# Five Audit Characterizations There are five characterizations typically found within an audit report. 1. Condition 1. A statement describing the current state of the audited control. 2. Criteria 1. Standards used to measure the activty/performance of an audited control. 3. Cause 1. The explaination for variance between condition and criteria. 4. Effect 1. This is the impact of the variance between condition and criteria. 5. Recommendation 1. The action needed to correct the cause. ## Privacy Impact Assessment (PIA) A tool used to identify, assess, and mitigate potential privacy risks. PIA are necessary/required by the E-governement Act of 2002. The PIA planning process typically involves the following steps - 1. Conduct a privacy threshhold analysis (PTA). 2. Plan for the PIA. 3. Define the aim and the scope of the PIA. 4. Consult with the identified stakeholders. 5. Map information flows. 6. Conduct the PIA. 7. Identify strategies to address privacy risks. 8. Report the PIA. 9. Review and respond to the PIA. To gauge whether a PIA is necessary for an organization, a Privacy Threshold Analysis (PTA) can be conducted. The following questions can be asked to determine if a PIA is applicable - 1. What information in regard to individuals is collected, generated, and retained. 2. Does the system operate under specific or general legal authority. 3. Has a PIA ever been conducted for the system.