Audit and Certification Process
Schellman provides audit and certification services in full accordance with all relevant standards. Our audit and certification process is provided to prospective clients and addresses each major stage of the audit and certification processes. Prospective clients are also informe
APEC Certification Overview
The Asia-Pacific member economies developed a privacy framework as a volunteer system that outlines standards relating to personal information protection as the data moves across borders. Controllers that volunteer in the program are assessed by an Accountability Agent against the Cross Border Privacy Rules (CBPR) and if compliant, receive a certification. Processors are assessed against the Privacy Recognition for Processors and would also receive a certification if compliant with the program.
As an APEC Accountability Agent, Schellman’s APEC Privacy Certification program evaluates a United States-based organization’s privacy practices against the certification minimum requirements included below. These certification standards follow APEC’s Privacy Recognition for Processors (PRP) Program Requirements.
The Schellman certification seal is a service mark of Schellman. The Schellman certification seal may not be used in connection with any product or service that was not within the scope of the CBPR certification review, or in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Schellman. The certification seal should be used only upon the granting or extending of a CBPR certification.
Initial Certification Assessment
During the initial assessment of a new client or a reassessment of an existing client, Schellman will perform a formal review to help ensure that engaging the client does not create a conflict of interest. Upon agreement of the scope and timing between the client and Schellman, a job arrangement letter (JAL) will be documented to address the contractual agreements between the client and Schellman pertaining to the certification services.
The planning phase occurs in advance of the project execution phase, at least one month prior to project execution. The planning phase includes providing the CBPR Intake Questionnaire, discussions with the client regarding timing of execution, scope details, required documentation collection to be provided to Schellman, and various other planning documents as required.
Project execution, also known as fieldwork, includes various testing procedures performed, both onsite and remote, to evidence the certification minimum requirements included below. The testing procedures may include one or more of the following:
- Inquiry of relevant personnel with the requisite knowledge and experience regarding the performance and application of the related requirement. This includes in-person interviews, telephone calls, e-mails, web-based conferences, or a combination of the preceding.
- Observation of the relevant processes or procedures during fieldwork that includes, but is not limited to, witnessing the performance of controls or evidence of control performance with relevant personnel, systems, or locations relevant to the performance of control policies and procedures.
- Inspection of the relevant audit records that includes, but is not limited to, policies, documents, system configurations and settings, or the existence of sampling attributes, such as signatures, approvals, or logged events. In some cases, inspection testing may involve tracing events forward to consequent system documentation or processes (e.g. resolution, detailed documentation, alarms, etc.) or backwards for prerequisite events (e.g. approvals, authorizations, etc.).
During project execution, and/or at the completion of execution, Schellman will notify the client of any areas that are not compliant. Post project execution, Schellman will provide the client with a report outlining the compliant areas and, if applicable, the non-compliant areas. Non-compliant areas must be remediated within the timeframe provided by Schellman. Once remediated, the client must provide Schellman with sufficient evidence of the remediation. The minimum program requirements must be compliant prior to granting certification.
Ongoing Monitoring and Compliance Review
Participants are monitored throughout the certification period to ensure compliance with the program. The monitoring activities may include periodic reviews of the Participant’s privacy notice for updates or modifications, or investigations into any disputes received by Schellman. It may also include a review of any matters disclosed on the Participant’s website, other than the privacy notice. Schellman may request documentation from the Participant, or conduct onsite visits, to validate compliance. Schellman will notify the Participant in advance to allow for documentation collection and scheduling of the onsite visit.
Re-Certification and Annual Attestation
In order for clients to maintain their certification, recertification must take place every year following the date of initial certification. The recertification process will include:
- An updated and completed PRP Intake Questionnaire provided by the client. Schellman will review the completed form looking for any changes since the initial certification.
- If there has been a material change, reasonably determined by the Accountability Agent, Schellman will perform a review process that will be similar to the initial certification fieldwork process as outlined above.
- An audit report will be provided to the Participant outlining the Accountability Agent’s findings regarding the Participant’s level of compliance with the program requirements. The report will include any areas of non-compliance, the corrections the Participant needs to make to those areas, and the time-frame within which the corrections must be completed for purposes of obtaining re-certification.
- If non-compliance areas were found during the re-certification process, Schellman will review documentation provided by the Participant to verify that correction has been completed and is compliant, prior to obtaining re-certification.
- Upon verification that the requirements are in compliance, a final report will be provided to the Participant as notice of compliance with the program requirements and that the Participant has been re-certified.
Certification shall be suspended in cases when, for example:
- The client was found to be in breach of the program’s requirements and the findings have not been resolved within the required time-frames, which shall not exceed a period of six (6) months or upon the due date of the annual recertification;
- The certified client does not allow re-certification audits to be conducted at the required frequencies;
- Where there are reasonable grounds to believe that a Participant has engaged in a practice that may constitute a breach of the program requirements; or
- The certified client has voluntarily requested a suspension.