Part of Strengthening assurance – independent assessment and audit guide
Appendices
Appendix A - Glossary of terms
Audit/assessment - systematic, independent and documented process for obtaining audit/assessment evidence and evaluating it objectively to determine the extent to which the audit/assessment criteria are fulfilled. An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining 2 or more disciplines). An internal audit is conducted by the organisation itself (provided they can evidence independence and separation of duties, such as an internal audit office), or by an external party on its behalf.
Audit/assessment scope - extent and boundaries of an audit/assessment.
Control - measure that is modifying risk. Controls include any process, policy, device, practice, or other actions which modify risk. It is possible that controls do not always exert the intended or assumed modifying effect.
Documented evidence - information required to be controlled and maintained by an organisation and the medium on which it is contained.
CAF-aligned DSPT - Cyber Assessment Framework-aligned Data Security and Protection Toolkit.
CAF-aligned DSPT independent assessment providers - organisations who are commissioned directly by health and social care organisations to complete a CAF-aligned DSPT assessment or review.
Effectiveness - extent to which planned activities are realised and planned results achieved.
UK General Data Protection Regulation (GDPR) - the General Data Protection Regulation, GDPR, is an EU regulation on data protection and privacy, which is retained in UK domestic law as the UK GDPR. The UK GDPR controls how personal information is used by organisations, businesses or the government, and sits alongside the Data Protection Act 2018.
Personal data - protected under Data Protection legislation/UK GDPR, personal data is data relating to an identified or identifiable natural person.
Terms of Reference (ToR) - used to define the scope of an audit, the Terms of Reference (ToR) should establish the focus and objectives of the audit, the audit timetable (including reporting), and a summary of staff to be engaged in the work, along with the audit tools and techniques that will be used. The ToR should be agreed prior to the audit starting.
Statement of Work (SoW) - a statement of work, SoW, often serves the same purpose as a terms of reference.
Last edited: 22 January 2025 7:54 am