How to Handle Regulatory Audits During a Project
If your organisation is subject to a regulatory audit while a project is in progress, it is important to know how to respond and how we support you. Audits can come from the ICO, FCA, CQC, NHS Digital, or sector-specific regulators.
What Auditors May Ask For
Auditors commonly request:
- Data flow diagrams showing where personal data is processed and stored
- Evidence of Data Processing Agreements (DPAs) with suppliers including Progressive Robot
- Security assessment results (penetration tests, vulnerability scans)
- Incident and breach logs
- Access control policies and audit trails
- Evidence of staff training and GDPR awareness
How We Support You
- Documentation: We maintain technical documentation for your systems that can be provided to auditors as evidence of sound engineering practice
- DPA / subprocessor agreements: We provide signed Data Processing Agreements and the processor details you need to list us in your Record of Processing Activities (RoPA)
- Security evidence: We can provide penetration test reports, security review summaries, and access control documentation
- Incident records: We maintain logs of any incidents affecting your systems, how they were handled, and how they were resolved
- Expert witness: In formal regulatory proceedings, we can provide written statements or expert opinions on technical matters
What to Do When an Audit Is Announced
- Notify your Account Manager as soon as the audit is announced
- Request the documentation you need through your Project Manager
- Allow 5 business days for us to compile comprehensive documentation (emergency requests may be accommodated faster)