Marcus Belke
CEO of 2B Advice GmbH, driving innovation in privacy compliance and risk management and leading the development of Ailance, the next-generation compliance platform.
Good audit preparation means more than just having complete audit documentation ready to hand over. It requires clear responsibilities, structured evidence and transparent processes. Companies that establish these structures early avoid stress during the audit and strengthen their governance at the same time. In this article you will learn how auditors think, which weaknesses frequently occur in data protection audits and how you can prepare for an audit in a structured manner.
What auditors typically expect
The auditing bodies (supervisory authority, internal audit, external auditor, customer or partner) may differ in tone, but rarely in substance. Auditors are looking for reliable answers to three key questions:
- Does the organization know its processing? „What do we process, why, for how long, with whom, where?“ The VVT (the record of processing activities) is the core evidence here.
- Are the protective measures selected in line with the risk, and are they effective? The TOMs (technical and organizational measures) are not just „on paper“ but have been implemented and checked in a traceable way.
- Are data subjects' rights and the controller's obligations operationalized? Access and erasure, incident management, information obligations and the withdrawal of consent must be defined as real processes with deadlines and responsibilities.
It is also crucial for supervisory authorities that controllers and processors cooperate on request (Art. 31 GDPR). Cooperation behavior can also be relevant for fines, as a criterion in their assessment (Art. 83(2)(f) GDPR).
Test methods that you should realistically plan for
In practice, a mixture of document reviews, structured questionnaires, interviews and spot checks is used. The powers of supervisory authorities to carry out data protection audits and to request information, among other things, are enshrined in law (Art. 58 GDPR).
The BayLDA questionnaire, for example, provides a very „audit-oriented“ perspective: it explicitly asks about data protection governance, the involvement of the data protection officer, the VVT, privacy by design, processors and contracts, information obligations, data subjects' rights, proof of consent and data protection management. It is practically a catalog of expectations.
| Audit method | How auditors recognize maturity | Typical evidence |
|---|---|---|
| Document review („desk audit“) | Consistency: VVT ↔ TOMs ↔ DPIA (DSFA) ↔ contracts ↔ deletion periods ↔ information obligations | VVT, TOM concept/mapping, data processing agreements (AV contracts), deletion concept, DPIA/risk analysis, proof of consent |
| Questionnaire (authority or partner audit) | Ability to answer without „ad hoc invention“; clear responsibilities | Completed questionnaires, evidence index per question (link to the supporting document) |
| Interviews/workshop discussions | Employees know the process, escalation path and deadlines; no contradictory statements | Role matrix, training certificates, process manuals, ticket/workflow examples |
| Samples/walk-through | „Show me“: access requests, erasure, authorization review and incident response are actually workable | 1-3 case files per process (DSAR tickets, deletion runs, authorization review, incident runbook) |
| Technical evidence (demos/logs) | Effectiveness and traceability (e.g. roles/rights, 2FA, backup tests) | Authorization concepts, logs, backup test reports, MFA rollout evidence |
Link tip: GDPR questionnaire of the Bavarian LDA (BayLDA)
Typical test questions and assessment criteria
The following examples are formulated so that they suit audits by authorities as well as customer and certification audits. They reflect typical questions from authorities (e.g. the BayLDA questionnaire) and the guidance of the DSK, the German Data Protection Conference, on VVT, DPIA and data subjects' rights.
| Theme block | Typical test question | Assessment criterion (what „good“ means) | Typical evidence |
|---|---|---|---|
| Governance | „Is data protection a matter for the management, and are responsibilities regulated?“ | Responsibilities are documented and effective in everyday practice | Data protection policy, roles/RACI, DPO involvement concept |
| Processing transparency | „Is there a VVT, and is it complete and up to date?“ | VVT covers the real processing operations, incl. recipients, deletion periods and TOM description | VVT + change process/review log |
| Processors | „Have all processors been recorded, and have data processing agreements under Art. 28 GDPR been concluded?“ | Complete vendor list; AV contracts with the minimum content; control mechanism | Vendor register, AV contracts, TOM check of service providers |
| Rights of data subjects | „Can you answer access requests within the deadline?“ | Process and organization ensure timely, comprehensible responses | DSAR process, sample responses, ticket examples |
| Deletion | „How do you ensure the deletion periods for each type of data?“ | Deletion concept per data type; justified deadlines; documented deletion runs | Deletion concept, deletion logs, exception/blocking rules |
| Risk/DPIA | „For which processes do you carry out a DPIA?“ | DPIA before go-live; decision documented per process; measures derived | DPIA reports, threshold analysis, action plan |
| Consents | „Can you prove consent and enable its withdrawal?“ | Verifiability, information, withdrawal mechanism | Consent register, UI screenshots, logs |
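To make the „Deletion“ row concrete: what auditors sample is not the deletion concept PDF but a deletion run whose log shows, per record, which rule applied, which deadline expired and why a record was nevertheless kept. The following is an added illustration written for this article; it is not code from the article, from 2B Advice or from Ailance. The data categories, retention periods and their justifications are constructed assumptions (not legal advice), and the sample records are invented. The example also handles the two failure modes an auditor asks about, a legal hold that blocks deletion and a record whose category has no rule at all, which is escalated rather than silently deleted or silently kept.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Deletion concept: one rule per data category with a justified period.
# Constructed example values (assumption for this illustration, not statutory advice).
RETENTION_RULES = {
    "applicant_data": {"days": 180, "basis": "rejection plus 6 months (assumed period)"},
    "support_ticket": {"days": 3 * 365, "basis": "contract purpose plus 3 years (assumed period)"},
    "invoice": {"days": 10 * 365, "basis": "statutory retention, 10 years (assumed period)"},
}


@dataclass
class Record:
    record_id: str
    category: str
    retention_start: date      # e.g. rejection date, ticket closure, invoice date
    legal_hold: bool = False   # blocking rule: keep even if the retention period has expired


@dataclass
class DeletionLogEntry:
    run_date: date
    record_id: str
    category: str
    action: str                # "deleted", "retained" or "blocked"
    reason: str                # references the rule, so the log explains itself to an auditor


def classify(record: Record, run_date: date) -> tuple[str, str]:
    """Decide what the deletion run does with one record, and why."""
    rule = RETENTION_RULES.get(record.category)
    if rule is None:
        # No rule means no justified deadline: never delete silently, escalate instead.
        return "blocked", "no retention rule for category; escalate to DPO"
    due = record.retention_start + timedelta(days=rule["days"])
    if run_date < due:
        return "retained", f"retention runs until {due.isoformat()} ({rule['basis']})"
    if record.legal_hold:
        return "blocked", f"retention expired {due.isoformat()} but legal hold is set"
    return "deleted", f"retention expired {due.isoformat()} ({rule['basis']})"


def run_deletion(records: list[Record], run_date: date) -> tuple[list[Record], list[DeletionLogEntry]]:
    """Apply the deletion concept to a batch; returns the surviving records and the log."""
    remaining: list[Record] = []
    log: list[DeletionLogEntry] = []
    for rec in records:
        action, reason = classify(rec, run_date)
        log.append(DeletionLogEntry(run_date, rec.record_id, rec.category, action, reason))
        if action != "deleted":
            remaining.append(rec)
    return remaining, log


def summarize(log: list[DeletionLogEntry]) -> dict[str, int]:
    """Counts per action: the figures a deletion run report would show."""
    counts: dict[str, int] = {}
    for entry in log:
        counts[entry.action] = counts.get(entry.action, 0) + 1
    return counts


# Constructed sample records for a dry run (invented, not real data).
SAMPLE_RECORDS = [
    Record("APP-1", "applicant_data", date(2024, 1, 1)),
    Record("APP-2", "applicant_data", date(2025, 12, 1)),
    Record("INV-1", "invoice", date(2020, 1, 1)),
    Record("INV-2", "invoice", date(2016, 1, 1), legal_hold=True),
    Record("X-1", "unknown_category", date(2020, 1, 1)),
]
SAMPLE_RUN_DATE = date(2026, 3, 1)


if __name__ == "__main__":
    remaining, log = run_deletion(SAMPLE_RECORDS, SAMPLE_RUN_DATE)
    for entry in log:
        print(f"{entry.run_date} {entry.record_id:6} {entry.action:8} {entry.reason}")
    print("summary:", summarize(log))
```

Run as a script, the dry run deletes APP-1, retains APP-2 and INV-1, and blocks INV-2 (legal hold) and X-1 (no rule). The point for the audit is the log line per record: it names the deadline and the rule basis, so a sampled deletion run can be checked against the deletion concept and the VVT without anyone having to explain it from memory.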
Frequent weaknesses in audits
The following weaknesses are not „theoretical errors“ but typical gaps between paper compliance and everyday practice. The examples are deliberately based on official audit questions and good-practice catalogs (e.g. TOM checklists), because auditors ask precisely where implementation is most often incomplete.
Technical defects
A frequent audit finding is not „no TOMs“ but TOMs without evidence of effectiveness: there is a PDF with keywords, but no reliable evidence that the measures have been implemented, tested and selected in line with the risk. The requirement to „regularly test, assess and evaluate“ the effectiveness of the measures (Art. 32(1)(d) GDPR) is explicitly addressed, but it cannot be met in practice without a concrete description of what is reviewed, how, and how often.
Concrete technical examples that are often criticized:
- Weak authentication: no (or inconsistent) use of 2FA in high-risk areas, no lockout after failed login attempts, passwords that are shared or written down, inadequate standards for admin passwords.
- Immature role/rights concept: no role profiles, no regular reviews, „function mailboxes“ and shared accounts without individual accountability.
- Backup/recovery as a blind spot: no written backup concept, no restore tests, no 3-2-1 strategy, backups that ransomware could encrypt because they are neither offline nor immutable, a missing or untested emergency plan.
- Mobile/remote risks: no full-disk encryption, no MDM, insecure app sources, no clear reporting chain for device loss.
Organizational deficiencies
Here, organizations often fail because of responsibilities and control, not because of legal knowledge.
- The DPO/data protection function is involved too late. Projects start and systems go live while data protection is „dragged along“ afterwards. This clashes with the expectation that data protection is taken into account from the outset and whenever processes change (privacy by design, in the logic of the audit questions).
- There is no robust data protection management system, only individual measures that are not brought together in a system structuring implementation, verification and updating. It is precisely this ability to „ensure and demonstrate“ compliance on a risk basis that is at the heart of accountability (Art. 5(2) GDPR).
- Service provider management is formal, but not substantive: AV contracts exist, but there is no complete overview of service providers, no transparency about sub-processors and no recurring review of their technical and organizational measures. Auditors ask precisely for the „overview“ and the „minimum content under Art. 28“.
Avoiding audit stress: before, during and after the audit
Audit stress is rarely caused by individual questions, but mostly by disorganized searches, contradictory statements and an unclear allocation of roles. Avoiding stress is therefore first and foremost a question of organization.
Before the audit
One effective lever is „evidence mapping“: each expected audit request is assigned its evidence in advance („single source of truth“) and a responsible role. This avoids hectic compilation during the audit.
As a minimum standard, you should ensure the following before the appointment:
- Single Point of Contact (SPoC) for inspector communication (prevents parallel chats and divergent statements).
- Clarification of roles: who answers „Policy“, who answers „IT detail“, who answers „HR processes“, who answers „Legal/Contracts“.
- Conduct a mock audit with five to ten key questions (VVT, DSAR, Deletion, AV, TOM, DSFA) as a dry run.
Cooperation and a structured approach are not just „soft skills“: cooperative behavior can be taken into account in supervisory measures and in the assessment of fines.
During the audit
The tried-and-tested communication rule is „answer + evidence + context“:
- Answer: brief, factual and verifiable.
- Evidence: the document must be immediately linkable in the audit folder (not „ask someone to send it“ as the default mode).
- Context: delimit the scope where it does not apply (e.g. „only applies to system X, not to Y“).
For contacts with the authorities, it is also important that controllers and processors cooperate with them on request.
After the audit
The post-audit phase determines whether the audit „becomes expensive“:
- Findings triage (high/medium/low) according to the risk for data subjects and the probability of occurrence, consistent with the risk-based requirements and the DPIA logic.
- An action plan is drawn up with a responsible person, a deadline and a form of verification for each measure. The DSK expressly recommends a coordinated approach and informing the management as the starting point for implementation projects.
- Closure evidence: each measure does not end with „implemented“ but with „demonstrably implemented“ (e.g. screenshot, log, test report).
Audit check at a glance
| Checkpoint | Responsible role | Form of evidence | Priority |
|---|---|---|---|
| Audit scope, systems, locations, period defined | Management / data protection coordination | Audit readme + scope document | High |
| Single Point of Contact (SPoC) + communication rules defined | Data protection coordination | Role sheet + communication plan | High |
| Data protection roles/RACI incl. DPO involvement clear | Management / DPO | RACI, organization chart, involvement process | High |
| VVT complete, up to date, versioned | Process owners + DPO | Master VVT + change log | High |
| VVT contains deletion periods/criteria per data category | Process owner | VVT fields + references to the deletion concept | High |
| VVT contains TOM references / general TOM description | IT security + DPO | VVT entry + TOM document link | High |
| TOM evidence: risk→measure mapping available | IT security + DPO | TOM matrix/mapping | High |
| Authentication: password policy + 2FA for high-risk areas | IT security | Policy + system settings/reports | High |
| Roles/rights concept documented and reviewed | IT security / IT ops | Role model + review log | High |
| Written backup concept + restore tests | IT ops / BCM | Backup concept + test reports | High |
| Emergency/BCM plan in place and exercised | BCM / IT ops | Emergency plan + exercise reports | Medium |
| Vendor register complete (all processors) | Purchasing/vendor management + DPO | Service provider list | High |
| Data processing agreements with the Art. 28 minimum content for all processors | Legal + DPO | AV contracts + annexes | High |
| Sub-processor transparency + approval process | Vendor management + Legal | Sub-processor list + approvals | Medium |
| Mandatory information texts (Art. 13/14) per core process | Legal/Marketing + DPO | Privacy notices + versioning | High |
| DSAR process (intake, identity check, data search, response) | Customer service / DPO | Process description + ticket examples | High |
| Access request deadlines / deadline monitoring operationalized | DPO / departments | Deadline SLA + workflow | High |
| Deletion concept per data type (purpose, duration, requirements) | Records management / DPO | Deletion concept | High |
| Deletion runs verifiable (logs/reports) | IT ops / specialist departments | Deletion logs | High |
| Procedure for erasure requests under Art. 17 | DPO / service | Process + case file | High |
| Threshold analysis: DPIA yes/no per high-risk process | DPO + process owner | Threshold analysis document | High |
| DPIA carried out before go-live (where required) | DPO + project management | DPIA report + action plan | High |
| Proof of consent + withdrawal mechanism | Marketing/Product + DPO | Consent register + logs/UI evidence | High |
| Training/awareness (phishing, data transfers) | HR + IT security | Training plan + attendance records | Medium |
| Request log for the audit (questions, answers, supporting documents, deadlines) | Audit SPoC | Audit log (e.g. table/ticket) | High |
| Action plan after the audit (owner, date, document) | Management / DPO | Action plan + proof of closure | High |
Audit-ready with 2B Advice and Ailance
Audit readiness does not arise only when an audit is announced. It is the result of clear structures, transparent processes and traceable evidence in data protection.
Companies that organize data protection strategically benefit twice over: they pass audits more confidently and at the same time strengthen their governance and the trust of customers and partners.
If you want to know how well your company is prepared for a data protection audit, it is worth taking a structured look at your own processes.
Find out more about our solutions for data protection and compliance management with Ailance and get in touch with our experts.
Marcus Belke is CEO of 2B Advice as well as a lawyer and IT expert for data protection and digital Compliance. He writes regularly about AI governance, GDPR compliance and risk management. You can find out more about him on his Author profile page.