In the context of conducting audits of legal or regulatory management systems of any kind, it is vitally important to consider the compliance controls that have been previously identified to mitigate the risks detected in the entity.
In this article, we will use Personal Data Protection and Criminal Compliance as examples of management systems.
Audit in Data Protection Systems and Criminal Compliance
As an illustrative, non-exhaustive example, we will look at some of these controls: those implemented to mitigate the risks associated with the processing of personal data, and those aimed at mitigating the risk of criminal offenses that have previously been identified as potentially occurring within an organization.
Many of these controls apply to both regulations, especially those related to the crime of discovery and disclosure of secrets (Art. 197 of the Criminal Code): "Whoever, in order to discover the secrets or violate the privacy of another, without their consent, seizes their papers, letters, email messages or any other personal documents or effects, intercepts their telecommunications or uses technical devices for listening, transmission, recording or reproduction of sound or image, or any other communication signal, will be punished with imprisonment from one to four years and a fine of twelve to twenty-four months." This overlap exists because, in most cases, the criminal conduct involves the disclosure of information containing personal data.
Effective Compliance Controls in Auditing
In this context, we could identify the following as effective controls:
- Employee onboarding/offboarding/modification procedure. A procedure for keeping an employee's access to information up to date, both when they join the company and when they leave it, as well as when their role changes.
- Physical access controls to facilities and files. Here we refer to maintaining a controlled access system, using keys, cards, or biometric data, that prevents any employee or external person present on the premises from accessing all of the entity's information.
- Signing of the confidentiality commitment by all workers. In line with the above, it is important that all workers commit to acting with maximum confidentiality and diligence regarding the information they handle in their job position.
- Digitization of physical documentation. This control is aimed at maintaining a duplicate archive of physical documentation so that its custody is ensured in digital format.
- Employee training. Beyond the training mandated by law, such as Occupational Risk Prevention, staff need to know the minimum notions and action guidelines related to Data Protection and, where a Criminal Risk Management System has been implemented, those related to Criminal Compliance.
- Information encryption and deletion. On the one hand, this consists of encrypting information so that it is protected against any security breach from the time it is sent until it reaches the final recipient. On the other hand, and following the stipulations of the European General Data Protection Regulation, it consists of deleting all information that is dispensable and no longer necessary for the purposes for which it was originally collected, thus preventing it from coming to light illicitly.
Evidence of Controls
When conducting an audit of either of the two regulations mentioned, evidence of the controls we have seen previously will be requested. This evidence must be shown to the audit team clearly and precisely, as well as being up to date. There must be proof that the applied controls are effective in mitigating the risk for which they were chosen. Failure to present the evidence requested by the audit team will result in a series of “Non-Conformities” or “Qualifications” in the “Audit Report” that will mean a negative result for the organization.
At GlobalSuite Solutions, we have the GlobalSuite® software, entirely developed by our team, which allows the implementation, management, and maintenance of all the requirements demanded by management system standards in all types of organizations and sectors. Having software that helps automate the management of such a system brings multiple benefits to your company when implementing the system in your organization. Additionally, we offer the necessary help and advice for implementing a Criminal Compliance or Data Protection service.