auditor need not fight with the organization or be forced to issue a “Satisfactory” report when he is really not satisfied. In effect, in this system the auditor's report only says “I am satisfied that the Company is in satisfactory compliance with whatever AIS has been adopted”. The DTS expresses the auditor's real assessment; it is provided to the auditee, and it is open to the auditee to keep it to itself and not disclose it.
The DTS, however, is reported by the auditor to FDPPI, and hence it is recorded and cannot be manipulated subsequently.
The PDPSI system envisages that at the closure of the audit, the auditee will send an “Audit Closure Feedback” to FDPPI. If the auditee has serious reservations about the DTS, they can be sent in this feedback, so that the organization has been given an opportunity to object to any DTS element.
After this, FDPPI would allocate a mentor for the completed PDPSI audit as an optional service, so that the organization's DPO can check with the mentor on a quarterly basis whether some action needs to be taken. For this purpose the DPO may discuss any significant “Incident” in confidence and get feedback on whether he needs to investigate further.
This “mentoring” service ensures that FDPPI continues to be engaged with the client and does not drop it like a hot brick once the audit is closed and payments are settled.
The role of a “Mentor” is, however, limited and narrower than the role of the “PDPSI Consultant”. Also, the Mentor will not be the same person as the auditor. He can, however, be a consultant if required. The Mentor will provide quick feedback in crisis situations, like an “Emergency Consultancy” service, so that the DPO has a friend to consult in times of need. He will be a “Friend of the DPO”.
The auditor and the mentor would be offering their services under FDPPI disclaimers. The consultant is engaged by the company on a contractual basis.
PDPSI is a pioneering system and its SOPs are under development, but the end objective is clear: PDPSI is meant to support the data protection ecosystem on a continuing basis and is not meant to be merely a money-scooping activity.
FDPPI will develop a “Data Protection Emergency Team” (DPERT), a pool of mentors from whom the service would be provided. Only FDPPI-certified consultants/auditors would constitute this DPERT.
We are aware that in a sceptical world, the intentions of FDPPI will have to go through a process of testing and trust-building. The FDPPI team is working towards earning the trust of organizations, and we welcome the views and suggestions of experts.