Internal Audit & Quality Mgmt
Plain English Translation
Organizations must adopt a quality management program that includes procedures for internal audits, ongoing monitoring, and periodic review of all privacy and security policies. Privacy and security documentation must be kept current, evaluated against operational realities, and updated when changes occur. This ensures that compliance is treated as a continuous process rather than a one-time exercise.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Create a basic schedule to review your public privacy policy and internal data handling practices annually to ensure they match.
Required Actions (scaleup)
- Implement formal internal audit procedures and maintain a security risk register to track identified vulnerabilities and compliance gaps.
Required Actions (enterprise)
- Deploy a comprehensive quality management program with dedicated internal audit teams, automated compliance monitoring, and continuous control testing.
RA 10173 requires organizations to implement comprehensive organizational, physical, and technical security measures to protect personal data from unauthorized processing.
Yes, IRR Section 26(f) explicitly mandates procedures for implementing quality management and internal audits within the organization.
The IRR mandates regular review and evaluation; best practices suggest reviewing and updating privacy and security policies at least annually or when major systemic changes occur.
It is an overarching governance structure that includes policies, procedures, accountability assignments, and continuous monitoring to ensure adherence to data protection principles.
You conduct an audit by evaluating existing technical and organizational controls against the IRR requirements, testing control effectiveness, and documenting remediation actions. Tools like WatchDog Security's Compliance Center can help structure this process by linking audit procedures, evidence, and remediation status to specific RA 10173 control requirements.
It should include data mapping, privacy policy reviews, consent mechanisms, security incident response protocols, and the results of security risk monitoring.
Organizations should implement continuous vulnerability management, conduct periodic risk assessments, and maintain a centralized risk register to track and mitigate threats. Tools like WatchDog Security's Vulnerability Management and Risk Register can support this by connecting technical findings to risk treatment workflows and remediation tracking.
Evidence includes documented privacy policies, internal audit reports, updated security risk registers, and records of quality management program activities.
The NPC requires the appointment of a Data Protection Officer, registration of data systems, and a documented privacy management program with ongoing quality assurance checks.
CISOs should ensure all physical, technical, and organizational controls are documented, conduct a pre-assessment internal audit, and verify that privacy policies reflect actual data handling practices.
Internal audits are easier to defend when policies, control tests, findings, and remediation records are organized in one place. Tools like WatchDog Security's Compliance Center can help map RA 10173 requirements to controls, collect evidence, identify gaps, and maintain a repeatable audit trail for review.
A quality management program should turn audit findings and security observations into tracked risks with owners, due dates, and treatment plans. Tools like WatchDog Security's Risk Register can help centralize identified privacy and security risks, score their impact, and provide reporting for leadership review.
"Any natural or juridical person or other entity involved in the processing of personal data shall adopt a quality management program and put in place procedures for review and monitoring, including: Procedures for implementing quality management and internal audits within the organization or agency; Policy for documentation, regular review, evaluation and updating of the privacy and security policies and practices."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

