
How to Pass the DSPT Audit: Avoid These Common Pitfalls

When it comes to completing the NHS Data Security and Protection Toolkit (DSPT) audit, many IT suppliers stumble not because they lack the right intentions, but because they make avoidable mistakes. At Periculo, we’ve supported numerous NHS IT suppliers through their DSPT audit journey, and we’ve identified recurring pitfalls that can delay compliance, jeopardise NHS contracts, or even result in failed submissions.

In this blog, we’ll walk you through the most common mistakes IT suppliers make during the DSPT audit process and offer practical steps to avoid them. Consider this your audit-ready checklist of “what not to do”—so you can take a smarter, smoother path to compliance.

1. Overstating Your Compliance

The pitfall: Marking ‘Yes’ to every DSPT assertion without solid evidence to back it up.

Why it’s a problem: In an audit, every claim you make must be supported by documented evidence. If you assert that 100% of staff have completed training but lack training logs or certificates, the auditor will flag it as a non-conformity. Worse still, misrepresentation can breach NHS contractual terms.

What to do instead: Be honest in your DSPT self-assessment. If an area isn’t fully in place, mark it as ‘Planned’ or ‘Not Yet Achieved’ and create an action plan. It’s far better to be transparent and proactive than to overpromise and underdeliver during audit.

2. Relying on Outdated or Incomplete Documentation

The pitfall: Submitting policies or evidence documents that are years old—or missing key details.

Why it’s a problem: The DSPT requires documentation that is accurate, comprehensive, and up to date. Auditors will check document version history, last review dates, and whether documents have been approved by senior management.

What to do instead: Review all your documentation before audit season. Make sure policies have been reviewed in the last 12 months, are version-controlled, and include all required elements (e.g. scope, roles and responsibilities, review cycles).

3. Scrambling for Evidence at the Last Minute

The pitfall: Waiting until just before the audit (or DSPT submission deadline) to locate or create supporting evidence.

Why it’s a problem: Without a well-organised library of evidence, it becomes stressful to prove compliance—especially when auditors ask for detailed proof across multiple standards.

What to do instead: Create a central evidence folder that maps each DSPT requirement to its supporting document or log. Use descriptive filenames, keep documents updated regularly, and assign responsibility for each evidence area to a named owner.

4. Ignoring Changes to DSPT Requirements

The pitfall: Copying last year’s DSPT answers without reviewing changes in this year’s requirements.

Why it’s a problem: NHS England updates the DSPT annually. Failing to comply with new or revised assertions can lead to submission rejection or additional scrutiny during audit.

What to do instead: Review the annual DSPT change summary. Highlight new requirements (e.g. evidence of multi-factor authentication or updated training modules) and incorporate them into your audit preparation plan early in the cycle.

5. Treating It as an IT-Only Exercise

The pitfall: Assuming the DSPT audit only concerns your IT team.

Why it’s a problem: The DSPT covers organisational governance, staff training, incident response, supplier management and more. Auditors may request interviews or evidence from HR, senior leadership, and procurement—not just the IT department.

What to do instead: Treat DSPT as a cross-functional responsibility. Involve leadership, HR, legal, and operations in audit prep. Assign a senior executive as your SIRO (Senior Information Risk Owner) to demonstrate top-level engagement.

6. Booking the Audit Too Late

The pitfall: Leaving it too late to schedule your independent DSPT audit.

Why it’s a problem: Auditors are typically busiest as the 30 June DSPT deadline approaches. Delays in scheduling can mean missing your submission window or rushing through the audit process unprepared.

What to do instead: Engage with an auditor now to secure a suitable slot. If you're unsure about readiness, ask for a pre-audit gap analysis so you can resolve issues before the formal review.

Turn Pitfalls into Progress

Avoiding these common missteps can save your organisation time, stress, and risk exposure. At Periculo, we help you prepare thoroughly and efficiently so that you can make a confident DSPT submission that meets the standards.

Book a Free Discovery Call or Contact Us below to learn how we can help you sidestep pitfalls and pass your DSPT audit with ease.